How to Submit a File to Windows Defender for Scanning in Batch Script
Windows Defender (Microsoft Defender Antivirus) uses a combination of local signatures and cloud-based intelligence to protect your system. If you encounter a suspicious file that is not being flagged, or if you are a developer whose harmless software is being incorrectly blocked (a "False Positive"), you can submit that file directly to Microsoft for professional analysis. While this is usually done via the online portal, the command-line utility MpCmdRun.exe allows you to trigger scans and manage sample submissions programmatically.
This guide explains how to use Batch to interact with the Defender submission engine.
Why Submit Files via Script?
- False Positive Resolution: Automatically submitting your newly compiled .exe files to Microsoft to ensure they aren't blocked for your users.
- Security Research: Building a tool that automatically sends suspicious email attachments to the cloud for deeper inspection.
- Environment Integrity: Ensuring that any "Unrecognized" files in a mission-critical directory are verified by the Microsoft security team.
The utility MpCmdRun.exe is part of every Windows 10 and 11 installation. It handles local triggers for the cloud submission engine.
Method 1: Scanning a Specific File Locally
Before submitting a file, you should always run a local scan to see what Defender currently thinks about the file.
@echo off
setlocal
:: Dynamically locate MpCmdRun.exe
set "MP_PATH="
if exist "%ProgramFiles%\Windows Defender\MpCmdRun.exe" (
set "MP_PATH=%ProgramFiles%\Windows Defender\MpCmdRun.exe"
) else (
for /f "delims=" %%f in ('dir /s /b "%ProgramData%\Microsoft\Windows Defender\Platform\MpCmdRun.exe" 2^>nul') do set "MP_PATH=%%f"
)
if not defined MP_PATH (
echo [ERROR] Could not locate MpCmdRun.exe.
pause
exit /b 1
)
set "FILE_PATH=C:\Temp\suspicious_app.exe"
:: Verify the target file exists
if not exist "%FILE_PATH%" (
echo [ERROR] File not found: %FILE_PATH%
pause
exit /b 1
)
echo [PROCESS] Scanning file: %FILE_PATH%
echo.
"%MP_PATH%" -Scan -ScanType 3 -File "%FILE_PATH%"
if %errorlevel% equ 0 (
echo [INFO] No threats detected by local scan.
) else if %errorlevel% equ 2 (
echo [WARNING] Threat detected in this file!
) else (
echo [INFO] Scan completed with code: %errorlevel%
)
pause
Method 2: Sending a Sample to Microsoft via MpCmdRun
You can use MpCmdRun.exe to submit a file sample to the Microsoft cloud for analysis. This requires that "Automatic Sample Submission" is enabled in Windows Security settings.
@echo off
setlocal
:: Locate MpCmdRun.exe
set "MP_PATH="
if exist "%ProgramFiles%\Windows Defender\MpCmdRun.exe" (
set "MP_PATH=%ProgramFiles%\Windows Defender\MpCmdRun.exe"
) else (
for /f "delims=" %%f in ('dir /s /b "%ProgramData%\Microsoft\Windows Defender\Platform\MpCmdRun.exe" 2^>nul') do set "MP_PATH=%%f"
)
if not defined MP_PATH (
echo [ERROR] Could not locate MpCmdRun.exe.
pause
exit /b 1
)
set "TARGET=C:\Temp\unknown.exe"
if not exist "%TARGET%" (
echo [ERROR] File not found: %TARGET%
pause
exit /b 1
)
echo [PROCESS] Submitting file for cloud analysis: %TARGET%
echo [NOTE] Automatic Sample Submission must be enabled in Windows Security.
echo.
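:: Submit the file sample to Microsoft for analysis
:: Confirm these switches appear in "%MP_PATH%" -? on your platform version before relying on the exit code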
"%MP_PATH%" -SubmitSamples -SendSamples -Path "%TARGET%"
if %errorlevel% equ 0 (
echo [SUCCESS] Sample submitted for analysis.
) else (
echo [WARNING] Submission may have failed. Code: %errorlevel%
echo [HELP] Ensure Automatic Sample Submission is enabled in
echo Windows Security ^> Virus ^& threat protection ^> Manage settings.
)
pause
Method 3: Using PowerShell for Submissions
For IT teams, PowerShell provides additional submission capabilities through the Defender cmdlets.
@echo off
setlocal
set "S_FILE=C:\Dev\MyTool.exe"
:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] Administrator privileges are required.
pause
exit /b 1
)
if not exist "%S_FILE%" (
echo [ERROR] File not found: %S_FILE%
pause
exit /b 1
)
echo [PROCESS] Submitting file for cloud analysis: %S_FILE%
echo.
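:: Run a custom scan with Start-MpScan; with MAPS enabled, Defender decides whether to send a sample
:: $ErrorActionPreference = 'Stop' makes a failed scan end PowerShell with a non-zero exit code
powershell -NoProfile -Command ^
"$ErrorActionPreference = 'Stop';" ^
"$file = '%S_FILE%';" ^
"Write-Host 'Scanning file locally first...';" ^
"Start-MpScan -ScanPath $file -ScanType CustomScan;" ^
"Write-Host 'Local scan complete.'"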
if %errorlevel% equ 0 (
echo [SUCCESS] Scan completed. If MAPS is enabled, suspicious files
echo are automatically submitted for cloud analysis.
) else (
echo [ERROR] Operation failed. Code: %errorlevel%
)
echo.
echo [TIP] For manual submission, visit:
echo https://www.microsoft.com/en-us/wdsi/filesubmission
pause
Creating a Developer "False Positive" Guard
This script scans a file and provides clear guidance on next steps for developers whose software may be incorrectly flagged.
@echo off
setlocal
echo ============================================================
echo File Integrity Verification Tool
echo ============================================================
:: 1. Verify arguments
if "%~1"=="" (
echo [ERROR] Usage: %~nx0 "C:\path\to\yourfile.exe"
pause
exit /b 1
)
if not exist "%~1" (
echo [ERROR] File not found: %~1
pause
exit /b 1
)
:: 2. Locate MpCmdRun.exe
set "MP_PATH="
if exist "%ProgramFiles%\Windows Defender\MpCmdRun.exe" (
set "MP_PATH=%ProgramFiles%\Windows Defender\MpCmdRun.exe"
) else (
for /f "delims=" %%f in ('dir /s /b "%ProgramData%\Microsoft\Windows Defender\Platform\MpCmdRun.exe" 2^>nul') do set "MP_PATH=%%f"
)
if not defined MP_PATH (
echo [ERROR] Could not locate MpCmdRun.exe.
pause
exit /b 1
)
:: 3. Perform Local Scan
echo [1/2] Running local scan on: %~1
echo.
"%MP_PATH%" -Scan -ScanType 3 -File "%~1"
if %errorlevel% equ 2 (
echo.
echo [ALERT] File was flagged as a threat!
echo [ACTION] If this is a false positive, submit it for review at:
echo https://www.microsoft.com/en-us/wdsi/filesubmission
echo ============================================================
pause
exit /b 1
)
:: 4. Attempt cloud submission
echo.
echo [2/2] Triggering cloud verification...
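:: Confirm these switches appear in "%MP_PATH%" -? on your platform version
"%MP_PATH%" -SubmitSamples -SendSamples -Path "%~1" >nul 2>&1
if %errorlevel% neq 0 echo [WARNING] Submission command returned code %errorlevel%. Use the portal link below.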
echo.
echo [DONE] File verification complete.
echo [INFO] If your file is being flagged as a false positive:
echo 1. Sign it with a trusted code signing certificate.
echo 2. Submit it at: https://www.microsoft.com/en-us/wdsi/filesubmission
echo 3. Monitor status via Get-MpThreat in PowerShell.
echo ============================================================
pause
Common Pitfalls and How to Avoid Them
Consent and Privacy
Microsoft only accepts samples if the user has opted into "Automatic Sample Submission" in their Windows Security settings.
Wrong Way:
:: Expecting a file to send from a machine with sample submission disabled
Correct Way:
Your script should advise the user to enable "Automatic Sample Submission" in Settings > Update & Security > Windows Security > Virus & threat protection > Manage settings.
File Size Limits
Very large files (over 200MB) or files that are heavily encrypted cannot be processed by the automated submission engines.
Advise your users that if the automatic submission fails, they should visit the official Microsoft Security Intelligence Submission Portal to upload the file manually with a custom description of the behavior.
Best Practices for File Verification
- Check MAPS Status: Ensure the computer is part of "MAPS" (Microsoft Active Protection Service) to get the fastest response from the cloud.
- Use Digital Signatures: Before submitting a file, sign it with a trusted certificate. Signed files are much less likely to be flagged as "Suspicious" in the first place.
- Monitor Status: Check the Windows Defender logs (Get-MpThreat) to see if the status of your submitted file has changed from "Unknown" to "Clean."
If you have a Microsoft "Developer" or "Azure" account, you can use the portal to track your submission's progress and receive an email once the analysis is complete.
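The "Consent and Privacy" and "File Size Limits" pitfalls and the "Check MAPS Status" practice can all be verified before a submission is attempted. The batch script below is an added example, not part of the original guide or of any Microsoft tooling: it reads MAPSReporting and SubmitSamplesConsent from Get-MpPreference, applies the 200MB limit stated above, and runs MpCmdRun's -ValidateMapsConnection switch. The TARGET and READY variables and the exit codes are this example's own choices.

```batch
@echo off
setlocal
:: Added example: read-only pre-flight check; it changes no Defender setting.
if "%~1"=="" (
    echo [ERROR] Usage: %~nx0 "C:\path\to\file.exe"
    exit /b 2
)
if not exist "%~1" (
    echo [ERROR] File not found: "%~1"
    exit /b 2
)
:: Hand the path to PowerShell through the environment, not the command string
set "TARGET=%~1"
set "READY=1"
:: MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced
set "MAPS="
for /f "delims=" %%v in ('powershell -NoProfile -Command "(Get-MpPreference).MAPSReporting"') do set "MAPS=%%v"
:: SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples, 2 = never send, 3 = send all
set "CONSENT="
for /f "delims=" %%v in ('powershell -NoProfile -Command "(Get-MpPreference).SubmitSamplesConsent"') do set "CONSENT=%%v"
if not defined MAPS (
    echo [ERROR] Get-MpPreference returned no MAPSReporting value.
    exit /b 2
)
if "%MAPS%"=="0" (
    echo [BLOCKED] MAPS reporting is disabled.
    set "READY=0"
)
if "%CONSENT%"=="2" (
    echo [BLOCKED] Sample submission consent is set to never send.
    set "READY=0"
)
if "%CONSENT%"=="0" echo [NOTE] Consent is set to always prompt.
:: 200MB limit from the guide, compared in PowerShell because cmd integers are 32-bit
powershell -NoProfile -Command "if ((Get-Item -LiteralPath $env:TARGET).Length -gt 200MB) { exit 1 }" || (
    echo [BLOCKED] File is larger than 200MB. Use the submission portal instead.
    set "READY=0"
)
:: Cloud reachability test; Microsoft's instructions run it from an elevated prompt
if exist "%ProgramFiles%\Windows Defender\MpCmdRun.exe" (
    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection >nul 2>&1 || (
        echo [BLOCKED] MpCmdRun -ValidateMapsConnection did not succeed.
        set "READY=0"
    )
)
echo [RESULT] READY=%READY% MAPSReporting=%MAPS% SubmitSamplesConsent=%CONSENT%
if "%READY%"=="1" exit /b 0
exit /b 1
```

Exit code 0 means every prerequisite holds, 1 means at least one is missing, and 2 means the check itself could not run.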
Conclusion
Submitting files to Windows Defender for scanning and analysis via Batch script is a proactive strategy for maintaining a secure and interruption-free environment. By combining local scanning with cloud-based submission tools, you ensure that your software is verified by the industry leader in security intelligence. This professional approach to file integrity reduces false positives, improves system performance, and provides a clear, automated path for resolving security ambiguities across your entire Windows deployment.