Add malware scanning and Defender signature updates to Windows deliverables #17
DaanAcohen merged 4 commits into main from
Conversation
Pull request overview
Adds Microsoft Defender signature updates and malware scanning steps to the Windows packaging workflow to validate Windows build artifacts during CI.
Changes:
- Update Defender signatures (Update-MpSignature) during Windows packaging jobs.
- Scan produced artifacts with Defender (Start-MpScan) and fail the workflow if threats are reported.
- Extend scanning to both the built .exe and the produced .msix package.
| $target = "$env:GITHUB_WORKSPACE\kemforge.exe" | ||
| Start-MpScan -ScanType CustomScan -ScanPath $target | ||
| $threats = Get-MpThreat | ||
| if ($threats) { | ||
| Write-Error "Malware detected in ${target}:`n$($threats | Format-List | Out-String)" | ||
| exit 1 |
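Review bot: the step reports "no threats" for an artifact that was never produced: `$target` is scanned without first checking that `$env:GITHUB_WORKSPACE\kemforge.exe` exists, so a build step that silently wrote nothing (or wrote to a different path) still passes this gate. Add a guard before the scan, e.g. `if (-not (Test-Path -LiteralPath $target -PathType Leaf)) { throw "Artifact not found: $target" }`, so a missing deliverable fails the job rather than being recorded as clean.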
Get-MpThreat is not scoped to the just-scanned file and can include prior/ambient threat history on the runner, which can cause false failures. Capture a baseline before Start-MpScan (or filter Get-MpThreatDetection by Resources and detection time) and only fail the job if a new detection for $target appears after the scan (or use MpCmdRun.exe and fail on its exit code).
| - name: Scan MSIX for malware | ||
| shell: pwsh | ||
| run: | | ||
| $target = "$env:GITHUB_WORKSPACE\kemforge.msix" | ||
| Start-MpScan -ScanType CustomScan -ScanPath $target | ||
| $threats = Get-MpThreat | ||
| if ($threats) { | ||
| Write-Error "Malware detected in ${target}:`n$($threats | Format-List | Out-String)" | ||
| exit 1 |
These malware scan steps run before the MSIX is signed. If the intent is to validate the deliverable being uploaded/installed, consider scanning the final signed kemforge.msix (or re-scan after signing) rather than the unsigned package produced by makeappx.
| run: Update-MpSignature | ||
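Review bot: `run: Update-MpSignature` leaves no record of which signature version the later scan verdict is based on, so a "no threats" result from a runner whose update silently failed or was skipped looks identical in the log to one scanned with current definitions. After the update, log `(Get-MpComputerStatus).AntivirusSignatureVersion` and `AntivirusSignatureLastUpdated` so the scan's signature age is visible in the job output and can be checked when triaging a release.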
Update-MpSignature can intermittently fail on hosted runners (service disabled/unavailable or transient update errors), which would break packaging even though nothing is wrong with the build. Consider adding explicit error handling (e.g., -ErrorAction Stop with retry/backoff) and/or a clear fallback behavior if Defender cmdlets aren't available.
| run: Update-MpSignature | |
| run: | | |
| # Check if Update-MpSignature cmdlet is available (Defender present/enabled) | |
| if (-not (Get-Command -Name Update-MpSignature -ErrorAction SilentlyContinue)) { | |
| Write-Warning "Update-MpSignature cmdlet not available. Skipping Defender signature update." | |
| exit 0 | |
| } | |
| $maxAttempts = 3 | |
| $delaySeconds = 10 | |
| for ($attempt = 1; $attempt -le $maxAttempts; $attempt++) { | |
| try { | |
| Write-Host "Attempt $attempt of $maxAttempts: Updating Defender signatures..." | |
| Update-MpSignature -ErrorAction Stop | |
| Write-Host "Defender signatures updated successfully." | |
| break | |
| } | |
| catch { | |
| Write-Warning "Update-MpSignature failed on attempt $attempt of $maxAttempts: $($_.Exception.Message)" | |
| if ($attempt -lt $maxAttempts) { | |
| Write-Host "Retrying in $delaySeconds seconds..." | |
| Start-Sleep -Seconds $delaySeconds | |
| } | |
| else { | |
| Write-Warning "All attempts to update Defender signatures have failed. Continuing without updated signatures." | |
| } | |
| } | |
| } |
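Review bot: the two `Write-Host`/`Write-Warning` strings that read `... of $maxAttempts: ...` will not parse: in a double-quoted PowerShell string, `$maxAttempts:` is read as a scope- or drive-qualified variable reference, and the space after the colon produces "Variable reference is not valid", which breaks the whole step before the first attempt runs. Delimit the name as the existing scan step already does for `${target}:`, i.e. `"Attempt $attempt of ${maxAttempts}: Updating Defender signatures..."` and `"... on attempt $attempt of ${maxAttempts}: $($_.Exception.Message)"`. Separately, the final `else` branch only warns and continues, so a packaging job can scan with stale definitions and still succeed; for the release job consider failing instead (or exposing the outcome as a step output) so that a stale-signature scan is never mistaken for a clean one.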
| - name: Update Defender signatures | ||
| shell: pwsh | ||
| run: Update-MpSignature | ||
| - name: Scan executable for malware | ||
| shell: pwsh | ||
| run: | | ||
| $target = "$env:GITHUB_WORKSPACE\kemforge.exe" | ||
| Start-MpScan -ScanType CustomScan -ScanPath $target | ||
| $threats = Get-MpThreat | ||
| if ($threats) { | ||
| Write-Error "Malware detected in ${target}:`n$($threats | Format-List | Out-String)" | ||
| exit 1 | ||
| } | ||
| Write-Output "No threats detected in $target" |
The Defender update + scan block is duplicated across multiple jobs in this workflow (and again for MSIX). To keep behavior consistent and reduce maintenance, consider extracting this into a reusable PowerShell script (e.g., scripts/defender-scan.ps1) or a composite action and call it with the target path.
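As an added example (not code from this PR or from the kemforge project), the following hypothetical scripts/defender-scan.ps1 combines the three points raised in this thread: a bounded retry with backoff around Update-MpSignature, a detection baseline captured before Start-MpScan so that only a new detection referencing the scanned path fails the job, and a single reusable script taking the target path as a parameter. The script path, the parameter names and the -RequireFreshSignatures switch are assumptions; the cmdlets and the DetectionID, InitialDetectionTime and Resources properties of Get-MpThreatDetection are the standard Defender module ones.

```powershell
# scripts/defender-scan.ps1 -- hypothetical reusable script (added example, not part of the PR).
# Updates Defender signatures with retry, scans one artifact, and fails only when a detection
# that was not present before the scan references that artifact.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$TargetPath,
    [int]$MaxAttempts = 3,
    [int]$DelaySeconds = 10,
    # Assumed switch: fail (rather than warn) when signatures could not be updated; for release jobs.
    [switch]$RequireFreshSignatures
)

$ErrorActionPreference = 'Stop'

# A missing artifact must fail loudly instead of being reported as "no threats".
if (-not (Test-Path -LiteralPath $TargetPath -PathType Leaf)) {
    throw "Artifact not found: $TargetPath"
}
$resolvedTarget = (Resolve-Path -LiteralPath $TargetPath).Path

# Runner images without Defender do not have the Defender module; refuse rather than skip.
if (-not (Get-Command -Name Start-MpScan -ErrorAction SilentlyContinue)) {
    throw "Microsoft Defender cmdlets are not available on this runner; cannot scan $resolvedTarget"
}

# Signature update with bounded retry and linear backoff.
$updated = $false
for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
    try {
        Write-Host "Attempt ${attempt} of ${MaxAttempts}: updating Defender signatures"
        Update-MpSignature -ErrorAction Stop
        $updated = $true
        break
    }
    catch {
        Write-Warning "Update-MpSignature failed (attempt ${attempt}): $($_.Exception.Message)"
        if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds ($DelaySeconds * $attempt) }
    }
}
if (-not $updated) {
    if ($RequireFreshSignatures) {
        throw "Could not update Defender signatures after $MaxAttempts attempts"
    }
    Write-Warning "Scanning with the signatures already present on the runner"
}

# Record which signature version the verdict below is based on.
$status = Get-MpComputerStatus
Write-Host "Signature version $($status.AntivirusSignatureVersion), last updated $($status.AntivirusSignatureLastUpdated)"

# Baseline: detections already on the runner before this scan are not attributable to the artifact.
$scanStart = (Get-Date).AddMinutes(-1)   # small tolerance for clock granularity
$baseline = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty DetectionID)

Start-MpScan -ScanType CustomScan -ScanPath $resolvedTarget -ErrorAction Stop

# Count only detections that are new since the baseline, post-date the scan, and reference the target.
$new = @(Get-MpThreatDetection -ErrorAction SilentlyContinue | Where-Object {
    ($_.DetectionID -notin $baseline) -and
    ($_.InitialDetectionTime -ge $scanStart) -and
    (($_.Resources -join ';') -like "*$resolvedTarget*")
})

if ($new.Count -gt 0) {
    $details = $new | Select-Object ThreatID, InitialDetectionTime, Resources | Format-List | Out-String
    Write-Error -Message "Malware detected in ${resolvedTarget}:`n$details" -ErrorAction Continue
    exit 1
}
Write-Output "No new threats detected in $resolvedTarget"
```

From the workflow the script is called the way the suggested step in this thread does, `.\scripts\defender-scan.ps1 -TargetPath "$env:GITHUB_WORKSPACE\kemforge.exe"` (and likewise for the .msix). In release_windows, pass `-RequireFreshSignatures` and point it at the signed artifact immediately before the release step, so the file that is actually published is the one that was scanned.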
| - name: Update Defender signatures | |
| shell: pwsh | |
| run: Update-MpSignature | |
| - name: Scan executable for malware | |
| shell: pwsh | |
| run: | | |
| $target = "$env:GITHUB_WORKSPACE\kemforge.exe" | |
| Start-MpScan -ScanType CustomScan -ScanPath $target | |
| $threats = Get-MpThreat | |
| if ($threats) { | |
| Write-Error "Malware detected in ${target}:`n$($threats | Format-List | Out-String)" | |
| exit 1 | |
| } | |
| Write-Output "No threats detected in $target" | |
| - name: Scan executable for malware | |
| shell: pwsh | |
| run: | | |
| $target = "$env:GITHUB_WORKSPACE\kemforge.exe" | |
| .\scripts\defender-scan.ps1 -TargetPath $target |
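Review bot: this suggestion removes the "Update Defender signatures" step along with the inline scan but the replacement only invokes `.\scripts\defender-scan.ps1 -TargetPath $target`, so unless that script performs the signature update itself, the scan now runs with whatever definitions the runner image shipped with. Either keep the update step or make the script update (with the retry handling proposed above) before it scans, and note that scripts/defender-scan.ps1 is not added by this PR, so the suggestion cannot be applied as-is. The relative `.\scripts\...` path also assumes the step runs from the checkout root; anchor it on `$env:GITHUB_WORKSPACE` like the target path.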
| - name: Scan executable for malware | ||
| shell: pwsh | ||
| run: | | ||
| $target = "$env:GITHUB_WORKSPACE\kemforge.exe" | ||
| Start-MpScan -ScanType CustomScan -ScanPath $target | ||
| $threats = Get-MpThreat | ||
| if ($threats) { | ||
| Write-Error "Malware detected in ${target}:`n$($threats | Format-List | Out-String)" | ||
| exit 1 | ||
| } | ||
| Write-Output "No threats detected in $target" |
In release_windows, the scan happens before signing and before the final kemforge.zip is created/released. If the goal is to ensure released artifacts are clean, scan the signed executable and/or the generated zip right before creating the GitHub Release.
…re the actual deliverable is scanned.
…indows packaging workflow
No description provided.