
Add [Windows Defender] (question/feature) #855

Closed
2 tasks done
FrancescElies opened this issue May 8, 2020 · 6 comments

@FrancescElies

Problem:
I wanted to run the following commands in the cloud:

"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File myfile.so

Is there a way to do this, or did I miss something?

Tool information

  • Tool name: Windows Defender

Area for Triage:
Don't know

Question, Bug, or Feature?:
Question and/or Feature (not sure)

Virtual environments affected

  • Windows Server 2016 R2
  • Windows Server 2019

Can this tool be installed during the build?
I guess so, it belongs to Windows.

Tool installation time in runtime
I don't know

Are you willing to submit a PR?
I don't think this would be optimal, I'm not a windows dev.

@al-cheb
Contributor

al-cheb commented May 8, 2020

Hello, @FrancescElies

You should use a scheduled job to run the antivirus check:

Example:

- run: |
    $fileName = 'C:\eicar.com'
    Invoke-WebRequest https://secure.eicar.org/eicar.com -OutFile $fileName
    Remove-MpPreference -ExclusionPath (Get-MpPreference).ExclusionPath
    $taskName = "FileScan"
    schtasks /create /tn $taskName /sc DAILY /st 13:00 /ru SYSTEM /rl HIGHEST /tr "'C:\Program Files\Windows Defender\MpCmdRun.exe' -Scan -ScanType 3 -File $fileName"
    Start-ScheduledTask -TaskName $taskName
    while ((Get-ScheduledTask -TaskName $taskName).State -ne 'Ready')
    {
        Start-Sleep -Seconds 5
    }
    Get-MpThreatDetection


@FrancescElies
Author

@al-cheb Thanks for the quick reply, a couple of questions.

Just for my understanding, what's the reason behind having to run MpCmdRun.exe over the scheduler? Shouldn't "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File myfile.so be enough?
I saw you used /st 13:00, which starts the command at one o'clock? Is there any trick here I don't see so that the command starts directly?

- run: is an alias for - powershell, right?

@al-cheb
Contributor

al-cheb commented May 11, 2020

@FrancescElies,

  1. "I saw you used /st 13:00, which starts the command at one o'clock?" - I am using the Start-ScheduledTask -TaskName $taskName command in my example to start the scheduled task right now and wait until it finishes.

  2. "- run: is an alias for - powershell, right?" - by default it uses the pwsh shell. I forgot to provide shell: powershell when copying the example:

     - run: |
         $fileName = "C:\myfile.so"
         Remove-MpPreference -ExclusionPath (Get-MpPreference).ExclusionPath
         $taskName = "FileScan"
         schtasks /create /tn $taskName /sc DAILY /st 13:00 /ru SYSTEM /rl HIGHEST /tr "'C:\Program Files\Windows Defender\MpCmdRun.exe' -Scan -ScanType 3 -File $fileName"
         Start-ScheduledTask -TaskName $taskName
         while ((Get-ScheduledTask -TaskName $taskName).State -ne 'Ready')
         {
             Start-Sleep -Seconds 5
         }
         Get-MpThreatDetection
       shell: powershell

  3. "Just for my understanding, what's the reason behind having to run MpCmdRun.exe over the scheduler?" - Without using the scheduler under the SYSTEM user I have faced hr = 0x80070422 or files being skipped from the scan.

I have tested with shell: cmd and it works too:

- run: |
    Invoke-WebRequest https://secure.eicar.org/eicar.com -OutFile C:\eicar.com
    Remove-MpPreference -ExclusionPath (Get-MpPreference).ExclusionPath
  shell: powershell
- run: |
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate -http
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File C:\eicar.com
  shell: cmd
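The scheduled-task approach above works, but the wait loop has no timeout and the step never looks at the task's own result code, so a hung or failing MpCmdRun run would either block the job or pass silently. The following is an added example (not al-cheb's code and not part of the runner-image repository) of the same technique with those two gaps closed: it registers a one-shot task running as SYSTEM with the ScheduledTasks cmdlets instead of schtasks, waits with a deadline, reads LastTaskResult, cleans the task up, and correlates the result with Get-MpThreatDetection. It assumes an elevated shell (required to register a SYSTEM task), Defender at its default install path, and that the file to scan already exists, for example C:\eicar.com downloaded as in the thread; the function name Invoke-DefenderScanAsSystem and the task name FileScan are the example's own.

```powershell
# Added example, not code from the original issue or the runner-image project.
# Assumes: elevated shell, Defender at the default path, and that $Path already
# exists (e.g. C:\eicar.com fetched as shown earlier in the thread).

function Invoke-DefenderScanAsSystem {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $TaskName = 'FileScan',
        [int] $TimeoutSeconds = 300
    )

    $mpCmdRun = 'C:\Program Files\Windows Defender\MpCmdRun.exe'
    if (-not (Test-Path -LiteralPath $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }
    if (-not (Test-Path -LiteralPath $Path))     { throw "File to scan not found: $Path" }

    # ScanType 3 is a custom scan of one file or directory. Building the task with
    # the cmdlets keeps the argument quoting explicit instead of nesting it in /tr.
    $action    = New-ScheduledTaskAction -Execute $mpCmdRun -Argument "-Scan -ScanType 3 -File `"$Path`""
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Seconds $TimeoutSeconds)

    # Replace any leftover task from a previous run of the job.
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue | Out-Null
    Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Settings $settings | Out-Null

    try {
        Start-ScheduledTask -TaskName $TaskName
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Seconds 2
            $state = (Get-ScheduledTask -TaskName $TaskName).State
            if ((Get-Date) -gt $deadline) {
                throw "Scan task '$TaskName' did not return to Ready within $TimeoutSeconds s"
            }
        } while ($state -ne 'Ready')

        # LastTaskResult is MpCmdRun's exit code. Microsoft documents 0 as
        # "no threat found" and 2 as "threat found"; anything else is an error
        # (an HRESULT such as 0x80070422 shows up here as a large unsigned value).
        $exitCode = (Get-ScheduledTaskInfo -TaskName $TaskName).LastTaskResult
    }
    finally {
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue | Out-Null
    }

    # Cross-check with Defender's detection history for the scanned path.
    $detections = @(Get-MpThreatDetection | Where-Object { $_.Resources -like "*$Path*" })

    [pscustomobject]@{
        Path        = $Path
        ExitCode    = $exitCode
        ThreatFound = ($exitCode -eq 2) -or ($detections.Count -gt 0)
        Detections  = $detections
    }
}

# Usage in a workflow step (shell: powershell): fail the step when a threat is reported.
$scan = Invoke-DefenderScanAsSystem -Path 'C:\eicar.com'
$scan | Format-List
if ($scan.ThreatFound) { Write-Error "Threat detected in $($scan.Path)"; exit 1 }
```

The Remove-MpPreference line from the thread still belongs before the call: Defender exclusions apply to on-demand scans as well, so a path left excluded by the image is skipped rather than reported.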

miketimofeev added the label question (Further information is requested) on May 11, 2020
@FrancescElies
Author

For the moment I have it running on a self-hosted machine, over there I can run MpCmdRun directly.

Is hr = 0x80070422 a bug? Is this something to be addressed?
At some point it would be nice to move that job to the cloud without having to do gymnastics with the scheduler.

@al-cheb
Contributor

al-cheb commented May 11, 2020

Is hr = 0x80070422 a bug? - Nope, the wuauserv service is disabled by default. You should manually enable the wuauserv service in the pipeline.

- run: |
    Invoke-WebRequest https://secure.eicar.org/eicar.com -OutFile C:\eicar.com
    Remove-MpPreference -ExclusionPath (Get-MpPreference).ExclusionPath
    Set-Service -Name wuauserv -StartupType Manual -Status Running
  shell: powershell
- run: |
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File C:\eicar.com
  shell: cmd
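hr = 0x80070422 is the HRESULT form of Win32 error 1058, ERROR_SERVICE_DISABLED, which is exactly what MpCmdRun reports when -SignatureUpdate tries to go through a disabled Windows Update service. The snippet above fixes that but still ignores the exit codes of both MpCmdRun calls, so a failed signature update or a detected threat does not fail the cmd step by itself. The following is an added example (not al-cheb's code and not part of the runner-image project) of the scheduler-free approach written as one PowerShell step: it enables wuauserv, updates signatures and verifies they actually moved, strips the image's Defender exclusions, scans the file directly and turns the exit code into a job result. It assumes an elevated shell, Defender at its default path, and that C:\eicar.com already exists; the function names Enable-WindowsUpdateService, Update-DefenderSignatures and Invoke-DefenderFileScan are the example's own.

```powershell
# Added example, not code from the original issue or the runner-image project.
# Assumes: elevated shell, Defender at the default path, and that the file to
# scan (C:\eicar.com in the usage below) already exists on the runner.

$MpCmdRun = 'C:\Program Files\Windows Defender\MpCmdRun.exe'

function Enable-WindowsUpdateService {
    # wuauserv is disabled on the hosted images; MpCmdRun -SignatureUpdate needs it
    # or it fails with hr = 0x80070422 (ERROR_SERVICE_DISABLED).
    $svc = Get-Service -Name wuauserv
    if ($svc.StartType -eq 'Disabled') {
        Set-Service -Name wuauserv -StartupType Manual
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name wuauserv
    }
    (Get-Service -Name wuauserv).Status -eq 'Running'
}

function Update-DefenderSignatures {
    $before = (Get-MpComputerStatus).AntivirusSignatureVersion
    & $MpCmdRun -SignatureUpdate | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Native HRESULTs come back as negative ints; print them as the familiar 0x... form.
        throw ('Signature update failed with exit code {0} (0x{0:X8})' -f $LASTEXITCODE)
    }
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        VersionBefore = $before
        VersionAfter  = $status.AntivirusSignatureVersion
        SignatureAge  = (Get-Date) - $status.AntivirusSignatureLastUpdated
    }
}

function Invoke-DefenderFileScan {
    param([Parameter(Mandatory)] [string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # Exclusions apply to on-demand scans too; an excluded path is skipped, not reported.
    $exclusions = (Get-MpPreference).ExclusionPath
    if ($exclusions) { Remove-MpPreference -ExclusionPath $exclusions }

    & $MpCmdRun -Scan -ScanType 3 -File $Path | Out-Null
    $code = $LASTEXITCODE
    # Microsoft documents MpCmdRun -Scan exit codes as 0 = no threat found, 2 = threat found.
    [pscustomobject]@{
        Path        = $Path
        ExitCode    = $code
        ThreatFound = ($code -eq 2)
        Detections  = @(Get-MpThreatDetection | Where-Object { $_.Resources -like "*$Path*" })
    }
}

# Pipeline usage (shell: powershell). Any non-zero exit fails the step.
if (-not (Enable-WindowsUpdateService)) { throw 'Could not start wuauserv' }
Update-DefenderSignatures | Format-List
$scan = Invoke-DefenderFileScan -Path 'C:\eicar.com'
$scan | Format-List
if ($scan.ExitCode -ne 0 -and $scan.ExitCode -ne 2) { throw "MpCmdRun scan error: $($scan.ExitCode)" }
if ($scan.ThreatFound) { Write-Error "Threat detected in $($scan.Path)"; exit 2 }
```

Checking SignatureAge after the update is the useful part for a gated build: a signature update that "succeeds" against a stale mirror still leaves the scan running with old definitions, and a large age is the only visible symptom.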

@FrancescElies
Author

I see, I will close this one, thanks for your help!
