Virtual-environments: Add [Windows Defender] (question/feature)

Created on 8 May 2020 · 6 comments · Source: actions/virtual-environments

Problem:
I wanted to run following commands in the cloud:

"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File myfile.so

Is there a way to do this or something I missed?

Tool information

  • Tool name: Windows Defender

Area for Triage:
Don't know

Question, Bug, or Feature?:
Question and/or Feature (not sure)

Virtual environments affected

  • [x] Windows Server 2016 R2
  • [x] Windows Server 2019

Can this tool be installed during the build?
I guess so, it belongs to Windows.

Tool installation time in runtime
I don't know

Are you willing to submit a PR?
I don't think this would be optimal, I'm not a Windows dev.

Image administration Windows question

All 6 comments

Hello, @FrancescElies

You should use a scheduled job to run the antivirus check:

Example:

- run: |
        $fileName = 'C:\eicar.com'
        Invoke-WebRequest https://secure.eicar.org/eicar.com -OutFile $fileName
        Remove-MpPreference -ExclusionPath (Get-MpPreference).ExclusionPath
        $taskName = "FileScan"
        schtasks /create /tn $taskName /sc DAILY /st 13:00 /ru SYSTEM /rl HIGHEST /tr "'C:\Program Files\Windows Defender\MpCmdRun.exe' -Scan -ScanType 3 -File $fileName"
        Start-ScheduledTask -TaskName $taskName
        while ((Get-ScheduledTask -TaskName $taskName).State -ne 'Ready')
        {
            Start-Sleep -Seconds 5
        }
        Get-MpThreatDetection


@al-cheb Thanks for the quick reply, a couple of questions.

Just for my understanding, what's the reason behind having to run MpCmdRun.exe over the scheduler? Shouldn't "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File myfile.so be enough?
I saw you used /st 13:00, which starts the command at one o'clock? Is there any trick here I don't see so that the command starts directly?

- run: is an alias for - powershell, right?

@FrancescElies,

  1. I saw you used /st 13:00, which starts the command at one o'clock? - I am using the Start-ScheduledTask -TaskName $taskName command in my example to start the scheduled task right away and wait until it finishes.

  2. - run: is an alias for - powershell, right? - By default it uses the pwsh shell. I forgot to provide shell: powershell when copying the example:

- run: |
        $fileName = "C:\myfile.so"
        Remove-MpPreference -ExclusionPath (Get-MpPreference).ExclusionPath
        $taskName = "FileScan"
        schtasks /create /tn $taskName /sc DAILY /st 13:00 /ru SYSTEM /rl HIGHEST /tr "'C:\Program Files\Windows Defender\MpCmdRun.exe' -Scan -ScanType 3 -File $fileName"
        Start-ScheduledTask -TaskName $taskName
        while ((Get-ScheduledTask -TaskName $taskName).State -ne 'Ready')
        {
            Start-Sleep -Seconds 5
        }
        Get-MpThreatDetection
  shell: powershell

  3. Just for my understanding, what's the reason behind having to run MpCmdRun.exe over the scheduler? - Without using the scheduler under the SYSTEM user I ran into hr = 0x80070422 or files being skipped from the scan.

I have tested with shell: cmd and it works too:

- run: |
        Invoke-WebRequest https://secure.eicar.org/eicar.com -OutFile C:\eicar.com
        Remove-MpPreference -ExclusionPath (Get-MpPreference).ExclusionPath
  shell: powershell
- run: |
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate -http
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File C:\eicar.com
  shell: cmd

For the moment I have it running on a self-hosted machine, over there I can run MpCmdRun directly.

Is hr = 0x80070422 a bug? Is this something to be addressed?
At some point it would be nice to move that job to the cloud without having to do gymnastics with the scheduler.

Is hr = 0x80070422 a bug? - Nope, the wuauserv service is disabled by default. You should manually enable the wuauserv service in the pipeline.

- run: |
        Invoke-WebRequest https://secure.eicar.org/eicar.com -OutFile C:\eicar.com
        Remove-MpPreference -ExclusionPath (Get-MpPreference).ExclusionPath
        Set-Service -Name wuauserv -StartupType Manual -Status Running
  shell: powershell
- run: |
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File C:\eicar.com
  shell: cmd
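Putting the pieces from this thread together in one script (drop the image's Defender exclusions, enable wuauserv before the signature update, run the custom scan as SYSTEM through a scheduled task, then fail the job on a detection), as an added example; it is not code from this issue or from actions/virtual-environments. It uses the ScheduledTasks module cmdlets instead of schtasks, and the file path, the task name and the MpCmdRun exit-code mapping it checks (0 = clean, 2 = threat found) are assumptions, marked as such in the comments.

```powershell
# Added example, not from the issue thread. Scan one file with Windows Defender on a
# GitHub-hosted Windows runner (use `shell: powershell`, as the thread advises) and
# make the job fail when Defender reports a detection.
param(
    # Hypothetical file under test (assumption: any local path behaves the same way)
    [string]$FilePath = 'C:\myfile.so'
)
$ErrorActionPreference = 'Stop'
$mpCmdRun = 'C:\Program Files\Windows Defender\MpCmdRun.exe'
$taskName = 'FileScan'   # assumed task name, removed again at the end

# 1. The runner image carries Defender path exclusions; remove them or the file may be skipped.
$exclusions = (Get-MpPreference).ExclusionPath
if ($exclusions) { Remove-MpPreference -ExclusionPath $exclusions }

# 2. -SignatureUpdate goes through Windows Update, whose service (wuauserv) is disabled
#    on the image; without it MpCmdRun fails with hr = 0x80070422.
Set-Service -Name wuauserv -StartupType Manual -Status Running
& $mpCmdRun -SignatureUpdate
if ($LASTEXITCODE -ne 0) { throw "Signature update failed with exit code $LASTEXITCODE" }

# 3. Run the custom scan (-ScanType 3) as SYSTEM through a scheduled task, the workaround
#    the thread found necessary, using the ScheduledTasks cmdlets instead of schtasks.
$action    = New-ScheduledTaskAction -Execute $mpCmdRun -Argument "-Scan -ScanType 3 -File `"$FilePath`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal -Force | Out-Null
Start-ScheduledTask -TaskName $taskName
do { Start-Sleep -Seconds 5 } while ((Get-ScheduledTask -TaskName $taskName).State -ne 'Ready')

# 4. Collect the result. LastTaskResult holds MpCmdRun's exit code; the mapping used below
#    (0 = no threat, 2 = threat found) is an assumption to verify against your Defender build.
$scanExit = (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false

# Cross-check with Defender's own detection history, filtered to the scanned path.
$detections = Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($FilePath) }

if ($scanExit -eq 2 -or $detections) {
    foreach ($d in $detections) {
        $threat = Get-MpThreat -ThreatID $d.ThreatID
        Write-Host "DETECTION: $($threat.ThreatName) in $($d.Resources -join ', ')"
    }
    # ::error:: is a GitHub Actions workflow command; exit 1 fails the step.
    Write-Host "::error::Windows Defender flagged $FilePath (MpCmdRun exit code $scanExit)"
    exit 1
}
Write-Host "No threats detected in $FilePath (MpCmdRun exit code $scanExit)"
```

Running it as a single `run:` step with `shell: powershell` keeps the exclusion removal, the service start and the scan in one session, and the scheduled task is registered and unregistered in the same step so nothing is left behind on the runner. Checking both the exit code and Get-MpThreatDetection is deliberate: the exit-code meaning is an assumption, while the detection record is authoritative for what Defender actually quarantined.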

I see, I will close this one, thanks for your help!
