Attempt to prevent false positive detections by Windows Defender

[kachick]

Resolves Closes #442

[kachick]

~ psh
> cd "\\wsl.localhost\Ubuntu-22.04\home\kachick\repos\dotfiles"

kachick\repos\dotfiles via 🐹 v1.22.1 psh
> go build
go: RLock go.mod: Incorrect function.

golang/go#37461 🙄
golang/go#48572

[kachick]

cp -r "\\wsl.localhost\Ubuntu-22.04\home\kachick\repos\dotfiles" .\tmp\
cd .\tmp\dotfiles\
go build -o dist ./...
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File .\dist\winit-conf.exe
Scan starting...
CmdTool: Failed with hr = 0x80508023. Check C:\Users\YOU\AppData\Local\Temp\MpCmdRun.log for more information

https://learn.microsoft.com/ja-jp/powershell/scripting/learn/shell/running-commands?view=powershell-7.4|

https://answers.microsoft.com/en-us/windows/forum/all/error-code-0x80508023-with-windows-defender/3b37fc4d-8763-445d-9319-3e9b5a27800d

https://jikkenjo.net/1788.html

[kachick]

dotfiles rebel-for-ms-cop(e385403)  ≡via 🐹 v1.22.1 psh
! & "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "$(pwd)\dist\mksym.exe"
Scan starting...
Scan finished.
Scanning C:\Users\YOU\tmp\dotfiles\dist\mksym.exe found no threats.

dotfiles rebel-for-ms-cop(e385403)  ≡via 🐹 v1.22.1 psh
! & "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "$(pwd)\dist\winit-conf.exe"
Scan starting...
Scan finished.
Scanning C:\Users\YOU\tmp\dotfiles\dist\winit-conf.exe found no threats.

dotfiles rebel-for-ms-cop(e385403)  ≡via 🐹 v1.22.1 psh
> & "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "$(pwd)\dist\winit-reg.exe"
Scan starting...
Scan finished.
Scanning C:\Users\YOU\tmp\dotfiles\dist\winit-reg.exe found no threats.

[kachick]

💭 Getting GitHub artifact needs the auth header https://docs.github.com/ja/rest/actions/artifacts?apiVersion=2022-11-28#get-an-artifact, I want release #417

[kachick]

https://github.com/kachick/dotfiles/actions/runs/8183096127/job/22375449050

Signature update started . . .
Service Version: 4.18.24010.12
Engine Version: 1.1.24020.9
AntiSpyware Signature Version: 1.40[7](https://github.com/kachick/dotfiles/actions/runs/8183096127/job/22375449050#step:9:8).[8](https://github.com/kachick/dotfiles/actions/runs/8183096127/job/22375449050#step:9:9).0
AntiVirus Signature Version: 1.407.8.0
Signature update finished. No updates needed
Scan starting...
Scan finished.
Scanning D:\a\dotfiles\dotfiles\dist\winit-conf_windows_amd64_v1\winit-conf.exe was skipped.
Scan starting...
Scan finished.
Scanning D:\a\dotfiles\dotfiles\dist\winit-reg_windows_amd64_v1\winit-reg.exe was skipped.

🤔 Why skipped the 👮‍♂️

[kachick]

🎉

1987087

Signature update started . . .
Service Version: 4.18.24010.12
Engine Version: 1.1.24020.[9](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:9:10)
AntiSpyware Signature Version: 1.407.8.0
AntiVirus Signature Version: 1.407.8.0
Signature update finished. No updates needed
Scan starting...
Scan finished.
Scanning D:\a\dotfiles\dotfiles\dist\winit-conf_windows_amd64_v1\winit-conf.exe found no threats.
Scan starting...
Scan finished.
Scanning D:\a\dotfiles\dotfiles\dist\winit-reg_windows_amd64_v1\winit-reg.exe found no threats.

💭 But ... why detected in my client with same logic binary...

[kachick]

With the provided path, there will be 2 files uploaded
Artifact name is valid!
Root directory input is valid!
Beginning upload of artifact content to blob storage
Uploaded bytes 1444426
Finished uploading artifact content to blob storage!
SHA256 hash of uploaded artifact zip is 21f71e16e3ccea63dbd5d1fe72fc0b4eecb[9](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:8:10)5dce90cb00022238a865a9e3d020
Finalizing artifact upload
Artifact winit.zip successfully finalized. Artifact ID [13](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:8:14)04707506
Artifact winit has been successfully uploaded! Final size is [14](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:8:15)44426 bytes. Artifact ID is 1304707506
Artifact download URL: https://github.com/kachick/dotfiles/actions/runs/8[18](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:8:19)3[1](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:11:1)96[4](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:11:5)02/artifacts/1304707[5](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:11:6)0[6](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:11:7)

Still detect for this zip 😠

[kachick]

There are no Dynamic Signatures on the machine.

Looks different with my local

How to use AddDynamicSignature?

https://github.com/MicrosoftDocs/microsoft-365-docs/blob/72fee082b7dd7f5549ee2f4d50563810e6f4aafc/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md?plain=1#L66
https://github.com/quikdev/go/blob/0768e40eb1694a5607b93500d341fb1738167c0e/README.md?plain=1#L99-L121

[kachick]

https://www.microsoft.com/en-us/wdsi/defenderupdates
https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes

🤔

[kachick]

& "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -DynamicSignatures

It removes all dynamic signatures and & "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate does NOT append again 🤣

Then my artifact will not be detected as CI, so this is the guilty reason...

[kachick]

I need MS help to beat MS

[kachick]

You're welcome. Here is the translation of my answer in English:

Dynamic Signatures are a feature that allows you to download definitions to deal with new threats through a cloud-based service called Microsoft SpyNet. To enable Dynamic Signatures, you need to turn on cloud-based protection and automatic sample submission in Windows Security settings. By enabling Dynamic Signatures, Windows Defender can provide more advanced protection.

[kachick]

Enabling all, but empty list

Toggled some options and wait some times, the list appeared again. I didn't know which option is the treasure...

[kachick]

Hello, this is Copilot. Let's talk about MpCmdRun.exe and Dynamic Signatures.

You are correct that `MpCmdRun.exe -ListAllDynamicSignatures` lists the enabled Dynamic Signatures, which are definitions that are downloaded from Microsoft SpyNet to deal with new threats¹. You can also use `MpCmdRun.exe -AddDynamicSignature` to load Dynamic Signatures from a local file or a network share².

The -PATH parameter of AddDynamicSignature specifies the location of the Dynamic Signature file that you want to load. The file must be in the CAB format and contain a valid signature set². You can obtain such a file from Microsoft or create your own using the Dynamic Signature Authoring Tool³.

The SignatureSet ID that is shown by ListAllDynamicSignatures is a unique identifier for each Dynamic Signature that is loaded. You can use this ID to remove a specific Dynamic Signature using the command `MpCmdRun.exe -RemoveDynamicSignature -SignatureSetID <ID>`².

I hope this helps you understand how to use MpCmdRun.exe and Dynamic Signatures. If you have any other questions, please let me know.

ソース: Bing との会話 2024/3/7
([1](https://learn.microsoft.com/ja-jp/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide)) コマンドラインを使用して Microsoft Defender ウイルス対策を管理 .... https://learn.microsoft.com/ja-jp/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide.
([2](https://wa3.i-3-i.info/word13502.html)) MpCmDRun.exeとは｜「分かりそう」で「分からない」でも .... https://wa3.i-3-i.info/word1350[2](https://wa3.i-3-i.info/word13502.html).html.
([3](https://news.mynavi.jp/article/win10tips-410/)) Windows Defenderの定義ファイルを手動で更新する - マイナビ .... https://news.mynavi.jp/article/win10tips-410/.
(4) Windows Defenderをコマンド操作しよう | nobwak's Lair. https://nobwak.github.io/posts/windows-defender%E3%8[2](https://wa3.i-3-i.info/word13502.html)%92%E3%82%B3%E3%83%9E%E3%83%B3%E3%83%89%E6%93%8D%E4%BD%9C%E3%81%97%E3%82%88%E3%81%86/.
(5) Microsoft Defender ウイルス対策をコマンドで操作する方法 .... https://4thsight.xyz/8270.

[kachick]

Hello, this is Copilot. I'm glad you found the reference helpful. Of course, you can ask more questions.

[According to the web search results](https://github.blog/changelog/2021-11-16-github-actions-windows-server-2022-with-visual-studio-2022-is-now-generally-available-on-github-hosted-runners/)¹², Windows Server 2022 is now available on GitHub-hosted runners, and it supports Visual Studio 2022 and Windows PowerShell 7.2. However, it seems that Dynamic Signatures are not enabled by default on Windows Server 2022, unlike Windows [1](https://github.blog/changelog/2021-11-16-github-actions-windows-server-2022-with-visual-studio-2022-is-now-generally-available-on-github-hosted-runners/)1.

To enable Dynamic Signatures on Windows Server [2](https://github.blog/changelog/2022-01-11-github-actions-jobs-running-on-windows-latest-are-now-running-on-windows-server-2022/)022, you need to do two things:

- First, you need to join the Microsoft SpyNet community, which is a cloud-based service that provides Dynamic Signatures to Windows Defender. You can do this by setting the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\JoinMicrosoftSpyNet` to `1`³.
- Second, you need to configure the Windows Defender settings to allow cloud-based protection and automatic sample submission. You can do this by using the PowerShell cmdlets or the registry keys that I explained in my previous answer.

After doing these steps, you should be able to see the Dynamic Signatures in the output of `MpCmdRun.exe -ListAllDynamicSignatures`. You can also use the `Get-MpComputerStatus` cmdlet to check the status of the Dynamic Signatures⁴.

I hope this helps you understand how to enable Dynamic Signatures on Windows Server 2022. If you have any other questions, please let me know.

ソース: Bing との会話 2024/[3](https://github.com/github/roadmap/issues/241)/7
(1) GitHub Actions: Windows Server 2022 with Visual Studio 2022 .... https://github.blog/changelog/2021-11-16-github-actions-windows-server-2022-with-visual-studio-2022-is-now-generally-available-on-github-hosted-runners/.
(2) GitHub Actions: Jobs running on `windows-latest` are now .... https://github.blog/changelog/2022-01-11-github-actions-jobs-running-on-windows-latest-are-now-running-on-windows-server-2022/.
(3) Actions: Windows Server 2022 on GitHub-hosted runners #2[4](https://newreleases.io/project/github/actions/runner-images/release/win22%2F20240128.1)1. https://github.com/github/roadmap/issues/241.
(4) ️ Actions Runner Image: Windows Server 2022 - NewReleases.io. https://newreleases.io/project/github/actions/runner-images/release/win22%2F20240128.1.
(5) Trigger Windows22 CI · Workflow runs · actions/runner-images. https://github.com/actions/runner-images/actions/workflows/windows2022.yml.

[kachick]

Copilot? 🤷‍♂️ I will be the 🤖 instead

actions/runner-images#8641
actions/runner-images#9403
actions/runner-images#7320 (comment)
actions/runner-images#574
actions/runner-images#4415
actions/runner-images#4489
actions/runner-images#5969
actions/runner-images#6259
actions/runner-images#4924
actions/runner-images#8285

[kachick]

https://github.com/actions/runner-images/blob/61df9288f9be9f6aeaaaa4ad52a7332432913fc3/images/windows/scripts/tests/WindowsFeatures.Tests.ps1#L76-L82
https://github.com/actions/runner-images/blob/61df9288f9be9f6aeaaaa4ad52a7332432913fc3/images/windows/templates/windows-2022.pkr.hcl#L248
https://github.com/actions/runner-images/blob/61df9288f9be9f6aeaaaa4ad52a7332432913fc3/images/windows/scripts/build/Install-WindowsUpdates.ps1#L26-L28
https://github.com/actions/runner-images/blob/61df9288f9be9f6aeaaaa4ad52a7332432913fc3/images/windows/scripts/build/Install-WindowsUpdatesAfterReboot.ps1#L7
https://github.com/actions/runner-images/blob/61df9288f9be9f6aeaaaa4ad52a7332432913fc3/images/windows/scripts/build/Configure-WindowsDefender.ps1#L3

[kachick]

[kachick]

[kachick]

https://github.com/kachick/dotfiles/actions/runs/8188096063 detect - 956b773
https://github.com/kachick/dotfiles/actions/runs/8188170201 next artifact, not detect - 8eca3a6

956b773...8eca3a6 ??? 🤷‍♂️

Hmm... if #444 (comment)

Maybe he works for us as a linter 🤣

🙄 Then I wish to use it as a CLI...