
Scan Windows release package using Microsoft Defender

Things aren't perfect, but they're the best we can do given what we're
left to work with. For example:

- We cannot update the virus signatures, because that command simply
fails, despite being copy-and-pasted from Microsoft's documentation.

- When queried, Windows reports its virus signature age is
4,294,967,295 days old, which, on geological time scales, pre-dates
even the Pleistocene era by 9.7 million years.

Despite these issues, my hunch is that the signatures are current as of
the date when the VM's base-image was generated; and because we're in
the Holocene era of zero-day network threats, my guess is GitHub is
re-generating images at least weekly if not more frequently (and sure
enough, Defender catches the EICAR dummy virus).

Note that we're not using Start-MpScan because it does not provide any
useful output on status of scans (indeed!), so I've moved that here into
the commit message.
Troy Campbell 2020-04-29 14:20:47 -07:00 committed by Patryk Obara
parent 71af263cf5
commit e417d06289
3 changed files with 14 additions and 2 deletions


@ -142,7 +142,7 @@ jobs:
# Create tarball
tar -cJf "dosbox-staging-linux-$VERSION.tar.xz" "dosbox-staging-linux-$VERSION"
- name: AV scan
- name: Clam AV scan
run: |
set -x
sudo apt-get install clamav > /dev/null
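Review bot: The new step name on the `- name: Clam AV scan` line splits the product name in two; the package installed two lines below is `clamav` and the scanner is written ClamAV, so `ClamAV scan` would read correctly in the job log and be easier to search for.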


@ -144,7 +144,7 @@ jobs:
-srcfolder dist \
-ov -format UDZO "dosbox-staging-macOS-${{ env.VERSION }}.dmg"
- name: AV scan
- name: Clam AV scan
run: |
set -x
brew install clamav > /dev/null
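Review bot: Step-name casing on the `- name: Clam AV scan` line differs from the Windows step added in the same commit (`Windows Defender AV Scan`), so the platform jobs will show `scan` and `Scan` side by side. Pick one casing and use it in all three workflow files.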


@ -169,6 +169,18 @@ jobs:
sed -i "s|%GITHUB_REPO%|$GITHUB_REPOSITORY|" dest/README.txt
# Create dir for zipping
mv dest dosbox-staging-windows-${{ env.VERSION }}
- name: Windows Defender AV Scan
shell: powershell
run: |
$ErrorActionPreference = 'Stop'
$dosboxDir = "${{ github.workspace }}/dosbox-staging-windows-${{ env.VERSION }}"
& 'C:\Program Files\Windows Defender\MpCmdRun.exe' -Scan -ScanType 3 -DisableRemediation -File $dosboxDir
if( $LASTEXITCODE -ne 0 ) {
Get-Content -Path $env:TEMP\MpCmdRun.log
Throw "Exit $LASTEXITCODE : Windows Defender found an issue"
}
- name: Upload package
uses: actions/upload-artifact@master
with:
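Review bot: Inside the `if( $LASTEXITCODE -ne 0 )` block, `Get-Content -Path $env:TEMP\MpCmdRun.log` runs under `$ErrorActionPreference = 'Stop'`, so if that log is missing or unreadable the step aborts on the read error and the `Throw` carrying the exit code is never reached. Guard the read with `Test-Path` (or pass `-ErrorAction Continue` on that call) so the exit code is always reported. The `Throw` text also labels every non-zero exit as a detection, although a scan that failed to run lands in the same branch; wording such as "scan failed or reported a detection" would be accurate for both. Given the commit message's note that signature updates fail and the reported signature age is meaningless, consider having the step scan an EICAR test file first and fail if it is not flagged, so a non-functional engine cannot wave the release package through.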