From e417d062898d93eefa73415ccdc3974b3345bd1c Mon Sep 17 00:00:00 2001
From: Troy Campbell
Date: Wed, 29 Apr 2020 14:20:47 -0700
Subject: [PATCH] Scan Windows release package using Microsoft Defender

Things aren't perfect, but they're the best we can do given what we're left to work with. For example:
- We cannot update the virus signatures, because that command simply fails, despite being copy-and-paste'd from Microsoft's documentation.
- When queried, Windows reports its virus signature age is 4,294,967,295 days old, which, on geological time scales, pre-dates even the Pleistocene era by 9.7 million years.
Despite these issues, my hunch is that the signatures are current as of the date when the VM's base-image was generated; and because we're in the Holocene era of zero-day network threats, my guess is GitHub is re-generating images at least weekly if not more frequently (and sure enough, Defender catches the EICAR dummy virus.
Note that we're not using Start-MpScan because it does not provide any useful output on status of scans (indeed!), so I've moved that here into the commit message.
---
 .github/workflows/linux.yml | 2 +-
 .github/workflows/macos.yml | 2 +-
 .github/workflows/windows.yml | 12 ++++++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 768cbf85..c6002edd 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -142,7 +142,7 @@ jobs:
 # Create tarball
 tar -cJf "dosbox-staging-linux-$VERSION.tar.xz" "dosbox-staging-linux-$VERSION"
- - name: AV scan
+ - name: Clam AV scan
 run: |
 set -x
 sudo apt-get install clamav > /dev/null
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index 8508f51d..8ad15131 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -144,7 +144,7 @@ jobs:
 -srcfolder dist \
 -ov -format UDZO "dosbox-staging-macOS-${{ env.VERSION }}.dmg"
- - name: AV scan
+ - name: Clam AV scan
 run: |
 set -x
 brew install clamav > /dev/null
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 56879a82..c4394a0c 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -169,6 +169,18 @@ jobs:
 sed -i "s|%GITHUB_REPO%|$GITHUB_REPOSITORY|" dest/README.txt
 # Create dir for zipping
 mv dest dosbox-staging-windows-${{ env.VERSION }}
+
+ - name: Windows Defender AV Scan
+ shell: powershell
+ run: |
+ $ErrorActionPreference = 'Stop'
+ $dosboxDir = "${{ github.workspace }}/dosbox-staging-windows-${{ env.VERSION }}"
+ & 'C:\Program Files\Windows Defender\MpCmdRun.exe' -Scan -ScanType 3 -DisableRemediation -File $dosboxDir
+ if( $LASTEXITCODE -ne 0 ) {
+ Get-Content -Path $env:TEMP\MpCmdRun.log
+ Throw "Exit $LASTEXITCODE : Windows Defender found an issue"
+ }
+
 - name: Upload package
 uses: actions/upload-artifact@master
 with:
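Review bot: The `$dosboxDir =` line in the new Windows Defender step splices `${{ github.workspace }}` and `${{ env.VERSION }}` into the PowerShell source before the script runs, so whatever feeds `VERSION` (set outside this hunk) is interpolated as code rather than passed as data; the usual workflow-injection-safe form is to read them from the process environment, `$dosboxDir = Join-Path $env:GITHUB_WORKSPACE "dosbox-staging-windows-$env:VERSION"`, which also hands MpCmdRun a native backslash path instead of a mixed one. The `Throw` branch reports every non-zero `$LASTEXITCODE` as "found an issue"; MpCmdRun is documented to return 2 for detections and other values for scan failures, so a scan that could not run at all (the commit message already describes a runner where signature updates fail) would be logged as if it were a malware hit — consider checking for `-eq 2` separately and wording the other case as a scan error. Since `-DisableRemediation` correctly leaves the artifact untouched and only fails the job, the remaining gap for a release gate is knowing which definitions were actually used; printing `(Get-MpComputerStatus).AntivirusSignatureVersion` before the scan would record that, if that cmdlet returns sane values on the runner (the commit message notes the age field does not).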