Windows Defender as scanner
Question asked by echoDreamz - June 7, 2017 at 10:27 AM
Unanswered
Has anyone had the idea of trying to use Windows Defender's command line scanner with SmarterMail? Clam is great, but the detection rate is pretty low even with 3rd party databases. I imagine WD is a little better.

Christopher

12 Replies

0
jorge.mx.neto Replied
In this thread (https://portal.smartertools.com/community/a2204/what-is-the-enable-real-time-av.aspx) this topic was approached, but there were no specific answers on how to manage the command line AV.
 
I've made some tests with MS Windows Defender but with no conclusive results; below, for reference, is the syntax I used.
 
C:\Program Files\Microsoft Security Client>MpCmdRun.exe -Scan -ScanType 3 -File %FILEPATH -disableremediation
 
Maybe someone can also chime in more results on this topic.
 
0
echoDreamz Replied
C:\Program Files\Windows Defender\MpCmdRun.exe -scan -scantype 3 -file "%FILEPATH" -disableremediation
Same as your setup here. I see scans are running. Though reports today show 0 viruses caught. Usually we have 800+ (though that is based on the ClamAV scanner).
 
The log located in the Windows temp directory shows tons of scanned messages with no threats, so either it is simply not working or is really not finding any threats.

Christopher

0
echoDreamz Replied
Just an update: after setting up a mail server to easily send EICAR test viruses through to our primary server, Windows Defender picks them up if I copy them to the desktop or manually scan the file, but in an email it reports no threats. So clearly the scanner is not working properly.

Christopher

1
Shivam Parikh Replied
Any way to make this work? I just found out ClamAV missed a virus in an .iso format.
My email gets forwarded to Gmail and they reported the virus and blocked it.
0
echoDreamz Replied
We were able to get it working, but it involved a custom proc monitoring service that extracts the attachments from the .eml file and initiates the scan.

Christopher

0
Can you help with some guide?
0
echoDreamz Replied
A modified version of https://github.com/SmarterTools/SMCustomHeaders, along with the MailBee.net library to help with processing the .eml file.

Just have to be real careful: if the proc monitoring service you created stalls or crashes, email delivery stops.

Christopher

0
Just asking, but isn't it "dangerous" to let Windows Defender run actively on a SmarterMail server?
I mean, if it catches a dangerous pattern in a .grp file, won't it remove the whole file instead of the offending mail?


0
echoDreamz Replied
That is why SmarterMail adds .grp files and other files automatically to the exclusion list.

Christopher

0
Oh @echoDreamz, I didn't know about this KB page, thanks.
On our side we just uninstalled it to avoid problems :)
1
Windows Defender is probably going to be the worst possible mail server virus scanner. One, it updates infrequently (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus), and two, it might not be able to extract base64 encoded attachments from email files for a proper scan.
1
echoDreamz Replied
Yeah, this is why we've used MailBee.net to extract the attachments. We did stop using Windows Defender; it did work really well, but the lack of reporting and logging was a bit annoying. We moved to another scanner where we can easily review what happened, what infection was identified, etc.

Christopher
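The approach described in the thread (decode the attachments out of the .eml yourself, then hand each decoded file to MpCmdRun.exe, because Defender will not unpack base64 parts from a raw message file) can be sketched in a few lines with the Python standard library. This is an added example, not SmarterTools' SMCustomHeaders code nor the MailBee.net-based service echoDreamz describes. It assumes the MpCmdRun.exe path and the -Scan -ScanType 3 -File -DisableRemediation switches quoted above, and the documented MpCmdRun exit codes (0 = nothing found, 2 = threat found); the sample message is constructed, and the scanner call is injectable so the flow can be exercised on a machine without Defender.

```python
"""Extract attachments from an .eml file and scan each one with MpCmdRun.exe.

Added example, not SmarterMail or SMCustomHeaders code. Assumptions:
  - MpCmdRun.exe lives at the path quoted in the thread;
  - the -Scan -ScanType 3 -File -DisableRemediation switches from the thread;
  - exit code 0 means clean, 2 means a threat was detected (documented MpCmdRun codes).
"""
import email
import subprocess
import tempfile
from email import policy
from pathlib import Path

MPCMDRUN = r"C:\Program Files\Windows Defender\MpCmdRun.exe"

# Constructed sample message: a text body plus one base64-encoded attachment.
# The decoded attachment is the harmless string "hello world".
SAMPLE_EML = b"""From: sender@example.test
To: user@example.test
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="report.bin"
Content-Disposition: attachment; filename="report.bin"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQ=
--b1--
"""


def extract_attachments(raw: bytes) -> list[tuple[str, bytes]]:
    """Return (filename, decoded bytes) for every attachment part.

    The email parser undoes the base64 transfer encoding, which is exactly
    the step Defender does not perform when pointed at the raw .eml.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        # Keep only the basename: a filename supplied by the sender must never
        # be allowed to steer the write outside the scratch directory.
        name = Path(part.get_filename() or "unnamed").name
        found.append((name, part.get_payload(decode=True)))
    return found


def scan_command(path: str) -> list[str]:
    """Build the MpCmdRun invocation used in the thread for one file."""
    return [MPCMDRUN, "-Scan", "-ScanType", "3", "-File", path, "-DisableRemediation"]


def classify(exit_code: int) -> str:
    """Map MpCmdRun's exit code to a verdict; anything else is a scanner error,
    which callers should treat as 'not scanned' rather than 'clean'."""
    return {0: "clean", 2: "threat"}.get(exit_code, "error")


def scan_eml(raw: bytes, runner=subprocess.run) -> dict[str, str]:
    """Decode each attachment into a temp dir, scan it, return {filename: verdict}.

    `runner` defaults to subprocess.run; tests inject a stand-in so the
    control flow can be checked without Windows Defender installed.
    """
    verdicts = {}
    with tempfile.TemporaryDirectory() as scratch:
        for name, data in extract_attachments(raw):
            target = Path(scratch) / name
            target.write_bytes(data)
            proc = runner(scan_command(str(target)), capture_output=True)
            verdicts[name] = classify(proc.returncode)
    return verdicts


if __name__ == "__main__":
    # On a Windows host with Defender this actually invokes MpCmdRun.exe.
    print(scan_eml(SAMPLE_EML))
```

The point echoDreamz makes about the monitoring service stalling applies here too: the scanner call sits in the delivery path, so a production version would add a timeout to the runner and decide explicitly what an "error" verdict means for delivery rather than letting it fall through as clean.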
