Windows Defender as scanner

Question asked by echoDreamz - 6/7/2017 at 10:27 AM

Unanswered

Has anyone had the idea of trying to use Windows Defender's command line scanner with SmarterMail? Clam is great, but the detection rate is pretty low even with 3rd party databases. I imagine WD is a little better.

12 Replies

Reply to Thread

jorge.mx.neto Replied

6/8/2017 at 9:07 AM

In this thread (https://portal.smartertools.com/community/a2204/what-is-the-enable-real-time-av.aspx) this topic was approached, but no specific answers how to manage the command line AV.

I've made some tests with the MS Windows Defender but no conclusive results, below for reference the syntax I used.

C:\Program Files\Microsoft Security Client>MpCmdRun.exe -Scan -ScanType 3 -File %FILEPATH -disableremediation

Maybe someone can also chime in more results on this topic.

echoDreamz Replied

6/8/2017 at 9:46 AM

C:\Program Files\Windows Defender\MpCmdRun.exe -scan -scantype 3 -file "%FILEPATH" -disableremediation

Same as your setup here. I see scans are running. Though reports today show 0 viruses caught. Usually we have 800+ (though that is based on the ClamAV scanner).

The log located in the Windows temp directory shows tons of scanned messages with no threats, so either it is simply not working or is really not finding any threats.

echoDreamz Replied

6/8/2017 at 12:38 PM

Just an update, after setting up a mail server to send ecar test viruses through easily to our primary server, Windows defender picks them up if I copy to the desktop or manually scan the file, but in an email, it reports no threats. So clearly the scanner is not working properly.

Shivam Parikh Replied

12/1/2018 at 7:07 AM

Any way to make this work ? I just found out ClamAV missed a virus in an .iso format.

My email gets forwarded to Gmail and they reported the virus and blocked it.

echoDreamz Replied

12/1/2018 at 11:53 AM

We were able to get it working, but it involved a custom proc monitoring service and extracts the attachments from the .eml file and initiates the scan.

Shivam Parikh Replied

12/1/2018 at 12:04 PM

Can you help with some guide ?

echoDreamz Replied

12/1/2018 at 1:14 PM

https://github.com/SmarterTools/SMCustomHeaders modified version of this along with the MailBee.net library to help with processing the .eml file.

Just have to be real careful, if the proc monitoring service you created stalls our crashes, email delivery stops.

Nicolas Fertig Replied

12/1/2018 at 10:24 PM

Just asking but isn't it "dangerous" to let Windows Defender actively running on a SmarterMail server.

I mean if it catches a dangerous pattern in a .grp file, won't it remove the whole file instead of the offending mail ?

echoDreamz Replied

12/2/2018 at 12:04 AM

That is why SmarterMail adds .grp files and other files automatically to the exclusion list.

https://portal.smartertools.com/kb/a3249/windows-defender-and-virus-scanner-exceptions.aspx

Nicolas Fertig Replied

12/2/2018 at 1:25 AM

Oh @echoDreams, I didn't know about this kb page, thanks.

On our side we just uninstalled it to avoid problems :)

They Call Me Matt Replied

12/3/2018 at 2:02 PM

Windows Defender is probably going to be the worst possible mail server virus scanner. One, it updates infrequently (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus ), and two, it might not be able to extract base64 encoded attachments from email files for a proper scan.

echoDreamz Replied

12/3/2018 at 7:45 PM

Yeah, this is why we've used Mailbee.net to extract the attachments. We did stop using Windows Defender, it did work really well, but lack of reporting and logging was a bit annoying. We moved to another scanner that we can easily review what happened, what infection was identified etc.

Back to Community Threads

Please leave this box unchecked

12 Replies

Reply to Thread

Tags

Related Knowledge Base Articles