refactor(diagnostic,scoop-checkup): Improvements for 'check_windows_d…

…efender' and 'scoop-checkup' (ScoopInstaller#4699)

* Downgrade defender checks from `warn` to `info`

* checkup update

- Skip `check_windows_defender` when have not admin privileges
- Separate defender issues($defenderIssues)
- Security Tips

* Skip check for `ExclusionPath` if defender realtime protect is disabled

* elif

* CHANGELOG

CHANGELOG.md

@@ -33,6 +33,10 @@
 - **rmdir:** Use 'Remove-Item' instead of 'rmdir' ([#4691](https://github.com/ScoopInstaller/Scoop/issues/4691))
 - **COMSPEC:** Deprecate use of subshell cmd.exe ([#4692](https://github.com/ScoopInstaller/Scoop/pull/4692))
 - **git:** Use 'git -C' to specify the work directory instead of 'Push-Location'/'Pop-Location' ([#4697](https://github.com/ScoopInstaller/Scoop/pull/4697))
+- **diagnostic** Downgrade defender checks from 'WARN' to 'INFO' ([#4699](https://github.com/ScoopInstaller/Scoop/pull/4699))
+- **diagnostic** Skip check for 'exclusionPath' if defender realtime protect is disabled ([#4699](https://github.com/ScoopInstaller/Scoop/pull/4699))
+- **scoop-checkup** Skip 'check_windows_defender' when have not admin privileges ([#4699](https://github.com/ScoopInstaller/Scoop/pull/4699))
+- **scoop-checkup** Separate defender issues, mark as performance problem instead potential problem ([#4699](https://github.com/ScoopInstaller/Scoop/pull/4699))
 
 ### Builds
 

lib/diagnostic.ps1

@@ -6,19 +6,20 @@ Use 'warn' to highlight the issue, and follow up with the recommended actions to
 . "$PSScriptRoot\buckets.ps1"
 
 function check_windows_defender($global) {
-    $defender = get-service -name WinDefend -errorAction SilentlyContinue
-    if($defender -and $defender.status) {
-        if($defender.status -eq [system.serviceprocess.servicecontrollerstatus]::running) {
-            if (Test-CommandAvailable Get-MpPreference) {
+    $defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
+    if (Test-CommandAvailable Get-MpPreference) {
+        if ((Get-MpPreference).DisableRealtimeMonitoring) { return $true }
+        if ($defender -and $defender.Status) {
+            if ($defender.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {
                 $installPath = $scoopdir;
-                if($global) { $installPath = $globaldir; }
-
-                $exclusionPath = (Get-MpPreference).exclusionPath
-                if(!($exclusionPath -contains $installPath)) {
-                    warn "Windows Defender may slow down or disrupt installs with realtime scanning."
-                    write-host "  Consider running:"
-                    write-host "    sudo Add-MpPreference -ExclusionPath '$installPath'"
-                    write-host "  (Requires 'sudo' command. Run 'scoop install sudo' if you don't have it.)"
+                if ($global) { $installPath = $globaldir; }
+
+                $exclusionPath = (Get-MpPreference).ExclusionPath
+                if (!($exclusionPath -contains $installPath)) {
+                    info "Windows Defender may slow down or disrupt installs with realtime scanning."
+                    Write-Host "  Consider running:"
+                    Write-Host "    sudo Add-MpPreference -ExclusionPath '$installPath'"
+                    Write-Host "  (Requires 'sudo' command. Run 'scoop install sudo' if you don't have it.)"
                     return $false
                 }
             }
@@ -28,7 +29,7 @@ function check_windows_defender($global) {
 }
 
 function check_main_bucket {
-    if ((Get-LocalBucket) -notcontains 'main'){
+    if ((Get-LocalBucket) -notcontains 'main') {
         warn 'Main bucket is not added.'
         Write-Host "  run 'scoop bucket add main'"
 

libexec/scoop-checkup.ps1

@@ -7,9 +7,15 @@
 . "$psscriptroot\..\lib\diagnostic.ps1"
 
 $issues = 0
+$defenderIssues = 0
+
+$adminPrivileges = ([System.Security.Principal.WindowsPrincipal] [System.Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
+
+if ($adminPrivileges) {
+    $defenderIssues += !(check_windows_defender $false)
+    $defenderIssues += !(check_windows_defender $true)
+}
 
-$issues += !(check_windows_defender $false)
-$issues += !(check_windows_defender $true)
 $issues += !(check_main_bucket)
 $issues += !(check_long_paths)
 
@@ -29,19 +35,22 @@ if (!(Test-HelperInstalled -Helper Dark)) {
 }
 
 $globaldir = New-Object System.IO.DriveInfo($globaldir)
-if($globaldir.DriveFormat -ne 'NTFS') {
+if ($globaldir.DriveFormat -ne 'NTFS') {
     error "Scoop requires an NTFS volume to work! Please point `$env:SCOOP_GLOBAL or 'globalPath' variable in '~/.config/scoop/config.json' to another Drive."
     $issues++
 }
 
 $scoopdir = New-Object System.IO.DriveInfo($scoopdir)
-if($scoopdir.DriveFormat -ne 'NTFS') {
+if ($scoopdir.DriveFormat -ne 'NTFS') {
     error "Scoop requires an NTFS volume to work! Please point `$env:SCOOP or 'rootPath' variable in '~/.config/scoop/config.json' to another Drive."
     $issues++
 }
 
-if($issues) {
+if ($issues) {
     warn "Found $issues potential $(pluralize $issues problem problems)."
+} elseif ($defenderIssues) {
+    info "Found $defenderIssues performance $(pluralize $defenderIssues problem problems)."
+    warn "Security is more important than performance, in most cases."
 } else {
     success "No problems identified!"
 }