From 940591fc77082db2e70028b934192b51077dc11a Mon Sep 17 00:00:00 2001 From: HUMORCE Date: Tue, 1 Feb 2022 15:54:48 +0800 Subject: [PATCH] refactor(diagnostic,scoop-checkup): Improvements for 'check_windows_defender' and 'scoop-checkup' (#4699) * Downgrade defender checks from `warn` to `info` * checkup update - Skip `check_windows_defender` when have not admin privileges - Separate defender issues($defenderIssues) - Security Tips * Skip check for `ExclusionPath` if defender realtime protect is disabled * elif * CHANGELOG --- CHANGELOG.md | 4 ++++ lib/diagnostic.ps1 | 27 ++++++++++++++------------- libexec/scoop-checkup.ps1 | 19 ++++++++++++++----- 3 files changed, 32 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 04ea9110f9..fa8d0848f6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,6 +33,10 @@ - **rmdir:** Use 'Remove-Item' instead of 'rmdir' ([#4691](https://github.com/ScoopInstaller/Scoop/issues/4691)) - **COMSPEC:** Deprecate use of subshell cmd.exe ([#4692](https://github.com/ScoopInstaller/Scoop/pull/4692)) - **git:** Use 'git -C' to specify the work directory instead of 'Push-Location'/'Pop-Location' ([#4697](https://github.com/ScoopInstaller/Scoop/pull/4697)) +- **diagnostic** Downgrade defender checks from 'WARN' to 'INFO' ([#4699](https://github.com/ScoopInstaller/Scoop/pull/4699)) +- **diagnostic** Skip check for 'exclusionPath' if defender realtime protect is disabled ([#4699](https://github.com/ScoopInstaller/Scoop/pull/4699)) +- **scoop-checkup** Skip 'check_windows_defender' when have not admin privileges ([#4699](https://github.com/ScoopInstaller/Scoop/pull/4699)) +- **scoop-checkup** Separate defender issues, mark as performance problem instead potential problem ([#4699](https://github.com/ScoopInstaller/Scoop/pull/4699)) ### Builds diff --git a/lib/diagnostic.ps1 b/lib/diagnostic.ps1 index b3927e8bec..807e1e73e5 100644 --- a/lib/diagnostic.ps1 +++ b/lib/diagnostic.ps1 
@@ -6,19 +6,20 @@ Use 'warn' to highlight the issue, and follow up with the recommended actions to . "$PSScriptRoot\buckets.ps1" function check_windows_defender($global) { - $defender = get-service -name WinDefend -errorAction SilentlyContinue - if($defender -and $defender.status) { - if($defender.status -eq [system.serviceprocess.servicecontrollerstatus]::running) { - if (Test-CommandAvailable Get-MpPreference) { + $defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue + if (Test-CommandAvailable Get-MpPreference) { + if ((Get-MpPreference).DisableRealtimeMonitoring) { return $true } + if ($defender -and $defender.Status) { + if ($defender.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) { $installPath = $scoopdir; - if($global) { $installPath = $globaldir; } - - $exclusionPath = (Get-MpPreference).exclusionPath - if(!($exclusionPath -contains $installPath)) { - warn "Windows Defender may slow down or disrupt installs with realtime scanning." - write-host " Consider running:" - write-host " sudo Add-MpPreference -ExclusionPath '$installPath'" - write-host " (Requires 'sudo' command. Run 'scoop install sudo' if you don't have it.)" + if ($global) { $installPath = $globaldir; } + + $exclusionPath = (Get-MpPreference).ExclusionPath + if (!($exclusionPath -contains $installPath)) { + info "Windows Defender may slow down or disrupt installs with realtime scanning." + Write-Host " Consider running:" + Write-Host " sudo Add-MpPreference -ExclusionPath '$installPath'" + Write-Host " (Requires 'sudo' command. Run 'scoop install sudo' if you don't have it.)" return $false } } @@ -28,7 +29,7 @@ function check_windows_defender($global) { } function check_main_bucket { - if ((Get-LocalBucket) -notcontains 'main'){ + if ((Get-LocalBucket) -notcontains 'main') { warn 'Main bucket is not added.' Write-Host " run 'scoop bucket add main'" diff --git a/libexec/scoop-checkup.ps1 b/libexec/scoop-checkup.ps1 index df4a8b6ec5..3e9d89326a 100644 
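Review bot: The new early return `if ((Get-MpPreference).DisableRealtimeMonitoring) { return $true }` in the first hunk (`@@ -6,19 +6,20 @@`) sits ahead of the WinDefend service-status test, so `Get-MpPreference` now runs whenever the cmdlet exists, even when the service is stopped or absent. In that state the call can presumably fail and write an error, which is worth confirming on a host with a third-party AV; it is also queried a second time for `ExclusionPath`. Reading it once inside the `Running` branch, `$prefs = Get-MpPreference -ErrorAction SilentlyContinue` followed by `if (!$prefs -or $prefs.DisableRealtimeMonitoring) { return $true }`, keeps the old guard and avoids the double query. The function also returns `$true` with no output when real-time monitoring is off, so checkup says nothing about a host running with protection disabled; an `info` line at that return would make the state visible. The end of `check_windows_defender` lies outside this hunk.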
--- a/libexec/scoop-checkup.ps1 +++ b/libexec/scoop-checkup.ps1 @@ -7,9 +7,15 @@ . "$psscriptroot\..\lib\diagnostic.ps1" $issues = 0 +$defenderIssues = 0 + +$adminPrivileges = ([System.Security.Principal.WindowsPrincipal] [System.Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator) + +if ($adminPrivileges) { + $defenderIssues += !(check_windows_defender $false) + $defenderIssues += !(check_windows_defender $true) +} -$issues += !(check_windows_defender $false) -$issues += !(check_windows_defender $true) $issues += !(check_main_bucket) $issues += !(check_long_paths) @@ -29,19 +35,22 @@ if (!(Test-HelperInstalled -Helper Dark)) { } $globaldir = New-Object System.IO.DriveInfo($globaldir) -if($globaldir.DriveFormat -ne 'NTFS') { +if ($globaldir.DriveFormat -ne 'NTFS') { error "Scoop requires an NTFS volume to work! Please point `$env:SCOOP_GLOBAL or 'globalPath' variable in '~/.config/scoop/config.json' to another Drive." $issues++ } $scoopdir = New-Object System.IO.DriveInfo($scoopdir) -if($scoopdir.DriveFormat -ne 'NTFS') { +if ($scoopdir.DriveFormat -ne 'NTFS') { error "Scoop requires an NTFS volume to work! Please point `$env:SCOOP or 'rootPath' variable in '~/.config/scoop/config.json' to another Drive." $issues++ } -if($issues) { +if ($issues) { warn "Found $issues potential $(pluralize $issues problem problems)." +} elseif ($defenderIssues) { + info "Found $defenderIssues performance $(pluralize $defenderIssues problem problems)." + warn "Security is more important than performance, in most cases." } else { success "No problems identified!" }
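Review bot: When the process is not elevated, the two `check_windows_defender` calls in the `@@ -7,9 +7,15 @@` hunk are skipped without any output, so a non-admin run can end in "No problems identified!" although the Defender check never ran. Add an `else` branch such as `else { info "Skipping Windows Defender checks: administrator privileges are required." }`. A one-line comment above `$adminPrivileges` should say why elevation is needed, presumably because the exclusion list is not readable without it, which should be confirmed.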
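Review bot: Because the Defender summary in the `@@ -29,19 +35,22 @@` hunk is an `elseif` under `if ($issues)`, the line "Security is more important than performance, in most cases." is printed only when no other issue was found, while `check_windows_defender` prints the `Add-MpPreference -ExclusionPath` suggestion regardless. A user who also has, say, a missing main bucket therefore sees the advice to exclude the install directory from scanning without the caveat. Emit the Defender summary in its own `if ($defenderIssues) { … }` ahead of the chain and change the last branch to `} elseif (!$defenderIssues) {`, so success is still reported only when both counters are zero. The caveat would also read more clearly if it named the trade-off: an exclusion stops Defender from scanning whatever Scoop downloads into that path.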