I've created an ASP.NET Web API that retrieves a file as stream content, saves it to disk and scans the file using Windows Defender (MpCmdRun.exe). When running the API locally on my computer, everything is fine. However, I want to host this API in the cloud (Azure), as the rest of my applications are there. I decided to put this Web API inside a Docker container and then publish it to Azure. However, when running Windows Defender inside the Docker container, I get the following error:
Running:
C:\Program Files\Windows Defender>MpCmdRun.exe -Scan -ScanType 3 -File ThirdPartyNotices.txt
Returns:
Scan starting...
CmdTool: Failed with hr = 0x8050800C. Check C:\Users\ContainerAdministrator\AppData\Local\Temp\MpCmdRun.log for more information
The log file doesn't give much more information.
MpCmdRun: Command Line: MpCmdRun.exe -Scan -ScanType 3 -File
ThirdPartyNotices.txt
Start Time: Sun Dec 03 2017 23:53:16
Starting RunCommandScan.
INFO: ScheduleJob is not set. Skipping signature update.
Scanning path as file: ThirdPartyNotices.txt.
Start: MpScan(MP_FEATURE_SUPPORTED, dwOptions=16385, path
ThirdPartyNotices.txt, DisableRemediation = 0, BootSectorScan
= 0, Timeout in days = 1)
MpScan() started
Warning: MpScan() encounter errror. hr = 0x8050800c
MpScan() was completed
ERROR: MpScan(dwOptions=16385) Completion Failed 8050800C
MpCmdRun: End Time: Sun Dec 03 2017 23:53:16
Dockerfile:
FROM microsoft/aspnet
COPY ./bin/Release/PublishOutput/ /inetpub/wwwroot
#So I can write sent file to disk in container
RUN powershell New-Item c:\inetpub\wwwroot\temp_files -type directory
RUN icacls c:\inetpub\wwwroot\temp_files /grant IIS_IUSRS:F
#Without this Windows Update is disabled
RUN powershell Set-Service wuauserv -StartupType "Automatic"
#Without this Windows defender is disabled
RUN reg add "HKLM\SYSTEM\CurrentControlSet\services\WinDefend" /v Start /t REG_DWORD /d 2 /f
#Tried running these, as well as Update-MpSignature in powershell, to no success.
#RUN ["c:\\Program Files\\Windows Defender\\MpCmdRun.exe", "-RemoveDefinitions", "-All"]
#RUN ["c:\\Program Files\\Windows Defender\\MpCmdRun.exe", "-SignatureUpdate"]
When inside the Docker container (docker exec -it test powershell), running Get-MpComputerStatus in PowerShell returns the following:
AMEngineVersion : 1.1.14306.0
AMProductVersion : 4.10.14393.1794
AMServiceEnabled : True
AMServiceVersion : 4.10.14393.1794
AntispywareEnabled : True
AntispywareSignatureAge : 0
AntispywareSignatureLastUpdated : 12/3/2017 8:15:49 PM
AntispywareSignatureVersion : 1.257.1327.0
AntivirusEnabled : True
AntivirusSignatureAge : 0
AntivirusSignatureLastUpdated : 12/3/2017 8:15:51 PM
AntivirusSignatureVersion : 1.257.1327.0
BehaviorMonitorEnabled : False
ComputerState : 0
FullScanAge : 4294967295
FullScanEndTime :
FullScanStartTime :
IoavProtectionEnabled : False
LastFullScanSource : 0
LastQuickScanSource : 0
NISEnabled : False
NISEngineVersion : 0.0.0.0
NISSignatureAge : 4294967295
NISSignatureLastUpdated :
NISSignatureVersion : 0.0.0.0
OnAccessProtectionEnabled : False
QuickScanAge : 4294967295
QuickScanEndTime :
QuickScanStartTime :
RealTimeProtectionEnabled : False
RealTimeScanDirection : 0
PSComputerName :
Here I'm concerned about the NIS settings being 0.0.0.0.
When trying to update the Windows Defender signatures with Update-MpSignature, it returns:
Update-MpSignature : Virus and spyware definitions update was completed with
errors.
At line:1 char:1
+ Update-MpSignature
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified:
(MSFT_MpSignature:ROOT\Microsoft\...SFT_MpSignature) [Update-MpSignature],
CimException
+ FullyQualifiedErrorId : HRESULT 0x80070643,Update-MpSignature
I'm not really able to RDP into the Docker container (as far as I can tell it's not possible with the microsoft/aspnet image). This means I have to do everything in the command prompt/PowerShell, and I'm still quite new to that.
This might not be enough information, or even the right information, to track down this problem, but I've been stuck with this for way too long now. If anyone can give me some pointers on what to look for/how to proceed with locating/fixing these issues, that'd be awesome. Thank you in advance!
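The scan step the question describes (write the received file to disk, run MpCmdRun.exe against it, act on the result), together with the pre-flight checks the question collected by hand, as an added PowerShell example that is not part of the original post or the asker's API. It assumes that MpCmdRun.exe -Scan exits with code 0 when nothing is found and 2 when a threat is found, and treats any other exit code as "the scan did not run"; the function names, the temp paths and the EICAR self-test are my own additions.

```powershell
# Added example (not code from the original question): a wrapper around the
# scan step the Web API performs, plus the checks the question ran by hand.
# Assumption: MpCmdRun.exe -Scan exits 0 = nothing found, 2 = threat found;
# anything else is treated as a scan error. Paths and names are hypothetical.

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Test-DefenderReady {
    # Gather the facts a scan depends on in one object, so the API can refuse
    # uploads (fail closed) instead of silently accepting unscanned files.
    $svc    = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $pref   = Get-MpPreference -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WinDefendService          = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
        AMServiceEnabled          = $status.AMServiceEnabled
        AntivirusSignatureVersion = $status.AntivirusSignatureVersion
        AntivirusSignatureAgeDays = $status.AntivirusSignatureAge
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        RealtimeMonitoringDisabled = $pref.DisableRealtimeMonitoring
        MpCmdRunPresent           = Test-Path -LiteralPath $MpCmdRun
    }
}

function Invoke-DefenderFileScan {
    # Scan one file the way the question does (-Scan -ScanType 3 -File) and
    # turn the exit code into a verdict the caller can act on.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    # Always hand MpCmdRun an absolute path: an IIS worker process does not
    # start in the directory the upload was written to.
    $full = (Resolve-Path -LiteralPath $Path).Path
    # -DisableRemediation stops Defender from deleting/quarantining the file,
    # leaving the decision (drop it, log it) to the API.
    $output = & $MpCmdRun -Scan -ScanType 3 -File $full -DisableRemediation 2>&1 | Out-String
    $code   = $LASTEXITCODE

    $verdict = switch ($code) {
        0       { 'clean' }
        2       { 'threat' }
        default { 'error' }
    }
    # On failure MpCmdRun prints "hr = 0x........"; capture it for the logs.
    $hr = if ($output -match 'hr\s*=\s*(0x[0-9A-Fa-f]{8})') { $Matches[1] } else { $null }

    [pscustomobject]@{
        Path     = $full
        ExitCode = $code
        Verdict  = $verdict
        HResult  = $hr
        LogFile  = Join-Path $env:TEMP 'MpCmdRun.log'   # the file the error message points at
        Output   = $output.Trim()
    }
}

function Test-DefenderScanWorks {
    # End-to-end self-test with the EICAR test string (standard, harmless AV
    # test file). Returns $true only when the engine actually flags it.
    # With real-time protection on, Defender may remove the file as soon as it
    # is written; in the question's container RTP is off, so the scan runs.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    $path  = Join-Path $env:TEMP ('eicar-{0}.txt' -f [guid]::NewGuid())
    try {
        Set-Content -LiteralPath $path -Value $eicar -Encoding ascii -NoNewline
        $result = Invoke-DefenderFileScan -Path $path
        if ($result.Verdict -eq 'error') {
            Write-Warning ('Scan failed, exit code {0} (hr={1}); see {2}' -f `
                $result.ExitCode, $result.HResult, $result.LogFile)
        }
        return ($result.Verdict -eq 'threat')
    } finally {
        Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    }
}

# Usage: run inside the container (docker exec -it test powershell).
Test-DefenderReady | Format-List
'Scan engine works: {0}' -f (Test-DefenderScanWorks)
```

The point of the three-way verdict is the failure mode in the question: a scan that dies with hr = 0x8050800C is not a clean scan, so the API must reject (or at least hold) the upload when Verdict is 'error' rather than treating "no threat reported" as "no threat". Running Test-DefenderScanWorks on container start-up turns the engine and signature state into a single go/no-go check, which is easier to act on than eyeballing Get-MpComputerStatus output.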
Run this as admin to completely disable Windows Defender:
Set-MpPreference -DisableRealtimeMonitoring $true
Windows Server 2016 by default uses process isolation (not Hyper-V), and antivirus already scans your files on unlabeled disk and volume.
User contributions licensed under CC BY-SA 3.0