I've created an ASP.NET Web API that retrieves a file as stream content, saves it to disk and scans the file using Windows Defender (MpCmdRun.exe). When running the API locally on my computer, everything is fine. However, I want to host this API in the cloud (Azure), as the rest of my applications are there. I decided to put this Web API inside a Docker container, and then publish it to Azure. However, when running Windows Defender inside the Docker container, I get the following error:
C:\Program Files\Windows Defender>MpCmdRun.exe -Scan -ScanType 3 -File ThirdPartyNotices.txt
Scan starting... CmdTool: Failed with hr = 0x8050800C. Check C:\Users\ContainerAdministrator\AppData\Local\Temp\MpCmdRun.log for more information
The log file doesn't give much more information.
MpCmdRun: Command Line: MpCmdRun.exe -Scan -ScanType 3 -File ThirdPartyNotices.txt
Start Time: ?Sun ?Dec ?03 ?2017 23:53:16
Starting RunCommandScan.
INFO: ScheduleJob is not set. Skipping signature update.
Scanning path as file: ThirdPartyNotices.txt.
Start: MpScan(MP_FEATURE_SUPPORTED, dwOptions=16385, path ThirdPartyNotices.txt, DisableRemediation = 0, BootSectorScan = 0, Timeout in days = 1)
MpScan() started
Warning: MpScan() encounter errror. hr = 0x8050800c
MpScan() was completed
ERROR: MpScan(dwOptions=16385) Completion Failed 8050800C
MpCmdRun: End Time: ?Sun ?Dec ?03 ?2017 23:53:16
FROM microsoft/aspnet
COPY ./bin/Release/PublishOutput/ /inetpub/wwwroot
#So I can write sent file to disk in container
RUN powershell New-Item c:\inetpub\wwwroot\temp_files -type directory
RUN icacls c:\inetpub\wwwroot\temp_files /grant IIS_IUSRS:F
#Without this Windows Update is disabled
RUN powershell Set-Service wuauserv -StartupType "Automatic"
#Without this Windows defender is disabled
RUN reg add "HKLM\SYSTEM\CurrentControlSet\services\WinDefend" /v Start /t REG_DWORD /d 2 /f
#Tried running these, as well as Update-MpSignature in powershell, to no success.
#RUN ["c:\\Program Files\\Windows Defender\\MpCmdRun.exe", "-RemoveDefinitions", "-All"]
#RUN ["c:\\Program Files\\Windows Defender\\MpCmdRun.exe", "-SignatureUpdate"]
When inside the docker container (docker exec -it test powershell), running Get-MpComputerStatus in powershell returns the following:
AMEngineVersion : 1.1.14306.0
AMProductVersion : 4.10.14393.1794
AMServiceEnabled : True
AMServiceVersion : 4.10.14393.1794
AntispywareEnabled : True
AntispywareSignatureAge : 0
AntispywareSignatureLastUpdated : 12/3/2017 8:15:49 PM
AntispywareSignatureVersion : 1.257.1327.0
AntivirusEnabled : True
AntivirusSignatureAge : 0
AntivirusSignatureLastUpdated : 12/3/2017 8:15:51 PM
AntivirusSignatureVersion : 1.257.1327.0
BehaviorMonitorEnabled : False
ComputerState : 0
FullScanAge : 4294967295
FullScanEndTime :
FullScanStartTime :
IoavProtectionEnabled : False
LastFullScanSource : 0
LastQuickScanSource : 0
NISEnabled : False
NISEngineVersion : 0.0.0.0
NISSignatureAge : 4294967295
NISSignatureLastUpdated :
NISSignatureVersion : 0.0.0.0
OnAccessProtectionEnabled : False
QuickScanAge : 4294967295
QuickScanEndTime :
QuickScanStartTime :
RealTimeProtectionEnabled : False
RealTimeScanDirection : 0
PSComputerName :
Here I'm concerned about the NIS settings being 0.0.0.0.
Trying to update the Windows Defender signatures with Update-MpSignature returns:
Update-MpSignature : Virus and spyware definitions update was completed with errors.
At line:1 char:1
+ Update-MpSignature
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (MSFT_MpSignature:ROOT\Microsoft\...SFT_MpSignature) [Update-MpSignature], CimException
    + FullyQualifiedErrorId : HRESULT 0x80070643,Update-MpSignature
I'm not really able to RDP into the docker container (as far as I can tell it's not possible with the microsoft/aspnet image). This means I have to do everything in the command prompt/powershell, and I'm still quite new to that.
This might not be enough information, or even the right information to track this problem, but I've been stuck with this for way too long now. If anyone can give me some pointers on what to look for/how to proceed with locating/fixing these issues that'd be awesome. Thank you in advance!
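An added example, not code from the post: a C# wrapper for the scan step described in the question that fails closed, so an engine error such as the hr = 0x8050800C above is never treated as a clean result. The class, enum and method names are hypothetical; it assumes MpCmdRun.exe at the path shown in the post and relies on the tool's documented exit codes (0 when nothing is found, 2 when malware is found or the scan fails).

```csharp
using System;
using System.Diagnostics;
using System.IO;

public enum ScanVerdict { Clean, Rejected, TimedOut }   // hypothetical names

public static class DefenderScanner
{
    // Install path as shown in the question.
    const string MpCmdRun = @"C:\Program Files\Windows Defender\MpCmdRun.exe";

    public static ScanVerdict Scan(string filePath, TimeSpan timeout, out string output)
    {
        // Use a full path so the result does not depend on the working directory.
        // filePath should be a server-generated name, never the client's file name.
        var psi = new ProcessStartInfo
        {
            FileName = MpCmdRun,
            Arguments = "-Scan -ScanType 3 -File \"" + Path.GetFullPath(filePath) + "\"",
            UseShellExecute = false,
            RedirectStandardOutput = true,
            CreateNoWindow = true
        };
        using (var proc = Process.Start(psi))
        {
            // Read asynchronously so a full stdout pipe cannot stall the scanner.
            var stdout = proc.StandardOutput.ReadToEndAsync();
            if (!proc.WaitForExit((int)timeout.TotalMilliseconds))
            {
                try { proc.Kill(); } catch (InvalidOperationException) { /* already exited */ }
                output = "scan timed out";
                return ScanVerdict.TimedOut;
            }
            output = stdout.Result;
            // Only exit code 0 means "scanned, nothing found". Code 2 covers both a
            // detection and a scan error, so every non-zero code is a rejection.
            return proc.ExitCode == 0 ? ScanVerdict.Clean : ScanVerdict.Rejected;
        }
    }

    // Keep the upload only when the scan positively succeeded; log the tool output otherwise.
    public static bool AcceptUpload(string filePath)
    {
        string output;
        var verdict = Scan(filePath, TimeSpan.FromSeconds(60), out output);
        if (verdict == ScanVerdict.Clean) return true;
        Console.Error.WriteLine("Upload rejected (" + verdict + "): " + output);
        File.Delete(filePath);
        return false;
    }
}
```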