Windows Defender: adding and removing exclusions from PowerShell (via Stack Overflow)
Posted by jpluimers on 2022/02/16
I use this small script to install or update [Wayback] Chocolatey package NirLauncher (which is the [Wayback] Nirsoft Launcher that has all the [Wayback] Nirsoft freeware tools in it).
powershell -Command Add-MpPreference -ExclusionPath "%TEMP%\chocolatey\NuGetScratch" choco update --yes NirLauncher powershell -Command Remove-MpPreference -ExclusionPath "%TEMP%\chocolatey\NuGetScratch"
It works around the issue that many times NirLauncher is marked by anti-virus tools or/and listed on VirusTotal, which means you get an error like this:
NirLauncher not installed. An error occurred during installation: Operation did not complete successfully because the file contains a virus or potentially unwanted software.
followed by
Chocolatey upgraded 0/1 packages. 1 packages failed. See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
I wrote about this error before Need to research: Nirlauncher v1.23.42 to 1.23.43 upgrade through Chocolatey fails with “Operation did not complete successfully because the file contains a virus or potentially unwanted software.”, and this post is explaining how I got to the above workaround.
Context: I was running Windows Defender (now officially called Microsoft Defender, but most people still use the old name), which is a good baseline anti-virus tool that is included with Windows.
Finding out the location of the offending file
The offending location is not actually in the C:\ProgramData\chocolatey\logs\chocolatey.log file.
I did a small search to see if one could list Windows Defender messages, and there was [Wayback] Use PowerShell to See What Windows Defender Detected | Scripting Blog explaining the Get-MpThreatDetection available since around Windows 8.x.
This little command got what I wanted:
C:\temp>PowerShell Get-MpThreatDetection ^| Format-List ^| Out-String -Width 4096 | findstr /I "nir" Resources : {file:_C:\Users\jeroenp\AppData\Local\Temp\chocolatey\NuGetScratch\a78a5776-0fdd-48c0-8313-9b0107f54cba\hy3odwgw.1dc\tools\nirsoft_package_1.23.44.zip}
A few tricks I used here:
^|allows pipes to run within PowerShell itself (instead of thecmdwrapper)Out-String -Width 4096makes for a really wide output (soFormat-Listdoes not wrap around any lines; I mentioned that trick before in PowerShell: when Format-Table -AutoSize displays only 10 columns and uses the width of the console when redirecting to file)| findstr /I "nir"uses thecmdwrapper pipe through the oldfindstrcommand from the DOS era that allows to filter output (I triedSelect-String, but that failed – despite tricks mentioned in [Wayback] pipingGet-ChildItemintoSelect-Stringin powershell – Stack Overflow – likely because that is not text-oriented, but object oriented in nature)
Searching for [Wayback] “chocolatey\NuGetScratch” – Google Search, I found out %Temp%\chocolatey\NuGetScratch is the default value for [Wayback] chocolatey cacheLocation – Google Search. I run default settings, so that is good enough for me.
Adding / removing a recursive folder exclusion to Windows defender
I found [Wayback] Windows Defender – Add exclusion folder programmatically – Stack Overflow through [Wayback] “Windows Defender” exclusion from commandline – Google Search explaining these (thanks [Wayback] gavenkoa!):
Run in elevated shell (search
cmdin Start menu and hit Ctrl+Shift+Enter).powershell -Command Add-MpPreference -ExclusionPath "C:\tmp" powershell -Command Add-MpPreference -ExclusionProcess "java.exe" powershell -Command Add-MpPreference -ExclusionExtension ".java" powershell -Command Remove-MpPreference -ExclusionExtension ".java"
This was a short step to these documentation pages (note to self: figure out the origin of the Mp prefix)
- [Wayback] Add-MpPreference (Defender) | Microsoft Docs
- [Wayback] Remove-MpPreference (Defender) | Microsoft Docs
Windows Defender still marks individual tools
Of course Windows Defender still marks individual tools as “unsafe” (for instance C:\tools\NirLauncher\NirSoft\mailpv.exe). To alleviate that, you have to permanently add this directory to the exclusion list: C:\tools\NirLauncher.
–jeroen
The Wiert Corner - irregular stream of stuff 
Leave a Reply