The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Windows Defender: adding and removing exclusions from PowerShell (via Stack Overflow)

Posted by jpluimers on 2022/02/16

I use this small script to install or update Chocolatey package NirLauncher (which is the Nirsoft Launcher that has all the Nirsoft freeware tools in it).

powershell -Command Add-MpPreference -ExclusionPath "%TEMP%\chocolatey\NuGetScratch"
choco update --yes NirLauncher 
powershell -Command Remove-MpPreference -ExclusionPath "%TEMP%\chocolatey\NuGetScratch"

It works around the issue that NirLauncher is often flagged by anti-virus tools and/or listed on VirusTotal, which means you get an error like this:

NirLauncher not installed. An error occurred during installation:
 Operation did not complete successfully because the file contains a virus or potentially unwanted software.

followed by

Chocolatey upgraded 0/1 packages. 1 packages failed.
 See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).

I wrote about this error before in “Need to research: Nirlauncher v1.23.42 to 1.23.43 upgrade through Chocolatey fails with ‘Operation did not complete successfully because the file contains a virus or potentially unwanted software.’”, and this post explains how I got to the above workaround.

Context: I was running Windows Defender (now officially called Microsoft Defender, but most people still use the old name), which is a good baseline anti-virus tool that is included with Windows.

Finding out the location of the offending file

The offending location is not actually in the C:\ProgramData\chocolatey\logs\chocolatey.log file.

I did a small search to see if one could list Windows Defender messages, and there was “Use PowerShell to See What Windows Defender Detected | Scripting Blog”, explaining the Get-MpThreatDetection cmdlet, available since around Windows 8.x.

This little command got what I wanted:

C:\temp>PowerShell Get-MpThreatDetection ^| Format-List ^| Out-String -Width 4096 | findstr /I "nir"
Resources                      : {file:_C:\Users\jeroenp\AppData\Local\Temp\chocolatey\NuGetScratch\a78a5776-0fdd-48c0-8313-9b0107f54cba\hy3odwgw.1dc\tools\nirsoft_package_1.23.44.zip}

A few tricks I used here:

Searching for “chocolatey\NuGetScratch” – Google Search, I found out %Temp%\chocolatey\NuGetScratch is the default value for chocolatey cacheLocation – Google Search. I run default settings, so that is good enough for me.

Adding / removing a recursive folder exclusion to Windows Defender

I found “Windows Defender – Add exclusion folder programmatically – Stack Overflow” through “Windows Defender” exclusion from commandline – Google Search explaining these (thanks gavenkoa!):

Run in elevated shell (search cmd in Start menu and hit Ctrl+Shift+Enter).

powershell -Command Add-MpPreference -ExclusionPath "C:\tmp"
powershell -Command Add-MpPreference -ExclusionProcess "java.exe"
powershell -Command Add-MpPreference -ExclusionExtension ".java"

powershell -Command Remove-MpPreference -ExclusionExtension ".java"

This was a short step to these documentation pages (note to self: figure out the origin of the Mp prefix)
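
The temporary exclusion from the script at the top of this post, written as a PowerShell script that removes the exclusion even when the upgrade fails or is interrupted, and leaves alone an exclusion that was already configured. This is an added example, not the script from the original post; the parameter names and the use of `choco upgrade` instead of `choco update` are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: keep the Defender exclusion scoped to a single Chocolatey run.
param(
    [string]$Package = 'NirLauncher',
    # Default Chocolatey cacheLocation, as found in the post.
    [string]$ScratchPath = (Join-Path $env:TEMP 'chocolatey\NuGetScratch')
)

# Remember whether the exclusion already existed, so an exclusion that
# was configured on purpose is not removed afterwards.
$alreadyExcluded = @((Get-MpPreference).ExclusionPath) -contains $ScratchPath
$chocoExit = 1

try {
    if (-not $alreadyExcluded) {
        Add-MpPreference -ExclusionPath $ScratchPath -ErrorAction Stop
    }
    # The post's script calls "choco update"; "upgrade" is the current
    # name of that command in Chocolatey.
    choco upgrade --yes $Package
    $chocoExit = $LASTEXITCODE
}
finally {
    # Runs on success, on failure and on Ctrl+C, so the exclusion never
    # outlives the upgrade.
    if (-not $alreadyExcluded) {
        Remove-MpPreference -ExclusionPath $ScratchPath
    }
}

# Verify that the temporary exclusion is really gone.
$stillThere = @((Get-MpPreference).ExclusionPath) -contains $ScratchPath
if ($stillThere -and -not $alreadyExcluded) {
    Write-Warning "Exclusion for $ScratchPath is still present; remove it manually."
}

# Show anything Defender flagged under the scratch folder, so a failed
# upgrade can be traced to the offending file.
Get-MpThreatDetection |
    Where-Object { $_.Resources -like "*$ScratchPath*" } |
    Select-Object InitialDetectionTime, Resources |
    Format-List

exit $chocoExit
```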

Windows Defender still marks individual tools

Of course Windows Defender still marks individual tools as “unsafe” (for instance C:\tools\NirLauncher\NirSoft\mailpv.exe). To alleviate that, you have to permanently add this directory to the exclusion list: C:\tools\NirLauncher.

–jeroen
