Windows Defender's Custom Scan Requires the File to Be Passed as a Full Path

Windows Defender on Windows 8 merges the Windows Defender of Windows 7 and earlier with Microsoft Security Essentials, and comes preinstalled as a simple antivirus product. I ran a number of experiments with it, so I'm writing down the results here.

Scanning a specified file

The "scan a specific file" feature that MSE had can no longer be invoked from the GUI in Windows Defender. It is still possible, however, by passing options to the underlying executable ("C:\Program Files\Windows Defender\MpCmdRun.exe").

"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\Username\Desktop\a.txt"

The output is as follows.

Scan starting...
Scan finished.
Scanning C:\Users\Username\Desktop\a.txt found no threats.

Two things to watch out for here: because of the unfortunate space in the folder name "Program Files", even the executable itself has to be enclosed in double quotes, and the scan target has to be passed as a full path. If it is not passed as a full path, the following error occurs.

CmdTool: Failed with hr = 0x80070002.
Check C:\Users\Username\AppData\Local\Temp\MpCmdRun.log for more information

Since it only says "see the log for details", I looked at the log, which contained the output below. ...Not very enlightening. This is where I got stuck; searching turned up only English results and I couldn't make sense of them.

MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe"  -Scan -ScanType 3 -File "a.txt"
 Start Time: 木 12 25 2014 01:09:44

Starting RunCommandScan.
INFO: ScheduleJob is not set. Skipping signature update.
Invalid path to scan: a.txt. hr = 80070002
MpCmdRun: End Time: 木 12 25 2014 01:09:44

By the way, the arguments and so on can be checked with the -h option. Here is the output. (English only, though.)

Microsoft Antimalware Service Command Line Utility (c) 2006-2014 Microsoft Corp
Use this tool to automate and troubleshoot Microsoft Antimalware Service

Usage:
MpCmdRun.exe [command] [-options]

Command Description
   -? / -h                                    Displays all available options
                                              for this tool
   -Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]]
         [-Timeout <days>]
                                              Scans for malicious software
   -Trace [-Grouping #] [-Level #]            Starts diagnostic tracing
   -GetFiles                                  Collects support information
   -RemoveDefinitions [-All]                  Restores the installed
                                              signature definitions
                                              to a previous backup copy or to
                                              the original default set of
                                              signatures
                      [-DynamicSignatures]    Removes only the dynamically
                                              downloaded signatures
   -SignatureUpdate [-UNC | -MMPC]            Checks for new definition updates
   -Restore  [-ListAll | [-Name <name>] [-All] [-Path <path>]]  Restore or list
                                                               quarantined item(s)
   -AddDynamicSignature [-Path]               Loads a dynamic signature
   -ListAllDynamicSignatures                  List the loaded dynamic signatures
   -RemoveDynamicSignature [-SignatureSetID]  Removes a dynamic signature
   -EnableIntegrityServices                   Enables integrity services
   -SubmitSamples                             Submit all sample requests

Additional Information:

Support information will be in the following directory:
C:\ProgramData\Microsoft\Windows Defender\Support

   -Scan [-ScanType value]
        0  Default, according to your configuration
        1  Quick scan
        2  Full system scan
        3  File and directory custom scan

           [-File <path>]
                Indicates the file or directory  to be scanned, only valid for custom scan.

           [-DisableRemediation]
                This option is valid only for custom scan.
                When specified:
                  - File exclusions are ignored.
                  - Archive files are scanned.
                  - Actions are not applied after detection.
                  - Event log entries are not written after detection.
                  - Detections from the custom scan are not displayed in the user interface.

           [-BootSectorScan]
                Enables boot sector scanning; only valid for custom scan.

           [-Timeout <days>]
                Timeout in days; maximum value is 30.
                If this parameter is not specified, default value is 7 days for full scan and 1 day for all other scans.

      Return code is
      0    if no malware is found or malware is successfully remediated and no additional user action is required
      2    if malware is found and not remediated or additional user action is required to complete remediation or there is error in scanning.  Please
 check History for more information.

   -Trace [-Grouping value] [-Level value]
        Begins tracing Microsoft Antimalware Service's actions.
        You can specify the components for which tracing is enabled and
        how much information is recorded.
        If no component is specified, all the components will be logged.
        If no level is specified, the Error, Warning and Informational levels
        will be logged. The data will be stored in the support directory
        as a file having the current timestamp in its name and bearing
        the extension BIN.

        [-Grouping]
        0x1    Service
        0x2    Malware Protection Engine
        0x4    User Interface
        0x8    Real-Time Protection
        0x10   Scheduled actions
        0x20   NIS/GAPA

        [-Level]
        0x1    Errors
        0x2    Warnings
        0x4    Informational messages
        0x8    Function calls
        0x10   Verbose
        0x20   Performance

   -GetFiles [-Scan]
        Gathers the following log files and packages them together in a
        compressed file in the support directory

        - Any trace files from Microsoft Antimalware Service
        - The Windows Update history log
        - All Microsoft Antimalware Service events from the System event log
        - All relevant Microsoft Antimalware Service registry locations
        - The log file of this tool
        - The log file of the signature update helper tool

        [-Scan]
        Scans for unusual files.  The files and results of the scan
        will be packaged in the compressed file.

   -RemoveDefinitions
        Restores the last set of signature definitions

        [-All]
        Removes any installed signature and engine files. Use this
        option if you have difficulties trying to update signatures.

        [-DynamicSignatures]
        Removes all Dynamic Signatures.

   -SignatureUpdate
        Checks for new definition updates

        [-UNC [-Path <path>]]
        Performs update directly from UNC file share specified in <path>
        If -Path is not specified, update will be performed directly from the
             preconfigured UNC location

        [-MMPC]
        Performs update directly from Microsoft Malware Protection Center

   -Restore
        [-ListAll]
        List all items that were quarantined

        [-Name <name>]
        Restores the most recently quarantined item based on threat name
        One Threat can map to more than one file

        [-All]
        Restores all the quarantined items based on name

        [-Path]
        Specify the path where the quarantined items will be restored.
        If not specified, the item will be restored to the original path.
   -AddDynamicSignature -Path <path>
        Adds a Dynamic Signature specified by <path>

   -ListAllDynamicSignatures
        Lists SignatureSet ID's of all Dynamic Signatures added to the client
        via MAPS and MPCMDRUN -AddDynamicSignature

   -RemoveDynamicSignature -SignatureSetID <SignatureSetID>
        Removes a Dynamic Signature specified by <SignatureSetID>
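As an added example (not code from the original post), a PowerShell wrapper that turns whatever path it is given into the absolute, quoted path MpCmdRun.exe requires and then interprets the return codes listed in the help output above; the function name is an assumption, while the executable and log locations are the ones the post shows.

```powershell
# Added example, not code from the original post. Wraps MpCmdRun.exe so the
# scan target is always an absolute, quoted path, then interprets the exit
# code. The function name is an assumption; the executable and log locations
# are the ones the post shows.
function Invoke-DefenderFileScan {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$MpCmdRun = 'C:\Program Files\Windows Defender\MpCmdRun.exe'
    )

    # Resolve-Path turns a relative name such as a.txt into the full path
    # MpCmdRun.exe insists on; a missing file throws here instead of
    # surfacing later as "Failed with hr = 0x80070002".
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    # PowerShell quotes both the executable (the "Program Files" space) and
    # the target for us, so paths containing spaces stay a single argument.
    & $MpCmdRun -Scan -ScanType 3 -File $full
    $code = $LASTEXITCODE

    switch ($code) {
        0 { Write-Host "No threats found (or already remediated): $full" }
        2 { Write-Host "Threat found, not remediated, or scan error: $full (check Defender History)" }
        default {
            # Any other code: show the tail of the tool's own log, which is
            # where the CmdTool error message points.
            Write-Host "MpCmdRun.exe exited with code $code"
            $log = Join-Path $env:TEMP 'MpCmdRun.log'
            if (Test-Path -LiteralPath $log) { Get-Content -LiteralPath $log -Tail 10 }
        }
    }
    return $code
}

# Usage (constructed): scan a file in the current directory by relative name
# Invoke-DefenderFileScan -Path .\a.txt
```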

Adding "Scan with Windows Defender" to the right-click menu

Running it from the command prompt every time is a hassle, so let's add it to the right-click menu (a shell extension). This requires editing the registry, but I have prepared a .reg file you can use. (WordPress policy does not allow uploading .reg files, so change the extension to .reg before using it.)

WindowsDefender_AddRightClickMenu.reg

As you can see from the contents, there is nothing complicated in it. Use it at your own risk, though.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shell\WindowsDefender]
"MUIVerb"="Windows Defenderでスキャン"

[HKEY_CLASSES_ROOT\*\shell\WindowsDefender\Command]
; %1 is quoted so that a file name containing spaces is passed to -File as a single argument
@="\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" -Scan -ScanType 3 -File \"%1\""

Incidentally, if you launch it from the right-click menu and then look at the log from earlier, you can confirm that the scan completed normally.

MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File C:\Users\Username\Desktop\a.txt
 Start Time: 木 12 25 2014 01:30:53

Starting RunCommandScan.
INFO: ScheduleJob is not set. Skipping signature update.
Scanning path as file: C:\Users\Username\Desktop\a.txt.
Start: MpScan(MP_FEATURE_SUPPORTED, dwOptions=16385, path C:\Users\Username\Desktop\a.txt, DisableRemediation = 0, BootSectorScan = 0, Timeout in days = 1)
MpScan() started
MpScan() was completed
Finish: MpScanStart(MP_FEATURE_SUPPORTED, dwOptions=16385)
Finish: MpScan(MP_FEATURE_SUPPORTED, dwOptions=16385, path C:\Users\Username\Desktop\a.txt, DisableRemediation = 0, BootSectorScan = 0, Timeout in days = 1)
Scanning C:\Users\Username\Desktop\a.txt found no threats.
MpScan() has detected 0 threats.
MpCmdRun: End Time: 木 12 25 2014 01:30:53
