chef / chef

Chef Infra, a powerful automation platform that transforms infrastructure into code, automating how infrastructure is configured, deployed and managed across any environment, at any scale
http://www.chef.io/chef/
Apache License 2.0
7.58k stars 2.51k forks

windows_defender Realtime Protection setting changes the Tamper Protection setting instead of Real Time Monitoring #13053

Open snohio opened 2 years ago

snohio commented 2 years ago

User story

As a user of Chef and the Defender resource, the item that this resource changes should be DisableRealtimeMonitoring and not DisableIOAVProtection so that my cookbook can turn off Realtime Monitoring.

More details and some opinionated input

What I am trying to do is disable the Defender Realtime Monitoring wrapped around an install that is quite intensive. The command in PowerShell to do this is Set-MpPreference -DisableRealtimeMonitoring 1

I think some of this is a word mapping issue, as we call it realtime_protection in our resource and as it is called in Windows either DisableRealtimeMonitoring or DisableIOAVProtection. The former will stop Defender (Microsoft Security) from realtime scanning of what is happening on the OS. The latter changes the Tamper Protection settings.

Because realtime_protection has been a thing already, I'm not sure that we can actually change what it does, so maybe I'd propose adding a new property to the resource called realtime_monitoring and aligning that with DisableRealtimeMonitoring.

Line reference

https://github.com/chef/chef/blob/eca272d679b7cd0c5b155c641945e1c852776e28/lib/chef/resource/windows_defender.rb#L102
https://github.com/chef/chef/blob/eca272d679b7cd0c5b155c641945e1c852776e28/lib/chef/resource/windows_defender.rb#L136

As documented:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide

DISCUSS

I'd love to have a discussion on this with folks if it would help. Please reach out in Comments!

snohio commented 2 years ago

Looking at the original enhancement issue, it was called out to configure both, but it wasn't implemented that way.

snohio commented 2 years ago

Ok. The more I look at this, the command DisableIOAVProtection relates to IOfficeAntivirus, which seems to relate more to Internet Explorer and other Office apps that utilize Defender as the AV tool. I do not see how anyone that is implementing this as an option is getting the output that they desire. I'd almost go as far as to say it's a bug.
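The thread turns on which Set-MpPreference parameter a Chef property actually drives, and the practical way to settle that on a node is to read the preferences back after a converge and compare them with what the recipe intended. The Ruby below is an added example for this page, not code from the chef/chef repository or from the issue author: it parses Format-List style output of Get-MpPreference (the two samples are constructed, not captured from a host), lists which Disable* toggles are set, and reports whether the toggle that changed is the one the recipe meant to change. The `realtime_monitoring` key models the property proposed in the issue and does not exist in the resource; the `realtime_protection` mapping reflects the behaviour the issue describes at lines 102 and 136 of windows_defender.rb.

```ruby
# Added example: verify which Defender toggle a converge actually flipped.
# Input shape is what `Get-MpPreference | Select-Object DisableRealtimeMonitoring,
# DisableIOAVProtection | Format-List` prints. Both samples below are constructed.

# Host where real-time monitoring was switched off and IOAV left alone.
SAMPLE_REALTIME_OFF = <<~TXT
  DisableRealtimeMonitoring : True
  DisableIOAVProtection     : False
TXT

# Host showing the symptom from the issue: the cookbook meant to switch off
# real-time monitoring, but only the IOAV toggle changed.
SAMPLE_IOAV_OFF = <<~TXT
  DisableRealtimeMonitoring : False
  DisableIOAVProtection     : True
TXT

# Chef-side intent -> Set-MpPreference parameter it is expected to drive.
# :realtime_protection is what the resource sets today per the issue;
# :realtime_monitoring is the property the reporter proposes (hypothetical).
INTENT_TO_PARAMETER = {
  realtime_protection: "DisableIOAVProtection",
  realtime_monitoring: "DisableRealtimeMonitoring"
}.freeze

# Parse "Name : Value" lines into a hash, converting True/False to booleans.
def parse_mppreference(text)
  text.each_line.with_object({}) do |line, prefs|
    key, value = line.split(":", 2).map(&:strip)
    next if key.nil? || key.empty? || value.nil?
    prefs[key] = case value.downcase
                 when "true" then true
                 when "false" then false
                 else value
                 end
  end
end

# Every Disable* preference that is currently set, i.e. protections that are off.
def disabled_protections(prefs)
  prefs.select { |name, on| name.start_with?("Disable") && on == true }.keys.sort
end

# Compare the node's state with the recipe's intent. Returns the parameter the
# intent maps to, whether it has the wanted value, and any other protections
# that are off and were not part of the intent (drift worth alerting on).
def verify_change(prefs, intent:, disabled:)
  param = INTENT_TO_PARAMETER.fetch(intent)
  actual = prefs.fetch(param, false)
  {
    parameter: param,
    ok: actual == disabled,
    unexpected_disabled: disabled_protections(prefs) - [param]
  }
end

# One-line summary suitable for a log or a chef-client handler.
def report(prefs, intent:, disabled:)
  r = verify_change(prefs, intent: intent, disabled: disabled)
  status = r[:ok] ? "OK" : "MISMATCH"
  extra = r[:unexpected_disabled].empty? ? "" : " (also off: #{r[:unexpected_disabled].join(', ')})"
  "#{status}: #{r[:parameter]}=#{prefs.fetch(r[:parameter], false)}#{extra}"
end

if __FILE__ == $PROGRAM_NAME
  puts report(parse_mppreference(SAMPLE_REALTIME_OFF), intent: :realtime_monitoring, disabled: true)
  puts report(parse_mppreference(SAMPLE_IOAV_OFF), intent: :realtime_monitoring, disabled: true)
end
```

On a real node the input would come from `powershell_exec` or `Get-MpPreference` run by hand; the check is intentionally on the read-back state rather than on what the resource claims, which is what exposes the mapping problem the issue reports.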