Windows Defender Pack
Local malware-scan capability pack for a Windows-hosted recued server — the zero-install sibling of clamav-pack. By-value cli connector composition (service_kind=cli): Microsoft Defender's MpCmdRun.exe scanning a data.file.received record's bytes, via the file.scan catalog operation. The file_ref's bytes are materialized to an engine-managed throwaway temp file, scanned by the built-in Defender engine, and the temp file removed in a finally (input_materialize) — no bytes flow through op-step values and nothing leaves the machine. VERDICT FROM THE EXIT CODE: the op runs `MpCmdRun.exe -Scan -ScanType 3 -File {target} -DisableRemediation`; per Microsoft's docs the return code is 0 (no malware found) or 2 (malware found and NOT remediated, OR a scan error). `-DisableRemediation` is load-bearing — it suppresses remediation so a detected threat stays 'found and not remediated' (exit 2) instead of collapsing to 'found and remediated' (exit 0); WITH it, exit 0 means no malware found in the custom -File scan path. This is INFERRED from Microsoft's docs (it holds for file-based malware in the custom scan; it is NOT independently verified across every threat category — PUA / behavioral / network detections may not be covered by a custom file scan at all). exit_code_handling success_codes [0,2] → 0 maps to clean, 2 maps to flagged. The exit-2 ambiguity (threat vs scan error, e.g. a non-elevated run) is FAIL-SAFE: a scan error surfaces as 'flagged' (extra review), never as a false 'clean' — no malware passes. read-tier / approval=never so a reactive scan runs unattended; cli-kind so it is never a raw MCP/door tool. PREREQUISITES (Windows only): (1) the recued SERVER must run ON WINDOWS — MpCmdRun.exe is Windows-only; (2) run the server ELEVATED (as Administrator) — MpCmdRun -Scan needs elevation, else it returns exit 2 (every file false-flags); (3) MpCmdRun.exe is NOT on PATH — this pack uses the stable absolute path `C:\Program Files\Windows Defender\MpCmdRun.exe`; if Defender lives elsewhere (a versioned `C:\ProgramData\Microsoft\Windows Defender\Platform\<version>` install), edit the op's argv_template + the ingredient entry_point/probe; (4) Defender must be ENABLED and its security intelligence CURRENT — stale definitions miss new malware and return exit 0 (a false clean, with no exit-code signal, exactly as a stale freshclam DB would for ClamAV), so keep auto-updates on or run `MpCmdRun.exe -SignatureUpdate` on a schedule. A scan is only as good as the definition date. Drives the Windows Defender Scan workflow pack (defender-scan), which auto-scans every inbound reception drop. ALTERNATIVE (cleaner threat/error split, not shipped): a PowerShell wrapper over `Start-MpScan -ScanPath {target} -ScanType CustomScan` + `Get-MpThreatDetection` can distinguish a real detection from a scan error and exit 0/1 — at the cost of a fiddly detection-filter; switch to it here if the exit-2 false-flag noise bites.
What this pack installs
- defender Ingredient
Trust & control
What installing this whole pack would let it do. Recued grants these permissions at install — review them there before approving.