Microsoft Defender
With the free Microsoft Defender plugin for Xima® Formcycle it is possible to scan uploaded files for viruses. For this purpose the plugin uses the Malware Protection Command Line Utility provided by Microsoft Defender.
Functionality
- Instant virus scan
- Each file is scanned immediately after it is uploaded.
In Xima® Formcycle it is possible to upload files e.g. in the form through an upload element or in the backend of Xima® Formcycle. Through this plugin the Malware Protection Command Line Utility of Microsoft Defender is addressed and a virus scan is performed on the uploaded file. If, according to Microsoft Defender, the file is a virus, an error message is displayed and an entry is added to the process log.
Installation
To ensure that the plugin is also available in all clients and forms, it is recommended to install it as a system plugin, which allows for better central administration and configuration.
Configuration
The following configuration parameters exist:
- MpCmdRun-path (Required).
- File path to MpCmdRun.exe or Malware Protection Command Line Utility from Microsoft Defender. Through it, a scan can take place in the file system through the command line. If this configuration is not done, an attempt is made to generate a possible file path, which is then specified in the plugin description. However, it is recommended to specify the path to MpCmdRun.exe or Malware Protection Command Line Utility itself. Possible file paths could be: C:\Program Files\Windows Defender\MpCmdRun.exe or C:\ProgramData\Microsoft\Windows Defender\Platform\<select last version>\MpCmdRun.exe. If a folder path is specified, an attempt is made to automatically generate the path to the latest version of the Malware Protection Command Line Utility. The currently used file path to the Malware Protection Command Line Utility is also specified in the plugin description.
- scan-timeout (Required)
- Allows to define the time in seconds before the scan process is stopped. After the timeout, the file will be treated as a file where a virus was found. The default value is 45 seconds.
Example configuration
Example configuration of the plugin:
Usage
Once a virus signature is detected, the following message is seen:
Test file
A common method to check virus scanners is the eicar.com file.
For example, in the backend of Xima® Formcycle this test file can be uploaded and after successful configuration an error message can be seen.
Logging
When a virus scan is run by Microsoft Defender's Malware Protection Command Line Utility, the results are written to an MpCmdRun.log file. This allows the exact command line return of the scan to be traced. Usually this log file is located in the local temp directory. For example: C:\Users\<UserName>\AppData\Local\Temp\MpCmdRun.log
Xima® Formcycle logs can be found for this at /tomcat9/bin/logs.
- For example, after uploading the eicar.com test file, the following entry can be seen in formcycle-errors-log :
- [WARN] [25-05-22 10:10:21,192] [ajp-nio-127.0.0.1-8009-exec-43] (MalwareScanner.java:211) - Scanner <fc.plugin.fc_plugin_malware_scanner_ms_defender. MsDefenderFileScanner@7b2a4953> detected malware signature for file </home/fc/tomcat9/tmp/xima-temp/formcycle7/xfc-malware-scan/stream-scan12705251110052849842/data2383296604287452271>: {stream=[Win.Test.EICAR_HDB-1]}
- [ERROR] [25-05-22 10:10:21,207] [ajp-nio-127.0.0.1-8009-exec-43] (VirusScannerService.java:71) - Detected a virus
Version history
Version 1.0.3
- Change: The plugin is synchronized with the frontend server when one is available. This allows for malware scanning when using a frontend server.
Version 1.0.2
- Automatic determination of the path to the MS Defender executable file (MpCmdRun) if no path is explicitly specified.
Version 1.0.1
- Naming of plugin properties
Version 1.0.0
- Initial release