docker powershell windows-defender

(How) Can I run Windows Defender in a docker container? Getting errors


I'm experimenting with some options for an endpoint pen-testing lab for a Windows environment, and Docker seems like a pretty lightweight and easily configurable option. However, upon testing Windows Defender within this setup I'm faced with errors, and every help thread answer I've found on it has just resulted in more errors. Is running Windows Defender in a Docker container not doable?

What I've tried:

Ran a docker Windows container:

PS C:\WINDOWS\system32> docker run mcr.microsoft.com/windows:20H2
Unable to find image 'mcr.microsoft.com/windows:20H2' locally
20H2: Pulling from windows
f26dc4584b4d: Pull complete
881882374a3c: Pull complete
Digest: sha256:bfcfdafc3db9b35528635acfdbc07169ed0a6b8af88feb7b6e1da62cd4f3b748
Status: Downloaded newer image for mcr.microsoft.com/windows:20H2
Microsoft Windows [Version 10.0.19042.1348]
(c) Microsoft Corporation. All rights reserved.

C:\>

Then within that container CLI, ran:

PS C:\> (Get-Service windefend).Status
Stopped

PS C:\> Start-Service windefend
Start-Service : Service 'Microsoft Defender Antivirus Service (windefend)'
on computer '.'.
At line:1 char:1
+ Start-Service windefend
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceControl
   ler:ServiceController) [Start-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Comman
   ds.StartServiceCommand

PS C:\> Get-MpComputerStatus
Get-MpComputerStatus : A general error occurred that is not covered by a more
specific error code.
At line:1 char:1
+ Get-MpComputerStatus
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_MpComputerStatus:ROOT\Micros
   oft\...pComputerStatus) [Get-MpComputerStatus], CimException
    + FullyQualifiedErrorId : HRESULT 0x800106ba,Get-MpComputerStatus

These error messages, to my eyes, aren't helpful. I have no idea what CategoryInfo : NotSpecified: (MSFT_MpComputerStatus:ROOT\Microsoft\...pComputerStatus) [Get-MpComputerStatus], CimException means, nor FullyQualifiedErrorId : HRESULT 0x800106ba,Get-MpComputerStatus, and it doesn't seem to allude to any reason why it can't start the service. Hence, I'm wondering if it's just not possible.


Solution

  • What a nightmare! But I got it working for both 1809 and 20H2.

    PS C:\> Start-Service windefend
    Start-Service : Service 'Microsoft Defender Antivirus Service (windefend)' cannot be started due to the following
    error: Cannot start service windefend on computer '.'.
    At line:1 char:1
    + Start-Service windefend
    + ~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
       ServiceCommandException
        + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand
    
    PS C:\>
    

    The service is set to system startup, so you need to put it into manual startup first:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend\" -Name "Start" -Value 3
    

    Then remove the launchprotected key from the registry:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend\" -Name "LaunchProtected" -Value 0
    

    And then WinDefend will start up after rebooting the container.

    PS C:\> Start-Service windefend
    PS C:\> Get-Service windefend
    
    Status   Name               DisplayName
    ------   ----               -----------
    Running  windefend          Microsoft Defender Antivirus Service
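The two registry changes and the post-restart check from the answer above, wrapped into functions so the state can be inspected before and after. This is an added example, not code from the answer; it assumes the same image tags as the question (20H2 or 1809), that it runs as the container's default administrator account, and that the built-in Defender module provides Get-MpComputerStatus.

```powershell
# Added example: apply the answer's WinDefend registry changes inside a Windows
# container and verify the result. Assumed image: mcr.microsoft.com/windows:20H2
# (or :1809), run as the container's default administrator account.

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'

function Show-WinDefendConfig {
    # Start: 2 = Automatic, 3 = Manual. LaunchProtected non-zero means the SCM
    # launches the service as a protected process (PPL), which the container
    # cannot provide; that is what the 0x800106ba failure in the question hides.
    $p = Get-ItemProperty -Path $svcKey -Name Start, LaunchProtected -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Start           = $p.Start
        LaunchProtected = $p.LaunchProtected
        ServiceStatus   = (Get-Service windefend).Status
    }
}

function Set-WinDefendContainerConfig {
    # Step 1 from the answer: switch from system startup to manual (3).
    Set-ItemProperty -Path $svcKey -Name Start -Value 3
    # Step 2 from the answer: clear LaunchProtected so the service is not
    # required to start as a protected process.
    Set-ItemProperty -Path $svcKey -Name LaunchProtected -Value 0
    Show-WinDefendConfig
}

function Test-WinDefendRunning {
    # Run this only after the container restart the answer calls for.
    try {
        Start-Service windefend -ErrorAction Stop
    } catch {
        Write-Warning "Start-Service failed: $($_.Exception.Message)"
        return $false
    }
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $status) {
        Write-Warning 'Get-MpComputerStatus returned nothing; the AM engine is not up yet.'
        return $false
    }
    $status |
        Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureVersion |
        Out-Host
    return [bool]$status.AMServiceEnabled
}
```

Call Set-WinDefendContainerConfig, restart the container (or put the two Set-ItemProperty lines in a Dockerfile RUN step), then call Test-WinDefendRunning. Outside a throwaway lab container these values sit behind Tamper Protection and a TrustedInstaller ACL, and a write to LaunchProtected on a real host is a standard Defender-tampering detection rather than a configuration step.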