refactor(diagnostic,scoop-checkup): Improvements for 'check_windows_defender' and 'scoop-checkup' (#4699)

* Downgrade defender checks from `warn` to `info` * checkup update - Skip `check_windows_defender` when have not admin privileges - Separate defender issues($defenderIssues) - Security Tips * Skip check for `ExclusionPath` if defender realtime protect is disabled * elif * CHANGELOG
2025-12-07 00:25:33 +00:00 · 2022-02-01 15:54:48 +08:00
parent 5b0bdaf893
commit c6b10c8f89
3 changed files with 31 additions and 17 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,10 @@
 - **rmdir:** Use 'Remove-Item' instead of 'rmdir' ([#4691](https://github.com/ScoopInstaller/Scoop/issues/4691))
 - **COMSPEC:** Deprecate use of subshell cmd.exe ([#4692](https://github.com/ScoopInstaller/Scoop/pull/4692))
 - **git:** Use 'git -C' to specify the work directory instead of 'Push-Location'/'Pop-Location' ([#4697](https://github.com/ScoopInstaller/Scoop/pull/4697))
+- **diagnostic** Downgrade defender checks from 'WARN' to 'INFO' ([#4699](https://github.com/ScoopInstaller/Scoop/pull/4699))
+- **diagnostic** Skip check for 'exclusionPath' if defender realtime protect is disabled ([#4699](https://github.com/ScoopInstaller/Scoop/pull/4699))
+- **scoop-checkup** Skip 'check_windows_defender' when have not admin privileges ([#4699](https://github.com/ScoopInstaller/Scoop/pull/4699))
+- **scoop-checkup** Separate defender issues, mark as performance problem instead potential problem ([#4699](https://github.com/ScoopInstaller/Scoop/pull/4699))

 ### Builds

--- a/lib/diagnostic.ps1
+++ b/lib/diagnostic.ps1
@@ -6,19 +6,20 @@ Use 'warn' to highlight the issue, and follow up with the recommended actions to
 . "$PSScriptRoot\buckets.ps1"

 function check_windows_defender($global) {
-    $defender = get-service -name WinDefend -errorAction SilentlyContinue
-    if($defender -and $defender.status) {
-        if($defender.status -eq [system.serviceprocess.servicecontrollerstatus]::running) {
-            if (Test-CommandAvailable Get-MpPreference) {
+    $defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
+    if (Test-CommandAvailable Get-MpPreference) {
+        if ((Get-MpPreference).DisableRealtimeMonitoring) { return $true }
+        if ($defender -and $defender.Status) {
+            if ($defender.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {
                $installPath = $scoopdir;
-                if($global) { $installPath = $globaldir; }
+                if ($global) { $installPath = $globaldir; }

-                $exclusionPath = (Get-MpPreference).exclusionPath
-                if(!($exclusionPath -contains $installPath)) {
-                    warn "Windows Defender may slow down or disrupt installs with realtime scanning."
-                    write-host "  Consider running:"
-                    write-host "    sudo Add-MpPreference -ExclusionPath '$installPath'"
-                    write-host "  (Requires 'sudo' command. Run 'scoop install sudo' if you don't have it.)"
+                $exclusionPath = (Get-MpPreference).ExclusionPath
+                if (!($exclusionPath -contains $installPath)) {
+                    info "Windows Defender may slow down or disrupt installs with realtime scanning."
+                    Write-Host "  Consider running:"
+                    Write-Host "    sudo Add-MpPreference -ExclusionPath '$installPath'"
+                    Write-Host "  (Requires 'sudo' command. Run 'scoop install sudo' if you don't have it.)"
                    return $false
                }
            }
@@ -28,7 +29,7 @@ function check_windows_defender($global) {
 }

 function check_main_bucket {
-    if ((Get-LocalBucket) -notcontains 'main'){
+    if ((Get-LocalBucket) -notcontains 'main') {
        warn 'Main bucket is not added.'
        Write-Host "  run 'scoop bucket add main'"

--- a/libexec/scoop-checkup.ps1
+++ b/libexec/scoop-checkup.ps1
@@ -7,9 +7,15 @@
 . "$psscriptroot\..\lib\diagnostic.ps1"

 $issues = 0
+$defenderIssues = 0
+
+$adminPrivileges = ([System.Security.Principal.WindowsPrincipal] [System.Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
+
+if ($adminPrivileges) {
+    $defenderIssues += !(check_windows_defender $false)
+    $defenderIssues += !(check_windows_defender $true)
+}

-$issues += !(check_windows_defender $false)
-$issues += !(check_windows_defender $true)
 $issues += !(check_main_bucket)
 $issues += !(check_long_paths)

@@ -29,19 +35,22 @@ if (!(Test-HelperInstalled -Helper Dark)) {
 }

 $globaldir = New-Object System.IO.DriveInfo($globaldir)
-if($globaldir.DriveFormat -ne 'NTFS') {
+if ($globaldir.DriveFormat -ne 'NTFS') {
    error "Scoop requires an NTFS volume to work! Please point `$env:SCOOP_GLOBAL or 'globalPath' variable in '~/.config/scoop/config.json' to another Drive."
    $issues++
 }

 $scoopdir = New-Object System.IO.DriveInfo($scoopdir)
-if($scoopdir.DriveFormat -ne 'NTFS') {
+if ($scoopdir.DriveFormat -ne 'NTFS') {
    error "Scoop requires an NTFS volume to work! Please point `$env:SCOOP or 'rootPath' variable in '~/.config/scoop/config.json' to another Drive."
    $issues++
 }

-if($issues) {
+if ($issues) {
    warn "Found $issues potential $(pluralize $issues problem problems)."
+} elseif ($defenderIssues) {
+    info "Found $defenderIssues performance $(pluralize $defenderIssues problem problems)."
+    warn "Security is more important than performance, in most cases."
 } else {
    success "No problems identified!"
 }