refactor(diagnostic,scoop-checkup): Improvements for 'check_windows_defender' and 'scoop-checkup' (#4699)

* Downgrade defender checks from `warn` to `info`

* checkup update

- Skip `check_windows_defender` when have not admin privileges
- Separate defender issues($defenderIssues)
- Security Tips

* Skip check for `ExclusionPath` if defender realtime protect is disabled

* elif

* CHANGELOG

CHANGELOG.md

@@ -33,6 +33,10 @@
 - **rmdir:** Use 'Remove-Item' instead of 'rmdir' ([#4691](https://github.com/ScoopInstaller/Scoop/issues/4691))
 - **COMSPEC:** Deprecate use of subshell cmd.exe ([#4692](https://github.com/ScoopInstaller/Scoop/pull/4692))
 - **git:** Use 'git -C' to specify the work directory instead of 'Push-Location'/'Pop-Location' ([#4697](https://github.com/ScoopInstaller/Scoop/pull/4697))
+- **diagnostic** Downgrade defender checks from 'WARN' to 'INFO' ([#4699](https://github.com/ScoopInstaller/Scoop/pull/4699))
+- **diagnostic** Skip check for 'exclusionPath' if defender realtime protect is disabled ([#4699](https://github.com/ScoopInstaller/Scoop/pull/4699))
+- **scoop-checkup** Skip 'check_windows_defender' when have not admin privileges ([#4699](https://github.com/ScoopInstaller/Scoop/pull/4699))
+- **scoop-checkup** Separate defender issues, mark as performance problem instead potential problem ([#4699](https://github.com/ScoopInstaller/Scoop/pull/4699))
 
 ### Builds
 

lib/diagnostic.ps1

@@ -6,19 +6,20 @@ Use 'warn' to highlight the issue, and follow up with the recommended actions to
 . "$PSScriptRoot\buckets.ps1"
 
 function check_windows_defender($global) {
-    $defender = get-service -name WinDefend -errorAction SilentlyContinue
-    if($defender -and $defender.status) {
-        if($defender.status -eq [system.serviceprocess.servicecontrollerstatus]::running) {
+    $defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
     if (Test-CommandAvailable Get-MpPreference) {
+        if ((Get-MpPreference).DisableRealtimeMonitoring) { return $true }
+        if ($defender -and $defender.Status) {
+            if ($defender.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {
                 $installPath = $scoopdir;
                 if ($global) { $installPath = $globaldir; }
 
-                $exclusionPath = (Get-MpPreference).exclusionPath
+                $exclusionPath = (Get-MpPreference).ExclusionPath
                 if (!($exclusionPath -contains $installPath)) {
-                    warn "Windows Defender may slow down or disrupt installs with realtime scanning."
-                    write-host "  Consider running:"
-                    write-host "    sudo Add-MpPreference -ExclusionPath '$installPath'"
-                    write-host "  (Requires 'sudo' command. Run 'scoop install sudo' if you don't have it.)"
+                    info "Windows Defender may slow down or disrupt installs with realtime scanning."
+                    Write-Host "  Consider running:"
+                    Write-Host "    sudo Add-MpPreference -ExclusionPath '$installPath'"
+                    Write-Host "  (Requires 'sudo' command. Run 'scoop install sudo' if you don't have it.)"
                     return $false
                 }
             }

libexec/scoop-checkup.ps1

@@ -7,9 +7,15 @@
 . "$psscriptroot\..\lib\diagnostic.ps1"
 
 $issues = 0
+$defenderIssues = 0
+
+$adminPrivileges = ([System.Security.Principal.WindowsPrincipal] [System.Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
+
+if ($adminPrivileges) {
+    $defenderIssues += !(check_windows_defender $false)
+    $defenderIssues += !(check_windows_defender $true)
+}
 
-$issues += !(check_windows_defender $false)
-$issues += !(check_windows_defender $true)
 $issues += !(check_main_bucket)
 $issues += !(check_long_paths)
 
@@ -42,6 +48,9 @@ if($scoopdir.DriveFormat -ne 'NTFS') {
 
 if ($issues) {
     warn "Found $issues potential $(pluralize $issues problem problems)."
+} elseif ($defenderIssues) {
+    info "Found $defenderIssues performance $(pluralize $defenderIssues problem problems)."
+    warn "Security is more important than performance, in most cases."
 } else {
     success "No problems identified!"
 }