Add windows defender problem detection custom plugin #555
Hi @mcshooter. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/cc @jeremyje
config/windows-defender-monitor.json (outdated)
{
  "plugin": "custom",
  "pluginConfig": {
    "invoke_interval": "30s",
I think it'd be appropriate to make this run every 10 minutes.
$OK=0
$NONOK=1

$windowsDefenderThreats = Get-MpThreatDetection
The Get-MpThreatDetection cmdlet gets active and past malware threats that Windows Defender detected on the computer.
We only want active threats unless past here means that if a threat is handled by Defender then it's no longer a problem right?
The description in the docs isn't precise enough to make a judgement here. Perhaps check with sig-windows.
Updated to use Get-MpThreat because there are fields we can use that can help us determine whether a threat is active or has been executed on the Windows node.
$windowsDefenderThreats = Get-MpThreatDetection

if ($windowsDefenderThreats.length -ne 0) {
  exit $NONOK
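Review bot: the condition `$windowsDefenderThreats.length -ne 0` reports a problem on a clean node. When Get-MpThreatDetection finds nothing it returns no objects, so `$windowsDefenderThreats` is $null, `$null.length` is $null, and `$null -ne 0` evaluates to true, which takes the `exit $NONOK` branch. Wrap the call as `$windowsDefenderThreats = @(Get-MpThreatDetection)` and test `$windowsDefenderThreats.Count -gt 0` so that zero, one or many results are all handled the same way; the same applies after the switch to Get-MpThreat mentioned in the thread.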
I think it's clear to just return 0 vs 1 here. Aliasing the variables adds unnecessary indirection.
Is it common knowledge that 1 indicates a bad exit, and 0 is an OK exit? I haven't had to deal with exits before. I was thinking that the variables makes it easy to read and understand what it indicates, but if it's common knowledge then I am good to remove them and return just 0 or 1.
Exit code 0 indicates success; that's common.
config/windows-defender-monitor.json (outdated)
"rules": [
  {
    "type": "temporary",
    "reason": "WindowsDefenderProblemsDetected",
WindowsDefenderThreatsDetected
/ok-to-test
cb785e1 to d26eed2
/ok-to-test
/retest
/retest
d26eed2 to 767f0c1
767f0c1 to 01fa5b3
/retest
/lgtm
/lgtm This looks pretty useful! Thanks for adding this!
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jeremyje, mcshooter, Random-Liu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Windows Defender helps detect any malware, viruses, etc. on a Windows node. If Windows Defender detects any threats, we should indicate that there is an issue on the node. So, a custom plugin has been added to monitor this.
Get-MpThreat currently will output an empty string if no threats are detected. Any string output that is returned will indicate that there is a threat. If a threat has been detected, we can check if that threat had been executed or is currently active to determine the health of our node. If either is true, we return with exit 1 to indicate a problem detected from Windows Defender.
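The check described above, written out as a complete custom-plugin script. This is an added example, not the script from this PR or from node-problem-detector itself. It assumes the Defender PowerShell module's Get-MpThreat cmdlet, whose MSFT_MpThreat objects expose the IsActive, DidThreatExecute and ThreatName properties used here, and it follows node-problem-detector's custom-plugin convention of exit 0 for OK and exit 1 for a problem, with the script's standard output becoming the condition message. The handling of a failed Defender query (exit 2, which node-problem-detector reports as Unknown) is a design choice of this example and is not something the PR discussion covers.

```powershell
# Added example (not the PR's own script): node-problem-detector custom plugin
# that reports active or executed Windows Defender threats on the node.
# Assumes Get-MpThreat returns MSFT_MpThreat objects with IsActive,
# DidThreatExecute and ThreatName properties.
$OK = 0        # custom plugin protocol: exit 0 = condition healthy
$NONOK = 1     # exit 1 = problem detected
$UNKNOWN = 2   # exit 2 = status unknown (this example's choice for query failures)

try {
    # @() forces an array: no results stays an empty array instead of $null,
    # and a single result stays a one-element array, so .Count is always valid.
    $threats = @(Get-MpThreat -ErrorAction Stop)
}
catch {
    # Say that Defender could not be queried rather than silently report healthy.
    Write-Output "Unable to query Windows Defender: $($_.Exception.Message)"
    exit $UNKNOWN
}

if ($threats.Count -eq 0) {
    Write-Output "No Windows Defender threats detected"
    exit $OK
}

# Only a threat that is still active, or that managed to execute, makes the
# node unhealthy; a detection Defender already blocked and cleaned is history.
$problems = @($threats | Where-Object { $_.IsActive -or $_.DidThreatExecute })

if ($problems.Count -eq 0) {
    Write-Output "$($threats.Count) Windows Defender detection(s), all remediated"
    exit $OK
}

# Keep the message short: node-problem-detector truncates plugin output, so
# list only the distinct threat names, not every resource path.
$names = ($problems | Select-Object -ExpandProperty ThreatName -Unique) -join ', '
Write-Output "Windows Defender active or executed threats: $names"
exit $NONOK
```

Wired into the config fragments shown earlier, the exit code is what drives the "temporary" rule: exit 1 raises the WindowsDefenderProblemsDetected event with the script's output as its message, and exit 0 keeps the node condition healthy. Running it by hand on a node and checking `$LASTEXITCODE` afterwards is the quickest way to confirm the three branches before relying on the invoke_interval schedule.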