From 0137d66039ac2f786ed04526dd2ef20fce081306 Mon Sep 17 00:00:00 2001
From: Simon Baerlocher
Date: Mon, 21 Jun 2021 16:24:03 +0200
Subject: [PATCH 1/5] exclude defender path
---
 plugins/modules/win_defender_exclusion.ps1 | 110 +++++++++++++++++++++
 roles/defender/defaults/main.yml | 3 +
 roles/defender/tasks/main.yml | 7 +-
 3 files changed, 118 insertions(+), 2 deletions(-)
 create mode 100644 plugins/modules/win_defender_exclusion.ps1
diff --git a/plugins/modules/win_defender_exclusion.ps1 b/plugins/modules/win_defender_exclusion.ps1
new file mode 100644
index 0000000..fbeb933
--- /dev/null
+++ b/plugins/modules/win_defender_exclusion.ps1
@@ -0,0 +1,110 @@
+#!powershell
+# (c) 2017, David Baumann
+# GNU GENERAL PUBLIC LICENSE v3
+#
+# WANT_JSON
+# POWERSHELL_COMMON
+
+Set-StrictMode -Version 2;
+$ErrorActionPreference = "Stop";
+
+# Compare Exclusion Lists if we need to Change something
+function Compare-ExclusionLists($Current,$Desired,$Cleanup)
+{
+ # We got nothing to Compare agains on Current so we need to change something
+ if($Current -eq $null -and $Desired -ne $null){ return $true;};
+
+ # We got nothing to Compare agains and $null is $null so nothing to change here
+ if($Current -eq $null -and $Desired -eq $null){ return $false;};
+
+ # We got nothing Desired and we also should not cleanup so we have nothing to change
+ if($Desired -eq $null -and -not $Cleanup) { return $false};
+
+ # We got nothing Desired but we NEED to Cleanup so we have to change
+ if($Desired -eq $null -and $Cleanup) { return $true;};
+
+ $diff = Compare-Object -ReferenceObject $Current -DifferenceObject $Desired -CaseSensitive:$false
+
+ # Ensure Nothing is missing on the from the Desired List
+ if( $($diff | Where-Object { $_.sideIndicator -eq "=>" }) ){
+ return $true;
+ }else{
+ # Check for Leftovers on the current Setting
+ if( $($diff | Where-Object { $_.sideIndicator -eq "<=" }) -and $Cleanup){
+ return $true;
+ }
+ return $false;
+ }
+}
+
+# Return current exclusion list of the desired type
+function Get-CurrentExclusionList($ExclusionType){
+ return Get-MpPreference | Select-Object -ExpandProperty $("Exclusion" + $ExclusionType);
+}
+
+# Set the Defined Exclusion List
+function Set-ExclusionList($ExclusionType,$List,$Cleanup=$false){
+
+ if($List){
+ # We got some Values to Set
+ $setParam = @{};
+ $setParam.Add($("Exclusion" + $ExclusionType),$List);
+ Set-MpPreference @setParam;
+ }else{
+ # We got a empty list
+ if($Cleanup){
+ # We need to Force Removal
+ $valuesToRemove = Get-MpPreference | Select-Object -ExpandProperty $("Exclusion" + $ExclusionType);
+ foreach($v in $valuesToRemove)
+ {
+ $removeParam=@{}
+ $removeParam.Add($("Exclusion" + $ExclusionType),$v);
+ Remove-MpPreference @removeParam;
+ }
+ }
+ }
+}
+
+# Defining Defaults
+$changed = $false;
+
+# Setting and Reading Params from Ansible
+$parsed_args = Parse-Args $args -supports_check_mode $true;
+$check_mode = Get-AnsibleParam $parsed_args "_ansible_check_mode" -default $false;
+
+$clean = Get-AnsibleParam $parsed_args "clean" -default $false;
+[string[]]$list = Get-AnsibleParam $parsed_args "list" -default [];
+$type = Get-AnsibleParam $parsed_args "type" -validateset "Process","Extension","Path";
+
+
+# Ensure List is Unique, Self fix some errored input
+$list = $list | Sort-Object -Property @{Expression={$_.Trim()}} -Unique
+
+# See if we need to Change something
+[string[]]$current = Get-CurrentExclusionList -ExclusionType $type;
+$haveToChange = Compare-ExclusionLists -Current $current -Desired $list -Cleanup $clean
+
+# Check
+if(-not $check_mode -and $haveToChange)
+{
+ # Lets do some Real Work
+ if(-not $clean)
+ {
+ # We need to build a combined list with current and desired Values
+ $list = $list + $current;
+ $list = $list | Sort-Object -Property @{Expression={$_.Trim()}} -Unique
+ }
+ Set-ExclusionList -ExclusionType $type -List $list -Cleanup $clean
+ $changed = $true
+
+}else{
+ # Dry Check Mode
+ $changed = $haveToChange
+}
+
+$result = @{
+ changed=$changed
+ list=$list
+}
+
+Exit-Json $result;
diff --git a/roles/defender/defaults/main.yml b/roles/defender/defaults/main.yml
index 6aa1940..c650654 100644
--- a/roles/defender/defaults/main.yml
+++ b/roles/defender/defaults/main.yml
@@ -3,3 +3,6 @@
 # disables or enables Windows defender on the Windows system.
 defender_disable: true
+# example
+# defender_exclusion:
+# - path:
diff --git a/roles/defender/tasks/main.yml b/roles/defender/tasks/main.yml
index 93dab14..bf6bdd9 100644
--- a/roles/defender/tasks/main.yml
+++ b/roles/defender/tasks/main.yml
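Review bot: The destructive branch of `Set-ExclusionList` (`Remove-MpPreference` for every current entry) is gated by `if($Cleanup)`, but `clean` and `_ansible_check_mode` are read near the bottom of the hunk without `-type "bool"`, so a non-boolean value such as the string `"false"` is truthy in PowerShell and would strip every existing exclusion of that type; read them as `$clean = Get-AnsibleParam $parsed_args "clean" -type "bool" -default $false;` (and the same for `_ansible_check_mode`). `-default []` on the `list` parameter is not PowerShell's empty-array literal (`@()`); depending on how the argument parser treats it, an omitted `list` gives either a parse error or a one-element list holding the text `[]`, which the merge path would then write as an exclusion. The `$x -eq $null` comparisons in `Compare-ExclusionLists` filter rather than test once `$x` is a `[string[]]`, so an empty (non-null) desired list with `clean` set falls through to `Compare-Object` with an empty `-DifferenceObject`, which Compare-Object is likely to reject on Windows PowerShell 5.1; guards of the form `if ($null -eq $Desired -or $Desired.Count -eq 0)` cover both cases. Because the module only ever widens the exclusion set when `clean` is false, consider adding the before and after lists to `$result` so every exclusion change is visible in the play output rather than only the final `list`.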
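Review bot: The example added here shows `defender_exclusion` as a list (`#   - path:`), but the consumer added in the same commit in roles/defender/tasks/main.yml iterates it with `with_dict`, which needs a mapping whose keys are the module's `type` values (`Path`, `Extension`, `Process`) and whose values are the lists to exclude; the comment should show that shape. No active default is defined either, so `with_dict: '{{ defender_exclusion }}'` fails with an undefined variable on any host that does not set it; add `defender_exclusion: {}` above the commented example so the role runs with nothing excluded by default.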
@@ -1,5 +1,8 @@
 ---
 # tasks file for defender
-- name: 'Disable or Enable Defender'
- win_shell: 'Set-MpPreference -DisableRealtimeMonitoring ${{ defender_disable }}'
+- name: 'Exclude from Scanning'
+ win_defender_exclusion:
+ list: '{{ item.value }}'
+ type: '{{ item.key }}'
+ with_dict: '{{ defender_exclusion }}'
From 525e92347e6f0da926b8e3076a69db2dd8f050a1 Mon Sep 17 00:00:00 2001
From: Simon Baerlocher
Date: Mon, 21 Jun 2021 16:27:13 +0200
Subject: [PATCH 2/5] fix
---
 roles/defender/defaults/main.yml | 2 +-
 roles/defender/tasks/main.yml | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/roles/defender/defaults/main.yml b/roles/defender/defaults/main.yml
index c650654..2bb4e7d 100644
--- a/roles/defender/defaults/main.yml
+++ b/roles/defender/defaults/main.yml
@@ -2,7 +2,7 @@
 # defaults file for defender
 # disables or enables Windows defender on the Windows system.
-defender_disable: true
+defender_disable: fales
 # example
 # defender_exclusion:
 # - path:
diff --git a/roles/defender/tasks/main.yml b/roles/defender/tasks/main.yml
index bf6bdd9..fd1c52d 100644
--- a/roles/defender/tasks/main.yml
+++ b/roles/defender/tasks/main.yml
@@ -1,6 +1,10 @@
 ---
 # tasks file for defender
+- name: 'Disable or Enable Defender'
+ win_shell: 'Set-MpPreference -DisableRealtimeMonitoring ${{ defender_disable }}'
+ when: ansible_distribution_major_version is version('6', '>')
+
 - name: 'Exclude from Scanning'
 win_defender_exclusion:
 list: '{{ item.value }}'
From 48f31ee819eb36a860e407a186e03f8d0f3fb224 Mon Sep 17 00:00:00 2001
From: Simon Baerlocher
Date: Mon, 21 Jun 2021 16:28:27 +0200
Subject: [PATCH 3/5] update readme
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6d791df..125d67a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ and [human-readable changelog](https://keepachangelog.com/en/1.0.0/).
 ### Added
 - Add module win_policyfile
+- Add module win_defender_exclusion
 ### Changed
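Review bot: `defender_disable: fales` is a typo for `false`, and because the task in roles/defender/tasks/main.yml renders this value as `${{ defender_disable }}`, Set-MpPreference receives `$fales`, an undefined PowerShell variable, instead of an explicit boolean, so real-time monitoring ends up in whatever state the implicit `$null` conversion produces rather than the state the operator chose. Change the line to `defender_disable: false`. A setting that decides whether real-time protection is switched off should not be able to silently degrade into an unset variable, so it is also worth validating it at the point of use.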
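Review bot: `win_shell: 'Set-MpPreference -DisableRealtimeMonitoring ${{ defender_disable }}'` splices an inventory variable straight into a PowerShell command with no type check, so a mistyped or non-boolean value becomes an arbitrary token on the command line (for a plain word, an unintended `$name` variable reference) instead of a templating error; render it as `-DisableRealtimeMonitoring ${{ defender_disable | bool }}` so the argument is always `$True` or `$False`. `win_shell` also reports changed on every run, so the task will never be idempotent as written; `changed_when: false`, or comparing against `Get-MpPreference` first, would keep the play output honest about when Defender's state actually moved. The `when` guard only selects hosts by `ansible_distribution_major_version`; it does not confirm that the Defender cmdlets are present, so a failure there should be expected to surface as a shell error rather than a skipped task.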
From 3be6ef5dfa4f398d6ce6cc0cd756f6ded645e67e Mon Sep 17 00:00:00 2001
From: Simon Baerlocher
Date: Mon, 21 Jun 2021 16:30:01 +0200
Subject: [PATCH 4/5] update readme
---
 CHANGELOG.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 125d67a..ee700f9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,12 +5,17 @@ and [human-readable changelog](https://keepachangelog.com/en/1.0.0/).
 ## master
+## 0.0.8
+
+### Added
+
+- Add module win_defender_exclusion
+
 ## 0.0.7
 ### Added
 - Add module win_policyfile
-- Add module win_defender_exclusion
 ### Changed
From e2a607835ebf8b9a02f76d305481d74fd78a5aa1 Mon Sep 17 00:00:00 2001
From: Simon Baerlocher
Date: Mon, 21 Jun 2021 16:39:32 +0200
Subject: [PATCH 5/5] update version
---
 galaxy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/galaxy.yml b/galaxy.yml
index 9f2cb1e..ef5a8d0 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,7 +1,7 @@
 ---
 namespace: 'sbaerlocher'
 name: 'windows'
-version: 0.0.7
+version: 0.0.8
 readme: README.md
 authors:
 - 'Simon Baerlocher (https://sbaerlocher.ch)'