Closed Bug 1655361 Opened 6 months ago Closed 5 months ago

mach bootstrap should configure Windows for optimal building (e.g. Windows Defender)

Categories

(Firefox Build System :: Bootstrap Configuration, enhancement, P3)

Tracking

(firefox81 fixed)

RESOLVED FIXED
81 Branch

People

(Reporter: heycam, Assigned: mhentges)

Details

(Keywords: in-triage)

Attachments

(1 file, 1 obsolete file)

I just remembered that I should have added my source directory to the Windows Defender exclusion list. It would be nice if mach bootstrap could do this automatically, or if not possible, to prompt me to do it if it detects that the exclusion hasn't been added.

It probably can't do it automatically, otherwise malware could just disable it for itself. I don't know if it's possible to check the exclusion list through some API...

(also, if such an API exists, it would probably only tell about Windows Defender, not about other antivirus software)

We can certainly do some version of this for Windows Defender at least. I don't know if there's a lower-level API, but powershell -inputformat none -outputformat text -NonInteractive -Command (Get-MpPreference).ExclusionPath can list the exclusions, and we can subprocess into that from bootstrap. There's an analogous powershell invocation to add the exclusion, though it requires elevated permissions and doing that from Python is more complicated.

Severity: -- → S3
Keywords: in-triage
Priority: -- → P3

Huh, I didn't know that powershell.exe isn't accessible from MozillaBuild... not really sure what to do with that. I guess I can trawl through the System32 directory to try to find the right location of the binary, but my Windows isn't good enough to be able to come up with the least error-prone way of doing that.

Apparently the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths can be used to determine whether certain exclusions are added, but I haven't figured out the right incantation of winreg calls to robustly determine whether a given directory is properly excluded.

Assignee: nobody → mhentges

There's a Windows Defender CLI available via PowerShell, but MozillaBuild doesn't have access to PowerShell. So, instead, we
determine the excluded locations by checking the registry at HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths.

Also updates our Windows Defender docs to make them:

  • More easily link-able
  • Have direct advice to resolve the issue

Depends on D83572
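
A sketch of the registry check discussed in this bug, added here as an example; it is not the code from the landed patch. The function names are hypothetical, and it assumes each value name under the key is one excluded path and that entries are literal paths (no wildcards or environment variables). When the key cannot be read it reports "unknown" rather than "excluded".

```python
import ntpath

# Key named in the bug; assumption: each value *name* under it is one excluded path.
EXCLUSIONS_KEY = r"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"


def read_defender_exclusions():
    """Return the excluded paths, or None when the list cannot be read."""
    try:
        import winreg  # standard library, Windows only
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXCLUSIONS_KEY) as key:
            value_count = winreg.QueryInfoKey(key)[1]
            return [winreg.EnumValue(key, i)[0] for i in range(value_count)]
    except FileNotFoundError:
        return []  # key absent: no exclusions recorded
    except PermissionError:
        return None  # read denied: report "unknown", not "excluded"


def _normalize(path):
    # Windows paths compare case-insensitively and accept "/" as a separator.
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")


def is_excluded(directory, exclusions):
    """True if directory equals, or lies beneath, a literal exclusion entry."""
    target = _normalize(directory)
    for entry in exclusions:
        root = _normalize(entry)
        # Match on a component boundary so C:\src does not cover C:\src-old.
        if target == root or target.startswith(root + "\\"):
            return True
    return False


def defender_warning(directory, exclusions):
    if exclusions is None:
        return "Could not read Windows Defender exclusions for " + directory
    if not is_excluded(directory, exclusions):
        return "Windows Defender is watching " + directory
    return None


if __name__ == "__main__":
    import os
    print(defender_warning(os.getcwd(), read_defender_exclusions()))
```
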

Attachment #9168186 - Attachment is obsolete: true
Attachment #9168041 - Attachment description: Bug 1655361: Prints a warning if Windows Defender is not excluding the Firefox checkout directory → Bug 1655361: Prints a warning if Windows Defender is watching the Firefox checkout directory
Pushed by mhentges@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/272ef8e25986
Prints a warning if Windows Defender is watching the Firefox checkout directory r=firefox-build-system-reviewers,rstewart
Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch
Regressions: 1659615