0

Using the Windows Defender API, I'm trying to scan a folder for malware. Following the documentation, I wrote this code:

MPRESOURCE_INFO ResourceInfo = { 0 };
MPSCAN_RESOURCES ScanResource = { 0 };
PMPRESOURCE_INFO ResourceInfoArray = NULL;
...
ResourceInfo.Scheme = L"dir";
ResourceInfo.Path = L"C:\\temp";
ResourceInfo.Class = 0;

// ResourceInfoArray was allocated before
*ResourceInfoArray = ResourceInfo;
ScanResource.dwResourceCount = 1;
ScanResource.pResourceList = ResourceInfoArray;

// Opened hMpManager before using MpScanStart
hRetval = MpScanStart(hMpManager, MPSCAN_TYPE_RESOURCE, 0, &ScanResource, NULL, &ScanHandle);

From which I get an error message: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.

However, if I change the ResourceInfo definition to:

ResourceInfo.Scheme = L"file";
ResourceInfo.Path = L"C:\\temp\\MyFile.exe";
ResourceInfo.Class = 0;

It works great, detecting the file in the right way. Bottom line: the code works for files, but doesn't work for directories. Does anyone know what I am doing wrong with the directory search?

macro_controller

1 Answer

0

Analyzing event logs created by MpCmdRun.exe, I found out that it uses the scheme "folder" instead of "dir". That change made my code work.

ResourceInfo.Scheme = L"folder";

Folder paths do not have to end with a backslash, but drives require it: (F:\).

stefan.gal
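The scheme and path rules from the answer above, as an added example that is not part of either post or of the Defender API. `scan_target`, `make_scan_target` and the `is_dir` parameter are hypothetical names, and the caller is assumed to know already whether the path is a directory.

```c
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

/* Hypothetical helper (not part of the Defender API): produces the two
 * strings the question assigns to ResourceInfo.Scheme / ResourceInfo.Path. */
typedef struct {
    const wchar_t *scheme;     /* L"file" or L"folder" */
    wchar_t        path[260];  /* normalized copy; 260 is an assumed cap */
} scan_target;

/* True for a bare drive such as L"F:" or L"F:\\". */
static int is_drive_root(const wchar_t *p, size_t len)
{
    if (len < 2 || len > 3 || !iswalpha((wint_t)p[0]) || p[1] != L':')
        return 0;
    return len == 2 || p[2] == L'\\';
}

/* Returns 0 on success, -1 on bad input or a path too long for the buffer.
 * is_dir is supplied by the caller (assumption: known from the file
 * attributes); this function only applies the naming rules in the answer. */
int make_scan_target(const wchar_t *path, int is_dir, scan_target *out)
{
    size_t len, cap;

    if (path == NULL || out == NULL || path[0] == L'\0')
        return -1;
    len = wcslen(path);
    cap = sizeof out->path / sizeof out->path[0];
    if (len + 2 > cap)           /* room for an added backslash and the NUL */
        return -1;

    wmemcpy(out->path, path, len + 1);
    if (is_drive_root(path, len)) {
        /* Drives must end with a backslash, so a bare "F:" gets one appended. */
        if (len == 2) {
            out->path[2] = L'\\';
            out->path[3] = L'\0';
        }
        out->scheme = L"folder";
    } else {
        /* Directories use "folder", not "dir"; a trailing backslash is optional. */
        out->scheme = is_dir ? L"folder" : L"file";
    }
    return 0;
}
```

The resulting `scheme` and `path` are what would be assigned to `ResourceInfo.Scheme` and `ResourceInfo.Path` before the `MpScanStart` call shown in the question.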