Microsoft.FEP.MalwareProtection.AbortScanAction (WriteActionModuleType)
Element properties:
Member Modules:
Overrideable Parameters:
Source Code:
<WriteActionModuleType ID="Microsoft.FEP.MalwareProtection.AbortScanAction" Accessibility="Public" Batching="false">
<Configuration>
<xsd:element minOccurs="0" name="TimeoutSeconds" type="xsd:positiveInteger"/>
</Configuration>
<OverrideableParameters>
<OverrideableParameter ID="TimeoutSeconds" Selector="$Config/TimeoutSeconds$" ParameterType="int"/>
</OverrideableParameters>
<ModuleImplementation Isolation="Any">
<Composite>
<MemberModules>
<WriteAction ID="PowerShellScript" TypeID="Windows!Microsoft.Windows.PowerShellWriteAction">
<ScriptName>MpStopScan.ps1</ScriptName>
<ScriptBody><Script>
function Compile-Csharp ([string] $code)
{
    # Compiles the C# source text in $code with the CodeDom C# provider, as a
    # library (not an executable) generated in memory. Every entry the
    # compiler reports is echoed and the function then throws; on a clean
    # compile it produces no output.
    #
    # NOTE(review): CompilerResults.Errors also carries warnings, so a
    # warning-only compile takes the failure path here - confirm that is intended.
    # NOTE(review): CodeDom compilation runs the C# compiler and stages files in
    # the temp directory of the account running this script; confirm that
    # directory is not writable by less-privileged users.
    $provider = New-Object Microsoft.CSharp.CSharpCodeProvider
    $options = New-Object System.CodeDom.Compiler.CompilerParameters
    $options.GenerateExecutable = $false
    $options.GenerateInMemory = $true
    $options.OutputAssembly = "custom"

    $results = $provider.CompileAssemblyFromSource($options, $code)
    if ($results.Errors.Count -eq 0)
    {
        return
    }

    # Show the offending source line next to each compiler message.
    $codeLines = $code.Split("`n");
    foreach ($ce in $results.Errors)
    {
        write-host "Error: $($codeLines[$($ce.Line - 1)])"
        $ce |out-default
    }
    Throw "INVALID DATA: Errors encountered while compiling code"
}
$code = @'
using System;
using System.Runtime.InteropServices;
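namespace MpClientInvoke
{
    // Thin P/Invoke wrapper around MpClient.dll, used by the calling script to
    // open a manager handle, send MPCONTROL_ABORT, and close the handle.
    //
    // MpClient.dll is imported by bare file name, so which copy gets loaded
    // depends on the DLL search path in effect at the first native call.
    // SetDllSearchDirectory must therefore succeed with the trusted install
    // directory before OpenHandle is called.
    //
    // NOTE(review): the calling script compiles this text at run time with the
    // CodeDom C# provider and no extra references; keep to older C# syntax and
    // mscorlib types unless those compiler options are changed - confirm.
    public class MpOperation
    {
        private const int MPCONTROL_ABORT = 0;

        // HRESULT E_HANDLE, returned when no handle is open.
        // NOTE(review): assumes the MpClient return codes are HRESULTs
        // (negative means failure) - confirm against the MpClient API docs.
        private const int E_HANDLE = unchecked((int)0x80070006);

        private static IntPtr MpHandle;

        // Declared with the BOOL return and Unicode marshalling so a failed
        // call is visible and non-ANSI install paths are passed intact.
        [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        private static extern bool SetDllDirectory(string lpPathName);

        [DllImport("MpClient.dll")]
        private static extern int MpManagerOpen(uint dwReserved, out IntPtr MpHandle);

        [DllImport("MpClient.dll")]
        private static extern int MpHandleClose(IntPtr hMpHandle);

        [DllImport("MpClient.dll")]
        private static extern int MpScanControl(IntPtr hScanHandle, int ScanControl);

        // Adds dllPath to the process DLL search path.
        // Throws ArgumentException when dllPath is null, empty or not rooted:
        // a null or empty argument would not add a directory at all, and the
        // MpClient.dll import would then resolve through the default search
        // order. Throws InvalidOperationException when the Win32 call fails.
        // Callers should not go on to OpenHandle after either exception.
        public static void SetDllSearchDirectory(string dllPath)
        {
            if (dllPath == null || dllPath.Length == 0)
            {
                throw new ArgumentException("dllPath must be a non-empty directory path", "dllPath");
            }
            if (!System.IO.Path.IsPathRooted(dllPath))
            {
                throw new ArgumentException("dllPath must be a rooted directory path", "dllPath");
            }
            if (!SetDllDirectory(dllPath))
            {
                throw new InvalidOperationException(
                    "SetDllDirectory failed, Win32 error " + Marshal.GetLastWin32Error());
            }
        }

        // Opens the manager handle and stores it for StopScan and CloseHandle.
        // Returns the code reported by MpManagerOpen.
        public static int OpenHandle()
        {
            MpHandle = IntPtr.Zero;
            int returncode = MpManagerOpen(0, out MpHandle);
            if (0 > returncode)
            {
                // Do not keep whatever was written to the out parameter on failure.
                MpHandle = IntPtr.Zero;
            }
            return returncode;
        }

        // Sends MPCONTROL_ABORT on the stored handle and returns the code from
        // MpScanControl, or E_HANDLE without calling native code when no
        // handle is open.
        // NOTE(review): the import names its first parameter hScanHandle but
        // the handle passed here comes from MpManagerOpen - confirm that the
        // API accepts a manager handle for this call.
        public static int StopScan()
        {
            if (MpHandle == IntPtr.Zero)
            {
                return E_HANDLE;
            }
            int returncode = MpScanControl(MpHandle, MPCONTROL_ABORT);
            return returncode;
        }

        // Closes the stored handle and clears it so it cannot be closed or
        // used a second time. Returns the code from MpHandleClose, or E_HANDLE
        // when no handle is open.
        public static int CloseHandle()
        {
            if (MpHandle == IntPtr.Zero)
            {
                return E_HANDLE;
            }
            int returncode = MpHandleClose(MpHandle);
            MpHandle = IntPtr.Zero;
            return returncode;
        }
    }
}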
'@
# Logging configuration. The log file lives under the temp directory of the
# account running this script; logging stays off ("0") unless the
# HKLM\SOFTWARE\Microsoft\FEPS\Log key exists and its Enabled value says otherwise.
# NOTE(review): nothing here creates the "FEP 2010 Security MP" folder or sets
# its ACL - confirm it exists and is not writable by less-privileged users.
$LogFilePath = "$Env:temp\FEP 2010 Security MP\AbortScan.log"
$EnableLog = "0"

$LogPathExist = Test-Path "HKLM:\SOFTWARE\Microsoft\FEPS\Log\"
if ($LogPathExist)
{
    $shell = New-Object -ComObject WScript.Shell
    $EnableLog = $shell.RegRead("HKLM\SOFTWARE\Microsoft\FEPS\Log\Enabled")
}
function Log
{
    # Appends $message to the file named by $LogFilepath, but only when
    # $EnableLog equals "1"; both variables are read from the enclosing script.
    param($message)

    if ($EnableLog -ne "1")
    {
        return
    }
    $message | Out-File $LogFilepath -Append
}
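# Compile the P/Invoke wrapper held in $code. Compile-Csharp declares only
# $code, so the trailing "v2.0.50727" argument is not consumed by it.
compile-CSharp $code "v2.0.50727"

# Resolve the antimalware install directory. MpClient.dll is imported by bare
# name, so it must be loaded from this directory and nowhere else: if the
# registry read fails or the DLL is not there, stop instead of letting the
# loader fall back to the default DLL search order.
$InstallationPath = $null
$InstallationPath = (New-Object -ComObject WScript.Shell).RegRead("HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\InstallLocation")
$MpClientFound = $false
if (-not [string]::IsNullOrEmpty($InstallationPath))
{
    $MpClientFound = Test-Path -LiteralPath (Join-Path $InstallationPath "MpClient.dll") -PathType Leaf
}
if (-not $MpClientFound)
{
    Log "MpClient.dll not found under install location '$InstallationPath'; scan abort not attempted"
    Throw "INVALID DATA: MpClient.dll not found under the registered antimalware install location"
}

Log "Set Dll SearchDirectory to Path: $InstallationPath"
[MpClientInvoke.MpOperation]::SetDllSearchDirectory($InstallationPath)

# Preset to a failure value so a call that throws is not mistaken for success.
$ErrorCode = -1
$ErrorCode = [MpClientInvoke.MpOperation]::OpenHandle()
Log "MpOpenHandle() success or error code: $ErrorCode"

# NOTE(review): treats negative codes as failure (HRESULT convention) - confirm.
if ($ErrorCode -lt 0)
{
    # Without a manager handle there is nothing to abort or close.
    Log "MpStopScan() skipped: no manager handle was opened"
}
else
{
    $ErrorCode = [MpClientInvoke.MpOperation]::StopScan()
    Log "MpStopScan() success or error code: $ErrorCode"
    $ErrorCode = [MpClientInvoke.MpOperation]::CloseHandle()
    Log "MpCloseHandle success or error code: $ErrorCode"
}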
</Script></ScriptBody>
<TimeoutSeconds>$Config/TimeoutSeconds$</TimeoutSeconds>
</WriteAction>
</MemberModules>
<Composition>
<Node ID="PowerShellScript"/>
</Composition>
</Composite>
</ModuleImplementation>
<InputType>System!System.BaseData</InputType>
</WriteActionModuleType>