diff --git a/projects/msp-tools/guru-scan/README.md b/projects/msp-tools/guru-scan/README.md index 9cf8c44..eef25fe 100644 --- a/projects/msp-tools/guru-scan/README.md +++ b/projects/msp-tools/guru-scan/README.md @@ -31,7 +31,6 @@ Scanners run in this order. Each stage hands off to the next regardless of findi | 2 | **AdwCleaner** | adware | Removes adware, PUPs, and browser hijackers. | | 3 | **Emsisoft Command Line Scanner** | antimalware | Two-step: NSIS installer extracts to `C:\EmsisoftCmd\`, then `/update` fetches latest definitions, then scans. | | 4 | **HitmanPro** | antimalware | Cloud-assisted second-opinion scanner. Trial registry is reset before each run via `Invoke-HitmanProTrialReset`. | -| 5 | **ESET Online Scanner** | antimalware | Skipped automatically when running as SYSTEM (requires interactive desktop). | MSERT (Microsoft Safety Scanner) is excluded from the default chain — it is too slow for routine remediation runs. Add it back to `scanners.json` if needed. 
@@ -46,29 +45,29 @@ for routine remediation runs. Add it back to `scanners.json` if needed. | AdwCleaner | Clean | Cleaned, no reboot needed | Cleaned, reboot required | Found but not cleaned (scan-only) | — | | Emsisoft | Clean | Threats found/cleaned | Cleaned, reboot required | — | — | | HitmanPro | Clean | Cleaned | Cleaned, reboot required | — | — | -| ESET | Clean | Threats found | Incomplete removal, reboot may help | — | — | | MSERT | Clean | Threats found/cleaned | — | — | Non-zero = threats | | TDSSKiller | Clean | Threats found | — | — | — | | Stinger | Clean | — | — | — | 13 = threats | -Reboot-required exit codes: AdwCleaner 2, HitmanPro 2, Emsisoft 2, ESET 2. +Reboot-required exit codes: AdwCleaner 2, HitmanPro 2, Emsisoft 2. --- -## Autologon / Cleanup Lifecycle +## Post-Scan Cleanup Lifecycle -When any scanner exits with a reboot-required code (exit 2), the following sequence runs: +When any scanner exits with a reboot-required code (exit 2), the following sequence runs automatically — no forced reboot, no temp user account: -1. `Invoke-RebootCleanupSetup` writes `cleanup-state.json` with the original user, scan ID, and log path. -2. A hidden `GuruRMM-Temp` administrator account is created with a random password. -3. One-time autologon (`AutoLogonCount=1`) is configured for `GuruRMM-Temp`. Windows clears the password after the first use. -4. The account is hidden from the login screen via the `SpecialAccounts\UserList` registry key. -5. A logon-triggered scheduled task (`GuruRMM-PostRebootCleanup`) is registered for `GuruRMM-Temp`. -6. The machine reboots after a 15-second warning. -7. On next boot, Windows auto-logs in as `GuruRMM-Temp`. The WPF splash appears immediately (full-screen, black, cursor hidden). -8. `Invoke-PostRebootCleanup` runs: verifies pending operations cleared, removes scanner files, writes `logs-ready.json`, restores the original user's login name, clears autologon, removes the cleanup task. -9. 
A SYSTEM scheduled task (`GuruRMM-TempUserDelete`) is registered to delete the `GuruRMM-Temp` account 2 minutes later (cannot delete your own account while logged in). -10. The splash closes, `logoff` is called, and the machine returns to the normal login screen. +1. `Register-ScannerCleanupTask` writes `cleanup-state.json` (scan ID + log path) to `C:\GuruScan\`. +2. `Invoke-ScannerCleanup.ps1` is written to `C:\GuruScan\`. +3. A SYSTEM scheduled task (`GuruRMM-ScannerCleanup`) is registered with an **at-logon + 30-minute delay** trigger. +4. The scan completes and prints a message to reboot at your convenience. +5. After the next natural reboot and user login, the task fires 30 minutes later (silently, in the background as SYSTEM). +6. The cleanup script removes all scanner installation paths (`C:\EmsisoftCmd`, `C:\AdwCleaner`, `C:\ProgramData\HitmanPro*`, `C:\GuruScan\downloads\`), writes `logs-ready.json` for GuruRMM to pick up, and unregisters itself. + +To run cleanup immediately without waiting (e.g. if the task was missed): +```powershell +.\Invoke-PostRebootCleanup.ps1 +``` --- @@ -76,9 +75,6 @@ When any scanner exits with a reboot-required code (exit 2), the following seque - `-Headless` passes `NoNewWindow` to all scanner launches, suppressing UI windows. Use this when dispatching from an RMM agent that has no interactive desktop. -- ESET is automatically skipped when the script detects it is running as the SYSTEM - account (`[System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem`). - Pass `-SkipEset` explicitly to skip it under other accounts. --- 
@@ -90,7 +86,6 @@ When any scanner exits with a reboot-required code (exit 2), the following seque | AdwCleaner | Free for personal and commercial use | | Emsisoft Command Line Scanner | Free for personal and MSP remediation use | | HitmanPro | Commercial license required. Each scan uses trial mode; `Invoke-HitmanProTrialReset` resets the trial window. Verify current licensing terms at https://www.hitmanpro.com before deploying at scale. | -| ESET Online Scanner | Free for personal and commercial use | Always verify current licensing terms with each vendor before large-scale deployment. @@ -105,9 +100,6 @@ Always verify current licensing terms with each vendor before large-scale deploy # Detect only, then auto-remediate if threats found .\Invoke-GuruScan.ps1 -ScanOnly -AutoRemediate -# Skip ESET (e.g. unattended run) -.\Invoke-GuruScan.ps1 -SkipEset - # Suppress scanner windows (RMM dispatch) .\Invoke-GuruScan.ps1 -Headless @@ -147,8 +139,8 @@ Invoke-Remediation -LogRoot "C:\ScanLogs\DESKTOP-20260523-143000" # Summary report Get-ScanSummary -AI -# Post-reboot cleanup (called by Invoke-PostRebootCleanup.ps1) -Invoke-PostRebootCleanup -StateFile "C:\GuruScan\cleanup-state.json" +# Manual scanner cleanup (normally runs via scheduled task) +Invoke-PostRebootCleanup ``` --- @@ -163,7 +155,7 @@ guru-scan\ Invoke-GuruScan.ps1 # Thin launcher -> Invoke-GuruScan Invoke-Remediation.ps1 # Thin launcher -> Invoke-Remediation Get-ScanSummary.ps1 # Thin launcher -> Get-ScanSummary - Invoke-PostRebootCleanup.ps1 # WPF splash + logoff; delegates cleanup to module + Invoke-PostRebootCleanup.ps1 # Thin launcher -> Invoke-PostRebootCleanup (manual cleanup trigger) Download-Scanners.ps1 # Downloads scanner EXEs from scanners.json URLs downloads\ # Scanner EXEs (gitignored) ```
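Review bot: (hunk `@@ -31,7 +31,6 @@`) deleting the ESET row leaves the stage table with no trace of why ESET Online Scanner is gone, while the MSERT sentence directly below explains that scanner's absence and how to re-enable it via `scanners.json`. Add a matching sentence for ESET (the removed row already gives the reason: it needs an interactive desktop and was skipped under SYSTEM) so readers with an existing `scanners.json` entry know it is no longer part of the default chain.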
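Review bot: (hunk `@@ -46,29 +45,29 @@`) the rewritten lifecycle drops the "verifies pending operations cleared" check that old step 8 performed, yet the new `GuruRMM-ScannerCleanup` task uses an at-logon trigger, which also fires on a plain logoff/logon with no reboot in between, so `Invoke-ScannerCleanup.ps1` can delete `C:\EmsisoftCmd`, `C:\AdwCleaner` and `C:\ProgramData\HitmanPro*` while a scanner's pending file operations are still queued for the next boot. Have the cleanup script confirm that no reboot is pending before removing those paths, or document that this case is tolerated. Two further documentation gaps in the same hunk: the ACL on `C:\GuruScan\` is not stated, and a SYSTEM task that executes a script from that directory requires it to be writable only by administrators; and machines upgraded from the previous flow may still carry a `GuruRMM-Temp` account with autologon configured and a `GuruRMM-PostRebootCleanup` task, so a sentence on whether the new cleanup removes those leftovers would help.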
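Review bot: (hunk `@@ -76,9 +75,6 @@`) removing the `-SkipEset` paragraph with no deprecation note means any RMM job still passing `-SkipEset` to `Invoke-GuruScan.ps1` will fail at parameter binding if the launcher's parameter was removed along with the docs. Either keep `-SkipEset` as a documented no-op for one release or add a line here stating that the switch is no longer accepted.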
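Review bot: (hunk `@@ -147,8 +139,8 @@`) the example drops `-StateFile "C:\GuruScan\cleanup-state.json"` but the new comment does not say whether `Invoke-PostRebootCleanup` now defaults to that path or whether the parameter still exists. State the default explicitly (the lifecycle section says `Register-ScannerCleanupTask` writes `cleanup-state.json` to `C:\GuruScan\`) so the manual invocation is guaranteed to read the same state file the scheduled task uses.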
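Review bot: (hunk `@@ -163,7 +155,7 @@`) the layout comment presents `Invoke-PostRebootCleanup.ps1` as the manual cleanup trigger, yet the lifecycle section says the scheduled task runs `Invoke-ScannerCleanup.ps1` written to `C:\GuruScan\`, and that file appears nowhere in the tree. Either list it here with a note that `Register-ScannerCleanupTask` generates it at scan time, or use one script name for both the scheduled and the manual path so readers are not left guessing which file the task actually executes.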