2021-08-30

Schedule Full Windows Defender Scan

In the organization where I work, there is a BYOD policy. However, a personal device has to install a corporate policy enforcer application called OPSWAT. The organization's policy is configured so that if a full Windows Defender scan isn't performed within a week (the trust in Windows Defender is admirable), the connection to corporate resources is blocked. Running a full scan by hand on that schedule is tedious (Start menu > Windows Security > Virus & threat protection > Scan options > Full scan, Scan now).

Instead I opted to automate the full scan. As it turns out, Windows' own Task Scheduler ships with a template that only needs a little tweaking. Open the Start menu, type "Task", open Task Scheduler and navigate to Task Scheduler Library > Microsoft > Windows > Windows Defender > Windows Defender Scheduled Scan. The only problem is that the predefined job runs a quick scan, not a full one.


First we need to modify the command that gets executed. The program itself is correct, but the arguments should read Scan -ScanType 2 (where 2 stands for a global, i.e. full, scan). No other arguments are needed.



The other bit is the trigger. Since I am running my Windows instance in a VM, I opted for a daily scheduled run. If you need to do this on your main machine, I'd recommend a less frequent schedule. (Since it's a VM, it only has the files that are strictly necessary for my work, hence the runtime is below 5 minutes. YMMV.)



One last tip: sometimes Windows Defender exits with an error code (0x2 was the most common) when only the above two options are set. It happened to me as well. Once I changed the user the task runs as from SYSTEM to my local admin account, the error went away. I am not sure if this is the correct solution, but it is most certainly a viable workaround.



2021-08-20

YubiKey and GPG: How to add a new e-mail to an existing key

So the recommendation for storing GPG keys with YubiKey is to:

  • Store public keys on the GPG key chain
  • Store the private sub-keys on YubiKey
  • Store the private key offline, in a separate storage location

Hence, in order to edit the master key, one first needs to import it back:

gpg --import /path/to/offline/master/key/MASTERKEY.priv.asc
gpg --edit-key MASTERKEY
    adduid # Fill out form
    uid n # where n is the new uid number
    primary # To set the new e-mail as the primary e-mail address for the key
    save


This will add the new identity to the existing GPG key. Now the only thing left is to export the new version of the public information (along with the private keys for good measure):


gpg -a --export MASTERKEY > /path/to/offline/master/key/MASTERKEY.pub.asc
gpg -a --export-secret-key MASTERKEY > /path/to/offline/master/key/MASTERKEY.priv.asc
gpg -a --export-secret-subkeys MASTERKEY > /path/to/offline/master/key/MASTERKEY.priv-sub.asc

Now that everything is in a safe place once again, we remove the private keys from the machine (and keep using the YubiKey whenever they're needed). That can be done by deleting the private keys and then invoking a simple card-edit.

gpg --delete-secret-key MASTERKEY
gpg --card-edit

You'll know that you're successful if you see the # marker on the sec line of the master key (indicating that the private key is unknown) and the > marker on the ssb entries (indicating that the private keys are stubs on the machine and that the actual keys are stored on your YubiKey):

sec#  rsa4096/0xAAAAAAAAAAAAAAAA 2018-07-15 [C] [expires: 2020-06-16]
      Key fingerprint = DDDD AAAA 9999 7777 6666  EEEE 8888 1111 0000 1111
uid                   [ultimate] John Smith <jsmith@corp1.com>
uid                   [ultimate] John Smith <john.smith@corporation.com>
uid                   [ultimate] John Smith <john_smith4@company.com>
ssb>  rsa2048/0xBBBBBBBBBBBBBBBB 2018-07-15 [E] [expires: 2020-06-16]
ssb>  rsa2048/0xCCCCCCCCCCCCCCCC 2018-07-15 [S] [expires: 2020-06-16]
ssb>  rsa2048/0xDDDDDDDDDDDDDDDD 2018-07-15 [A] [expires: 2020-06-16]
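
The same check can be scripted instead of read off the listing. The following is an added example, not part of the original post: it parses the machine-readable output of gpg --list-secret-keys --with-colons, where field 15 of each sec/ssb record marks an offline key, a card stub or an on-disk key. The sample listings are constructed from the placeholder key IDs above, and the card serial number is made up.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Reads the output of
#   gpg --list-secret-keys --with-colons MASTERKEY
# on stdin. Field 15 of each sec/ssb record says where the secret part is:
#   "#"           -> no secret material on this machine (offline key)
#   serial number -> stub pointing at a smartcard such as a YubiKey
#   "+" or empty  -> secret key stored on disk (treating empty as on-disk
#                    is a conservative assumption of this example)
classify_secret_keys() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      if ($15 == "#")                    where = "offline"
      else if ($15 == "+" || $15 == "")  where = "on-disk"
      else                               where = "card"
      print $1, where, $5, $12
    }'
}

# Exit 0 only if the primary key is offline and every subkey is on a card.
keyring_is_clean() {
  classify_secret_keys | awk '
    { seen = 1 }
    $1 == "sec" && $2 != "offline" { bad = 1 }
    $1 == "ssb" && $2 != "card"    { bad = 1 }
    END { exit ((seen && !bad) ? 0 : 1) }'
}

# Constructed sample listing: placeholder key IDs, made-up card serial.
sample_clean() {
  cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1531612800:1592265600::u:::cC:::#:::23::0:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1531612800:1592265600:::::e:::D2760001240102010006000000010000:::23:
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1531612800:1592265600:::::s:::D2760001240102010006000000010000:::23:
ssb:u:2048:1:DDDDDDDDDDDDDDDD:1531612800:1592265600:::::a:::D2760001240102010006000000010000:::23:
EOF
}

# Same listing before the cleanup step: the primary secret key is on disk.
sample_dirty() { sample_clean | sed 's/:cC:::#:/:cC:::+:/'; }

sample_clean | classify_secret_keys
sample_clean | keyring_is_clean && echo "clean: master key offline, subkeys on card"
sample_dirty | keyring_is_clean || echo "not clean: secret key material on disk"
```

On a real machine, pipe the live listing into the check: gpg --list-secret-keys --with-colons MASTERKEY | keyring_is_clean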

2021-04-29

Configuring Yubikey Touch

 Steps:

ykman openpgp info
ykman openpgp set-touch aut on # or off
ykman openpgp set-touch sig on # or off
ykman openpgp set-touch enc on # or off

2021-04-26

Moving "Wide audience" to BCC

At the company where I work there is a great collaborative culture, and I love that. As part of this culture, we have large Outlook distribution lists (DLs) with hundreds or even thousands of employees as members. And some of these memberships are mandatory, such as "Everyone" or "ORG-Unit-X" etc.

Now the perk of this is that if you need help, you can send out an e-mail to, let's say, "All-PMS-In-The-Universe" with your question, and chances are you'll get an answer. And this is great. Our corporate policy is to put the DL into BCC, so we can avoid spamming the rest of the DL who aren't interested. (If the DL accidentally goes into TO or CC, people usually have the decency to delete the DL after hitting reply-all.)

But, sometimes people forget and you'll end up getting a ton of uninteresting messages. Now every once in a while these messages will start spamming your inbox. People sometimes step in and sacrifice themselves by moving the DL into BCC and sending it out, but again, chances are they're also disinterested, but they're willing to take one for the team. Which is a great thing to do, but completely unnecessary.

In Outlook, when you compose an e-mail you have the option to specify an alternative e-mail address that will receive the replies instead of yours. Simply enter the e-mail address of the original sender there, and call it a day. That way you'll stop getting the spam as well.








Bell Home Hub 3000 & Netgear Nighthawk X4S

So we moved recently into a bigger home, and I had to buy a WiFi extender due to the layout of our new place. Since this Netgear device was available with same-day delivery I went with it. Reviews weren't too bad plus I'll only need it for some light browsing, so any basic extender would work. 

What I didn't want was to rent one from Bell for an extra $10 each month. In less than a year I'll be saving money by owning the device.

So after the thing arrived, I had trouble making it work for some mysterious reason. The device setup worked as expected and on the Netgear side everything was green. However, when I connected a device via the extender, the weirdest thing happened: right after connecting, everything was fine for a good 5-8 seconds. But then there was no internet connection. I first thought it was a fluke in the system, so I restarted every AP in the house, but the same thing happened all over again.

After spending half the night troubleshooting what could be the issue, I noticed this toggle in my Home Hub 3000:


Once I toggled it off and restarted everything for good measure, the problem was gone, just like that.

Since I haven't found traces of this trick on the web I figured I'll create this short post for future generations :D I hope it helps others.

2021-03-18

Outlook & Grey backgrounds

 Have you ever received an esthetic corporate e-mail, something like this one:


Right after that, you get a reply-all follow-up, but it's barely readable due to the new default background color of gray?



 Now, if you hit reply, yours wouldn't look much better either. Here is how you can fix it:


Go to the Options tab (1) in your reply window, then select Page color (2), No Color (3). There, that wasn't so hard now, was it? ;)



2021-02-28

How to keep a git repo hierarchy constantly in sync locally

In the past few years I have been working more as an architect than as a developer, and I mostly work with teams on the other side of the sea. So usually, by the time I wake up and get to work, there are a bunch of updates in the project. And if the project is big enough, it can potentially involve dozens of repos - microservices for the win.

Now I do have notifications configured to my liking in the repos I'm interested in, but since I am still trying to be hands-on, I try to spend a few minutes running the code locally. (In other cases I need to support the business in real time, and then a running local version is really handy.)

TLDR: I need to keep a lot of repos updated, and I have found myself re-inventing the same 10 lines of bash script over and over again.