Twistlock can secure Windows containers running on Windows Server 2016 and Windows Server 2019 hosts. A single instance of Twistlock Console can simultaneously protect both Windows and Linux containers on both Windows and Linux hosts. Twistlock’s Intelligence Stream includes vulnerability data from Microsoft, so as new CVEs are reported, Twistlock can detect them in your Windows images.
The architecture of Defender on Windows differs from Defender on Linux. Rather than running as a Docker container (as it does on Linux), Defender runs as a Windows service. And rather than implementing runtime protection in userspace (as it does on Linux), it uses Windows drivers. This is because Windows Docker containers have no concept of capabilities like Linux containers do. Defender on Windows runs as a service so that it can acquire the permissions it needs to secure the containers on your host. When you deploy Defender, it appears as a service. The Defender type "Container Defender - Windows" means that Defender is capable of securing your containers, not that it’s deployed as a container.
To deploy Defender on Windows, you’ll copy a PowerShell script from the Twistlock Console and run it on the host where you want to install Defender.
Full feature parity on both Windows and Linux is a key objective. With every release, Twistlock expands Defender’s capabilities on Windows.
The following table shows the current state of Twistlock’s Windows support:
Platform | Vulnerability | Compliance | Runtime defense: Process | Runtime defense: Network | Runtime defense: File sys | Runtime defense: Syscalls | Firewalls: CNAF | Firewalls: CNNF
---|---|---|---|---|---|---|---|---
Linux | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Windows 2016 | Yes | Yes | No | No | No | No | No | No
Windows 2019 | Yes | Yes | Yes | Yes | Yes | No | No | Yes
As a quick review, Twistlock runtime defense builds a whitelist model for each container image during a so-called learning period. After the learning period has completed, any violation of the model triggers an action as defined by your policy (alert, prevent, block).
As Twistlock builds the model, any interactive tasks that are run are logged. These interactive tasks can be viewed in the History tab of each model. On Windows, Twistlock cannot currently detect when interactive tasks are run with the docker exec command, although Twistlock does correctly record interactive tasks run from a shell inside a container with the docker run -it <IMAGE> sh command. No matter how the interactive task is run, however, the model will correctly whitelist a process if it’s in learning mode, and it will take action if the model is violated when in enforcement mode.
Twistlock Console must first be installed on a Linux host. Twistlock Defenders are then installed on each Windows host you want to protect. For more information about installing Console, see Getting Started. The Onebox install is the fastest way to get Console running on a stand-alone Linux machine.
Defenders are deployed with a 64-bit PowerShell script, defender.ps1, which downloads the necessary files from Console. Defender is registered as a Windows service.
Run the Twistlock Defender deployment PowerShell script from a Windows PowerShell 64-bit shell.
After the install is completed, Twistlock files can be found in the following locations:
C:\Program Files\Twistlock\
C:\ProgramData\Twistlock\
Windows Server 2016 or Windows Server 2019. Twistlock is not supported on Windows 10 or Hyper-V.
Docker for Windows (1.12.2-cs2-ws-beta) or higher. For more information about installing Docker on Windows, see Windows Containers on Windows Server.
Log into Console.
Go to Manage > Defenders > Deploy.
In Choose the Defender type, select Docker on Windows.
Copy the curl script and run it on your host to install Defender on the Windows host.
If you install Windows locally on your laptop, the 'netsh' commands are not needed. They are only applicable to the GCE environment.
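The following PowerShell script is an added example, not part of the Twistlock documentation or product: it checks the host against the prerequisites stated above (64-bit shell, Windows Server 2016/2019, Docker present) and, after deployment, confirms that Defender is registered as a running service and that the two directories listed above exist. The Defender service name is not given on this page, so it is taken from a parameter that you must set to the name shown in services.msc.

```powershell
# Added example (not Twistlock's own code). Pre-flight and post-install checks for a
# Defender host, based only on the requirements this page states.
param(
    [string]$ServiceName = 'twistlock-defender'   # assumption: set to the service name shown in services.msc
)

function Test-DefenderPrereqs {
    $ok = $true

    # defender.ps1 must run from a 64-bit PowerShell shell.
    if (-not [Environment]::Is64BitProcess) {
        Write-Warning 'Not a 64-bit PowerShell process; start the 64-bit shell before running defender.ps1.'
        $ok = $false
    }

    # Supported hosts are Windows Server 2016 and 2019; Windows 10 and Hyper-V are not supported.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.Caption -notmatch 'Windows Server (2016|2019)') {
        Write-Warning "Unsupported OS: $($os.Caption)"
        $ok = $false
    }

    # Docker for Windows must be installed; print the engine version for manual comparison
    # against the minimum stated on this page.
    if (Get-Command docker -ErrorAction SilentlyContinue) {
        $dockerVersion = & docker version --format '{{.Server.Version}}' 2>$null
        if ($dockerVersion) { Write-Host "Docker server version: $dockerVersion" }
        else { Write-Warning 'Docker CLI found but the engine is not reachable.'; $ok = $false }
    } else {
        Write-Warning 'Docker is not installed on this host.'
        $ok = $false
    }
    return $ok
}

function Test-DefenderInstalled {
    # Directories the page says are created by the install.
    $paths = 'C:\Program Files\Twistlock\', 'C:\ProgramData\Twistlock\'
    $missing = @($paths | Where-Object { -not (Test-Path -Path $_) })
    foreach ($p in $missing) { Write-Warning "Expected Twistlock directory missing: $p" }

    # Defender registers as a Windows service, not as a container.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service '$ServiceName' not found."; return $false }
    Write-Host "Service $($svc.Name) status: $($svc.Status)"
    return ($svc.Status -eq 'Running' -and $missing.Count -eq 0)
}

if (Test-DefenderPrereqs) { Test-DefenderInstalled }
```

Run the script once before executing defender.ps1 (only the prerequisite checks are meaningful then) and again afterwards to confirm the service is running; a remaining warning after decommissioning points at the remnant files mentioned later on this page.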
To scan Windows images in your registry, you must install at least one Windows Defender. Twistlock automatically distributes the scan job across available Defenders. To scan registries that hold both Windows and Linux images, install at least one Linux Defender and one Windows Defender in your environment.
You can uninstall Defender directly from the Console UI.
Go to Manage > Defenders > Manage.
This page shows a list of Defenders deployed in your environment and connected to Console.
Click the Decommission button.
You can also manually uninstall Defender from the command line by running:
C:\Program files\twistlock\scripts\defender.ps1 -uninstall
Since Defender runs as a Windows service, decommissioning it will stop the service. Some remnant files might need to be deleted manually.
To retrieve Windows driver logs, see Troubleshooting Windows driver events.