
Does a Windows 10 endpoint check software installations for malware if they are installed through GPO / SCCM / Software Center?

Çağlar Arlı


I'm trying to get a view on what extra security checks our packaging team could do when they download a potentially infected installer from the web before they package an MSI or EXE (assuming that the software vendor didn't provide a checksum or the staff member from the packaging team omitted to check it). By nature, these installers are run with administrative privileges, increasing the chances of exploitation.

I was wondering to what extent an infected installer would fly under the radar if it is downloaded to an SCCM server and packaged there for distribution to clients. If the installer is never run on any system before being deployed, will malware detection on the endpoint be triggered upon installation?

As Windows Defender SmartScreen only kicks in when you actually run the installer (verified by downloading https://demo.smartscreen.msft.net/known/knownmalicious.exe), how is that handled when a software installation is done silently through a GPO / Software Center? Does the packaging process do some sort of a "dry run" of the executable before packaging it (checking publisher certificates, performing a virus scan, trying to run it and seeing whether SmartScreen goes off, ...), or is it assumed that the person performing the packaging does this manually?

Any and all input and/or links to resources are highly appreciated.
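The three checks the question lists (vendor hash, publisher certificate, on-demand antivirus scan) can be scripted on the packaging workstation before the file ever reaches the SCCM content library. The script below is an added example written for this page; it is not part of the original question and not anything SCCM or the Software Center does on its own. It assumes Microsoft Defender Antivirus is installed (for MpCmdRun.exe and the Defender PowerShell module), and the parameters `$InstallerPath`, `$ExpectedSha256` and `$ExpectedSubjectPattern` are hypothetical inputs the packaging team would supply. Note the limitation the question itself hints at: this scans the outer installer as a static file, so it says nothing about payloads the installer fetches or unpacks at run time, and it is not a SmartScreen reputation check, which only fires when the file is launched.

```powershell
# Added example (not from the original post): pre-packaging checks for a downloaded installer.
# Assumes Microsoft Defender Antivirus is present; all parameters are hypothetical inputs.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    [string] $ExpectedSha256,           # vendor-published SHA-256, if the vendor supplies one
    [string] $ExpectedSubjectPattern    # wildcard for the expected signer subject, e.g. 'CN=Contoso Ltd*'
)

$failures = @()

# 1. Integrity: compare the file against the vendor-published hash when one exists.
#    Without a vendor hash the best we can do is record what we saw for later comparison.
$actualSha256 = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
if ($ExpectedSha256) {
    if ($actualSha256 -ne $ExpectedSha256.ToUpperInvariant()) {
        $failures += "SHA-256 mismatch: file is $actualSha256, vendor published $ExpectedSha256"
    }
} else {
    Write-Warning "No vendor hash supplied; record SHA-256 $actualSha256 in the package notes"
}

# 2. Authenticity: the Authenticode signature must verify and chain to a trusted root,
#    and the signer should be the vendor we expect, not merely "some valid certificate".
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    $failures += "Authenticode status is '$($sig.Status)' (unsigned, tampered, or untrusted chain)"
} elseif ($ExpectedSubjectPattern -and ($sig.SignerCertificate.Subject -notlike $ExpectedSubjectPattern)) {
    $failures += "Signer '$($sig.SignerCertificate.Subject)' does not match '$ExpectedSubjectPattern'"
}

# 3. Static AV check: an on-demand Defender scan of just this file.
#    MpCmdRun.exe -Scan -ScanType 3 scans a single file; exit code 2 means a threat was found.
#    -DisableRemediation leaves the sample in place so the packager can submit it for analysis.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpCmdRun -Scan -ScanType 3 -File $InstallerPath -DisableRemediation | Out-Null
if ($LASTEXITCODE -eq 2) {
    $detections = Get-MpThreatDetection | Where-Object { $_.Resources -like "*$InstallerPath*" }
    $names = ($detections | ForEach-Object { $_.ThreatID }) -join ', '
    $failures += "Defender flagged the file (threat IDs: $names)"
} elseif ($LASTEXITCODE -ne 0) {
    $failures += "Defender scan did not complete cleanly (exit code $LASTEXITCODE)"
}

# Summary: any failure blocks packaging; otherwise print what was verified.
if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Error $_ }
    exit 1
}

[pscustomobject]@{
    File        = $InstallerPath
    Sha256      = $actualSha256
    Signer      = $sig.SignerCertificate.Subject
    SignedOn    = $sig.SignerCertificate.NotBefore
    DefenderOK  = $true
}
```

Run it from an elevated packaging workstation as `.\Check-Installer.ps1 -InstallerPath .\vendor-setup.exe -ExpectedSha256 <hash> -ExpectedSubjectPattern 'CN=Vendor*'`. A `Valid` signature from the wrong subject still fails, which is the case that matters when a download has been swapped for a signed but unrelated binary; and because Defender's on-demand scan uses the same engine and signatures as the real-time protection on the endpoints, a clean result here is the same evidence the clients would produce when the MSI is written to disk during a silent install, no more and no less.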