Antivirus Monitoring

  • Hi all.

    Right, I'm still a newbie, and in the process of setting up Kaseya for my company. I have scripts doing things for defrag, backups, installing software for initial updates etc., but anti-virus... I'm a bit lost to be honest.

    I was wondering what everyone out there is monitoring?
    pattern file out of date?
    scan engine out of date?
    virus found?

    Our clients are mostly on WFBS, PC-cillin and NOD32, so any help with scripts on these would be much appreciated.

    Many thanks
    Trentus

    Legacy Forum Name: Antivirus Monitoring,
    Legacy Posted By Username: trent
  • Good question, has anyone answered it? Or is there a similar topic on here that has been addressed?

  • We use WFBS and I have a 5-step monitor set configured to monitor the AV pattern dates as requested; however, this doesn't work and can't work with WFBS 7 as they no longer save the pattern file date in the registry. I have been kind of working on a solution using WMI, though this has upsides and downsides too.


    Plus:

    1. Will monitor ANY AV which updates Windows Security Center via WMI; most do, but some (like AVG) don't, so it is a lot, lot more flexible.

    2. Doesn't require too much jiggery-pokery to work, as WMI has already done the leg work.


    Minus:

    1. Doesn't manually check the pattern date; it simply asks WMI if the AV is in date and receives a TRUE or FALSE response. This is great in the respect that it keeps it simple; however, if a machine gets infected with a Security Center disabler, for example, it will keep reporting as up to date even when it is not.

    2. Relies on the notoriously unreliable Security Center. (I know I already mentioned this, but it seemed so important I should probably mention it again.)


    Solutions:

    Open to suggestions here. Trend have been less than helpful, though this is to be expected: as you start asking their support personnel anything outside the script, their heads go into a spin. The only other option I have considered is checking for files of a certain age in the pattern directory. I cannot know how reliable this would be, if at all, and it scares me that it could download the pattern file yet fail to install it properly, meaning we would never know.

    I don't really use this new forum that much; I found the old one so much better back when it was up. I can see how to add blocks for text, so I will add a reply to this message with the code for all 6 scripts I have...
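The WMI approach described in the post above, as an added PowerShell example that is not part of the original thread. It queries the Security Center `AntiVirusProduct` class and reports, per registered product, whether real-time scanning is on and whether signatures are current. Two things are assumptions rather than facts from the thread: the `productState` bit layout (0x1000 = real-time scanning enabled, 0x10 = signatures out of date) is the commonly used reading of a field Microsoft does not document, and the namespace choice (`root\SecurityCenter2` on Vista and later, `root\SecurityCenter` on XP, which exposes plain booleans instead of `productState`) is based on the OS version. Server editions have no Security Center at all, and a stopped `wscsvc` fails the same way, which is exactly the "it keeps reporting as up to date" trap the post warns about; the function therefore returns "unknown", never "up to date", when the query fails.

```powershell
# Added example, not code from the original post. Asks Windows Security Center, via WMI,
# whether each registered AV product is enabled and has current signatures.
# Assumed: productState layout 0x1000 = real-time scanning on, 0x10 = signatures out of date
# (root\SecurityCenter2, Vista and later); root\SecurityCenter on XP exposes booleans instead.

function Get-SecurityCenterAvState {
    $isVistaOrLater = [Environment]::OSVersion.Version.Major -ge 6
    $namespace = if ($isVistaOrLater) { 'root\SecurityCenter2' } else { 'root\SecurityCenter' }

    try {
        $products = @(Get-WmiObject -Namespace $namespace -Class AntiVirusProduct -ErrorAction Stop)
    } catch {
        # Server editions have no Security Center, and a stopped wscsvc or a broken WMI
        # repository fails the same way. Report unknown, never "up to date".
        return New-Object PSObject -Property @{
            Product = '<unknown>'; Enabled = $null; UpToDate = $null
            Note    = "WMI query of $namespace failed: $($_.Exception.Message)"
        }
    }

    if ($products.Count -eq 0) {
        # Namespace exists but nothing registered: AVG-style products that skip Security
        # Center land here, as does a machine with no AV at all.
        return New-Object PSObject -Property @{
            Product = '<none>'; Enabled = $false; UpToDate = $false
            Note    = 'No AV product registered with Security Center'
        }
    }

    foreach ($p in $products) {
        if ($p.PSObject.Properties['productState']) {
            $state    = [int]$p.productState
            $enabled  = [bool]($state -band 0x1000)
            $upToDate = -not [bool]($state -band 0x10)
            $note     = 'productState 0x{0:X6}' -f $state
        } else {
            # XP schema: explicit booleans instead of the packed productState field.
            $enabled  = [bool]$p.onAccessScanningEnabled
            $upToDate = [bool]$p.productUptoDate
            $note     = 'legacy SecurityCenter schema'
        }
        New-Object PSObject -Property @{
            Product = $p.displayName; Enabled = $enabled; UpToDate = $upToDate; Note = $note
        }
    }
}

# Security Center only repeats what the AV product last told it; a product that stops
# reporting, or a tampered centre, still shows the old state. Treat UpToDate = $true as
# necessary, not sufficient, and cross-check against the vendor's own pattern date.
Get-SecurityCenterAvState | Format-Table Product, Enabled, UpToDate, Note -AutoSize
```

For a monitor, alert on anything other than `Enabled = True, UpToDate = True`, including the `<unknown>` row; a null is a failed check, not a pass.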

  • Please see the code below. This is in 5 parts, though you will only ever need to run the first one; personally I save these as backend scripts and publish 1 front-end script which runs stage 1 of 5.

    ================================================================================================================

    <?xml version="1.0" encoding="ISO-8859-1" ?>

    <folderDef0 id="47354690" name="Trend">

     <scriptDef id="93092513" name="Trend Pattern Age 1-5">

       <scriptIf ifFunc="5" fp1="HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc." fp2="" fp3="" ifTest="1" testVal="" scriptType="0" description="This checks to see if you have Trend (PC-Cillin &amp; OfficeScan) installed, then reports on the age of the pattern. Example of how Trend reports: 2005 (year) 06 (month) 01 (day) = 20050601. If Trend is not installed an event will be created in the application log, stating that no AV is installed.  Thanks to Onno de Vries of Kaseya! " />

       <scriptThenElse teType="0" stepNum="1" teFunc="20" fp1="echo "Dummy entry, used to clear the variable NotFoundMessage" >> #AgentTemp#\AV\NotFoundMessage.txt" fp2="1" fp3="" osType="0" contOnFail="1" />

       <scriptThenElse teType="0" stepNum="2" teFunc="26" fp1="10" fp2="" fp3="AgentTemp" osType="0" contOnFail="0" />

       <scriptThenElse teType="0" stepNum="3" teFunc="26" fp1="0" fp2="HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\PatternDate" fp3="PatternDate" osType="0" contOnFail="0" />

       <scriptThenElse teType="0" stepNum="4" teFunc="25" fp1="The Current Trend Pattern file was created on:  #PatternDate#!" fp2="" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="0" stepNum="5" teFunc="5" fp1="#AgentTemp#/AV/Check_Pattern_Age_Trend.vbs" fp2="VSASharedFiles\VBS Scripts\Check_Pattern_Age_Trend.vbs" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="0" stepNum="6" teFunc="20" fp1="%systemroot%\system32\wscript.exe #AgentTemp#/AV/Check_Pattern_Age_Trend.vbs #AgentTemp#\AV #PatternDate#" fp2="1" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="0" stepNum="7" teFunc="26" fp1="1" fp2="#AgentTemp#/AV/Age.txt" fp3="Age" osType="0" contOnFail="0" />

       <scriptThenElse teType="0" stepNum="8" teFunc="26" fp1="1" fp2="#AgentTemp#/AV/Current_Date.txt" fp3="CurrentDate" osType="0" contOnFail="0" />

       <scriptThenElse teType="0" stepNum="9" teFunc="1" fp1="18878050" fp2="0" fp3="0" osType="0" contOnFail="0" />

       <scriptThenElse teType="0" stepNum="10" teFunc="25" fp1="Trend Anti-Virus Pattern Age Check Performed!" fp2="" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="0" stepNum="11" teFunc="20" fp1="del  #AgentTemp#\AV\*.* /F /Q" fp2="1" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="1" teFunc="26" fp1="6" fp2="" fp3="machine" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="2" teFunc="25" fp1="Trend Anti-Virus is not found (version problem) or not installed (Trend Micro)." fp2="" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="3" teFunc="30" fp1="infrastructure@fwcs.co.uk" fp2="Trend Anti-Virus is not found on #machine#..." fp3="Trend Anti-Virus is not found (version problem) or not installed (Trend Micro)." osType="0" contOnFail="0" />

     </scriptDef>

     <scriptDef id="18878050" name="Trend Pattern Age 2-5">

       <scriptIf ifFunc="8" fp1="#Age#" fp2="" fp3="" ifTest="7" testVal="10" scriptType="0" description="" />

       <scriptThenElse teType="0" stepNum="1" teFunc="25" fp1="Trend Anti-Virus Up-To-Date, the last Trend update occurred #Age# days ago on #PatternDate#." fp2="" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="0" stepNum="2" teFunc="20" fp1="pgEvent /t=I /s=FWCS /c=&quot;Trend Anti-Virus&quot; /i=1968 /m=&quot;Trend Anti-Virus Up-To-Date, the last Trend update occurred #Age# days ago on #PatternDate#.&quot;" fp2="1" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="1" teFunc="25" fp1="Trend Anti-Virus Out-Of-Date, the last Trend update occured #Age# days ago on #PatternDate#! AutoPCC is now being run!" fp2="" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="2" teFunc="20" fp1="pgEvent /t=I /s=FWCS /c="Trend Anti-Virus" /i=1968 /m="Trend Antivirus Out-Of-Date, last update was #PatternDate#, #Age# days ago! Update is now being run!"" fp2="1" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="3" teFunc="26" fp1="0" fp2="HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Server" fp3="update" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="4" teFunc="20" fp1=""#update#\ofcscan\autopcc.exe"" fp2="1" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="5" teFunc="25" fp1="Trend Anti-Virus Update Ran!" fp2="" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="6" teFunc="20" fp1="pgEvent /t=I /s=FWCS /c="Trend Anti-Virus" /i=1968 /m="Trend Anti-Virus Update Ran!"" fp2="1" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="7" teFunc="1" fp1="21306455" fp2="" fp3="0" osType="0" contOnFail="0" />

     </scriptDef>

     <scriptDef id="21306455" name="Trend Pattern Age 3-5">

       <scriptIf ifFunc="8" fp1="#Age#" fp2="" fp3="" ifTest="7" testVal="10" scriptType="0" description="" />

       <scriptThenElse teType="0" stepNum="1" teFunc="25" fp1="Trend Anti-Virus Up-To-Date, the last Trend update occurred #Age# days ago on #PatternDate#." fp2="" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="0" stepNum="2" teFunc="20" fp1="pgEvent /t=I /s=FWCS /c=&quot;Trend Anti-Virus&quot; /i=1968 /m=&quot;Trend Anti-Virus Up-To-Date, the last Trend update occurred #Age# days ago on #PatternDate#.&quot;" fp2="1" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="1" teFunc="25" fp1="Trend Anti-Virus Out-Of-Date, the last Trend update occured #Age# days ago on #PatternDate#! AutoPCC is now being run!" fp2="" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="2" teFunc="20" fp1="pgEvent /t=I /s=FWCS /c="Trend Anti-Virus" /i=1968 /m="Trend Antivirus Out-Of-Date, last update was #PatternDate#, #Age# days ago! Update is now being run!"" fp2="1" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="3" teFunc="26" fp1="0" fp2="HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Server" fp3="update" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="4" teFunc="20" fp1=""#update#\ofcscan\autopccp.exe"" fp2="1" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="5" teFunc="25" fp1="Trend Anti-Virus Update Ran!" fp2="" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="6" teFunc="20" fp1="pgEvent /t=I /s=FWCS /c="Trend Anti-Virus" /i=1968 /m="Trend Anti-Virus Update Ran!"" fp2="1" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="7" teFunc="1" fp1="69806786" fp2="" fp3="0" osType="0" contOnFail="0" />

     </scriptDef>

     <scriptDef id="69806786" name="Trend Pattern Age 4-5">

       <scriptIf ifFunc="8" fp1="#Age#" fp2="" fp3="" ifTest="7" testVal="10" scriptType="0" description="" />

       <scriptThenElse teType="0" stepNum="1" teFunc="25" fp1="Trend Anti-Virus Up-To-Date, the last Trend update occurred #Age# days ago on #PatternDate#." fp2="" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="0" stepNum="2" teFunc="20" fp1="pgEvent /t=I /s=FWCS /c=&quot;Trend Anti-Virus&quot; /i=1968 /m=&quot;Trend Anti-Virus Up-To-Date, the last Trend update occurred #Age# days ago on #PatternDate#.&quot;" fp2="1" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="1" teFunc="25" fp1="Trend Anti-Virus Out-Of-Date, the last Trend update occured #Age# days ago on #PatternDate#! AutoPCC is now being run!" fp2="" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="2" teFunc="20" fp1="pgEvent /t=I /s=FWCS /c="Trend Anti-Virus" /i=1968 /m="Trend Antivirus Out-Of-Date, last update was #PatternDate#, #Age# days ago! Update is now being run!"" fp2="1" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="3" teFunc="26" fp1="0" fp2="HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Server" fp3="update" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="4" teFunc="20" fp1=""#update#\ofcscan\autopcc.exe"" fp2="1" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="5" teFunc="25" fp1="Trend Anti-Virus Update Ran!" fp2="" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="6" teFunc="20" fp1="pgEvent /t=I /s=FWCS /c="Trend Anti-Virus" /i=1968 /m="Trend Anti-Virus Update Ran!"" fp2="1" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="7" teFunc="1" fp1="52936135" fp2="" fp3="0" osType="0" contOnFail="0" />

     </scriptDef>

     <scriptDef id="52936135" name="Trend Pattern Age 5-5">

       <scriptIf ifFunc="8" fp1="#Age#" fp2="" fp3="" ifTest="7" testVal="10" scriptType="0" description="" />

       <scriptThenElse teType="0" stepNum="1" teFunc="25" fp1="Trend Anti-Virus Up-To-Date, the last Trend update occurred #Age# days ago on #PatternDate#." fp2="" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="0" stepNum="2" teFunc="20" fp1="pgEvent /t=I /s=FWCS /c=&quot;Trend Anti-Virus&quot; /i=1968 /m=&quot;Trend Anti-Virus Up-To-Date, the last Trend update occurred #Age# days ago on #PatternDate#.&quot;" fp2="1" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="1" teFunc="25" fp1="Trend Anti-Virus Out-Of-Date, the last Trend update occured #Age# days ago on #PatternDate#! Update has been run automatically 3 times but the AV is Still Out-Of-Date!" fp2="" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="2" teFunc="20" fp1="pgEvent /t=I /s=FWCS /c=&quot;Trend Anti-Virus&quot; /i=1968 /m=&quot;Trend Anti-Virus Out-Of-Date, last update was #PatternDate#, #Age# days ago! Update has been run automatically 3 times but the AV is Still Out-Of-Date!&quot;" fp2="1" fp3="" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="3" teFunc="26" fp1="6" fp2="" fp3="machine" osType="0" contOnFail="0" />

       <scriptThenElse teType="1" stepNum="4" teFunc="30" fp1="infrastructure@fwcs.co.uk" fp2="Anti-Virus Out-of-Date! Machine: #machine#" fp3="The Anti-Virus Pattern file is out of date on #machine#, the pattern file is #Age# days old. A manual update has been run on this machine 3 times already but the file is still out of date, please log a call and investigate further." osType="0" contOnFail="0" />

     </scriptDef>

    </folderDef0>

    ================================================================================================================

    Any problems please do not hesitate in asking.
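The five-stage chain posted above, as one added PowerShell script so the whole flow (detect install, compute pattern age, retry AutoPcc up to three times, escalate) is visible in one place. This is example code, not part of the original thread or of Kaseya's script library, and it rests on what the chain itself assumes: `PatternDate` under the `PC-cillinNTCorp\CurrentVersion\Misc.` key is an integer in YYYYMMDD form, the `Server` value joined with `ofcscan\autopcc.exe` is a reachable path, 10 days is the staleness threshold, and the event-log source `Trend Anti-Virus` with ID 1968 mirrors the `pgEvent` calls. The e-mail step is left to the RMM. One deliberate difference: stages 2 to 5 of the chain all test the `#Age#` value computed once in stage 1, so this version re-reads `PatternDate` after every AutoPcc run, which is the only evidence that an update actually landed rather than merely being downloaded, the failure mode the earlier post worried about.

```powershell
# Added example, not the posted Kaseya procedure: same logic as "Trend Pattern Age 1-5"
# in one script. Assumed: PatternDate is YYYYMMDD (20050601 = 1 June 2005); the Server
# registry value plus ofcscan\autopcc.exe is runnable from the client; thresholds as below.

$TrendKey    = 'HKLM:\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion'
$MaxAgeDays  = 10      # same threshold as the posted chain
$MaxRetries  = 3       # AutoPcc attempts before escalating (stages 2, 3 and 4)
$EventSource = 'Trend Anti-Virus'
$EventId     = 1968

function Write-AvEvent {
    param([string]$Message, [string]$Type = 'Information')
    # Register the source once (needs admin); stands in for the pgEvent calls in the chain.
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource -EventId $EventId -EntryType $Type -Message $Message
}

function Get-TrendPatternAge {
    # Returns the pattern date and its age in days, or $null when the key or value is absent
    # (Trend not installed, or a version that no longer writes PatternDate, as WFBS 7 does not).
    $misc = Get-ItemProperty -Path "$TrendKey\Misc." -Name PatternDate -ErrorAction SilentlyContinue
    if (-not $misc) { return $null }
    $date = [datetime]::ParseExact([string]$misc.PatternDate, 'yyyyMMdd',
                                   [Globalization.CultureInfo]::InvariantCulture)
    New-Object PSObject -Property @{
        PatternDate = $date.ToString('yyyy-MM-dd')
        AgeDays     = ((Get-Date).Date - $date).Days
    }
}

function Invoke-TrendUpdate {
    # Same launch as the chain: <Server value>\ofcscan\autopcc.exe. Waits so the re-check sees the result.
    $server = (Get-ItemProperty -Path $TrendKey -Name Server -ErrorAction Stop).Server
    Start-Process -FilePath (Join-Path $server 'ofcscan\autopcc.exe') -Wait -NoNewWindow
}

function Test-TrendPattern {
    $info = Get-TrendPatternAge
    if (-not $info) {
        # Stage 1 else branch: nothing to retry, alert straight away.
        Write-AvEvent "Trend Anti-Virus is not found (version problem) or not installed on $env:COMPUTERNAME." 'Warning'
        return 'NotInstalled'
    }
    for ($attempt = 0; $attempt -le $MaxRetries; $attempt++) {
        if ($info.AgeDays -le $MaxAgeDays) {
            Write-AvEvent "Trend Anti-Virus up to date; last update $($info.AgeDays) days ago on $($info.PatternDate)."
            return 'UpToDate'
        }
        if ($attempt -eq $MaxRetries) { break }   # three updates tried, still stale: stage 5
        Write-AvEvent "Trend pattern $($info.AgeDays) days old ($($info.PatternDate)); running AutoPcc, attempt $($attempt + 1) of $MaxRetries."
        try   { Invoke-TrendUpdate }
        catch { Write-AvEvent "AutoPcc failed to start: $($_.Exception.Message)" 'Warning' }
        # Re-read after each attempt: the registry value is the evidence the update installed.
        $info = Get-TrendPatternAge
        if (-not $info) {
            Write-AvEvent "PatternDate disappeared during update on $env:COMPUTERNAME; investigate." 'Error'
            return 'NotInstalled'
        }
    }
    Write-AvEvent "Trend pattern still $($info.AgeDays) days old after $MaxRetries AutoPcc runs on $env:COMPUTERNAME; please log a call." 'Error'
    return 'Escalate'   # stage 5: hand the machine name to the RMM's e-mail alert here
}

Test-TrendPattern
```

Run it elevated, as the agent would, since both the registry read and event-source registration need it. If the Trend client is 32-bit on 64-bit Windows, its key sits under `Wow6432Node` and a 64-bit PowerShell will not find it at `$TrendKey`; point the variable at the redirected path or run the 32-bit host. The returned string (`UpToDate`, `Escalate`, `NotInstalled`) is what a monitor set should key on, not the event-log text.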