Kaseya Community

3rd Party AntiVirus Reporting, Monitoring, and Dashboard


Forgive me (and if you can give me the link) if this has been asked before, but we have a need for monitoring and reporting of 3rd party AV products in a unified view.


The dashboard view that comes with Kaseya's AV product is essentially what we are looking for, but across all AV products, not just KAV.

Does such a dashboard exist?

If not, what workarounds do you suggest?

Some of our customers have Norton (which the version number shows, so that seems well supported); however, others have products such as Sophos, and all we get is "product not supported", which isn't too helpful.

I'm sure we could do 100 tweaks, look through file versions, registry keys, etc., but that's what I'm trying to avoid if at all possible.

If not, I suppose we can set that up; it's just that each client is going to have such differing products that it will be a large investment for us.


To summarize, here is what we are looking for: report(s) that show:

1) Which machines are up to date, and which are not up to date (AV, and Defs)

2) Which machines have infections, and were they cleaned? Some type of drill-down reporting here would be nice.

3) Are there specific machines that keep getting reinfected? 

4) Are there specific viruses that are widespread across a machine group or customer?

We are basically trying to create a managed AV solution as a component of our managed services. A lot of our customers don't have centralized AV, or have various products across their machines, so a vendor console doesn't really do us too much good.


I appreciate any comments or pointers in the right direction. Thanks.

All Replies
  • What you're asking for would be brilliant, but alas, unless you use KAV or KES there's no dashboard available. I don't imagine it would be too difficult to implement, as I've seen similar in other monitoring software applications, so I'm pretty sure Kaseya could create something.

    Good news, however: Kaseya's own superstar procedure writer Ben has created a procedure with which you can monitor workstations using the Windows Security Centre. I've found it to be an excellent addition. It takes 20 minutes to set up on your system, and you can monitor using monitor sets or, as I do, by tailoring your view in the Agent module to show the relevant fields.

    community.kaseya.com/.../57536.aspx

  • Hi Alistair, I tested this but found very hit-and-miss results; what have your findings been?

    I found a number of machines reported no AV when they did have AV, and also some machines report numbers rather than a status, which is the way the AV reports. I know from the AP that certain numbers represent certain statuses, but I could not find any reference to these numbers on the web.

  • Hi Michael, OK is probably the safest answer I can give. The machines I've tested it on all seem pretty accurate so far. I do wonder about the information I'm getting back, so I keep sabotaging my own machine, and it has been accurate so far. The customer machines tested have also been accurate, but by complete coincidence they're pretty much all running Sophos.

    I'd really like some more in-depth information on using WMI with the WSS, as so far I've relied on work others have done, and info on the internet is a bit sparse.

  • I have to say it is so fecking annoying that this sort of thing is not standard across AV products. You would think they would all get together and say, look, let's just make it easy, instead of all having their own ideas and methods.

    Funny thing is, it is actually Sophos that is giving me the unknown number. The only way I am going to get to the bottom of it is a remote session to the machine and then see what is going on with the AV.

  • Not ready to throw the baby out with the bath water, but... does anyone have experience with:

    www.gfi.com/it-managed-services-software

    Under screen shots, it looks like it has exactly what I am asking for.

    There are a couple of AV-related screenshots that show several different products (AVG, McAfee,

    They too sell rebranded AV software, but they don't seem to make other products take the back seat as a result of this:

    www.gfi.com/.../GFIMAX-ManagedAntivirus-Overview.asp

    That video shows both management of their product, and a couple reports of other products.

    Furthermore (this is another post I am going to make today), it has support for patching 3rd party applications like Acrobat, Firefox, etc. (what a concept!) without having to write 100 scripts, copy files, etc. It looks like those patches work just the way Windows updates work (and why should they be any different?).

    Anyway, like I said, not ready to throw the baby out, but I'm looking. I'm sure this product will have shortcomings that Kaseya doesn't, anyway.

  • Labtech by default detects AV installed on the machine and reports the status of it. Just got to install an agent.

    Should be done by default and just reported back to a view in the system audit page that you can report on...

  • We do a similar thing to Ben, although we look for products directly rather than looking at WSC, so we can monitor servers. As part of a daily maintenance task, we look for what we would consider 'supported' AV products and update custom audit fields with Vendor, Version and Definition Date info.

    Write a report in SQL Reporting Services to pull out the data, and you get something like this (from a customer currently undergoing a long overdue AV refresh):


  • Sam, can you supply the queries that give the server details about the AV products and the report you have created?

  • Sam, I assume you have lots of scripts dedicated to the AV versions. We have tried this and found the variation in products, as in Symantec 8 / 9 / 10 / 11 etc., was such a nightmare; I assume you have ironed that out.

    I like Ben's solution, but I found it is seriously hit and miss. It is so frustrating that they don't standardise the outputs from these products and just dump the data to the registry or something; I assume it's to protect against virus activity or something.

  • Why have you found it to be hit or miss? From what I can tell it audits Microsoft Security Center and pulls the data directly. From what I recall it doesn't work on servers, because MS Security Center doesn't work on servers, but for workstations it should report everything.

  • Hit and miss: some machines report as no AV, some report with other numbers not listed in the script, and I cannot find any information on the web indicating their status... New AV reports status via a 6- or 7-digit code.

    I think some have reported nothing. I looked at the script and have added in lines writing out data to see what is going on....

  • @NIKNAKS456

    Pulling data from the manual audit fields in the Kaseya DB is pretty simple, for example to get a grouped count of the custom 'AV Vendor' field:


    select
        count(*) as f
        /* treat null or blank fields as no AV */
        , case when fieldValue is null or fieldValue = '' then 'Not detected' else fieldValue end as Vendor
    from
        vSystemInfoManual            /* Kaseya view over the custom (manual) audit fields */
    where
        fieldName = 'AV Vendor'      /* custom field written by the daily maintenance task */
        and Machine_GroupID like '%.mymachinegroup'   /* restrict to one machine group */
    group by
        case when fieldValue is null or fieldValue = '' then 'Not detected' else fieldValue end



    mmartin assumes rightly: there are a fair few checks devoted to A/V, as every vendor does things very differently. However, our estate is largely using McAfee and AVG, with only a small percentage on things like NOD, Sophos, Symantec etc., so the maintenance overhead isn't too bad for us.


    I had a play with using Windows Security Center (WSC) for generic workstation AV monitoring. Not all AV products support WSC (some only support V1, etc.), but this seems to be getting better as time goes on.

    Version 1 of WSC (XP SP2/SP3, Vista RTM) was simple to work with, returning 'productUpToDate', 'onAccessScanningEnabled', and 'versionNumber' from WMI queries.

    Version 2 (Vista SP1+) was a step backwards for legibility, returning only 'displayName' and the enigmatic and undocumented 'productState'.


    Ben's procedure looks to test against a long list of productStates for the V2 security center, so it's probable that it'll miss a few. This chap seems to have the method behind productState figured out, however, so it should be possible to do more accurate WSC checks now.

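As an added illustration of the V1/V2 difference Max describes (this is not Ben's procedure or Kaseya code), the following Python normalises records from either WMI namespace into one status. The byte layout used to decode productState is the community-derived reading of an undocumented value, so it is an assumption; any byte outside the known ones comes back as "unknown" for manual follow-up, and an empty WMI result is reported as "Not detected" rather than left looking healthy. The V1 field names are as quoted in the post above.

```python
"""Normalise Windows Security Center AV records from both WMI namespaces."""
from __future__ import annotations
from dataclasses import dataclass

# ASSUMED layout of the undocumented 6-hex-digit productState (0xPPSSUU), as
# reverse-engineered by the community: PP = provider, SS = state, UU = signatures
STATE_BYTE = {0x00: "off", 0x10: "on"}
SIG_BYTE = {0x00: "up to date", 0x10: "out of date"}


@dataclass
class AvStatus:
    name: str
    enabled: str      # "on" / "off" / "unknown"
    signatures: str   # "up to date" / "out of date" / "unknown"
    source: str       # WSC namespace the record came from, or "none"


def decode_product_state(product_state: int) -> tuple[str, str]:
    """Split a SecurityCenter2 productState into (enabled, signatures) strings."""
    state_byte = (product_state >> 8) & 0xFF
    sig_byte = product_state & 0xFF
    return STATE_BYTE.get(state_byte, "unknown"), SIG_BYTE.get(sig_byte, "unknown")


def normalise(record: dict) -> AvStatus:
    """Map a v1 (root\\SecurityCenter) or v2 (root\\SecurityCenter2) record to one shape."""
    name = record.get("displayName", "?")
    if "productState" in record:  # v2: Vista SP1+ and Windows 7
        enabled, sigs = decode_product_state(int(record["productState"]))
        return AvStatus(name, enabled, sigs, "SecurityCenter2")
    # v1 (XP SP2/SP3, Vista RTM) exposes booleans directly; field names as quoted in the thread
    enabled = "on" if record.get("onAccessScanningEnabled") else "off"
    sigs = "up to date" if record.get("productUpToDate") else "out of date"
    return AvStatus(name, enabled, sigs, "SecurityCenter")


def audit(records: list[dict]) -> list[AvStatus]:
    """An empty WMI result means 'not detected', never silently 'up to date'."""
    if not records:
        return [AvStatus("Not detected", "unknown", "unknown", "none")]
    return [normalise(r) for r in records]


if __name__ == "__main__":
    # Constructed sample records, not captured from real machines
    sample = [{"displayName": "Sophos Anti-Virus", "productState": 397312},  # 0x061000
              {"displayName": "AVG Anti-Virus", "productState": 397328},  # 0x061010
              {"displayName": "Kaspersky", "onAccessScanningEnabled": True, "productUpToDate": True}]
    for status in audit(sample) + audit([]):
        print(status)
```

In a Kaseya procedure the record dicts would be filled from the WMI query against the namespace the OS version actually has; the unknown/not-detected buckets are the rows worth writing to a separate custom field so they show up in the report instead of being lost.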

  • Hi Max,

    Just coming back about that script Ben created: I found that the Vista section does not work at all once the Vista machine is SP1 or above. This is because MS changed Vista over to the new Security2 setup after SP1, and the script uses the old WMI locations for AV, so I have had to change the script to fix this.

    I have also found, and am trying to get to the bottom of it, that a lot of XP machines don't report any data. We have one client who is 50/50 XP & Win 7; all the Win 7 machines report correctly, but the XP ones all say no AV, which is not true, as they are all running KES and up to date.

    I also found a number of productStates not listed in the script, so I had to log onto the machine to figure out what the state meant. The script is definitely a good basis to start with, but there does seem to be a large number of variables to ensure an accurate reading.

    My other concern with this is that if I report in week one that the AV is up to date and current, but then for some reason the script fails or does not report again, I will have no idea that the status of the AV has changed, as the custom fields will still say up to date. So I am looking to add something in there to either timestamp the check or, should a fail occur, alter the settings.

    If anybody has already done all this work, it would be great to share it to save us all having to repeat the same tasks.

  • Hi mmartin,

    I just finished an internal webinar and saw that in v6.2 Kaseya now audits the Security Center. In Audit there's a new tab that shows what security products are installed, version, etc.

    - Max

  • Yeah, I had heard a rumour it was coming, but I did not see anything on the 6.2 feature list.

    I actually discovered that on these XP machines Security Center has no data; they are running AVG.

    I have been trying to rebuild WMI on one of them, and I just reinstalled KES on the PC to see if that makes a difference.