Kaseya Community

3rd Party AntiVirus Reporting, Monitoring, and Dashboard

Forgive me (and if you can give me the link) if this has been asked before, but we have a need for monitoring, and reporting of 3rd party AV products in a unified view.

 

The dashboard view that comes with Kaseya's AV product is essentially what we are looking for, but across all AV products-  not just KAV.

Does such a dashboard exist?

If not, what workarounds do you suggest?

Some of our customers have Norton (which the version number shows, so that seems well supported); however, others have products such as Sophos, and all we get is "product not supported", which isn't too helpful.

I'm sure we could do 100 tweaks, look through file versions, registry keys, etc, but that's what I'm trying to avoid if at all possible.

If not, I suppose we can set that up - it's just each client is going to have such differing products that it will be a large investment for us.

 

To summarize, here is what we are looking for: a report (or reports) that shows:

1) Which machines are up to date, and which are not up to date (AV, and Defs)

2) Which machines have infections, were they cleaned, some type of drill down reporting here would be nice.

3) Are there specific machines that keep getting reinfected? 

4) Are there specific viruses that are widespread across a machine group or customer?

We are basically trying to create a managed AV solution as a component of our managed services. A lot of our customers don't have centralized AV, or have various products across their machines, so a vendor console doesn't really do us too much good.

 

I appreciate any comments or pointers in the right direction. Thanks.

All Replies
  • wscMonitor.txt

    It's probably academic if 6.2 does this out of the box, but here's a chunk of JS that can run client side to create an event log entry if any of the following are true:

    • No installed AV products are found in Windows Security Center
    • The Access Scanner is disabled
    • AV definitions are outdated

     

    It supports both WSC V1 and V2 and does some bitwise magic on productState so keeping long lists of state codes isn't required.

  • Awesome script Sam, much appreciated. I know nothing of JavaScript; is there a way to make it so the dialogue box doesn't show up and have it just write to the event log instead?



    [edited by: ttoomey at 10:13 AM (GMT -7) on 9-9-2011] changed text around
  • Sure thing, just run it with cscript.exe (e.g. cscript.exe wscMonitor.js), and it'll be nice and quiet.

  • Check AV and write to event log.xml

    I took Sam's JavaScript and put it into a very simple procedure. It will run the script silently and write to the event log. If you have your event log monitoring set up you will get an alert if there are any problems with AV. Thanks!



    [edited by: ttoomey at 3:57 PM (GMT -7) on 9-9-2011] attachment
  • Warning.  I downloaded and ran wscMonitor.js to test on my desktop and with Security Center disabled and Security Essentials disabled, it returns the same notice:  Microsoft Security Essentials is installed and up to date.  

    It says nothing about being disabled.

    I used the xml file from ttoomey (thanks!) and it gives the same result in the procedure log.

    I have not tested it with any other products.  Anyone else test this?

    Is it only seeing if it's installed and up to date?

    Can it check for enabled / disabled status?  It's flagged somewhere since I have a big 'At risk' notice in the bottom right.  :)

    Thanks!

  • Johnton

    Can it check for enabled / disabled status?  It's flagged somewhere since I have a big 'At risk' notice in the bottom right.  :)

    Ah, you'll be fine - viruses only happen to other people ;)

    A fair question though - what OS are you running?

     

     

  • Windows 7 64 bit

  • I just tested this, and I am not having this problem. I am on Windows 7 x86. Here is what I did to test.

    1. Disable Real time protection in MSE

    2. Disable the Security Center service

    3. Run script from kaseya

    4. Wait for results.

    After waiting for the event log entry to show up (it took like 2-3 minutes) I eventually got this log entry: Windows Security Center reports access scanner disabled for Microsoft Security Essentials

    I then re-enabled both real time scanning and the security center service. After running the scan once again everything looks good.

    Are these the same steps you took?



    [edited by: ttoomey at 10:15 AM (GMT -8) on 11-9-2011] spelling
  • 1. Disabled Security Center Service

    2. Disabled Microsoft Anti-Malware Service

    3. Run script from Kaseya (xml file in this post); tried it with 64 bit enabled for command procedure and not.

    4. Results are the same. Enabled.

    Two things:  My login does not have power to disable MSSE via the interface (if this matters).  This is not the norm; I had just reimaged my desktop and added back to domain and had not 'fixed' this.  It also allowed me to test all my remote install procedures on a 'power user' computer.

    I just tested this on my laptop with no AV and it works; no AV detected. Laptop is Win 7 x86, shell command not run as 64 bit.

    Happy to test anything else.

    Thanks.

  • I just tested this on a Windows 7 x64 machine and I am having the same thing happen. It seems to not be reporting properly for x64 based machines.

  • Strange, it's working for me here on a x64 box.  What happens if you run "cscript <path>\wscMonitor.js" from a KLC command line?

  • I'm doing this remotely on my desktop using Live Connect:

    1.  Disabled service 'Microsoft AntiMalware'

    2.  Command Shell - ran cscript wscMonitor.js

    3.  Results:  

    cscript wscMonitor.js

    Microsoft (R) Windows Script Host Version 5.8

    Copyright (C) Microsoft Corporation. All rights reserved.

    Microsoft Security Essentials is installed and up to date

    I then killed off mssecs.exe process.  Same result.  

    Uninstalled MSSE and I get

    cscript wscMonitor.js

    Microsoft (R) Windows Script Host Version 5.8

    Copyright (C) Microsoft Corporation. All rights reserved.

    No installed AntiVirus products found in Windows Security Center

    NOTE:  I had the 64 bit version of MSSE installed.  32 bit version refuses to install (I tried to for testing).

    Anything else I can test / try?

  • Security Center is the problem.

    If the Security Center service is disabled, it seems to 'remember' the last status of the AntiVirus software.  If your system is 'healthy', and you stop Security Center service, it will continue to report all is well (Kevin Bacon in Animal House?).

    Below:  Security Center service disabled, AVG is out of date.  Even after update, disabled the service and same result.

    cscript wscMonitor.js

    Microsoft (R) Windows Script Host Version 5.8

    Copyright (C) Microsoft Corporation. All rights reserved.

    AVG Anti-Virus Free Edition 2012 is installed and up to date

    Below:  Enabled Security Center ; AVG realtime scanner disabled.

    D:\Downloads\Chrome>cscript wscMonitor.js

    cscript wscMonitor.js

    Microsoft (R) Windows Script Host Version 5.8

    Copyright (C) Microsoft Corporation. All rights reserved.

    Windows Security Center reports access scanner disabled for AVG Anti-Virus Free Edition 2012

    AVG Anti-Virus Free Edition 2012 is installed and up to date

    The only way to get the latter result is if I re-enable Security Center.

    I need something independent of Security Center since it can be easily disabled AND I disabled it on many machines since it makes a lot of useless noise.  I control the security and updates / I like the end user not having any 'balloons'.

    Thanks

  • Ahh, that'll teach me to read posts properly.  Yes, if the security center is disabled, it won't know that something has changed.

    If you can't rely on SC, then I imagine you'd have to figure out how to test the condition of each product that you're interested in.  Which could be entertaining!

  • If I had to:  I could make the procedure Net Start "security center" >>centerstatus.txt -> if contains 'error' - send email with txt results.  Then run shell command to sc config [Service Name] start=enabled

    Or just always run sc config [Service Name] start=enabled and then run net start "security center" regardless of status?

    Then I have to go find a way to make SC shut up. I might just have to deal with it for now.

    thanks
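The two technical points of this thread, Sam's "bitwise magic on productState" and the later finding that a stopped Security Center service hands back stale status, as an added example that is not the attached wscMonitor.js or any Kaseya code. It assumes the WSC V2 namespace (root\SecurityCenter2, Vista and later; the XP-era V1 namespace is not covered), and the names decodeProductState, checkAvProducts and SAMPLE are mine. Under cscript.exe it queries WMI and writes Error events via WScript.Shell.LogEvent; under Node.js it falls back to the constructed SAMPLE so the decoding logic can be exercised offline.

```javascript
// Added example, not the thread's wscMonitor.js. Written in ES3-style
// JScript so cscript.exe runs it; under Node.js the WMI part is skipped
// and the constructed SAMPLE below is used instead.

// productState is 0xAABBCC: bit 0x1000 set = on-access scanner enabled,
// bit 0x10 set = definitions out of date. No table of state codes needed.
function decodeProductState(state) {
  return { enabled: (state & 0x1000) !== 0, outdated: (state & 0x10) !== 0 };
}

// Returns the findings to write to the event log (empty array = healthy).
// wscRunning is the wscsvc service state: when it is stopped, WMI returns
// the last cached status, so the result is reported as unknown, not "OK".
function checkAvProducts(products, wscRunning) {
  var msgs = [];
  if (!wscRunning) {
    msgs.push("Security Center service (wscsvc) not running; AV status is stale/unknown");
    return msgs;
  }
  if (products.length === 0) {
    msgs.push("No installed AntiVirus products found in Windows Security Center");
    return msgs;
  }
  for (var i = 0; i < products.length; i++) {
    var s = decodeProductState(products[i].productState);
    if (!s.enabled) msgs.push("access scanner disabled for " + products[i].displayName);
    if (s.outdated) msgs.push("definitions out of date for " + products[i].displayName);
  }
  return msgs;
}

// Constructed sample: one product enabled but with stale definitions (0x041010).
var SAMPLE = [{ displayName: "Sample AV", productState: 0x041010 }];

if (typeof WScript !== "undefined") {
  var cim = GetObject("winmgmts:\\\\.\\root\\cimv2");
  var svc = new Enumerator(cim.ExecQuery("SELECT State FROM Win32_Service WHERE Name='wscsvc'"));
  var running = !svc.atEnd() && svc.item().State === "Running";
  var wsc = GetObject("winmgmts:\\\\.\\root\\SecurityCenter2");
  var list = [];
  for (var e = new Enumerator(wsc.ExecQuery("SELECT * FROM AntiVirusProduct")); !e.atEnd(); e.moveNext()) {
    list.push({ displayName: e.item().displayName, productState: e.item().productState });
  }
  var findings = checkAvProducts(list, running);
  var shell = new ActiveXObject("WScript.Shell");
  for (var j = 0; j < findings.length; j++) shell.LogEvent(1, "wscMonitor: " + findings[j]); // 1 = Error
  WScript.Echo(findings.length ? findings.join("\n") : "AV status OK");
} else {
  console.log(checkAvProducts(SAMPLE, true).join("\n"));
}
```

Because the wscsvc check is reported as its own finding, an event-log monitor set alerts on the disabled service itself instead of trusting the cached "installed and up to date" line.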