Kaseya Community

Finding machines without AV

  • Hi

    Is there a way to find machines that aren't running any AV or whose AV is out of date? This appears to be a feature of most of the RMM tools we are looking at.

    Thanks

     

    Olly

  • Olly,

    Yes, on any machine that the agent is deployed to, you can very easily run a report or configure a view to show which computers have AV running, then a script to check definitions.

    Can I ask how? I can see how to run a report showing machines that don't have a particular AV package installed, but not to show those that don't have *any* AV package installed.

    Also the script to check definitions would be great. Again I can work out how to script to check for some defs (ESET NOD32 which we use for example) but I'd like to check for any AV being up to date.

    ta

    Olly

    Brendan is talking specifically about showing which machines don't have KES installed. There are a couple of different ways to do what you want -- but the coolest I've seen is using WMI: forum.kaseya.com/showthread.php

  • Hi,

    I've just used the thread provided by Jason to create this script in K2 format. Works for Trend Micro and MS Security Essentials.

    Tested OK on W7 x64 and XP x86.

    I have not bothered to check if the AV is running, although it is possible if you can decipher the productState code. From what I can tell, the two numbers here indicate that both products are current and working.

    ---- BEGIN XML ---

    <?xml version="1.0" encoding="utf-8"?>
    <ScriptExport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.kaseya.com/vsa/2008/12/Scripting">
      <Procedure name="Check: Antivirus Updated" treePres="3">
        <Body description="Check: Antivirus Updated. Uses WMI to collect the Antivirus status.&#xA;&#xA;Created by Dan Power (SIAX Computing Solutions) 18/9/2010.">
          <Statement description="Create a named procedure variable and assign a value retrieved from the managed machine by the agent." name="GetVariable" continueOnFail="true" osType="Windows">
            <Parameter xsi:type="EnumParameter" name="VariableType" value="WMIProperty" />
            <Parameter xsi:type="StringParameter" name="SourceContent" value="root\SecurityCenter:AntiVirusProduct[1].displayName" />
            <Parameter xsi:type="StringParameter" name="VariableName" value="displayName" />
          </Statement>
          <Statement description="Create a named procedure variable and assign a value retrieved from the managed machine by the agent." name="GetVariable" continueOnFail="true" osType="Windows">
            <Parameter xsi:type="EnumParameter" name="VariableType" value="WMIProperty" />
            <Parameter xsi:type="StringParameter" name="SourceContent" value="root\SecurityCenter:AntiVirusProduct[1].productUpToDate" />
            <Parameter xsi:type="StringParameter" name="VariableName" value="current" />
          </Statement>
          <If description="">
            <Condition name="CheckVariable">
              <Parameter xsi:type="StringParameter" name="VariableName" value="#current#" />
              <Parameter xsi:type="EnumParameter" name="Condition" value="Exists" />
              <Parameter xsi:type="StringParameter" name="Value" value="" />
            </Condition>
            <Then>
              <If description="">
                <Condition name="CheckVariable">
                  <Parameter xsi:type="StringParameter" name="VariableName" value="#current#" />
                  <Parameter xsi:type="EnumParameter" name="Condition" value="Equals" />
                  <Parameter xsi:type="StringParameter" name="Value" value="true" />
                </Condition>
                <Then>
                  <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false">
                    <Parameter xsi:type="StringParameter" name="Comment" value="Log: Antivirus Current - #displayName#" />
                  </Statement>
                </Then>
                <Else>
                  <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry">
                    <Parameter xsi:type="StringParameter" name="Comment" value="Log: Antivirus Outdated - #displayName#" />
                  </Statement>
                </Else>
              </If>
            </Then>
            <Else>
              <Statement description="Create a named procedure variable and assign a value retrieved from the managed machine by the agent." name="GetVariable" osType="Windows">
                <Parameter xsi:type="EnumParameter" name="VariableType" value="WMIProperty" />
                <Parameter xsi:type="StringParameter" name="SourceContent" value="root\SecurityCenter2:AntiVirusProduct[1].displayName" />
                <Parameter xsi:type="StringParameter" name="VariableName" value="displayName" />
              </Statement>
              <Statement description="Create a named procedure variable and assign a value retrieved from the managed machine by the agent." name="GetVariable" osType="Windows">
                <Parameter xsi:type="EnumParameter" name="VariableType" value="WMIProperty" />
                <Parameter xsi:type="StringParameter" name="SourceContent" value="root\SecurityCenter2:AntiVirusProduct[1].productState" />
                <Parameter xsi:type="StringParameter" name="VariableName" value="productState" />
              </Statement>
              <If description="">
                <Condition name="CheckVariable">
                  <Parameter xsi:type="StringParameter" name="VariableName" value="#productState#" />
                  <Parameter xsi:type="EnumParameter" name="Condition" value="Equals" />
                  <Parameter xsi:type="StringParameter" name="Value" value="266240" />
                </Condition>
                <Then>
                  <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false">
                    <Parameter xsi:type="StringParameter" name="Comment" value="Log: Antivirus Current - #displayName#" />
                  </Statement>
                </Then>
                <Else>
                  <If description="">
                    <Condition name="CheckVariable">
                      <Parameter xsi:type="StringParameter" name="VariableName" value="#productState#" />
                      <Parameter xsi:type="EnumParameter" name="Condition" value="Equals" />
                      <Parameter xsi:type="StringParameter" name="Value" value="397312" />
                    </Condition>
                    <Then>
                      <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="Comment" value="Log: Antivirus Current - #displayName#" />
                      </Statement>
                    </Then>
                    <Else>
                      <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry">
                        <Parameter xsi:type="StringParameter" name="Comment" value="Log: Antivirus Outdated - #displayName#" />
                      </Statement>
                    </Else>
                  </If>
                </Else>
              </If>
            </Else>
          </If>
        </Body>
      </Procedure>
    </ScriptExport>

    ---- END XML ---

    Hope it helps someone out.

    Regards,

    Dan

  • Very nice script Dan :)

    It does have a bug in it that you can fix with an if statement and by configuring the second set of Get WMI value variables to continue on failure. It only occurs when using it on systems that do not have either SecurityCenter or SecurityCenter2 WMI values (Windows 2000, Windows Server 2003 and Windows Server 2008).

    I have also found that it does not work so well with computers with KES's AVG as I get a -1 value, looking into what that means as this script could tick one of the required tasks my boss has assigned me.

    Interestingly, I spent some time this morning working on this very issue. I've not tested it much yet, but maybe someone will find some part of it useful.

     

    <?xml version="1.0" encoding="utf-8"?>
    <ScriptExport xmlns:xsi="www.w3.org/.../XMLSchema-instance" xmlns:xsd="www.w3.org/.../XMLSchema" xmlns="www.kaseya.com/.../Scripting">
      <Procedure name="AntiVirus" treePres="3">
        <Body description="Checks whether an AntiVirus program is installed and confirms that it is updated and running.">
          <!-- Must continue on fail: the property is absent on machines without root\SecurityCenter2, and the Exists check below relies on reaching it. -->
          <Statement description="Create a named procedure variable and assign a value retrieved from the managed machine by the agent." name="GetVariable" continueOnFail="true" osType="Windows">
            <Parameter xsi:type="EnumParameter" name="VariableType" value="WMIProperty" />
            <Parameter xsi:type="StringParameter" name="SourceContent" value="root\SecurityCenter2:AntiVirusProduct.displayName" />
            <Parameter xsi:type="StringParameter" name="VariableName" value="displayName" />
          </Statement>
          <If description="If the Variable does not exist, no Antivirus program is installed">
            <Condition name="CheckVariable">
              <Parameter xsi:type="StringParameter" name="VariableName" value="#displayName#" />
              <Parameter xsi:type="EnumParameter" name="Condition" value="Exists" />
              <Parameter xsi:type="StringParameter" name="Value" value="" />
            </Condition>
            <Then>
              <Statement description="Create a named procedure variable and assign a value retrieved from the managed machine by the agent." name="GetVariable" continueOnFail="false">
                <Parameter xsi:type="EnumParameter" name="VariableType" value="WMIProperty" />
                <Parameter xsi:type="StringParameter" name="SourceContent" value="root\SecurityCenter2:AntiVirusProduct.productState" />
                <Parameter xsi:type="StringParameter" name="VariableName" value="productState" />
              </Statement>
              <If description="">
                <Condition name="CheckVariable">
                  <Parameter xsi:type="StringParameter" name="VariableName" value="#productState#" />
                  <Parameter xsi:type="EnumParameter" name="Condition" value="NotEquals" />
                  <Parameter xsi:type="StringParameter" name="Value" value="266240" />
                </Condition>
                <Then>
                  <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false">
                    <Parameter xsi:type="StringParameter" name="Comment" value="#displayName# is either not running, or not up to date" />
                  </Statement>
                </Then>
                <Else>
                  <!-- Only log "is running" when the product was actually found and its state matched. -->
                  <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false">
                    <Parameter xsi:type="StringParameter" name="Comment" value="#displayName# is running" />
                  </Statement>
                </Else>
              </If>
            </Then>
          </If>
          <If description="">
            <Condition name="CheckVariable">
              <Parameter xsi:type="StringParameter" name="VariableName" value="#displayName#" />
              <Parameter xsi:type="EnumParameter" name="Condition" value="NotExists" />
              <Parameter xsi:type="StringParameter" name="Value" value="" />
            </Condition>
            <Then>
              <!-- XP-era fallback: root\SecurityCenter exposes displayName plus two booleans instead of productState. -->
              <Statement description="Create a named procedure variable and assign a value retrieved from the managed machine by the agent." name="GetVariable" continueOnFail="true">
                <Parameter xsi:type="EnumParameter" name="VariableType" value="WMIProperty" />
                <Parameter xsi:type="StringParameter" name="SourceContent" value="root\SecurityCenter:AntiVirusProduct.displayName" />
                <Parameter xsi:type="StringParameter" name="VariableName" value="xpDisplayName" />
              </Statement>
              <If description="">
                <Condition name="CheckVariable">
                  <Parameter xsi:type="StringParameter" name="VariableName" value="#xpDisplayName#" />
                  <Parameter xsi:type="EnumParameter" name="Condition" value="Exists" />
                  <Parameter xsi:type="StringParameter" name="Value" value="" />
                </Condition>
                <Then>
                  <Statement description="Create a named procedure variable and assign a value retrieved from the managed machine by the agent." name="GetVariable" continueOnFail="false">
                    <Parameter xsi:type="EnumParameter" name="VariableType" value="WMIProperty" />
                    <Parameter xsi:type="StringParameter" name="SourceContent" value="root\SecurityCenter:AntiVirusProduct.productUpToDate" />
                    <Parameter xsi:type="StringParameter" name="VariableName" value="uptoDate" />
                  </Statement>
                  <If description="">
                    <Condition name="CheckVariable">
                      <Parameter xsi:type="StringParameter" name="VariableName" value="#uptoDate#" />
                      <Parameter xsi:type="EnumParameter" name="Condition" value="NotEquals" />
                      <Parameter xsi:type="StringParameter" name="Value" value="true" />
                    </Condition>
                    <Then>
                      <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="Comment" value="#xpDisplayName# is not up to date" />
                      </Statement>
                    </Then>
                  </If>
                  <Statement description="Create a named procedure variable and assign a value retrieved from the managed machine by the agent." name="GetVariable" continueOnFail="false">
                    <Parameter xsi:type="EnumParameter" name="VariableType" value="WMIProperty" />
                    <Parameter xsi:type="StringParameter" name="SourceContent" value="root\SecurityCenter:AntiVirusProduct.onAccessScanningEnabled" />
                    <Parameter xsi:type="StringParameter" name="VariableName" value="xpActive" />
                  </Statement>
                  <If description="">
                    <Condition name="CheckVariable">
                      <Parameter xsi:type="StringParameter" name="VariableName" value="#xpActive#" />
                      <Parameter xsi:type="EnumParameter" name="Condition" value="NotEquals" />
                      <Parameter xsi:type="StringParameter" name="Value" value="true" />
                    </Condition>
                    <Then>
                      <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="Comment" value="#xpDisplayName# is not running" />
                      </Statement>
                    </Then>
                  </If>
                </Then>
                <Else>
                  <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry">
                    <Parameter xsi:type="StringParameter" name="Comment" value="No Antivirus product found" />
                  </Statement>
                </Else>
              </If>
            </Then>
          </If>
        </Body>
      </Procedure>
    </ScriptExport>

  • Sorry Dan, don't want to bag your script, but I think I found 2 more major bugs in your script.

    1) The Boolean value used for Windows XP's Security Center under WMIC is TRUE or FALSE, but when you use Kaseya to grab those values you get -1 (TRUE) and 0 (FALSE). Took some head scratching to figure this out. This means your script will report all XP systems as "Antivirus Outdated".

    2) The two 6-digit Security Center 2 values you use are 2 of at least 10 current possible values; there are more than likely more, and this could increase over time. To be fair, documentation on these codes is non-existent, however with the guidance of this guy's post I believe I might have found 8 additional codes using his method of calculating their value and meaning: www.neophob.com/.../wmi-query-windows-securitycenter2

    I will still stand by my original comment as the idea behind it is very nice, I will post my version in the knowledge exchange and I will make sure to give you credit in the description.
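As an added worked example, not code from any post in this thread: a PowerShell decode of productState using the byte layout from the neophob post the previous reply links to, with a fallback to the XP-era root\SecurityCenter booleans that Dan's script also reads. The byte layout, the function names and the sample value 266256 are assumptions made here; it needs Windows PowerShell 3 or later.

```powershell
# Decode AntiVirusProduct.productState from root\SecurityCenter2 (Vista and later).
# Byte layout assumed from the neophob write-up linked in the thread, reading the
# value as a 6-digit hex string: byte 1 = product type flags, byte 2 = 0x10 real-time
# protection on (0x00 off, 0x01 snoozed), byte 3 = 0x00 definitions current,
# 0x10 out of date. 266240 = 0x041000 and 397312 = 0x061000 both decode as
# "on, current", which matches what the thread observed for those two codes.
function ConvertFrom-AvProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)
    $hex     = '{0:X6}' -f $ProductState
    $onByte  = [Convert]::ToInt32($hex.Substring(2, 2), 16)
    $defByte = [Convert]::ToInt32($hex.Substring(4, 2), 16)
    [pscustomobject]@{
        ProductState = $ProductState
        Hex          = '0x' + $hex
        Enabled      = ($onByte -eq 0x10)
        Snoozed      = ($onByte -eq 0x01)
        UpToDate     = ($defByte -eq 0x00)
    }
}

# Enumerate every registered AV product. Tries root\SecurityCenter2 first, then the
# XP-era root\SecurityCenter booleans. Servers with neither namespace return nothing,
# so that case is reported as "no AV" instead of being treated as a script failure.
function Get-AvStatus {
    $sc2 = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    if ($sc2) {
        foreach ($p in @($sc2)) {
            $d = ConvertFrom-AvProductState -ProductState $p.productState
            [pscustomobject]@{ Name = $p.displayName; Enabled = $d.Enabled; UpToDate = $d.UpToDate; Source = 'SecurityCenter2'; State = $d.Hex }
        }
        return
    }
    $sc1 = Get-CimInstance -Namespace 'root/SecurityCenter' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    if ($sc1) {
        foreach ($p in @($sc1)) {
            # WMI returns real booleans here; Kaseya's GetVariable renders them as -1/0, as noted above.
            [pscustomobject]@{ Name = $p.displayName; Enabled = [bool]$p.onAccessScanningEnabled; UpToDate = [bool]$p.productUpToDate; Source = 'SecurityCenter'; State = $null }
        }
        return
    }
    [pscustomobject]@{ Name = 'No Antivirus product found'; Enabled = $false; UpToDate = $false; Source = 'none'; State = $null }
}

# Constructed sample codes: the two from the thread plus a made-up "on but
# definitions stale" value (0x041010 = 266256).
266240, 397312, 266256 | ForEach-Object { ConvertFrom-AvProductState $_ } | Format-Table -AutoSize
Get-AvStatus | Format-Table -AutoSize
```

Any product whose Enabled or UpToDate comes back false is the machine an RMM view should flag, regardless of which of the vendors' many productState codes it reports.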