While helping to manage Microsoft Endpoint, a former colleague suggested that I set up Endpoint to automatically run a full system scan each time an infection is detected. I googled the blog post on it and, although it is a great post, I figured I could streamline it even more by using SCCM alone to achieve the same outcome. It is nice when you are out of the office and your backup might not have time to keep an eye on antivirus infections.
This is a second edition of the previous script I wrote. I have left that script up in case you do not want an email notification when a full system scan runs. This version sends an email to the users listed in the EmailAddresses.txt file, which resides in the same directory as the script. The other thing that needs to be done is to define the installation program in SCCM using psexec.exe, which also needs to reside in the same directory as the PowerShell script. This allows the PowerShell script to be executed under a domain account, giving it the ability to use the Send-MailMessage cmdlet. Here is how to do this:
psexec.exe \\%computername% -u <domain>\<username> -p <password> -h cmd.exe /c "echo . | powershell.exe -executionpolicy bypass -file install.ps1"
I decided to use the SCCM custom application detection method to check a system and see whether a full system scan has been performed. I started out by writing a PowerShell script that performed a WMI query against the SCCM server for the status of the system the detection was running on. The problem I ran across was that the detection script runs under the local system account, which would have required me to pass network credentials within the script. Instead, I decided to query the event logs on the local machine for the last infection date/time, which is event ID 1116. I then queried all machines in my firm to find an event ID that was unused, and 1118 happened to be just the one.
Here is how the process works:
- SCCM deploys the package to the system.
- The application detection queries the event viewer logs for the last 1116 ID (infection).
- The application detection queries the event viewer logs for the last 1118 ID.
- If no 1118 event exists since the last infection (1116), or no 1116 event is present at all, the custom detection method exits as a failure (not installed).
- If the custom detection failed, the antivirusscan.ps1 file will be executed on the machine.
- An email is sent stating that a scan was performed on %COMPUTERNAME%, with the virus details in the body.
- Once the scan is complete, a machine policy update is initiated to update the SCCM server with the status of the system.
- The application detection is initiated again to confirm the scan occurred.
This is set up in SCCM as a normal application deployment. The only thing that differs from a standard deployment is the detection method: the detection script is imported as a custom script detection method. The antivirusscan.ps1 file is set up as the installation program. I have mine entered like this:
powershell.exe -executionpolicy bypass -file antivirusscan.ps1
One more thing: I have the application hidden from Software Center. There really isn't a need for it to be there.
Line 57 of AntiVirusScanEmail.ps1 (the Send-MailMessage call) is the only line of code you should have to customize.
You can download the application and application detection files from the following links:
AntivirusScanEmail.ps1
1: <#
2: .NOTES
3: ===========================================================================
4: Created with: SAPIEN Technologies, Inc., PowerShell Studio 2015 v4.2.98
5: Created on: 11/19/2015 3:26 PM
6: Created by: Mick Pletcher
7: Organization:
8: Filename: AntiVirusScanEmail.ps1
9: ===========================================================================
10: .DESCRIPTION
11: This script will initiate a full or quick scan, whichever one is uncommented
12: below. It will then write an entry to the System event log showing the
13: scan was executed. Next, it will email the designated IT staff telling the
14: system scan has been performed. The final step is to execute a machine policy
15: update so the SCCM server is updated on the status of the system.
16: #>
17:
18: #Declare Variables
19: Set-Variable -Name EmailAddress -Force
20: Set-Variable -Name EmailAddresses -Force
21: Set-Variable -Name LastInfection -Force
22: Set-Variable -Name Output -Force
23: Set-Variable -Name RelativePath -Force
24: Set-Variable -Name SMSwmi -Force
25: Set-Variable -Name strAction -Force
26: Set-Variable -Name Subject -Force
27: Set-Variable -Name WMIPath -Force
28:
29: Import-Module "$env:ProgramFiles\Microsoft Security Client\MpProvider"
30: $RelativePath = (Split-Path $SCRIPT:MyInvocation.MyCommand.Path -Parent) + "\"
31: $EmailAddresses = @()
32: $EmailAddresses = Get-Content -Path "${RelativePath}EmailAddresses.txt"
33: $LastInfection = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ID = 1116 } -MaxEvents 1 -ErrorAction SilentlyContinue
34: <#Full Scan#>
35: Try { Start-MProtScan -ScanType "FullScan" } Catch {
36: Write-Warning "Error: $_"
37: Write-Host $_.Exception.ErrorCode
38: }
39: # Register the custom event source only once; New-EventLog fails if it already exists
40: If (-not [System.Diagnostics.EventLog]::SourceExists("Antimalware Full Scan")) {
41: New-EventLog -LogName System -Source "Antimalware Full Scan"
42: }
43: Write-EventLog -LogName System -Source "Antimalware Full Scan" -EntryType Information -EventId 1118 -Message "Antimalware full system scan was performed"
44: $Subject = "Virus Detection Report for" + [char]32 + $env:COMPUTERNAME
45: $Output = "An antimalware full system scan has been performed on" + [char]32 + $env:COMPUTERNAME + [char]32 + "due to the virus detection listed below." + [char]13 + [char]13 + $LastInfection.Message
46:
47: <#Quick Scan
48: Start-MProtScan -ScanType "QuickScan"
49: If (-not [System.Diagnostics.EventLog]::SourceExists("Antimalware Quick Scan")) {
50: New-EventLog -LogName System -Source "Antimalware Quick Scan"
51: }
52: Write-EventLog -LogName System -Source "Antimalware Quick Scan" -EntryType Information -EventId 1118 -Message "Antimalware quick system scan was performed"
53: $Subject = "Virus Detection Report for" + [char]32 + $env:COMPUTERNAME
54: $Output = "An antimalware quick system scan has been performed on" + [char]32 + $env:COMPUTERNAME + [char]32 + "due to the virus detection listed below." + [char]13 + [char]13 + $LastInfection.Message
55: #>
56: foreach ($EmailAddress in $EmailAddresses) {
57: Send-MailMessage -To $EmailAddress -From "IT@acme.com" -Subject $Subject -Body $Output -SmtpServer "smtp.acme.com"
58: }
59: $WMIPath = "\\" + $env:COMPUTERNAME + "\root\ccm:SMS_Client"
60: $SMSwmi = [wmiclass]$WMIPath
61: $strAction = "{00000000-0000-0000-0000-000000000021}"
62: [Void]$SMSwmi.TriggerSchedule($strAction)
63:
64: #Cleanup Variables
65: Remove-Variable -Name EmailAddress -Force
66: Remove-Variable -Name EmailAddresses -Force
67: Remove-Variable -Name LastInfection -Force
68: Remove-Variable -Name Output -Force
69: Remove-Variable -Name RelativePath -Force
70: Remove-Variable -Name SMSwmi -Force
71: Remove-Variable -Name strAction -Force
72: Remove-Variable -Name Subject -Force
73: Remove-Variable -Name WMIPath -Force
74:
ApplicationVirusDetectionMethodEmail.ps1
<#
.NOTES
===========================================================================
Created with: SAPIEN Technologies, Inc., PowerShell Studio 2015 v4.2.98
Created on: 11/19/2015 3:26 PM
Created by: Mick Pletcher
Organization:
Filename: ApplicationVirusDetectionMethodEmail.ps1
===========================================================================
.DESCRIPTION
SCCM application detection method. It writes to STDOUT only when no full
scan is outstanding, so SCCM treats the application as installed; otherwise
it writes nothing and SCCM runs the installation program (the scan script).
#>

# Newest infection event (1116) and newest custom full-scan event (1118) in the System log
$LastInfection = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ID = 1116 } -MaxEvents 1 -ErrorAction SilentlyContinue
$LastFullScan = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ID = 1118 } -MaxEvents 1 -ErrorAction SilentlyContinue
If (($LastFullScan.TimeCreated -lt $LastInfection.TimeCreated) -or ($LastInfection -eq $null)) {
	# No scan since the last infection (or no 1116 event at all): nothing on STDOUT,
	# so SCCM reports "not installed" and runs the scan script
	Start-Sleep -Seconds 5
	exit 0
} else {
	# Output on STDOUT with exit code 0 means "installed" to SCCM
	Write-Host "No Infection"
	Start-Sleep -Seconds 5
	exit 0
}

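The detection logic above and the 1116/1118 process described earlier, as an added example that is not part of the original post (the function names Test-FullScanRequired and Get-NewestEventTime are this example's own): the comparison is factored into a function so both null cases can be checked offline against constructed timestamps, and the SCCM detection contract (output on STDOUT with exit 0 means installed; no output means the scan program runs) is spelled out. Unlike the post's script, it treats a machine with no 1116 event at all as needing no scan, which is a design choice of this example.

```powershell
# Added example (not from the post): the detection comparison as a function,
# with null handling made explicit, plus the SCCM detection contract.
# Event IDs as in the post: 1116 = infection, 1118 = custom "full scan done".

function Test-FullScanRequired {
    param(
        [Nullable[datetime]]$LastInfection,   # newest 1116 TimeCreated, or $null
        [Nullable[datetime]]$LastFullScan     # newest 1118 TimeCreated, or $null
    )
    # Design choice of this example (the post's script differs): with no
    # 1116 event there is nothing to respond to, so no scan is required.
    if ($null -eq $LastInfection) { return $false }
    # An infection with no 1118 event after it has never been scanned.
    if ($null -eq $LastFullScan) { return $true }
    # Both present: a scan is required only if the infection is the newer one.
    return ($LastFullScan -lt $LastInfection)
}

function Get-NewestEventTime {
    param([int]$EventId)
    # Get-WinEvent writes an error when nothing matches; treat that as "no event".
    $e = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $EventId } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($e) { return $e.TimeCreated } else { return $null }
}

# Offline self-check with constructed timestamps (no event log needed).
$t0 = Get-Date '2015-11-19 15:00'
$cases = @(
    @{ Inf = $null;           Scan = $null;              Expect = $false },
    @{ Inf = $t0;             Scan = $null;              Expect = $true  },
    @{ Inf = $t0;             Scan = $t0.AddMinutes(30); Expect = $false },
    @{ Inf = $t0.AddHours(2); Scan = $t0.AddMinutes(30); Expect = $true  }
)
foreach ($c in $cases) {
    $got = Test-FullScanRequired -LastInfection $c.Inf -LastFullScan $c.Scan
    if ($got -ne $c.Expect) { throw "Self-check failed: Inf=$($c.Inf) Scan=$($c.Scan)" }
}

# Live detection. SCCM reads STDOUT: output + exit 0 = installed (no action);
# no output + exit 0 = not installed, so the scan program runs.
if (Test-FullScanRequired -LastInfection (Get-NewestEventTime 1116) `
        -LastFullScan (Get-NewestEventTime 1118)) {
    exit 0
}
Write-Output "No infection since last full scan"
exit 0
```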