20 November 2015

Automating Microsoft Endpoint Full System Scan upon Infection

While helping to manage Microsoft Endpoint Protection, a former colleague suggested that I set up Endpoint to automatically run a full system scan each time an infection is detected. I googled the blog posting on it, and although it is a great post, I figured I could streamline it even more by using SCCM alone to achieve the same outcome. It is nice when you are out of the office and your backup might not have the time to keep an eye on the antivirus infections.

I decided to use the SCCM custom application detection method to check a system and see whether a full system scan has been performed since its last infection. I first started out by writing a PowerShell script that would perform a WMI query against the SCCM server for the status of the system the detection was being run on. The problem I ran across was that the detection script runs under the local SYSTEM account, which would have required me to embed network credentials within the script. Instead of doing that, I decided to query the System event log on the local machine for the last infection date/time, which is event ID 1116. I queried all machines in my firm to find an event ID that was unused, and 1118 happened to be just the one.

Here is how the process works:
  1. SCCM deploys the application to the system.
  2. The detection method queries the System event log for the most recent event ID 1116 (infection).
  3. The detection method queries the System event log for the most recent event ID 1118 (scan marker written by the scan script).
  4. If no 1118 event exists since the last infection, or no 1116 event is found at all, the custom detection method exits as not detected (a detection failure).
  5. If detection failed, SCCM runs AntiVirusScan.ps1 on the machine.
  6. Once the scan is complete, a machine policy update is initiated so the SCCM client reports the status of the system back to the server.
  7. The detection method runs again to confirm the scan occurred.

This is set up in SCCM as a normal application deployment. The only thing that differs from a standard deployment is the detection method: the detection script is imported as a custom script detection method. The AntiVirusScan.ps1 file is set up as the installation program. I have mine entered like this:
powershell.exe -executionpolicy bypass -file antivirusscan.ps1
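The detection decision is the part worth getting right, so here it is factored into a function that can be exercised offline against constructed events before it is trusted on the live event log. This is an added example, not the post's own script. It assumes SCEP writes its detection events to the System log as ID 1116 under the provider name "Microsoft Antimalware", and that the scan script writes its marker as ID 1118 under the custom source "Antimalware Full Scan"; both names are assumptions. Two points differ from the post's scripts: the event lookups filter on the provider/source name as well as the ID, because the shared Microsoft antimalware event ID space documents 1118 as a "remediation action failed" event and an ID-only query would take such an event for a completed scan; and a machine with no infection history is treated as compliant rather than as "not installed", so clean machines are not rescanned on every detection cycle.

```powershell
# Added example (not the post's own code). Assumed names: SCEP detections are
# System-log ID 1116 from provider "Microsoft Antimalware"; the scan script's
# marker is ID 1118 from the custom source "Antimalware Full Scan".
$InfectionProvider = 'Microsoft Antimalware'
$ScanMarkerSource  = 'Antimalware Full Scan'

function Test-ScanRequired {
    # Decide whether a full scan is due from the two most recent events.
    # $InfectionEvent / $ScanEvent are Get-WinEvent records, or $null when absent;
    # only .TimeCreated is read, so constructed objects work for offline checks.
    param($InfectionEvent, $ScanEvent)

    if ($null -eq $InfectionEvent) { return $false }   # never infected: nothing to do
    if ($null -eq $ScanEvent)      { return $true  }   # infected, never scanned
    return ($ScanEvent.TimeCreated -lt $InfectionEvent.TimeCreated)   # scan predates infection
}

function Get-AntimalwareState {
    # Live lookup. ProviderName is part of each filter so that a platform event
    # that happens to carry ID 1118 is not mistaken for our scan marker.
    $infectionFilter = @{ LogName = 'System'; ProviderName = $InfectionProvider; Id = 1116 }
    $scanFilter      = @{ LogName = 'System'; ProviderName = $ScanMarkerSource;  Id = 1118 }
    $infection = Get-WinEvent -FilterHashtable $infectionFilter -MaxEvents 1 -ErrorAction SilentlyContinue
    $scan      = Get-WinEvent -FilterHashtable $scanFilter      -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{ Infection = $infection; Scan = $scan }
}

# Offline self-check against constructed events (not real log data). It runs on
# every evaluation and throws, which SCCM reports as a detection error, if the
# decision table ever drifts.
$t0 = [datetime]'2015-11-19T09:00:00'
$cases = @(
    @{ Name = 'clean machine';           Infection = $null;                                  Scan = $null;                                              Expect = $false },
    @{ Name = 'infected, never scanned'; Infection = [pscustomobject]@{ TimeCreated = $t0 }; Scan = $null;                                              Expect = $true  },
    @{ Name = 'scan predates infection'; Infection = [pscustomobject]@{ TimeCreated = $t0 }; Scan = [pscustomobject]@{ TimeCreated = $t0.AddHours(-2) }; Expect = $true  },
    @{ Name = 'scan after infection';    Infection = [pscustomobject]@{ TimeCreated = $t0 }; Scan = [pscustomobject]@{ TimeCreated = $t0.AddHours(3) };  Expect = $false }
)
foreach ($c in $cases) {
    $got = Test-ScanRequired -InfectionEvent $c.Infection -ScanEvent $c.Scan
    if ($got -ne $c.Expect) { throw "Detection self-check failed: $($c.Name)" }
}

# What SCCM acts on: anything on STDOUT with exit 0 means "installed" (no scan
# needed); a silent exit 0 means "not installed", so the scan script is run.
$state = Get-AntimalwareState
if (-not (Test-ScanRequired -InfectionEvent $state.Infection -ScanEvent $state.Scan)) {
    Write-Output 'Compliant: no infection newer than the last full scan'
}
exit 0
```

Because the scan script registers its own event source, the marker can only be matched by something writing under that source name, which on a managed endpoint means SYSTEM or an administrator; if an attacker already has that, a suppressed rescan is the least of the problems, so the provider filter is about correctness, not tamper resistance.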

One more thing: I have the application hidden from Software Center. There really isn't a need for it to be there.
Click here to download the Application Virus Detection Method.
Click here to download the Antivirus Scan script.

Antivirus Scan Script
<#
    .NOTES
    ===========================================================================
     Created with:   SAPIEN Technologies, Inc., PowerShell Studio 2015 v4.2.98
     Created on:     11/19/2015 3:26 PM
     Created by:     Mick Pletcher
     Filename:       AntiVirusScan.ps1
    ===========================================================================
    .DESCRIPTION
        This script will initiate a full or quick scan, whichever one is uncommented
        below. It then writes an event to the System log showing the scan was
        executed. The final step is to trigger a machine policy update so the
        SCCM server is updated on the status of the system.
#>

# Load the Endpoint Protection module that provides Start-MProtScan
Import-Module "$env:ProgramFiles\Microsoft Security Client\MpProvider"

<# Full Scan #>
Start-MProtScan -ScanType "FullScan"
# Register the custom event source once; New-EventLog errors if it already exists
If (-not [System.Diagnostics.EventLog]::SourceExists("Antimalware Full Scan")) {
    New-EventLog -LogName System -Source "Antimalware Full Scan"
}
# Marker event (ID 1118) that the detection method looks for
Write-EventLog -LogName System -Source "Antimalware Full Scan" -EntryType Information -EventId 1118 -Message "Antimalware full system scan was performed"

<# Quick Scan
Start-MProtScan -ScanType "QuickScan"
If (-not [System.Diagnostics.EventLog]::SourceExists("Antimalware Quick Scan")) {
    New-EventLog -LogName System -Source "Antimalware Quick Scan"
}
Write-EventLog -LogName System -Source "Antimalware Quick Scan" -EntryType Information -EventId 1118 -Message "Antimalware quick system scan was performed"
#>

# Trigger the SCCM client's machine policy retrieval ({...21}) so detection
# re-runs and the server is updated with the new status
$WMIPath = "\\" + $env:COMPUTERNAME + "\root\ccm:SMS_Client"
$SMSwmi = [wmiclass]$WMIPath
$strAction = "{00000000-0000-0000-0000-000000000021}"
[Void]$SMSwmi.TriggerSchedule($strAction)
Exit 0

Application Virus Detection Method
# SCCM custom script detection: anything written to STDOUT with exit code 0 means
# "installed" (no scan needed); exit code 0 with no output means "not installed",
# which makes SCCM run AntiVirusScan.ps1.
$LastInfection = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ID = 1116 } -MaxEvents 1 -ErrorAction SilentlyContinue
$LastFullScan = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ID = 1118 } -MaxEvents 1 -ErrorAction SilentlyContinue
# If no 1118 exists, $LastFullScan.TimeCreated is $null, which compares as earlier
# than any date, so an infection with no later scan also lands in the first branch.
If (($LastFullScan.TimeCreated -lt $LastInfection.TimeCreated) -or ($null -eq $LastInfection)) {
    # No output: not installed, scan will run
    Start-Sleep -Seconds 5
    Exit 0
} Else {
    # Output on STDOUT: installed, nothing to do
    Write-Output "No Infection"
    Start-Sleep -Seconds 5
    Exit 0
}

