Forum Discussion
AntiMalware collection script does not collect any data from Win10 machines
I have enabled the AntiMalware collection in Azure LogAnalytics.
On Win10 machines v1803 with latest updates until May 2019, I see this in the Eventlog under Operations Manager
Event 9991 - AntiMalware Collection Script Started:
Then another 5 sec later
Event 9991 - AntiMalware Collection Script Finished: AntiMalware Collection Script Returned
But there is NO data in the ProtectionStatus table about the machine.
Other data about the machine IS COLLECTED fine, for example heartbeat, system update, etc.
Hints?
I have other older Win10 machines that show in ProtectionStatus, but not the newer Win10 machines.
PowerShell is the latest, 5.1.
2 Replies
- CliveWatson, Former Employee
Are they all machines with the same OS Minor version?
Would this help identify them?
ProtectionStatus | distinct Computer, ProtectionStatus, ProtectionStatusDetails, ProtectionStatusRank | join ( Heartbeat | distinct Computer, OSName, OSType, OSMajorVersion, OSMinorVersion ) on Computer | sort by OSMinorVersion desc
- Morten_Knudsen, Brass Contributor
Thank you CliveWatson
But the problem is actually related to the MMA agent, when it runs the Antimalware collection scripts.
In my case, it doesn't recognize Trend Office Scan or Defender or MRT, so the script doesn't report anything back to LogAnalytics.
I have actually decided to rewrite an antimalware solution as a custom solution.
I'm extracting the antimalware information using this
https://jdhitsolutions.com/blog/powershell/5187/get-antivirus-product-status-with-powershell/
Then I use this sample (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-collector-api) to import the data from the first script into a JSON upload.
Then I have a generic solution that will work on ANY antivirus solution, as it talks with Windows.
Lastly, I'm preparing a custom view to e.g. find the count of machines without Trend Antivirus installed and a list of the machines
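The two-step approach described in the reply above (read the antivirus state that Windows Security Center exposes, then push it to a Log Analytics custom log through the HTTP Data Collector API) in one script. This is an added example, not code from the thread, the linked blog post or the Microsoft docs sample. It assumes placeholder values for the workspace ID and primary key, a custom log name of `AntiMalwareCustom` (which Log Analytics exposes as `AntiMalwareCustom_CL`), and uses the commonly applied but undocumented decoding of the `productState` bitfield; the Data Collector API string-to-sign and headers are the ones Microsoft documents for that API.

```powershell
# Added example: collect antivirus product state from Windows Security Center and
# upload it as a custom log via the Log Analytics HTTP Data Collector API.
param(
    [string]$WorkspaceId = '<WORKSPACE_ID>',    # placeholder, replace with your workspace ID
    [string]$SharedKey   = '<PRIMARY_KEY>',     # placeholder, replace with the workspace primary key
    [string]$LogType     = 'AntiMalwareCustom'  # assumed custom log name; appears as AntiMalwareCustom_CL
)

function Get-AntiMalwareStatus {
    # root/SecurityCenter2 exists on client SKUs only; an empty result is itself worth reporting,
    # so a "None detected" record is emitted instead of silently returning nothing.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue
    $computer = $env:COMPUTERNAME
    $now      = (Get-Date).ToUniversalTime().ToString('o')
    if (-not $products) {
        return ,[pscustomobject]@{
            Computer = $computer; Product = 'None detected'; Enabled = $false
            UpToDate = $false; ProductState = $null; TimeGenerated = $now
        }
    }
    foreach ($p in $products) {
        # productState is an undocumented bitfield. The decoding below is the widely used heuristic
        # (assumption): the second hex byte 0x10/0x11 means real-time protection is on, and the
        # third hex byte 0x00 means signatures are current.
        $hex = '{0:X6}' -f [int]$p.productState
        [pscustomobject]@{
            Computer      = $computer
            Product       = $p.displayName
            Enabled       = ($hex.Substring(2, 2) -in '10', '11')
            UpToDate      = ($hex.Substring(4, 2) -eq '00')
            ProductState  = $p.productState
            TimeGenerated = $now
        }
    }
}

function New-DataCollectorSignature {
    param([string]$WorkspaceId, [string]$SharedKey, [string]$Date, [int]$ContentLength)
    # Documented string-to-sign: METHOD\nContentLength\nContentType\nx-ms-date:DATE\n/api/logs,
    # HMAC-SHA256 with the base64-decoded workspace key.
    $stringToSign = "POST`n$ContentLength`napplication/json`nx-ms-date:$Date`n/api/logs"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign))
    return "SharedKey ${WorkspaceId}:$([Convert]::ToBase64String($hash))"
}

function Send-LogAnalyticsData {
    param([string]$WorkspaceId, [string]$SharedKey, [string]$LogType, [object[]]$Records)
    # -InputObject with an explicit array keeps a single record serialized as a JSON array,
    # which is what the API expects.
    $json = ConvertTo-Json -InputObject @($Records) -Depth 3
    $body = [Text.Encoding]::UTF8.GetBytes($json)
    $date = [DateTime]::UtcNow.ToString('r')   # RFC 1123 date required by the x-ms-date header
    $headers = @{
        'Authorization'        = New-DataCollectorSignature -WorkspaceId $WorkspaceId -SharedKey $SharedKey -Date $date -ContentLength $body.Length
        'Log-Type'             = $LogType
        'x-ms-date'            = $date
        'time-generated-field' = 'TimeGenerated'   # use the collection time, not ingestion time
    }
    $uri  = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    $resp = Invoke-WebRequest -Uri $uri -Method Post -ContentType 'application/json' -Headers $headers -Body $body -UseBasicParsing
    return $resp.StatusCode   # 200 means the batch was accepted
}

# Show the local result first; only upload once the placeholders have been replaced.
$records = Get-AntiMalwareStatus
$records | Format-Table -AutoSize
if ($WorkspaceId -notlike '<*') {
    Send-LogAnalyticsData -WorkspaceId $WorkspaceId -SharedKey $SharedKey -LogType $LogType -Records $records
}
```

Once records arrive, Log Analytics suffixes the fields by type, so a view like the one the reply mentions becomes `AntiMalwareCustom_CL | where Enabled_b == false or UpToDate_b == false or Product_s !contains "Trend" | distinct Computer_s`. Treat the `productState` decoding as a best-effort signal rather than ground truth: a product that is not registered with Security Center (common on server SKUs, or when a third-party agent is installed but not yet reporting) shows up as "None detected" and should be investigated rather than assumed unprotected.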