AntiMalware collection script does not collect any data from Win10 machines
Are they all machines with the same OS Minor version?
Would this help identify them?
ProtectionStatus
| distinct Computer, ProtectionStatus, ProtectionStatusDetails, ProtectionStatusRank
| join (
    Heartbeat
    | distinct Computer, OSName, OSType, OSMajorVersion, OSMinorVersion
  ) on Computer
| sort by OSMinorVersion desc
- Morten_Knudsen, May 21, 2019, Brass Contributor
Thank you CliveWatson
But the problem is actually related to the MMA agent, when it runs the Antimalware collection scripts.
In my case, it doesn't recognize Trend Office Scan or Defender or MRT, so the script doesn't report anything back to Log Analytics.
I have actually decided to rewrite an antimalware solution as a custom solution.
I'm extracting the antimalware information using this
https://jdhitsolutions.com/blog/powershell/5187/get-antivirus-product-status-with-powershell/
Then I use this sample (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-collector-api) to import the data from the first script into a JSON upload.
Then I have a generic solution that will work on ANY antivirus solution, as it talks with Windows.
Lastly, I'm preparing a custom view to e.g. find the count of machines without Trend Antivirus installed and a list of the machines.
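
The collect-and-upload flow described in the post above, as an added example that is not the poster's own script: it reads the antivirus products registered with Windows Security Center and posts them as JSON to the HTTP Data Collector API. The environment variable names, the `AntivirusStatus` log type and the reading of the `productState` bits are assumptions.

```powershell
# Added example. Workspace ID and key are read from environment variables (assumed names).
$WorkspaceId = $env:LA_WORKSPACE_ID
$SharedKey   = $env:LA_SHARED_KEY   # workspace key; keep it out of the script file
$LogType     = 'AntivirusStatus'    # hypothetical name; stored as AntivirusStatus_CL

# 1. Ask Windows Security Center which AV products are registered (client OS only).
$now = (Get-Date).ToUniversalTime().ToString('o')
$records = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
    ForEach-Object {
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            DisplayName  = $_.displayName
            ProductState = $_.productState
            # productState is undocumented; this bit reading is a common convention (assumption).
            Enabled      = [bool]($_.productState -band 0x1000)
            UpToDate     = -not [bool]($_.productState -band 0x10)
            TimeStamp    = $now
        }
    })
# Report the host even when nothing is registered, so "no AV" shows up in queries.
if ($records.Count -eq 0) {
    $records = @([pscustomobject]@{ Computer = $env:COMPUTERNAME; DisplayName = 'None'
        ProductState = 0; Enabled = $false; UpToDate = $false; TimeStamp = $now })
}
$body = [Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject $records))

# 2. Sign the request with the SharedKey scheme (HMAC-SHA256 over the canonical string).
$date   = [DateTime]::UtcNow.ToString('r')
$toSign = "POST`n$($body.Length)`napplication/json`nx-ms-date:$date`n/api/logs"
$hmac   = New-Object System.Security.Cryptography.HMACSHA256
$hmac.Key = [Convert]::FromBase64String($SharedKey)
$sig    = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)))

# 3. Upload the records to the workspace.
$headers = @{
    'Authorization'        = "SharedKey ${WorkspaceId}:$sig"
    'Log-Type'             = $LogType
    'x-ms-date'            = $date
    'time-generated-field' = 'TimeStamp'
}
$uri = "https://${WorkspaceId}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
Invoke-RestMethod -Uri $uri -Method Post -ContentType 'application/json' -Headers $headers -Body $body
```

Custom fields get a type suffix in the workspace, so a view built on this data would filter on columns such as `DisplayName_s` and `Enabled_b` in `AntivirusStatus_CL`.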