May 21 2019
07:08 AM
- last edited on
Apr 07 2022
05:47 PM
by
TechCommunityAP
I have enabled the AntiMalware collection in Azure LogAnalytics.
On Win10 machines v1803 with latest updates until May 2019, I see this in the Eventlog under Operations Manager
Event 9991 - AntiMalware Collection Script Started :
Then another 5 sec later
Event 9991 - AntiMalware Collection Script Finished : AntiMalware Collection Script Returned
But there is NO data in the ProtectionStatus table about the machine.
Other data about the machine IS COLLECTED fine, for example heartbeat, system update, etc.
Hints ?
I have other older Win10 machines that show in ProtectionStatus, but not newer Win10 machines.
PowerShell is latest 5.1
May 21 2019 09:36 AM
Are they all machines with the same OS Minor version?
Would this help identify them?
ProtectionStatus
| distinct Computer, ProtectionStatus, ProtectionStatusDetails, ProtectionStatusRank
| join (
    Heartbeat
    | distinct Computer, OSName, OSType, OSMajorVersion, OSMinorVersion
) on Computer
| sort by OSMinorVersion desc
May 21 2019 01:16 PM
Thank you @CliveWatson
But the problem is actually related to the MMA agent, when it runs the Antimalware collection scripts.
In my case, it doesn't recognize Trend Office Scan or Defender or MRT, so the script doesn't report anything back to LogAnalytics.
I have actually decided to rewrite an antimalware solution as a custom solution.
I'm extracting the antimalware information using this
https://jdhitsolutions.com/blog/powershell/5187/get-antivirus-product-status-with-powershell/
Then I use this sample (Azure Monitor HTTP Data Collector API | Microsoft Docs) to import the data from the first script into a JSON upload.
Then I have a generic solution that will work on ANY antivirus solution, as it talks with Windows.
Lastly, I'm preparing a custom view to e.g. find the count of machines without Trend Antivirus installed and a list of the machines
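The two steps described above in one script, added here as an example (it is neither the poster's script nor the jdhitsolutions code): read AntiVirusProduct from the Security Center WMI namespace, then post the records with the HTTP Data Collector API signature scheme. The workspace ID, key, custom table name and the productState decoding heuristic are assumptions.

```powershell
# Added example: collect antivirus state from Windows Security Center and push it
# to a Log Analytics custom table via the HTTP Data Collector API.
$WorkspaceId = "<WORKSPACE_ID>"      # placeholder
$SharedKey   = "<PRIMARY_KEY>"       # placeholder (base64 workspace key)
$LogType     = "AntiMalwareCustom"   # assumed table name; appears as AntiMalwareCustom_CL

function Get-AvStatus {
    # root/SecurityCenter2 exists on client SKUs only; server SKUs return nothing here.
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
        ForEach-Object {
            # productState is a bit field. Community heuristic (assumed): hex digits 3-4
            # 10/11 = enabled, digits 5-6 00 = signatures up to date.
            $hex = '{0:x6}' -f $_.productState
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                Product      = $_.displayName
                Enabled      = ($hex.Substring(2, 2) -in '10', '11')
                UpToDate     = ($hex.Substring(4, 2) -eq '00')
                ProductState = $_.productState
                Collected    = (Get-Date).ToUniversalTime().ToString('o')
            }
        }
}

function Send-LogAnalyticsData {
    param([string]$JsonBody)
    $bodyBytes = [Text.Encoding]::UTF8.GetBytes($JsonBody)
    $date      = [DateTime]::UtcNow.ToString('r')
    # Data Collector API signature: HMAC-SHA256 over the canonical string, keyed with the decoded shared key.
    $stringToSign = "POST`n$($bodyBytes.Length)`napplication/json`nx-ms-date:$date`n/api/logs"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $sig = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign)))
    $headers = @{
        Authorization          = "SharedKey ${WorkspaceId}:$sig"
        'Log-Type'             = $LogType
        'x-ms-date'            = $date
        'time-generated-field' = 'Collected'   # use our ISO 8601 timestamp as TimeGenerated
    }
    $uri = "https://$WorkspaceId.ods.opsinsights.azure.com/api/logs?api-version=2016-04-01"
    Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' -Headers $headers -Body $bodyBytes
}

$records = @(Get-AvStatus)
if ($records.Count -gt 0) {
    Send-LogAnalyticsData -JsonBody (ConvertTo-Json -InputObject $records -Compress)
}
```

Machines that report no AntiVirusProduct rows send nothing, so a query over AntiMalwareCustom_CL joined against Heartbeat on Computer is what exposes the unprotected ones.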