AntiMalware collection script does not collect any data from Win10 machines


I have enabled the AntiMalware collection in Azure LogAnalytics.

On Win10 machines v1803 with latest updates until May 2019, I see this in the Eventlog under Operations Manager

Event 9991 - AntiMalware Collection Script Started :

 

Then another 5 sec later

Event 9991 - AntiMalware Collection Script Finished : AntiMalware Collection Script Returned

 

But there is NO data in the ProtectionStatus table about the machine.

Other data about the machine IS COLLECTED fine, for example heartbeat, system update, etc.

 

Hints ?

 

I have other older Win10 machines that show in ProtectionStatus, but not newer Win10 machines.

PowerShell is the latest 5.1.


@Morten Waltorp Knudsen 

 

Are they all machines with the same OS Minor version?  

 

Would this help identify them?

 

 

ProtectionStatus
| distinct Computer, ProtectionStatus, ProtectionStatusDetails, ProtectionStatusRank
| join 
  (
   Heartbeat  
   | distinct Computer, OSName, OSType, OSMajorVersion, OSMinorVersion 
  ) on Computer 
| sort by OSMinorVersion desc 

 

Thank you @Clive Watson 

But the problem is actually related to the MMA agent, when it runs the Antimalware collection scripts.

In my case, it doesn't recognize Trend Office Scan or Defender or MRT, so the script doesn't report anything back to LogAnalytics.

 

I have actually decided to rewrite an antimalware solution as a custom solution.

I'm extracting the antimalware information using this 

https://jdhitsolutions.com/blog/powershell/5187/get-antivirus-product-status-with-powershell/

 

Then I use this sample (Azure Monitor HTTP Data Collector API | Microsoft Docs) to import the data from the first script into a JSON upload.

 

Then I have a generic solution that will work on ANY antivirus solution, as it talks with Windows.

Lastly, I'm preparing a custom view to e.g. find the count of machines without Trend Antivirus installed and a list of the machines.
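The two-step approach in the reply above (read the antivirus product state from Windows Security Center, then push it to a custom log through the Azure Monitor HTTP Data Collector API) as one added PowerShell script. This is example code written for this thread, not the poster's script and not a Microsoft sample; `$WorkspaceId` and `$SharedKey` are placeholders for the workspace ID and primary key, `AVStatus` is an arbitrary custom log name (it shows up as `AVStatus_CL`), and the `productState` bit decoding is the community mapping used in the linked blog post rather than a documented API, so treat it as an assumption.

```powershell
# Added example: collect AntiVirusProduct status from root/SecurityCenter2 (client
# Windows only; the namespace does not exist on Windows Server) and post it to a
# Log Analytics custom log with the HTTP Data Collector API (SharedKey auth).
param(
    [Parameter(Mandatory)][string]$WorkspaceId,   # placeholder: workspace (customer) ID
    [Parameter(Mandatory)][string]$SharedKey,     # placeholder: workspace primary key (base64)
    [string]$LogType = 'AVStatus'                 # arrives in the workspace as AVStatus_CL
)

function Get-AvProductStatus {
    # productState is a 24-bit bitfield; middle byte 10/11 = real-time protection on,
    # last byte 00 = definitions current. Community mapping, not a documented API (assumption).
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop
    foreach ($p in $products) {
        $hex = '{0:x6}' -f [int]$p.productState      # e.g. 397568 -> "061100"
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            DisplayName  = $p.displayName
            ProductState = $p.productState
            Enabled      = ($hex.Substring(2, 2) -in '10', '11')
            UpToDate     = ($hex.Substring(4, 2) -eq '00')
            Timestamp    = [DateTime]::UtcNow.ToString('o')  # used as TimeGenerated below
        }
    }
}

function Send-LogAnalyticsData {
    param([string]$WorkspaceId, [string]$SharedKey, [string]$Body, [string]$LogType)
    $method      = 'POST'
    $contentType = 'application/json'
    $resource    = '/api/logs'
    $rfc1123date = [DateTime]::UtcNow.ToString('r')
    $bodyBytes   = [Text.Encoding]::UTF8.GetBytes($Body)   # sign the byte length, not the char count

    # SharedKey signature: HMAC-SHA256 over method, content length, content type, x-ms-date, resource
    $stringToSign = "$method`n$($bodyBytes.Length)`n$contentType`nx-ms-date:$rfc1123date`n$resource"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $signature = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign)))

    $uri = "https://$WorkspaceId.ods.opinsights.azure.com${resource}?api-version=2016-04-01"
    $headers = @{
        'Authorization'        = "SharedKey ${WorkspaceId}:$signature"
        'Log-Type'             = $LogType
        'x-ms-date'            = $rfc1123date
        'time-generated-field' = 'Timestamp'   # take TimeGenerated from our record, not ingestion time
    }
    $response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $contentType `
                                  -Headers $headers -Body $bodyBytes -UseBasicParsing
    return $response.StatusCode   # 200 means accepted
}

# Collect, then upload. An empty result is exactly the symptom in this thread: nothing is
# registered with Security Center, so there is nothing for any collector to report.
$records = @(Get-AvProductStatus)
if ($records.Count -eq 0) {
    Write-Warning "No AntiVirusProduct instances found in root/SecurityCenter2 on $env:COMPUTERNAME"
    return
}
$body = $records | ConvertTo-Json -Depth 3
if ($records.Count -eq 1) { $body = "[$body]" }   # the API expects a JSON array, even for one record

$status = Send-LogAnalyticsData -WorkspaceId $WorkspaceId -SharedKey $SharedKey -Body $body -LogType $LogType
Write-Output "Upload returned HTTP $status for $($records.Count) record(s)"
```

Run it as `.\Send-AvStatus.ps1 -WorkspaceId <id> -SharedKey <key>`; the workspace key is a write credential for the whole workspace, so read it from a secret store or an environment variable at runtime rather than committing it next to the script, and schedule the script with an account that can query `root/SecurityCenter2`. Running `Get-AvProductStatus` on its own is also a quick local check before involving the agent: if it returns nothing on a machine that shows "Collection Script Returned" with no ProtectionStatus rows, the product simply is not registered with Security Center and the MMA script has nothing to read.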