Support other Antivirus products in Malware Assessment
I added the Malware Assessment Intelligence Pack today, and it seems to be listing all of my servers as not having any real time AV protection. The servers in question are running Symantec Endpoint Protection. I looked in the description of the intelligence pack to see what AV products it works with, but didn't find that info.
[Edited during forum migration: comments/responses in the old forum included Symantec and Sophos]
Gary Burke commented
I would like to see Trend OfficeScan added please.
Kenneth Lindgren commented
I'm running Windows 10 and Windows Defender with Real-time protection on, however our systems are listed as follows:
TypeofProtection:Malicious Software Removal Tool
ProtectionStatus:No real time protection (this looks bad on the summary)
ProtectionStatusDetails:No infection found
I second ESET products too.
Benoit HAMET commented
I have read you are only detecting Windows Defender and SCEP, but even so this reports WRONG results.
I'm using SCEP and Operational Insights still reports my servers with no real time protection while this is clearly not the case.
Have you also checked this thread http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6519211-windows-server-2008-r2-sp1-servers-are-shown-as-n ?
I'm using SCEP 2012 with Operations Management Suite (with Operational Insights) and OMS is still reporting the server as not having real-time protection installed.
Checked the server and confirmed Real-time protection is turned on and the SCEP is up to date.
Jozef Izso commented
I would love to see integration with ESET products. :)
Rich Lilly commented
Symantec, McAfee, Trend would be great
As per admin response above,
[...] Right now we’re only detecting Windows Defender and System Center Endpoint Protection (SCEP) real-time clients.
If we don’t find one of these clients we use data from the Malicious Software Removal Tool and mark the server as not having real-time protection.
Signatures out of date will only show for servers that haven’t updated their AV/malware signatures in 7 days or more.
If SCEP is detected and real time monitoring is disabled we’ll report this as “no real time protection” instead of “not reporting”. [...]
that's all that is supported by AntiMalware IP at the moment. The data is produced by the agent through scripts using various WMI and other API calls, to give you a rich shape of data that is easy to query.
Richard's point below is just that you CAN do some of the same things in a 'lightweight' manner (i.e. from Azure PaaS getting events from Windows Azure Diagnostics) and we are exploring this as an alternative to have broader applicability - but it's not the current implementation. Just something you can do on your own with Log Management today.
Of course, if you have other products/workloads/software that logs events - you can use Log Management for a multitude of scenarios: monitoring, troubleshooting, auditing, etc... you just need to know where your software logs and what it logs. i.e. see this blog post about emulating SCOM's Alert Rules with Searches (example for IIS, but the idea applies to anything that logs, really) http://blogs.msdn.com/b/dmuscett/archive/2014/11/05/iis-mp-event-alerting-rules-s-opinsights-searches-equivalents.aspx
But this is not currently native functionality of the specialized 'AntiMalware' IP.
Sean Lewis commented
As per below, we use Webroot, is it a case of ensuring that the AV vendor writes out to the event log in a specific manner, and if this is not the case the OI module will not report correct information?
The API for Action Center is only available in client versions of Windows and there isn't a similar easy way to detect antimalware software on servers.
Right now this intelligence pack uses PowerShell queries; however, we're also looking at event based reporting using queries similar to the following:
# computers with Microsoft Antimalware (SCEP/Defender/Essentials) installed
Type=Event Source:"Microsoft Antimalware" | measure count() as Count by Computer
# computers with malware detections
Type=Event Source:"Microsoft Antimalware" EventID:1116
# computers with no signature update in the last 24 hours
Type=Event Source:"Microsoft Antimalware" EventID:2000 | measure max(TimeGenerated) as lastdata by Computer | where lastdata < NOW-24HOURS
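To make the rules in the admin response above (supported clients, the MSRT fallback, the 7-day signature threshold) and the event-based searches concrete, here is an added example that is not part of the thread and not the intelligence pack's own scripts: a Python model of the classification run over constructed server records and event rows. The record field names and the label for the healthy case are assumptions.

```python
from datetime import datetime, timedelta

# Thresholds and product names taken from the admin response in this thread.
SIGNATURE_STALE_DAYS = 7
SUPPORTED_CLIENTS = {"Windows Defender", "System Center Endpoint Protection"}

def assess(record, now):
    """Model of the pack's classification for one server.
    record is a constructed dict (not the agent's real WMI output):
      product:     AV product name seen by the agent, or None
      realtime:    whether real-time monitoring is enabled
      sig_updated: datetime of the last signature update
    Returns (TypeofProtection, ProtectionStatus) as shown in the thread."""
    product = record.get("product")
    if product not in SUPPORTED_CLIENTS:
        # Symantec, ESET, Webroot etc. are not detected: only MSRT data is used,
        # so the server is reported as unprotected even when the third-party
        # product has real-time scanning on (the behaviour the thread complains about).
        return "Malicious Software Removal Tool", "No real time protection"
    if not record.get("realtime"):
        return product, "No real time protection"
    if now - record["sig_updated"] >= timedelta(days=SIGNATURE_STALE_DAYS):
        return product, "Signatures out of date"
    return product, "Real time protection"  # label for the healthy case is assumed

def stale_signature_computers(events, now, hours=24):
    """Equivalent of the third search above: computers whose newest
    'Microsoft Antimalware' EventID 2000 (signature update) is older than
    `hours`. events: list of (Computer, Source, EventID, TimeGenerated).
    Like the search, a computer with no 2000 event at all is not listed."""
    last = {}
    for computer, source, event_id, t in events:
        if source == "Microsoft Antimalware" and event_id == 2000:
            last[computer] = max(last.get(computer, t), t)
    return sorted(c for c, t in last.items() if t < now - timedelta(hours=hours))

# Constructed sample data (not real telemetry).
NOW = datetime(2015, 6, 1, 12, 0)
SERVERS = {
    "srv-scep": {"product": "System Center Endpoint Protection", "realtime": True, "sig_updated": NOW - timedelta(days=1)},
    "srv-scep-stale": {"product": "System Center Endpoint Protection", "realtime": True, "sig_updated": NOW - timedelta(days=7)},
    "srv-defender-off": {"product": "Windows Defender", "realtime": False, "sig_updated": NOW},
    "srv-symantec": {"product": "Symantec Endpoint Protection", "realtime": True, "sig_updated": NOW},
}
EVENTS = [
    ("srv-scep", "Microsoft Antimalware", 2000, NOW - timedelta(hours=2)),
    ("srv-scep-stale", "Microsoft Antimalware", 2000, NOW - timedelta(days=7)),
    ("srv-scep-stale", "Microsoft Antimalware", 2000, NOW - timedelta(days=8)),
    ("srv-scep-stale", "Microsoft Antimalware", 1116, NOW - timedelta(hours=1)),  # detection, not a signature update
]

if __name__ == "__main__":
    for name, rec in SERVERS.items():
        print(name, assess(rec, NOW))
    print("stale signatures:", stale_signature_computers(EVENTS, NOW))
```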
Mathieu Isabel commented
Isn't there a mechanism in Windows to detect that an A/V is installed? I.e. the Action Center advises you when no A/V is there/running.