02 December 2015

Automating Microsoft Endpoint Full System Scan upon Infection with Email Notification

While helping to manage Microsoft Endpoint, a former colleague suggested that I set up Endpoint to automatically run a full system scan each time an infection is detected. I googled the blog posting on it and, although it is a great post, I figured I could streamline it even more by using SCCM alone to achieve the same outcome. It is nice when you are out of the office and your backup might not have the time to keep an eye on the antivirus infections.

This is a second edition of the previous script I wrote. I decided to leave that script up in case you do not want an email notification upon a full system scan. This script sends an email to the users specified in the EmailAddresses.txt file, which resides in the same directory as the script. The other thing that needs to be done is to define the installation program in SCCM using psexec.exe. Psexec.exe will also need to reside in the same directory as the PowerShell script. This allows the PowerShell script to be executed under a domain account, thereby giving it the ability to use the Send-MailMessage cmdlet. Here is how to do this:

psexec.exe \\%computername% -u <domain>\<username> -p <password> -h cmd.exe /c "echo . | powershell.exe -executionpolicy bypass -file install.ps1"


I decided to use the SCCM custom application detection to check a system and see whether a full system scan has been performed. I first started out by writing a PowerShell script that would perform a WMI query on the SCCM server for the status of the system the application detection was being run on. The problem I ran across was that the application is run under system credentials, which would require me to pass network credentials within the script. Instead of having to do this, I decided to query the event viewer logs on the local machine for the last infection date/time, which is event 1116. I queried all machines in my firm to find another event ID that was unused, and 1118 happened to be just the one.

Here is how the process works:

  1. SCCM deploys the package to the system.
  2. The application detection queries the event viewer logs for the last 1116 ID (infection).
  3. The application detection queries the event viewer logs for the last 1118 ID.
  4. If no 1118 ID exists since the last infection, or there is no 1116 ID detected, the custom detection method exits as a failure.
  5. If the custom detection failed, the antivirusscan.ps1 file is executed on the machine.
  6. An email is sent stating that a scan was performed on %COMPUTERNAME%, with the virus details in the body.
  7. Once the scan is complete, a machine policy update is initiated to update the SCCM server with the status of the system.
  8. The application detection is initiated again to confirm the scan occurred.
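The detection decision from the list above, written as PowerShell functions so the rule can be checked against constructed timestamps without touching the event log. This is an added example, not the post's own script; it keeps the post's rule, assumes the provider name 'Microsoft Antimalware' for event 1116, and only accepts 1118 events written by the two sources the scan script registers.

```powershell
# Added example (not the post's own code): the detection decision as a function that can be
# checked with constructed timestamps, plus event queries narrowed to the expected sources.

function Test-ScanRequired {
    param(
        $InfectionTime,  # TimeCreated of the newest 1116 event, or $null if none
        $ScanTime        # TimeCreated of the newest 1118 scan marker, or $null if none
    )
    # Same rule as the post's detection method: no infection record at all, or no scan
    # marker newer than the last infection, means the scan program has to run.
    if ($null -eq $InfectionTime -or $null -eq $ScanTime) { return $true }
    return ($ScanTime -lt $InfectionTime)
}

function Get-ScanState {
    # 1116 is raised by the Endpoint client; the provider name 'Microsoft Antimalware' is assumed.
    $infection = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft Antimalware'; Id = 1116 } -MaxEvents 1 -ErrorAction SilentlyContinue
    # A 1118 is only trusted when written by one of the sources the scan script registers,
    # so a 1118 from any other provider in the System log cannot suppress a scan.
    $marker = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = @('Antimalware Full Scan', 'Antimalware Quick Scan'); Id = 1118 } -MaxEvents 1 -ErrorAction SilentlyContinue
    $infTime = $null; $detail = ''
    if ($infection) { $infTime = $infection.TimeCreated; $detail = $infection.Message }
    $scanTime = if ($marker) { $marker.TimeCreated } else { $null }
    [pscustomobject]@{ InfectionTime = $infTime; ScanTime = $scanTime; Detail = $detail }
}

function Invoke-ScanDetection {
    # SCCM script detection contract: exit code 0 plus text on STDOUT = installed (nothing to do);
    # exit code 0 with empty STDOUT = not installed, which makes SCCM run the scan program.
    $state = Get-ScanState
    if (-not (Test-ScanRequired -InfectionTime $state.InfectionTime -ScanTime $state.ScanTime)) {
        Write-Output 'No Infection'
    }
}

# Self-checks with constructed timestamps; these need no event log access.
$t = Get-Date
if (-not (Test-ScanRequired -InfectionTime $t -ScanTime $t.AddHours(-1))) { throw 'scan expected: marker older than infection' }
if (Test-ScanRequired -InfectionTime $t.AddHours(-1) -ScanTime $t) { throw 'no scan expected: marker newer than infection' }
if (-not (Test-ScanRequired -InfectionTime $t -ScanTime $null)) { throw 'scan expected: no marker yet' }

# As the SCCM detection script, the body is just:  Invoke-ScanDetection; exit 0
```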


This is set up in SCCM as a normal application deployment. The only thing that differs from a standard deployment is the application detection method: that script is imported as the detection method. The antivirusscan.ps1 file is set up as the installation program. I have mine entered like this:
powershell.exe -executionpolicy bypass -file antivirusscan.ps1

One more thing: I have the application hidden from the Software Center. There really isn't a need for it to be there.

Line 57 on the AntivirusScanEmail.ps1 file is the only line of code you should have to customize.

You can download the application and application detection files from the following links:



AntivirusScanEmail.ps1
1:  <#
2:       .NOTES
3:       ===========================================================================
4:        Created with:     SAPIEN Technologies, Inc., PowerShell Studio 2015 v4.2.98
5:        Created on:       11/19/2015 3:26 PM
6:        Created by:       Mick Pletcher
7:        Organization:
8:        Filename:        AntiVirusScanEmail.ps1
9:       ===========================================================================
10:       .DESCRIPTION
11:            This script will initiate a full or quick scan, whichever one is uncommented
12:            below. It will then write a log to the event viewer logs showing the
13:            scan was executed. Next, it will email the designated IT staff telling the
14:            system scan has been performed. The final step is to execute a machine policy
15:            update so the SCCM server is updated on the status of the system.
16:  #>
17:
18:  #Declare Variables
19:  Set-Variable -Name EmailAddress -Force
20:  Set-Variable -Name EmailAddresses -Force
21:  Set-Variable -Name LastInfection -Force
22:  Set-Variable -Name Output -Force
23:  Set-Variable -Name RelativePath -Force
24:  Set-Variable -Name SMSwmi -Force
25:  Set-Variable -Name strAction -Force
26:  Set-Variable -Name Subject -Force
27:  Set-Variable -Name WMIPath -Force
28:
29:  Import-Module $env:ProgramFiles"\Microsoft Security Client\MpProvider"
30:  $RelativePath = (Split-Path $SCRIPT:MyInvocation.MyCommand.Path -Parent) + "\"
31:  $EmailAddresses = @()
32:  $EmailAddresses = Get-Content -Path $RelativePath"EmailAddresses.txt"
33:  $LastInfection = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ID = 1116 } -MaxEvents 1 -ErrorAction SilentlyContinue
34:  <#Full Scan#>
35:  #Start the scan; report the error if the Endpoint provider rejects the request
36:  try { Start-MProtScan -ScanType "FullScan" }
37:  catch { Write-Warning "Error: $_"; Write-Host $_.Exception.ErrorCode }
38:  #Register the event source only once; New-EventLog fails if the source already exists
39:  If (-not [System.Diagnostics.EventLog]::SourceExists("Antimalware Full Scan")) {
40:       New-EventLog -LogName System -Source "Antimalware Full Scan"
41:  }
42:  #Record the scan as event 1118 so the detection method can compare it with the last 1116
43:  Write-EventLog -LogName System -Source "Antimalware Full Scan" -EntryType Information -EventId 1118 -Message "Antimalware full system scan was performed"
44:  $Subject = "Virus Detection Report for" + [char]32 + $env:COMPUTERNAME
45:  $Output = "An antimalware full system scan has been performed on" + [char]32 + $env:COMPUTERNAME + [char]32 + "due to the virus detection listed below." + "`r`n`r`n" + $LastInfection.Message
46:
47:  <#Quick Scan
48:  try { Start-MProtScan -ScanType "QuickScan" } catch { Write-Warning "Error: $_"; Write-Host $_.Exception.ErrorCode }
49:  If (-not [System.Diagnostics.EventLog]::SourceExists("Antimalware Quick Scan")) {
50:       New-EventLog -LogName System -Source "Antimalware Quick Scan"
51:  }
52:  Write-EventLog -LogName System -Source "Antimalware Quick Scan" -EntryType Information -EventId 1118 -Message "Antimalware quick system scan was performed"
53:  $Subject = "Virus Detection Report for" + [char]32 + $env:COMPUTERNAME
54:  $Output = "An antimalware quick system scan has been performed on" + [char]32 + $env:COMPUTERNAME + [char]32 + "due to the virus detection listed below." + "`r`n`r`n" + $LastInfection.Message
55:  #>
56:  foreach ($EmailAddress in $EmailAddresses) {
57:       Send-MailMessage -To $EmailAddress -From "IT@acme.com" -Subject $Subject -Body $Output -SmtpServer "smtp.acme.com"
58:  }
59:  $WMIPath = "\\" + $env:COMPUTERNAME + "\root\ccm:SMS_Client"
60:  $SMSwmi = [wmiclass]$WMIPath
61:  $strAction = "{00000000-0000-0000-0000-000000000021}" #Schedule 21: machine policy retrieval and evaluation cycle
62:  [Void]$SMSwmi.TriggerSchedule($strAction)
63:
64:  #Cleanup Variables
65:  Remove-Variable -Name EmailAddress -Force
66:  Remove-Variable -Name EmailAddresses -Force
67:  Remove-Variable -Name LastInfection -Force
68:  Remove-Variable -Name Output -Force
69:  Remove-Variable -Name RelativePath -Force
70:  Remove-Variable -Name SMSwmi -Force
71:  Remove-Variable -Name strAction -Force
72:  Remove-Variable -Name Subject -Force
73:  Remove-Variable -Name WMIPath -Force
74:


ApplicationVirusDetectionMethodEmail.ps1

<#
     .NOTES
     ===========================================================================
      Created with:     SAPIEN Technologies, Inc., PowerShell Studio 2015 v4.2.98
      Created on:       11/19/2015 3:26 PM
      Created by:       Mick Pletcher
      Organization:
      Filename:        ApplicationVirusDetectionMethodEmail.ps1
     ===========================================================================
     .DESCRIPTION
          SCCM application detection method. Compares the newest infection event
          (1116) with the newest scan marker (1118). Exiting 0 with text on STDOUT
          reports the application as installed (no scan needed); exiting 0 with no
          output reports it as not installed, which makes SCCM run the scan script.
#>

$LastInfection = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ID = 1116 } -MaxEvents 1 -ErrorAction SilentlyContinue
$LastFullScan = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ID = 1118 } -MaxEvents 1 -ErrorAction SilentlyContinue
#No infection record, no scan marker, or a marker older than the last infection: report "not installed"
If (($LastInfection -eq $null) -or ($LastFullScan -eq $null) -or ($LastFullScan.TimeCreated -lt $LastInfection.TimeCreated)) {
     Start-Sleep -Seconds 5
     exit 0
} else {
     Write-Host "No Infection"
     Start-Sleep -Seconds 5
     exit 0
}
