
How to ensure you have AV protection on every computer

Created: 20 Apr 2009
Posted by ShadowsPapa

I was facing another issue - being a gov't agency, we run at short staff all the time. The boss wants central management of everything, but that still takes people to manage it.
One of the things deemed most critical is the antivirus protection on our clients. Yes, there are audits one can perform, be it by SMS (but it has to know what to look for) or by Symantec's own products, but that takes people to RUN the audit, then filter through and understand what one is seeing. And if you have 45 different subnets, then searching computers via subnet is painstaking. There's the old "get a list from xxx and search from that list" trick, but computers constantly change, they must be turned on to successfully audit, and what if they are off at that very moment of your audit? Some were always falling through the cracks.
There is only one constant - any time a person here logs in, they run our login script. Period. I've found no exceptions (hope not, I set it up that way!)
So I thought, what if I could do it via login script? But then how to handle those found to not be running AV protection?
I could Log any errors - but someone still has to watch or monitor those logs....
How about having a computer that's not running the proper Symantec product tell me about the problem itself - directly to my desktop?
The solution - as users log in, they run a login script - the script looks for the existence of the proper Symantec service. If the service is not there at all, send me an email; if the service is there but not "running", send me an email. In the case of SAV, if there is no parent - if it's unmanaged - tell me. One could modify this to check for the PROPER parent if you recently changed parent servers and want to see what server the clients are really pointing to as their mommy.

This is ROUGH, and those folks who are FAR BETTER than I at VBS can and should clean it up, but here's what I have so far:
THIS first one is for SAV 10.xxx - after that, I'll post for SEP, but it's much messier and not quite perfect, IMO. Again, CLEAN and perfect these as needed.
I use THIS line to launch it from the main script - that way I don't mess up the main login script and it's REALLY simple to change scripts, edit one line to prevent this from running, etc.
I inserted this close to the end of the main script:

'run SAV test script - this script checks for the presence of SAV
objShell.Run "\\vrntdom1\netlogon\check-sav.vbs", 7, False

Note I use the domain name "vrntdom1", not a specific SERVER name - this way, no matter which of the 3 servers respond at a given time, it still works.

This is the check-sav script - it checks for a parent in the registry, checks for the presence of the service, then for the service to be in a running state. You should put a delay in the script to allow the services to all be loaded and RUNNING.

' Symantec Verification Script
' Bill Dickerson
' Iowa Vocational Rehabilitation Services
' Verifies the Symantec AntiVirus service is installed and running and that the
' client is bound to a parent NAV server (managed). Mails the admin if any check fails.
' -------------------------------
On Error Resume Next
Dim oWSH, oDict, wmiRoot, wmiColl, wmiObj, colServices, objService, objMessage
Dim sRegPath, sComputerName, sErrorMsg, sErrorMsg2, strState, iServiceCount

'==================================
'Constants
Const cEmailServer = "123.456.789.111" 'IP address of Exchange Server to send email through (placeholder)
Const cSendTo = "email.address@domain.ext"
Const cMailFrom = """AntiVirus"" <from.address@yyyy.gov>"
Const cdoNTLM = 2 'NTLM for email server authentication before sending mail
Const iSleepTime = 100000 'milliseconds (100 seconds) delay to allow services to launch

'Initialize Error Message Variables
sErrorMsg = ""
sErrorMsg2 = ""
'==================================

WScript.Sleep iSleepTime

' Create Objects
Set oWSH = WScript.CreateObject("WScript.Shell")
Set oDict = WScript.CreateObject("Scripting.Dictionary")
Set wmiRoot = GetObject("winmgmts:\\.\root\cimv2")

'Find the SAV service and see if it's "Running" (the comparison is case-sensitive)
Set colServices = wmiRoot.ExecQuery("SELECT State, StartMode FROM Win32_Service WHERE Name='Symantec AntiVirus'")
iServiceCount = 0
For Each objService In colServices
    iServiceCount = iServiceCount + 1
    strState = objService.State
    If strState = "Running" Then
        sErrorMsg2 = ""
    Else
        sErrorMsg2 = "SAV service is installed but its state is '" & strState & "', not Running."
    End If
Next
' The query returns no rows when the service does not exist, so the loop above never
' runs; report that case explicitly instead of silently passing the machine.
If iServiceCount = 0 Then sErrorMsg2 = "SAV service is not installed."

'Get Computer Name
Set wmiColl = wmiRoot.ExecQuery("SELECT Name FROM Win32_ComputerSystem")
For Each wmiObj In wmiColl
    sComputerName = wmiObj.Name
Next

' Get Registry Values (RegRead raises an error when the value is missing; with
' On Error Resume Next the Add is skipped and Item("Parent") comes back Empty)
sRegPath = "HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\"
oDict.Add "Parent", oWSH.RegRead(sRegPath & "Parent")

' Evaluate each value (Empty compares equal to "" here)
If oDict.Item("Parent") = "" Then
    sErrorMsg = "No Parent Server is defined"
End If

If sErrorMsg <> "" Or sErrorMsg2 <> "" Then ' if SAV service is not running/installed or no parent is found, send mail
    ' **** Send Email About This Computer ****
    Set objMessage = CreateObject("CDO.Message")
    ' Under wscript.exe (the default host) this Echo is a message box on the user's desktop
    WScript.Echo "AntiVirus Error situation found. Sending Email To Admin"
    objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 'cdoSendUsingPort
    objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = cEmailServer
    objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = cdoNTLM
    objMessage.Configuration.Fields.Update

    objMessage.Subject = "Symantec client error on " & sComputerName
    objMessage.From = cMailFrom
    objMessage.To = cSendTo
    objMessage.TextBody = "The following error(s) were found on " & sComputerName & ":" & vbCrLf & sErrorMsg & vbCrLf & sErrorMsg2
    objMessage.Send
End If

--------------------------------------
Now the script for checking SEP..........
this one needs some work, maybe........... but it does seem to work so far.

' Symantec Verification Script
' Bill Dickerson
' Iowa Vocational Rehabilitation Services
' Verifies the Symantec Endpoint Protection service is installed and running.
' Updated Exchange server IP to reflect ITE server, Bill Dickerson 4-1-08
' -------------------------------
On Error Resume Next
Dim oWSH, objNet, wmiRoot, wmiColl, wmiObj, colServices2, objService, objMessage
Dim sComputerName, sErrorMsg3, strState2, u1, iServiceCount

'==================================
'Constants
Const cEmailServer = "123.456.789.111" 'IP of Exchange Server to send email through (placeholder)
Const cSendTo = "email.address@domain.gov"
Const cMailFrom = """AntiVirus"" <antivirus.problem@domain.gov>"
Const cdoNTLM = 2 'NTLM for email server authentication before sending mail
Const iSleepTime = 180000 'milliseconds (3 minutes)

'Initialize Error Message Variable
sErrorMsg3 = ""

'Sleep to allow the user to log in and SEP to start
WScript.Sleep iSleepTime

' Create Objects
Set oWSH = WScript.CreateObject("WScript.Shell")
Set wmiRoot = GetObject("winmgmts:\\.\root\cimv2")
Set objNet = CreateObject("WScript.Network")
u1 = objNet.UserName 'user whose login triggered the check, included in the mail

'Find the SEP service and see if it's "Running" (the comparison is case-sensitive)
Set colServices2 = wmiRoot.ExecQuery("SELECT State, StartMode FROM Win32_Service WHERE Name='Symantec Endpoint Protection'")
iServiceCount = 0
For Each objService In colServices2
    iServiceCount = iServiceCount + 1
    strState2 = objService.State
    If strState2 = "Running" Then
        sErrorMsg3 = ""
    Else
        sErrorMsg3 = "SEP service is installed but its state is '" & strState2 & "', not Running."
    End If
Next
' No rows means no such service: report it rather than passing the machine silently
If iServiceCount = 0 Then sErrorMsg3 = "SEP service is not installed."

'Get Computer Name
Set wmiColl = wmiRoot.ExecQuery("SELECT Name FROM Win32_ComputerSystem")
For Each wmiObj In wmiColl
    sComputerName = wmiObj.Name
Next

If sErrorMsg3 <> "" Then ' if SEP service is not running/installed - send mail
    ' **** Send Email About This Computer ****
    Set objMessage = CreateObject("CDO.Message")
    ' WScript.Echo "AntiVirus Error(s) found. Sending Email To Admin"
    objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 'cdoSendUsingPort
    objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = cEmailServer
    objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    objMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = cdoNTLM
    objMessage.Configuration.Fields.Update

    objMessage.Subject = "Symantec Endpoint Protection error on " & sComputerName
    objMessage.From = cMailFrom
    objMessage.To = cSendTo
    objMessage.TextBody = "The following error(s) were found on " & sComputerName & ":" & vbCrLf & sErrorMsg3 & vbCrLf & vbCrLf & "From user: " & u1
    objMessage.Send
End If
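As an added example (not code from the original post), here are the same checks for both scripts in PowerShell: it polls for the service instead of sleeping a fixed time, treats a missing service as a failure, and can compare the SAV Parent value against the server you expect. The function name Test-SymantecClient, the -ExpectedParent parameter and the parent name 'SAVPARENT01' are assumptions; the service names, registry path and mail settings are the post's own.

```powershell
function Test-SymantecClient {
    param(
        [string[]]$ServiceNames = @('Symantec AntiVirus', 'Symantec Endpoint Protection'),
        [string]$ParentRegPath = 'HKLM:\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion',
        [string]$ExpectedParent = '',   # empty: any parent is accepted, only "no parent" is flagged
        [int]$TimeoutSeconds = 60       # poll up to this long instead of a fixed Sleep
    )
    $problems = @()

    # Poll until one of the known services reports Running, or the timeout expires.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $svc = @(Get-Service -Name $ServiceNames -ErrorAction SilentlyContinue)
        $running = @($svc | Where-Object { $_.Status -eq 'Running' })
        if ($running.Count -gt 0) { break }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)

    if ($svc.Count -eq 0) {
        # A WMI For Each loop never executes when the service is absent and passes silently;
        # the post says that case should alert too.
        $problems += "No Symantec service installed (looked for: $($ServiceNames -join ', '))"
    } elseif ($running.Count -eq 0) {
        $states = ($svc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join '; '
        $problems += "Symantec service present but not running: $states"
    }

    # Managed-client check applies to SAV 10.x, which records its parent under this key.
    if ($svc.Name -contains 'Symantec AntiVirus') {
        $parent = (Get-ItemProperty -Path $ParentRegPath -Name Parent -ErrorAction SilentlyContinue).Parent
        if ([string]::IsNullOrEmpty($parent)) {
            $problems += 'No Parent Server is defined (client is unmanaged)'
        } elseif ($ExpectedParent -and $parent -ne $ExpectedParent) {
            $problems += "Parent is '$parent', expected '$ExpectedParent'"
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        User         = $env:USERNAME
        Problems     = $problems
        Healthy      = ($problems.Count -eq 0)
    }
}

$result = Test-SymantecClient -ExpectedParent 'SAVPARENT01'   # assumed placeholder parent server name
if (-not $result.Healthy) {
    Send-MailMessage -SmtpServer '123.456.789.111' -Port 25 -From 'AntiVirus <antivirus.problem@domain.gov>' `
        -To 'email.address@domain.gov' -Subject "Symantec client error on $($result.ComputerName)" `
        -Body ("Found on {0} (user {1}):`n{2}" -f $result.ComputerName, $result.User, ($result.Problems -join "`n"))
}
```

Run it from the login script the same way as check-sav.vbs; leave -ExpectedParent off if you only want unmanaged clients reported.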