Saturday, February 4, 2012

SCEP2012-Validate Antimalware Policy and Date of Policy Applied Remotely


Description

Well, the good news is that SCCM now integrates seamlessly with SCEP, so you have a single tool to manage inventory, deploy payloads, and manage antivirus definitions and policies. As a security expert, one key requirement that may come your way is to validate the antimalware settings of a machine remotely. This may be required for end-user computing devices that connect to your network remotely, for example over VPN.

Solution

Most of the antimalware settings on the local machine are saved under the following registry key:

HKLM\Software\Microsoft\Microsoft Antimalware

There are two things we want to check in our script:
  1. The antivirus definition version
  2. The date the definitions were last updated

The Antivirus Definition Version

Below is VBScript code that reads the registry and displays the antivirus definition version:

Option Explicit

Dim regPath
Dim WSHShell
Dim value, a, i
Dim dtmDate, lngBias, lngHigh, lngLow

' Read the registry value (REG_SZ, so RegRead returns a string)
Set WSHShell = CreateObject("WScript.Shell")
regPath = "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates\AVSignatureVersion"
value = WSHShell.RegRead(regPath)

WScript.Echo "Antivirus Definition Version = " & value

The Date that the definition was updated

Below is VBScript code that reads from the registry the date on which the definitions were applied and converts the FILETIME value (a REG_BINARY value holding eight little-endian bytes) to a readable date. It continues the script above, reusing the variables declared there:


' SignaturesLastUpdated is a REG_BINARY value, so RegRead returns it as an
' array of 8 bytes holding a little-endian 64-bit FILETIME.
' Err.Number is checked below, so error trapping must be enabled first.
On Error Resume Next
regPath = "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates\SignaturesLastUpdated"
value = WSHShell.RegRead(regPath)
a = value

' Convert the FILETIME bytes to a readable date.
' lngBias is a time-zone offset in minutes; 0 leaves the result in UTC.
lngBias = 0
lngHigh = 0
lngLow = 0

' Bytes 4..7 form the high 32 bits, bytes 0..3 the low 32 bits.
For i = 7 To 4 Step -1
    lngHigh = lngHigh * 256 + a(i)
Next

For i = 3 To 0 Step -1
    lngLow = lngLow * 256 + a(i)
Next

If Err.Number <> 0 Then
    ' Value missing or not a byte array: fall back to the FILETIME epoch.
    dtmDate = #1/1/1601#
    Err.Clear
Else
    If (lngHigh = 0) And (lngLow = 0) Then
        dtmDate = #1/1/1601#
    Else
        ' FILETIME counts 100-ns ticks since 1601-01-01 00:00 UTC:
        ' dividing by 600000000 gives minutes, by 1440 gives days,
        ' which VBScript adds to the date literal.
        dtmDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) + lngLow) / 600000000 - lngBias) / 1440
    End If
End If

On Error GoTo 0

' The antivirus definition date is
WScript.Echo "Antivirus Definition Date = " & dtmDate
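One caveat for the "remotely" part of the title: WScript.Shell.RegRead only reads the registry of the machine the script runs on, so the VBScript above has to be executed on each endpoint (for example as an SCCM package) and its output collected. An alternative is to query the target's registry over WMI from an admin workstation. The following PowerShell is an added example and not code from the original post: it reads the same two values through the StdRegProv WMI class, decodes the FILETIME with the same high/low dword arithmetic as the VBScript, and reports whether the definitions are older than a threshold. It assumes WMI/DCOM access with local admin rights on the target, a made-up host name in the usage call, and an arbitrary maximum definition age of 3 days; the FILETIME bytes in the self-check are constructed, not read from a real host.

```powershell
# Added example, not from the original post. Assumes WMI/DCOM rights on the
# target and a site-specific maximum definition age (3 days is arbitrary).
$HKEY_LOCAL_MACHINE = [uint32]2147483650          # 0x80000002
$SignatureKey = 'SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'

function ConvertFrom-FileTimeBytes {
    # Same arithmetic as the VBScript: bytes 4..7 form the high dword, bytes
    # 0..3 the low dword (little-endian); the 64-bit result counts 100-ns
    # ticks since 1601-01-01 00:00:00 UTC.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Count -ne 8) { throw "FILETIME must be 8 bytes, got $($Bytes.Count)" }
    [int64]$high = 0
    [int64]$low  = 0
    for ($i = 7; $i -ge 4; $i--) { $high = $high * 256 + $Bytes[$i] }
    for ($i = 3; $i -ge 0; $i--) { $low  = $low  * 256 + $Bytes[$i] }
    [int64]$ticks = $high * 4294967296 + $low
    # FromFileTimeUtc(0) is 1601-01-01, so the "never updated" case the
    # VBScript special-cases needs no extra branch here.
    return [DateTime]::FromFileTimeUtc($ticks)
}

function Get-AvDefinitionStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxAgeDays = 3
    )
    # StdRegProv reads the registry over WMI; it does not need the Remote
    # Registry service, only DCOM access and rights on the target.
    $reg = Get-WmiObject -List -Namespace 'root\default' -Class 'StdRegProv' -ComputerName $ComputerName

    $ver = $reg.GetStringValue($HKEY_LOCAL_MACHINE, $SignatureKey, 'AVSignatureVersion')
    if ($ver.ReturnValue -ne 0) { throw "AVSignatureVersion: registry error $($ver.ReturnValue)" }

    $bin = $reg.GetBinaryValue($HKEY_LOCAL_MACHINE, $SignatureKey, 'SignaturesLastUpdated')
    if ($bin.ReturnValue -ne 0) { throw "SignaturesLastUpdated: registry error $($bin.ReturnValue)" }

    $updated = ConvertFrom-FileTimeBytes -Bytes ([byte[]]$bin.uValue)
    $age = (Get-Date).ToUniversalTime() - $updated

    [pscustomobject]@{
        ComputerName      = $ComputerName
        DefinitionVersion = $ver.sValue
        DefinitionDateUtc = $updated
        AgeDays           = [math]::Round($age.TotalDays, 1)
        Compliant         = ($age.TotalDays -le $MaxAgeDays)
    }
}

# Offline self-check with a constructed FILETIME (not taken from a real host):
# bytes 00 00 07 F0 CF E2 CC 01 = 0x01CCE2CFF0070000 = 129727872000000000 ticks
# = 2012-02-04 00:00:00 UTC.
$sample  = [byte[]](0x00, 0x00, 0x07, 0xF0, 0xCF, 0xE2, 0xCC, 0x01)
$decoded = ConvertFrom-FileTimeBytes -Bytes $sample
if ($decoded -ne [DateTime]'2012-02-04T00:00:00') { throw "FILETIME decode mismatch: $decoded" }
"Sample FILETIME decodes to $($decoded.ToString('u'))"

# Usage against a (hypothetical) endpoint; defaults to the local machine.
Get-AvDefinitionStatus -ComputerName 'WKS-001' -MaxAgeDays 3
```

The manual decode is kept deliberately parallel to the VBScript so the two can be compared; in practice `[DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($bytes, 0))` gives the same result in one line. Piping a list of host names into `Get-AvDefinitionStatus` and filtering on `Compliant -eq $false` turns this into a quick stale-definitions report for VPN-connected clients.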
