OMS Security malware assessment adds support for more antimalware vendors
FAST FACT: OMS Security is adding support for Symantec Endpoint Protection and Trend Micro Deep Security to its Antimalware assessment solution. This service update adds support for assessing whether servers are protected by anti-malware solutions from these vendors and whether these solutions are operational. The OMS Antimalware dashboard now reflects this new feature.
Microsoft Operations Management Suite (OMS) Security is improving its antimalware assessment by adding support for antimalware partner solutions. This service update adds support for detecting when monitored servers are protected by Symantec Endpoint Protection or Trend Micro Deep Security agents. The release detects all supported Symantec Endpoint Protection 12.x and 14.x versions and Trend Micro Deep Security version 9.6.
In addition to detecting when these partner solutions are installed, OMS Security also assesses whether protection by these agents is operational. Specifically, it tests whether the antimalware agents from these vendors on the monitored servers are:
- Enabled
- Running scans at regular intervals
- Using signatures no older than seven days
This enables you to plan for and ensure that the servers in your infrastructure are adequately protected. The Antimalware dashboard in Log Analytics has been updated to report on this assessment for partner antimalware solutions.
The Antimalware dashboard categorizes information about the malware assessment into four tiles:
- Threat Status
- Detected Threats
- Protection Status
- Type of Protection
Monitored servers that are protected by these third-party antimalware solutions are displayed in the Type of Protection tile. The solution workspace that’s displayed here has three servers with Symantec Endpoint Protection and one with Trend Micro Deep Security.
The Protection Status tile in the malware assessment reflects whether protection on these servers is operational. For instance, if the antimalware agent is disabled for any reason, or if the server has not been scanned for more than seven days, the tile reports that the server is missing real-time protection, as shown in the following screenshot:
When we drill down, we can see that there are servers with No real time protection.
For example, in the figure below you can see that the server has the Trend Micro Deep Security agent installed, but real-time protection is not available.
This may be because an agent is installed but not configured, or because the antimalware module was disabled.
Here you can see a server where the Symantec Endpoint Protection agent is disabled.
OMS Security also checks to see if an antimalware scan hasn’t been done recently. For example, in the following figure, you can see that the server shows Latest scan older than 7 days.
OMS Security also checks whether antimalware signatures are out of date. In the following figure, you can see that the server shows Signatures out of date and Signature older than 7 days.
In all these scenarios, you can take appropriate action to investigate and fix the problems.
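The checks described above (agent enabled, a scan within the last seven days, signatures no older than seven days) and the way they roll up into the Type of Protection and Protection Status tiles can be modelled in a few lines. The following Python is an added example, not OMS Security's own collection script or dashboard logic: the record layout, the field names, the five sample servers and the rule that any failed check marks a server as "No real time protection" are assumptions made for the example; the product names, the seven-day threshold and the finding labels are the ones the post shows.

```python
"""Simplified model of the OMS Security partner antimalware assessment (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_AGE = timedelta(days=7)  # threshold the post states for both scans and signatures

# Partner products this update adds; anything else is treated as unprotected.
SUPPORTED_PRODUCTS = {"Symantec Endpoint Protection", "Trend Micro Deep Security"}


@dataclass(frozen=True)
class AgentState:
    """What a monitored server reports about its antimalware agent (assumed shape)."""
    computer: str
    product: Optional[str]             # None: no antimalware agent detected
    enabled: bool
    last_scan: Optional[datetime]      # None: never scanned
    signature_date: Optional[datetime] # None: no signature set reported


def _stale(when: Optional[datetime], now: datetime) -> bool:
    """True when a timestamp is missing or older than seven days.
    Exactly seven days still passes ("no older than seven days")."""
    return when is None or now - when > MAX_AGE


def assess(state: AgentState, now: datetime) -> dict:
    """Apply the three operational checks and map them to dashboard categories.

    Any failed check is treated as protection not being operational, which is
    a simplification of the post's description.
    """
    if state.product not in SUPPORTED_PRODUCTS:
        return {"computer": state.computer, "type_of_protection": "No protection",
                "protection_status": "No real time protection",
                "findings": ["No supported antimalware agent detected"]}
    findings = []
    if not state.enabled:
        findings.append("Antimalware agent disabled")
    if _stale(state.last_scan, now):
        findings.append("Latest scan older than 7 days")
    if _stale(state.signature_date, now):
        findings.append("Signatures out of date")
    return {"computer": state.computer, "type_of_protection": state.product,
            "protection_status": "No real time protection" if findings else "Real time protection",
            "findings": findings}


def dashboard(states, now: datetime) -> dict:
    """Aggregate per-server results into the two tiles the post discusses."""
    results = [assess(s, now) for s in states]
    return {"type_of_protection": Counter(r["type_of_protection"] for r in results),
            "protection_status": Counter(r["protection_status"] for r in results),
            "servers": results}


NOW = datetime(2017, 1, 19)  # constructed reference time for the sample


def sample_states():
    """Constructed sample: three SEP servers and one Deep Security server, like the
    workspace in the post, plus one server with no agent at all."""
    def days_ago(n):
        return NOW - timedelta(days=n)
    return [
        AgentState("srv01", "Symantec Endpoint Protection", True, days_ago(1), days_ago(1)),
        AgentState("srv02", "Symantec Endpoint Protection", False, days_ago(1), days_ago(1)),
        AgentState("srv03", "Symantec Endpoint Protection", True, days_ago(9), days_ago(7)),
        AgentState("srv04", "Trend Micro Deep Security", True, days_ago(2), days_ago(10)),
        AgentState("srv05", None, False, None, None),
    ]


if __name__ == "__main__":
    board = dashboard(sample_states(), NOW)
    print("Type of Protection:", dict(board["type_of_protection"]))
    print("Protection Status:", dict(board["protection_status"]))
    for r in board["servers"]:
        if r["findings"]:
            print(r["computer"], "->", r["protection_status"], r["findings"])
```

Run as a script it prints the tile counts and the per-server findings; srv03 illustrates the boundary, since its signatures are exactly seven days old and pass while its nine-day-old scan fails.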
Note that threat assessment is not part of this service update. Threat assessment support for Symantec Endpoint Protection and Trend Micro Deep Security will appear in a future service update. At that time the Antimalware dashboard will display this information in the Threat Status and Detected Threats tiles.
Tom Shinder
Program Manager,
Azure Security Engineering
Comments
- Anonymous, January 19, 2017: Wow, thank you. I will share this blog with our customers who use Symantec Endpoint Protection and Trend Micro Deep Security.
- Anonymous, January 19, 2017: This is good news. Are ESET products also supported on the future release timeline? One of the frequent questions from Czech customers.
- Anonymous, January 25, 2017: Great news Tom! Hope to see support for other AV products in the future.
- Anonymous, February 26, 2017: Does it support Deep Security running on Linux (RHEL)?
- Anonymous, March 15, 2017: Hi there, great improvement! However, I believe there might be a bug with Symantec Endpoint: in my environment, HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus reports the value "2", which is detected as incorrect by the PowerShell script that gathers all the info; but everything seems to be OK from a Symantec point of view. Also, they say (here: https://support.symantec.com/en_US/article.HOWTO75109.html) that this registry key may be redundant with the "AVRunningStatus" key, which in my environment shows the correct value of 1.
- Anonymous, April 14, 2017: Will they be supporting McAfee Move/VSE or Cisco AMP soon, or do they currently?
- Anonymous, September 05, 2017: This is a great step in the right direction! I was curious if there were plans to expand support by offering the ability to target a specific executable, and possibly offer the ability to run CLI commands on the AV client to grab a substring which would validate current definitions. The latter would no doubt be pretty involved, but as we already appear to be using an array of values for the AV product installation with this expansion, the ability to add another value through PS or UI doesn't seem like a huge step.