Sometimes it’s easy: OMS malware assessment
Summary: Ed Wilson talks about using the Microsoft Operations Management Suite Malware Assessment tool.
Good morning everyone. Ed Wilson here. Today is a bit of a strange one. The Scripting Wife (aka Teresa Wilson) is in North Carolina fighting snow storms, and I am sitting here in central Florida with the doors and windows open, enjoying a sunny, warm morning. As you can see, it is a beautiful day.
I have the Black Label Society cranked up about as loud as I can have it without being a public nuisance, and I am sipping an awesome cup of English Breakfast tea with licorice root, fresh peppermint, spearmint, lemon grass, and local honey that I scored at the farmer’s market last weekend. It is awesome, if somewhat at odds with heavy metal music, although the music is great for writing.
Super simple malware assessment
The Windows PowerShell cmdlet Get-MpComputerStatus was introduced in Windows 8. It works great for reporting the status of my malware protection, but its output needs to be parsed, especially when I am working with more than one computer.
In the Microsoft Operations Management Suite, I have the Malware Assessment tool. It is accessible directly from the Overview page and it is very easy to use. Here is an image of the Overview > Antimalware screen:
This tells me that at this time, there are no active threats detected on my 54 servers. But it also tells me that 61% of my servers (or 33 out of my 54 servers) do not have adequate protection. I click the No Real Time Protection status message and find the 33 servers.
The screen goes to a search page, and provides me with the server names:
Obtaining a bit more information
At this point, all I know is that MS OMS thinks 33 of my 54 servers have inadequate protection. But I would like to know more. So I choose the first server listed under DeviceName in my search results. The page flips to Scanning for about a second, and then returns with the 97 results shown here:
To me, this is pretty good news. It tells me that the type of protection is the Malicious Software Removal tool, the last scan date was last night, and that no infection was found. That is why the circle is half blue instead of red or yellow. The servers at least have a modicum of protection, just not real-time protection.
Yeah, I could have done this with Windows PowerShell, but the one thing that I would not have found is that the Malicious Software Removal tool was there. That is not reported by the Get-MpComputerStatus cmdlet, so I would have had to do a bit of research to get to this point. As it is, I simply clicked and “sweet, it is done.”
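Here is what the "do it with Windows PowerShell" route looks like, as an added example that is not part of the original post. It fans Get-MpComputerStatus out to several servers with Invoke-Command, builds the same "no real-time protection" rollup that the OMS tile shows, and fills the gap mentioned above by checking for the Malicious Software Removal Tool directly, since the cmdlet does not report it. The server names are constructed placeholders; the MRT.exe path and the HKLM\SOFTWARE\Microsoft\RemovalTools\MRT registry key are my assumptions about the tool's usual install footprint, not something the post states, so verify them on your own build before relying on the MSRT column.

```powershell
# Added example (not from the original post): summarize Defender status and MSRT presence
# across several servers, the way the OMS Antimalware tile does on the Overview page.
# Assumptions: PowerShell Remoting is enabled on the targets, the caller is a local admin
# there, and the targets run Windows 8 / Server 2012 or later (where the Defender module ships).

$servers = 'SRV01', 'SRV02', 'SRV03'   # constructed placeholder names

$probe = {
    $status = $null
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus
    }

    # Get-MpComputerStatus does not report the Malicious Software Removal Tool, so look for
    # its artifacts directly. Both paths are assumptions about MSRT's usual layout.
    $mrtExe     = Join-Path $env:windir 'System32\MRT.exe'
    $mrtKey     = 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT'
    $mrtVersion = (Get-ItemProperty -Path $mrtKey -ErrorAction SilentlyContinue).Version

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        DefenderModulePresent = [bool]$status
        AntivirusEnabled      = if ($status) { $status.AntivirusEnabled } else { $false }
        RealTimeProtection    = if ($status) { $status.RealTimeProtectionEnabled } else { $false }
        SignatureAgeDays      = if ($status) { $status.AntivirusSignatureAge } else { $null }
        LastQuickScan         = if ($status) { $status.QuickScanEndTime } else { $null }
        MsrtPresent           = (Test-Path $mrtExe) -or [bool]$mrtVersion
        MsrtVersion           = $mrtVersion
    }
}

# Unreachable servers produce a non-terminating error and are simply absent from $results.
$results = @(
    Invoke-Command -ComputerName $servers -ScriptBlock $probe -ErrorAction Continue |
        Select-Object -Property * -ExcludeProperty PSComputerName, PSShowComputerName, RunspaceId
)

$results | Sort-Object ComputerName | Format-Table -AutoSize

# The same rollup the OMS tile showed: how many servers lack real-time protection.
$noRtp = @($results | Where-Object { -not $_.RealTimeProtection })
$pct   = if ($results.Count) { [math]::Round(100 * $noRtp.Count / $results.Count) } else { 0 }
"{0} of {1} servers ({2}%) have no real-time protection" -f $noRtp.Count, $results.Count, $pct

# Servers without real-time protection but with MSRT present still have a modicum of protection,
# which is the distinction the OMS drill-down made visible.
$noRtp | Where-Object MsrtPresent | ForEach-Object {
    "  {0}: MSRT present (version {1}), on-demand cleanup only" -f $_.ComputerName, $_.MsrtVersion
}
```

The probe runs entirely on the remote side so each server answers with one flat object, which keeps the parsing the post complains about down to a single Where-Object. A server that is reachable but lacks the Defender module (or runs a third-party product, as the comments below note) shows up with DefenderModulePresent set to False rather than silently counting as protected.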
That is all I have for you today. Join me tomorrow when I’ll talk about using Microsoft Operations Management Suite to perform a configuration assessment. It is a really powerful technique, and rather cool if I do say so myself.
I invite you to follow me on Twitter and the Microsoft OMS Facebook site. If you want to learn more about Windows PowerShell, visit the Hey, Scripting Guy! Blog. If you have any questions, send email to me at scripter@microsoft.com. I wish you a wonderful day, and I’ll see you tomorrow.
Ed Wilson
Microsoft Operations Management Team
Comments
- Anonymous
January 14, 2016
Microsoft Malicious Software Removal Tool is free and effective.
- Anonymous
January 29, 2016
Yes it is. I use it on all of my computers. Even my mom uses it :-)
- Anonymous
February 11, 2016
What about 3rd party antivirus? It looks like OMS is not able to detect my Trend OfficeScan antivirus!
- Anonymous
April 18, 2016
Currently OMS is limited to only 1 AV. 99% of all servers out there will now be reported as unprotected. https://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6519211-windows-server-2008-r2-sp1-servers-are-shown-as-n
- Anonymous
May 17, 2017
Our systems are showing the wrong "Trend Micro Deep Security format. Version: 9.6.7888" for a particular period of time. I have checked all other servers, but all have the same version, and their status is shown as protected. Please help me.