Monday, November 18, 2019

Windows Defender Virus Definitions and more information via SCCM

With Windows Defender gaining popularity as the product protecting Windows 10 machines, visibility of what is actually being managed becomes a key requirement.
The information an administrator needs includes signature (virus definition) versions and ages, engine and platform versions, last scan dates, and whether real-time protection is switched on.

What is the best way to collect it? As SCCM is already deployed in my environment, using it is a no-brainer.
Here's the problem: SCCM hardware inventory does not collect this information by default, but there is a way to add it. How?
By adding the WMI class that holds it to the hardware inventory classes.

The PowerShell below shows how much information is exposed in the namespace root\Microsoft\SecurityClient (Get-WmiObject is used here; Get-CimInstance is the supported replacement and returns the same class):

Get-WmiObject -Namespace root\Microsoft\SecurityClient -class AntimalwareHealthStatus

Result:

__GENUS                            : 2
__CLASS                            : AntimalwareHealthStatus
__SUPERCLASS                       : ProtectionTechnologyStatus
__DYNASTY                          : SerializableToXml
__RELPATH                          : AntimalwareHealthStatus=@
__PROPERTY_COUNT                   : 31
__DERIVATION                       : {ProtectionTechnologyStatus, SerializableToXml}
__SERVER                           : DESKTOP01
__NAMESPACE                        : root\Microsoft\SecurityClient
__PATH                             : \\DESKTOP01\root\Microsoft\SecurityClient:AntimalwareHealthStatus=@
AntispywareEnabled                 : True
AntispywareSignatureAge            : 0
AntispywareSignatureUpdateDateTime : 2018-12-09T14:58:32.000Z
AntispywareSignatureVersion        : 1.283.218.0
AntivirusEnabled                   : True
AntivirusSignatureAge              : 0
AntivirusSignatureUpdateDateTime   : 2018-12-09T14:58:32.000Z
AntivirusSignatureVersion          : 1.283.218.0
BehaviorMonitorEnabled             : True
Enabled                            : True
EngineVersion                      : 1.1.15500.2
IoavProtectionEnabled              : True
LastFullScanAge                    : 4294967295
LastFullScanDateTimeEnd            :
LastFullScanDateTimeStart          :
LastFullScanSource                 : 0
LastQuickScanAge                   : 4294967295
LastQuickScanDateTimeEnd           :
LastQuickScanDateTimeStart         :
LastQuickScanSource                : 0
Name                               : Antimalware
NisEnabled                         : True
NisEngineVersion                   : 1.1.15500.2
NisSignatureVersion                : 1.283.218.0
OnAccessProtectionEnabled          : True
ProductStatus                      : 524288
RealTimeScanDirection              : 0
RtpEnabled                         : True
SchemaVersion                      : 1.0.0.1
Version                            : 4.18.1810.5
PSComputerName                     : DESKTOP01
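The raw class output is more useful once the sentinel values are interpreted: the *Age properties are unsigned 32-bit counters and 4294967295 (0xFFFFFFFF) means the event has never happened, which is why LastFullScanAge is 4294967295 while the matching date fields are empty above. The following function is an added example, not code from the original post; it reads AntimalwareHealthStatus with Get-CimInstance and turns it into a pass/fail summary. The day thresholds and the assumption that remote hosts are reachable over CIM/WinRM are mine.

```powershell
# Added example (not from the original post): read Defender's AntimalwareHealthStatus
# from root\Microsoft\SecurityClient and turn it into a pass/fail summary.
# Get-CimInstance is used instead of Get-WmiObject; both return the same class.

function Get-DefenderHealthSummary {
    [CmdletBinding()]
    param(
        # Hostname to query; defaults to the local machine (assumption: CIM/WinRM is reachable for remote names)
        [string]$ComputerName = $env:COMPUTERNAME,
        # Definitions older than this many days are reported as stale (threshold is an assumption, tune it)
        [int]$MaxSignatureAgeDays = 3,
        # Quick scans older than this many days are reported as overdue (assumption, tune it)
        [int]$MaxQuickScanAgeDays = 7
    )

    $cimParams = @{ Namespace = 'root\Microsoft\SecurityClient'; ClassName = 'AntimalwareHealthStatus' }
    if ($ComputerName -ne $env:COMPUTERNAME) { $cimParams.ComputerName = $ComputerName }
    $status = Get-CimInstance @cimParams -ErrorAction Stop

    # The *Age properties are uint32; 4294967295 (0xFFFFFFFF) is the sentinel for
    # "never happened" (compare the empty LastFullScanDateTime* fields in the sample output).
    $never = [uint32]::MaxValue
    $ageOrNull = { param($v) if ($v -eq $never) { $null } else { [int]$v } }

    $sigAge   = & $ageOrNull $status.AntivirusSignatureAge
    $quickAge = & $ageOrNull $status.LastQuickScanAge
    $fullAge  = & $ageOrNull $status.LastFullScanAge

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $status.Enabled)                   { $findings.Add('Antimalware service disabled') }
    if (-not $status.RtpEnabled)                { $findings.Add('Real-time protection disabled') }
    if (-not $status.OnAccessProtectionEnabled) { $findings.Add('On-access protection disabled') }
    if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Behavior monitoring disabled') }
    if (-not $status.IoavProtectionEnabled)     { $findings.Add('IOAV (download/attachment) scanning disabled') }
    if (-not $status.NisEnabled)                { $findings.Add('Network inspection (NIS) disabled') }
    if ($null -eq $sigAge)                      { $findings.Add('Signatures never updated') }
    elseif ($sigAge -gt $MaxSignatureAgeDays)   { $findings.Add("Signatures stale: $sigAge days old") }
    if ($null -eq $quickAge)                    { $findings.Add('Never quick-scanned') }
    elseif ($quickAge -gt $MaxQuickScanAgeDays) { $findings.Add("Quick scan overdue: $quickAge days") }

    [pscustomobject]@{
        ComputerName      = $ComputerName
        PlatformVersion   = $status.Version
        EngineVersion     = $status.EngineVersion
        SignatureVersion  = $status.AntivirusSignatureVersion
        SignatureUpdated  = $status.AntivirusSignatureUpdateDateTime
        SignatureAgeDays  = $sigAge
        LastQuickScanDays = $quickAge
        LastFullScanDays  = $fullAge
        Healthy           = ($findings.Count -eq 0)
        Findings          = ($findings -join '; ')
    }
}

# Usage: the local machine, or fan out over a list of hosts and keep only the unhealthy ones
Get-DefenderHealthSummary | Format-List
# 'DESKTOP01','DESKTOP02' | ForEach-Object { Get-DefenderHealthSummary -ComputerName $_ } |
#     Where-Object { -not $_.Healthy } | Format-Table ComputerName, SignatureAgeDays, Findings
```

Running this ad hoc against a handful of machines is a quick way to confirm the class returns sensible data before wiring it into SCCM; the same interpretation of the sentinel value has to be applied again when reporting from the inventory database.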

So what you need to do is add the class from this namespace to the classes collected by the hardware inventory cycle.

1) In the SCCM console, open the client settings, select "Hardware Inventory" and click "Set Classes".

2) Click Add, enter "root\Microsoft\SecurityClient" as the WMI namespace and click Connect.

3) Select the class "AntimalwareHealthStatus" (the class queried above; the same namespace also exposes "AntimalwareDetectionStatus", which holds individual detection records rather than the overall health state) and click OK.

4) You are done. If you expand the class in the hardware inventory class list, you will see all of the properties shown in the output above and can tick the ones you want to collect.
All that is needed now is to wait for the next hardware inventory cycle for the information to be sent back to SCCM (the default schedule is every 7 days; you can trigger the "Hardware Inventory Cycle" action from the Configuration Manager control panel applet on a test client to speed this up).
5) The table created in the site database will be dbo.ANTIMALWAREHEALTHSTATUS_DATA, with one row per client keyed by MachineID.
You can get the information you need from there, joining MachineID to ResourceID in v_R_System to get the computer name.
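Once the data has landed in the site database, the useful report is not the raw table but the list of clients that are out of policy. The function below is an added example, not part of the original post: it runs a query against the inventory table from PowerShell with Invoke-Sqlcmd (from the SqlServer module) and returns clients with stale definitions or real-time protection off. It assumes the SCCM convention that _DATA tables key rows on MachineID (equal to ResourceID in v_R_System) and suffix every inventoried property with "00"; the server and database names are placeholders.

```powershell
# Added example (not from the original post): report clients whose inventoried Defender
# data shows stale definitions or disabled real-time protection, straight from the
# hardware-inventory table SCCM creates for the AntimalwareHealthStatus class.
# Assumptions: _DATA tables key rows on MachineID (= v_R_System.ResourceID) and suffix
# every inventoried property with "00"; server/database names below are placeholders;
# Invoke-Sqlcmd comes from the SqlServer module.

function Get-StaleDefenderClients {
    param(
        [Parameter(Mandatory)][string]$SqlServer,   # e.g. 'SCCMDB01' (placeholder)
        [Parameter(Mandatory)][string]$Database,    # e.g. 'CM_P01'   (placeholder site database)
        [int]$MaxSignatureAgeDays = 3               # threshold is an assumption, tune it
    )

    # Single-quoted here-string so $(MaxAge) is left for sqlcmd variable substitution,
    # not expanded by PowerShell. The WMI "never" sentinel 4294967295 in the *Age00
    # columns is larger than any sane threshold, so it is caught by the same comparison
    # (assumes SCCM stored the uint32 in a column wide enough to hold it).
    $query = @'
SELECT  s.Name0                              AS ComputerName,
        a.AntivirusSignatureVersion00        AS SignatureVersion,
        a.AntivirusSignatureUpdateDateTime00 AS SignatureUpdated,
        a.AntivirusSignatureAge00            AS SignatureAgeDays,
        a.RtpEnabled00                       AS RealTimeProtection,
        a.LastQuickScanAge00                 AS QuickScanAgeDays,
        a.TimeKey                            AS InventoryTime
FROM    dbo.ANTIMALWAREHEALTHSTATUS_DATA a
JOIN    dbo.v_R_System s ON s.ResourceID = a.MachineID
WHERE   a.AntivirusSignatureAge00 > $(MaxAge)
   OR   a.RtpEnabled00 = 0
ORDER BY a.AntivirusSignatureAge00 DESC
'@

    Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $query `
        -Variable @("MaxAge=$MaxSignatureAgeDays")
}

# Usage (placeholder server and database names)
Get-StaleDefenderClients -SqlServer 'SCCMDB01' -Database 'CM_P01' | Format-Table -AutoSize
```

Remember that a row's TimeKey tells you how old the inventory itself is; a client that has not reported for weeks looks healthy in this table while its real state is unknown, so filter on inventory age as well when you build the report.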
