All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 7 posts ] 
Author Message
PostPosted: Fri Mar 21, 2008 12:48 am 
Offline
Newbie

Joined: Fri Mar 21, 2008 12:31 am
Posts: 16
Location: Denver, Colorado
I'm the System Admin for the Company I work for.
I run the audit script every night, and check the "SP2 without up to date AntiVirus" every morning.
I finally noticed that if one of our techs re-images a computer, it will continue to report that its antivirus is up to date, even though it has no antivirus installed.

Is there a way to change the antivirus part of the audit script so it rescans all previously detected antivirus software?

I do have the latest version of the Audit script, and Open-Audit 08.02.01.

My setup:
I'm hosting Open Audit on an Ubuntu Linux Server.
I run the Audit script from my XP workstation.
All Computers and Servers are Windows XP, and Server 2003.
We use McAfee as our antivirus software.


PostPosted: Fri Apr 25, 2008 7:17 am 
Offline
Newbie

Joined: Fri Mar 21, 2008 12:31 am
Posts: 16
Location: Denver, Colorado
Since nobody showed any interest, I figured it out for myself.
When the Audit.vbs script runs, if it finds no antivirus products, it skips the entry for antivirus, so it does not update the MySQL database with an empty entry.

So I added this to my audit.vbs script, where the comment says: AV Settings.
Below is the whole AV Settings part, the highlighted part is my addition.

[code]
'''''''''''''''''
' AV Settings '
'''''''''''''''''
if ((ServicePack = "2" AND SystemBuildNumber = "2600") OR (SystemBuildNumber = "6000")) then
    ' Query the Security Center WMI namespace on the audited machine
    Set objWMIService_AV = GetObject("winmgmts:\\" & strComputer & "\root\SecurityCenter")
    comment = "AV - Security Center Settings"
    if verbose = "y" then
        wscript.echo comment
    end if
    Set colItems = objWMIService_AV.ExecQuery("Select * from AntiVirusProduct")

    ' --- begin addition (highlighted in the original post) ---
    ' No AntiVirusProduct instances returned: submit an empty system10 entry
    ' so the database is updated instead of the entry being skipped.
    ' colItems is an object collection, so test its Count rather than comparing it to "".
    if colItems.Count = 0 then
        av_prod = ""
        av_disp = ""
        av_vers = ""
        av_up2d = ""
        form_input = "system10^^^" & av_prod & "^^^" & av_disp & "^^^" _
            & av_up2d & "^^^" & av_vers & "^^^"
        entry form_input,comment,objTextFile,oAdd,oComment
        form_input = ""
    end if
    ' --- end addition ---

    ' One system10 entry per antivirus product reported by Security Center
    For Each objAntiVirusProduct In colItems
        av_prod = Clean(objAntiVirusProduct.companyName)
        av_disp = Clean(objAntiVirusProduct.displayName)
        av_vers = Clean(objAntiVirusProduct.versionNumber)
        av_up2d = Clean(objAntiVirusProduct.productUptoDate)

        If av_up2d Then
            av_up2d = "True"
        Else
            av_up2d = "False"
        End If

        form_input = "system10^^^" & av_prod & "^^^" & av_disp & "^^^" _
            & av_up2d & "^^^" & av_vers & "^^^"
        entry form_input,comment,objTextFile,oAdd,oComment
        form_input = ""
    Next
end if
[/code]


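The following added example, which is not from the post or from Open-AudIT, shows a server-side check for the same failure: it parses `system10` lines in the field order the script builds them and flags hosts whose last antivirus record predates their last audit. The host names, timestamps, function names and status labels are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

def parse_system10(line):
    """Split a 'system10^^^...' line in the field order the script builds it."""
    parts = line.split("^^^")
    if parts[0] != "system10" or len(parts) < 5:
        raise ValueError("not a system10 record: %r" % line)
    company, display, up_to_date, version = parts[1:5]
    return {"company": company, "display": display,
            "up_to_date": up_to_date == "True", "version": version}

def av_status(last_audit, av_lines, tolerance=timedelta(minutes=10)):
    """last_audit: {host: datetime}; av_lines: [(host, received_at, line)]."""
    latest = {}
    for host, received_at, line in av_lines:
        if host not in latest or received_at > latest[host][0]:
            latest[host] = (received_at, parse_system10(line))
    status = {}
    for host, audited_at in last_audit.items():
        if host not in latest:
            status[host] = "never-reported"
            continue
        received_at, rec = latest[host]
        if audited_at - received_at > tolerance:
            # AV record predates the latest audit: nothing was sent this run
            status[host] = "stale"
        elif not rec["display"]:
            status[host] = "no-antivirus"  # empty record, as sent by the fix
        elif not rec["up_to_date"]:
            status[host] = "out-of-date"
        else:
            status[host] = "ok"
    return status

# Constructed sample data (hypothetical hosts and product name).
NOW = datetime(2008, 4, 25, 2, 0)
AV = "system10^^^Example AV Co^^^Example AV^^^%s^^^8.5^^^"
LAST_AUDIT = {h: NOW for h in ("ws-01", "ws-02", "ws-03", "ws-04", "ws-05")}
AV_LINES = [
    ("ws-01", NOW, AV % "True"),
    ("ws-02", NOW - timedelta(days=30), AV % "True"),  # re-imaged, old script
    ("ws-03", NOW, "system10" + "^^^" * 5),            # re-imaged, fixed script
    ("ws-04", NOW, AV % "False"),
]

if __name__ == "__main__":
    for host, state in sorted(av_status(LAST_AUDIT, AV_LINES).items()):
        print(host, state)
```
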
PostPosted: Fri Apr 25, 2008 7:01 pm 
Offline
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Thanks for that, added the change in to SVN version 1031 :D

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


PostPosted: Fri Apr 17, 2009 11:18 am 
Offline
Newbie

Joined: Fri Apr 03, 2009 2:37 pm
Posts: 13
I'm not getting any reporting for Symantec AV 10 or 11 (Symantec End Point) on Windows 2003 devices. XP boxes report fine. Is this functionality workable for W2k3?


PostPosted: Fri Apr 17, 2009 9:58 pm 
Offline
Helper

Joined: Wed Sep 05, 2007 1:43 am
Posts: 55
[code]if ((SystemBuildNumber = "2600" AND CInt(ServicePack) > 1) OR (SystemBuildNumber = "6000")) then
comment = "AV - Security Center Settings"
Echo(comment)
Set objWMIService_AV = GetObject("winmgmts:\\" & strComputer & "\root\SecurityCenter")
Set colItems = objWMIService_AV.ExecQuery("Select * from AntiVirusProduct")
[/code]
Here it is.
[quote]Operating System: 2003 Server R2, Std
Build Number: 3790[/quote]

I am unsure what they actually filter out, so I can't give a solution.

PostPosted: Tue Apr 21, 2009 9:53 am 
Offline
Newbie

Joined: Fri Apr 03, 2009 2:37 pm
Posts: 13
Well system build 2600 is XP and 6000 is Vista so it would appear that they are the only two OS's that currently support this feature. I was hoping that there was something we could do for Win2k3.


PostPosted: Tue Apr 21, 2009 7:16 pm 
Offline
Helper

Joined: Wed Sep 05, 2007 1:43 am
Posts: 55
[quote="Ben"]Well system build 2600 is XP and 6000 is Vista so it would appear that they are the only two OS's that currently support this feature. I was hoping that there was something we could do for Win2k3.[/quote]

I tried to say the same.
As I am unfamiliar with WMI, the only thing I can suggest is to dig through the forum about custom audits; there are some examples about Symantec in the registry.
