Open-AudIT

All times are UTC + 10 hours




Posted: Fri May 20, 2011 1:33 am
Newbie

Joined: Fri Jan 08, 2010 9:48 am
Posts: 6
Hi

I've got an issue populating the SQL with AV information for all of my Windows Servers (2003 Standard, R2, 2008, x86, x64; basically all flavors of Win Server under the sun). I have one Windows XP unit in scope in this environment and the AV data is populating properly. So I guess my question is: where does Open Audit gather this information? I can probably figure it out from there, but I just don't know where (which file specifically) is pulling the information to insert into the SQL.

Thanks!
Nicholas


Posted: Fri May 20, 2011 2:30 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
It looks like the method (http://blogs.msdn.com/b/alejacma/archive/2008/05/12/how-to-get-antivirus-information-with-wmi-vbscript.aspx) that OpenAudit uses is no longer supported in recent versions of Windows. From reading the linked blog comments, an AV vendor can support this but yours probably doesn't. We use TrendMicro and the SecurityCenter namespace isn't available on our servers.


Posted: Fri May 20, 2011 2:44 am
Newbie

Joined: Fri Jan 08, 2010 9:48 am
Posts: 6
We are using McAfee Enterprise with AntiSpyware module and Host Intrusion Prevention. All of these items show up in the All Software query with systems assigned, so I'm not sure how to get this information into the SQL for the related fields under table 'system' in the columns virus_manufacturer, virus_version, virus_name and virus_uptodate. Basically I want to have a dashboard with this information available on the home page. The view already exists and I changed the SQL query in 'index_data.php' to include system_os_name LIKE "Microsoft(R) Windows(R) Server%" which is populating the view with the servers instead of XP. Is this information being pulled via WMI or is there something else happening? Where are the WMI object classes being called, which file specifically?

thanks


Posted: Fri May 20, 2011 2:56 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
All auditing is done in audit.vbs. In this case OpenAudit is doing it almost exactly like in the blog post I linked. Not supported in recent versions of Windows.

You could change the audit.vbs to audit the AV differently if the audit is run on a version of Windows that doesn't support the SecurityCenter namespace. You'd need to search through the registry entries of your AV product and pull the info from there.


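A sketch of the fallback described in the last reply, as an added example (not code from audit.vbs or from either poster): it queries the legacy root\SecurityCenter namespace first and, where that namespace is missing, reads the product details from the registry. The registry key and value names are hypothetical placeholders, and the output field names simply mirror the `system` table columns named in the thread.

```vbscript
Option Explicit
' Added example, not Open-AudIT's audit.vbs. The registry key and value names
' below are PLACEHOLDERS; substitute the ones your AV product actually writes.
Const HKLM = &H80000002
Const AV_SUBKEY = "ExampleVendor\ExampleAV"   ' hypothetical
Const VAL_NAME = "ProductName"                ' hypothetical
Const VAL_VENDOR = "Vendor"                   ' hypothetical
Const VAL_VERSION = "ProductVersion"          ' hypothetical
Dim avName, avVendor, avVersion, avUpToDate, avSource
Dim objWMI, colItems, objItem, n, nsOk, objReg, root, key
avName = "" : avVendor = "" : avVersion = "" : avUpToDate = "unknown" : avSource = "none" : n = 0

' Step 1: legacy root\SecurityCenter namespace, as in the linked blog post.
On Error Resume Next
Set objWMI = GetObject("winmgmts:\\.\root\SecurityCenter")
Set colItems = objWMI.ExecQuery("Select * from AntiVirusProduct")
n = colItems.Count          ' forces the query; errors if the namespace is missing
nsOk = (Err.Number = 0)
Err.Clear
On Error GoTo 0
If nsOk And n > 0 Then
    For Each objItem In colItems
        avName = objItem.displayName
        avVendor = objItem.companyName
        avVersion = objItem.versionNumber
        avUpToDate = objItem.productUptoDate
        avSource = "SecurityCenter"
    Next
End If

' Step 2: registry fallback. Check the native view, then Wow6432Node for a
' 32-bit product installed on an x64 server.
If avSource = "none" Then
    Set objReg = GetObject("winmgmts:\\.\root\default:StdRegProv")
    For Each root In Array("SOFTWARE\", "SOFTWARE\Wow6432Node\")
        key = root & AV_SUBKEY
        If avSource = "none" And ReadVal(objReg, key, VAL_NAME) <> "" Then
            avName = ReadVal(objReg, key, VAL_NAME)
            avVendor = ReadVal(objReg, key, VAL_VENDOR)
            avVersion = ReadVal(objReg, key, VAL_VERSION)
            avSource = "registry: HKLM\" & key
        End If
    Next
End If
WScript.Echo "virus_name=" & avName & vbCrLf & "virus_manufacturer=" & avVendor & vbCrLf & _
    "virus_version=" & avVersion & vbCrLf & "virus_uptodate=" & avUpToDate & vbCrLf & "source=" & avSource
Function ReadVal(reg, keyPath, valueName)   ' returns "" when the key or value is absent
    Dim v : ReadVal = ""
    If reg.GetStringValue(HKLM, keyPath, valueName, v) = 0 Then ReadVal = v & ""
End Function
```

Run it with cscript.exe on the audited host. On the registry path virus_uptodate stays "unknown", because this sketch reads no product-specific signature date.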