Collects information about Antimalware for the Antimalware Intelligence Pack

CollectAntiMalwareInformation (Rule)

Element properties:

TargetMicrosoft.Windows.Server.Computer
CategoryCustom
EnabledFalse
Alert GenerateFalse
RemotableFalse

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource TimedPowershellPropertyBagProvider Default
WA2 WriteAction Microsoft.SystemCenter.AntiMalwareInformationDataWriteAction Default

Source Code:

<Rule ID="CollectAntiMalwareInformation" Enabled="false" Target="Windows!Microsoft.Windows.Server.Computer" ConfirmDelivery="false" Remotable="false">
<Category>Custom</Category>
<DataSources>
<DataSource ID="DS" TypeID="TimedPowershellPropertyBagProvider">
<IntervalSeconds>3600</IntervalSeconds>
<SyncTime/>
<ScriptName>CollectLastUpdateTime</ScriptName>
<ScriptBody><Script>

Param(
[parameter(Mandatory=$false, ValueFromPipeline=$true)]
[string]$logfile = "$env:windir\debug\mrt.log",
[parameter(Mandatory=$false, ValueFromPipeline=$false)]
[int]$timeWindowInHours = 24,
[parameter(Mandatory=$false, ValueFromPipeline=$false)]
[string]$showCount = "false",
[parameter(Mandatory=$false, ValueFromPipeline=$false)]
[int]$retryTimeInSeconds = 10
)

#
# Returns "Defender" if Defender is present and should be used, "Msrt" otherwise"
#

Function Import-MpModule
{
$mpModulePaths = @(
"$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1"
);

foreach ($mpModulePath in $mpModulePaths)
{
$path = [System.Environment]::ExpandEnvironmentVariables($mpModulePath)
if (Test-Path $path)
{
$mpModule = Import-Module $path -PassThru
if ($mpModule -ne $null)
{
return $mpModule;
}
}
}

return $null;
}

Function Get-ActiveEngine
{
$module = Import-MpModule
if ($module -ne $null)
{
return "Defender";
}
else
{
return "Msrt";
}
}
&lt;#
.SYNOPSIS

Parses the Malicious Software Removal Tool logfile

.DESCRIPTION

Outputs a summary from each run of the Malicious Software Removal Tool, showing:
* return code
* signature version or build number
* scan date
* protection status
* threat status
* malware found
* action taken

.PARAMETER logfile

Path to the logfile to be read.
Default is %windir%\debug\mrt.log

.PARAMETER timeWindowInHours

Controls how many hours in the past to look for scans. (Always returns latest scan)

Default is 24

.PARAMETER showCount

Controls whether the count of total records parsed is output

#&gt;

Function Scan-MsrtLog
{
Param(
[parameter(Mandatory=$false, ValueFromPipeline=$true)]
[string]$logfile = "$env:windir\debug\mrt.log",
[parameter(Mandatory=$false, ValueFromPipeline=$false)]
[int]$timeWindowInHours = 24,
[parameter(Mandatory=$false, ValueFromPipeline=$false)]
[string]$showCount = "false"
)

#Object that contains the malware scan information for a given period
$global:malwareScans = @();

Set-StrictMode -Version 2

#region ProtectionCodes
$ThreatDetectedProtectionCode = @( 550, "Threat detected" )
$UnknownProtectionCode = @( 470, "Unknown" )
$NotReportingProtectionCode = @( 450, "Not reporting" )
$ActionRequiredProtectionCode = @( 350, "Action required" )
$NoRealTimeProtectionProtectionCode = @( 270, "No real time protection" )

$ProtectionStatusFromStatusCode = @{
"-1" = $NotReportingProtectionCode;
"0" = $NoRealTimeProtectionProtectionCode;
"1" = $NotReportingProtectionCode;
"2" = $NotReportingProtectionCode;
"3" = $NotReportingProtectionCode;
"4" = $NotReportingProtectionCode;
"5" = $UnknownProtectionCode;
"6" = $ThreatDetectedProtectionCode;
"7" = $ThreatDetectedProtectionCode;
"8" = $ActionRequiredProtectionCode;
"9" = $ActionRequiredProtectionCode;
"10" = $ActionRequiredProtectionCode;
"11" = $ActionRequiredProtectionCode;
"12" = $ActionRequiredProtectionCode;
"13" = $ActionRequiredProtectionCode;
}
#endregion

#region ThreatCodes
$ActiveThreatThreatCode = @( 550, "Active threat" )
$UnknownThreatCode = @( 470, "Unknown" )
$RemediatedThreatThreatCode = @( 370, "Remediated threat" )
$NoThreatsDetectedThreatCode = @( 150, "No threats detected" )

#endregion

#region MSRTCodes
# MSRT protection status return code taken from http://support.microsoft.com/kb/891716
$DescriptionFromStatusCode = @{
"-1" = "Not reporting - Unable to collect data";
"0" = "No infection found";
"1" = "Not reporting - OS Environment Error";
"2" = "Not reporting - Not running as an Administrator";
"3" = "Not reporting - Not a supported OS";
"4" = "Not reporting - Error Initializing the scanner. (Download a new copy of the tool)";
"5" = "Unknown";
"6" = "At least one infection detected.";
"7" = "At least one infection was detected, but errors were encountered.";
"8" = "Manual steps are required for a complete removal.";
"9" = "Manual steps are required for complete removal and errors were encountered.";
"10" = "Restart is required for complete removal";
"11" = "Restart is required for complete removal and errors were encountered";
"12" = "Manual steps and a restart is required for complete removal.";
"13" = "Restart is required.";
}
#endregion

$build = ""
$returnCode = ""
$signatureVersion = ""
$scanDate = ""
$malware = @()
$malware_found = ""
$malware_details_found = ""


$countRecords = 0

if (!(Test-Path $logfile))
{
Write-Warning "File does not exist: $logfile"
Add-Line -1 "" "" "" $malware $true
}
else
{
foreach ($line in (Get-Content $logfile) )
{
Write-Debug "&gt;$line"
switch -regex ($line)
{
"^-{87}$" # record separator is 87 -, reset values
{
if ($countRecords -gt 0 ) # top of file has record separator, but we haven't read a record yet
{
Add-Line $returnCode $build $signatureVersion $scanDate $malware $false
}

$countRecords++
Write-Debug "New record"
$build = ""
$returnCode = ""
$signatureVersion = ""
$scanDate = ""
$malware = @()
$malware_found = ""
$malware_details_found = ""
}

"build ([\d.]+)"
{
$build = $Matches[1]
Write-Debug "Build = $build"
}

"^Started On (.+)"
{
$scanDate = $Matches[1]
Write-Debug "ScanDate = $scanDate"
}

"^Signatures: ([\d.]+)"
{
$signatureVersion = $Matches[1]
Write-Debug "Signature Version = $signatureVersion"
}

"^Threat Detected: (\S+?)(, | and )(.*)$"
{
$malware_found = $Matches[1]
$malware_details_found = $Matches[3]
Write-Debug "Malware: $malware_found, Details: $malware_details_found"
}

" Action: (\w+), Result: ([\d\w]+)"
{
$action = $Matches[1]
$actionCode = $Matches[2]
if (($action -eq "Remove" -or $action -eq "Clean") -and $actionCode -eq "0x00000000")
{
$threat_status = $RemediatedThreatThreatCode
}
else
{
$threat_status = $ActiveThreatThreatCode
}

$item = @{};
$item.Threat = $malware_found;
($item.ThreatStatusRank, $item.ThreatStatus) = $threat_status;
$item.ThreatStatusDetails = $malware_details_found;

$malware += $item
Write-Debug "$malware_found : $item"
}

"^Return code: (\d+)"
{
$returnCode = $Matches[1]
Write-Debug "Return code = $returnCode"
}
}
}

Add-Line $returnCode $build $signatureVersion $scanDate $malware $true
}

if ($showCount -eq "true")
{
Write-Host "$countRecords processed"
}

$global:malwareScans
}

function Add-Line
{
param(
$returnCode,
$build,
$signatureVersion,
$scanDate,
$malware,
$isLastScan)

Write-Debug "$returnCode, $build, $signatureVersion, $scanDate, $malware, $isLastScan"

$scanDateTime = (Get-Date).ToUniversalTime().Date.ToLocalTime() # scanDateTime will default to 12:00:00AM of the current date if log file doesn't exist or if it cannot parse the format of the MSRT log file
$threatStatus = ""
$returnProtectionStatus = ""
$returnProtectionRank = ""
$returnScanDate = ""

if ($scanDate -ne "")
{
try
{
$scanDateTime = ([datetime]::ParseExact($scandate, 'ddd MMM dd HH:mm:ss yyyy', [System.Globalization.CultureInfo]::InvariantCulture)) # MSRT Date format is not a standard format
}
catch
{
Write-Verbose "Scan date not valid: $scanDate"
}
}

$nowMinusTimeWindow = (Get-Date).AddHours(-$timeWindowInHours)
if (($scanDateTime -gt $nowMinusTimeWindow) -or $isLastScan)
{
if ($returnCode -eq "")
{
$returnCode = -1;
}

($returnProtectionRank, $returnProtectionStatus) = $ProtectionStatusFromStatusCode[$returnCode];

if ($signatureVersion -eq "")
{
if ($build -ne "")
{
$signatureVersion = $build
}
else
{
$signatureVersion = "Unknown"
}
}

$DateCollected = Get-Date -Format "yyyy-MM-dd" (Get-Date).ToUniversalTime();
if ($isLastScan -eq $false)
{
$DateCollected = Get-Date -Format "yyyy-MM-dd" $scanDateTime.ToUniversalTime();
}

if ($malware.Count -gt 0 )
{
foreach ($item in $malware)
{
$malware_scan = @{};
$malware_scan.ProtectionStatusRank = $returnProtectionRank;
$malware_scan.ProtectionStatus = $returnProtectionStatus;
$malware_scan.ProtectionStatusDetails = $DescriptionFromStatusCode[$returnCode];
$malware_scan.Signature = $signatureVersion;
$malware_scan.ScanDate = $scanDateTime.ToUniversalTime().ToString("G", [System.Globalization.CultureInfo]::InvariantCulture);
$malware_scan.DateCollected = $DateCollected;
$malware_scan.Tool = "Malicious Software Removal Tool";

$malware_scan.Threat = $item.Threat;
$malware_scan.ThreatStatusRank = $item.ThreatStatusRank;
$malware_scan.ThreatStatus = $item.ThreatStatus;
$malware_scan.ThreatStatusDetails = $item.ThreatStatusDetails;
$malware_scan.DetectionId = [System.Guid]::NewGuid().ToString()

$global:malwareScans += $malware_scan;
}
}
else
{
$malware_scan = @{};
$malware_scan.DetectionId = "";
$malware_scan.Threat = "";
$malware_scan.ThreatStatusDetails = "";
($malware_scan.ThreatStatusRank, $malware_scan.ThreatStatus) = $NoThreatsDetectedThreatCode
$malware_scan.ProtectionStatusRank = $returnProtectionRank;
$malware_scan.ProtectionStatus = $returnProtectionStatus;
$malware_scan.ProtectionStatusDetails = $DescriptionFromStatusCode[$returnCode];
$malware_scan.Signature = $signatureVersion;
$malware_scan.ScanDate = $scanDateTime.ToUniversalTime().ToString("G", [System.Globalization.CultureInfo]::InvariantCulture);
$malware_scan.DateCollected = $DateCollected;
$malware_scan.Tool = "Malicious Software Removal Tool";

$global:malwareScans += $malware_scan;
}
}
}
$global:retryTimeoutInSeconds = 10;
$global:timeWindowInHours = 24;
$global:malwareScans = @();

Function Scan-DefenderStatus
{
Param(
[parameter(Mandatory=$false, ValueFromPipeline=$false)]
[int]$retryTimeoutInSeconds = 10,
[parameter(Mandatory=$false, ValueFromPipeline=$false)]
[int]$timeWindowInHours = 24
)

$global:retryTimeoutInSeconds = $retryTimeoutInSeconds;
$global:timeWindowInHours = $timeWindowInHours;

#Object that contains the malware scan information for a given period
$global:malwareScans = @();

#region Protection Status Codes and Rankings
$ThreatDetectedProtectionCode = @( 550, "Threat Detected" )
$UnknownProtectionCode = @( 470, "Unknown" )
$NotReportingProtectionCode = @( 450, "Not Reporting" )
$ActionRequiredProtectionCode = @( 350, "Action Required" )
$NoRealTimeProtectionProtectionCode = @( 270, "No real time protection" )
$SignaturesOutOfDateProtectionCode = @( 250, "Signatures out of date" )
$RealTimeProtectionCode = @( 150, "Real time protection" )
#endregion

#region Threat Status Codes and Rankings
$ActiveThreatCode = @( 550, "Active" )
$UnknownThreatCode = @( 470, "Unknown" )
$RemediatedThreatThreatCode = @( 370, "Remediated" )
$QuarantinedThreatCode = @( 350, "Quarantined" )
$BlockedThreatCode = @( 330, "Blocked" )
$AllowedThreatCode = @( 250, "Allowed" )
$NoThreatsDetectedThreatCode = @( 150, "No threats detected" )
#endregion

$ThreatStatusFromStatusCode = @{
"0" = $UnknownThreatCode, "Unknown";
"1" = $ActiveThreatCode, "Detected";
"2" = $RemediatedThreatThreatCode, "Cleaned";
"3" = $QuarantinedThreatCode, "Quarantined";
"4" = $RemediatedThreatThreatCode, "Removed";
"5" = $AllowedThreatCode, "Allowed";
"6" = $BlockedThreatCode, "Blocked";
"Blocked" = $BlockedThreatCode, "CleanFailed";
"102" = $ActiveThreatCode, "QuarantineFailed";
"103" = $ActiveThreatCode, "RemoveFailed";
"104" = $QuarantinedThreatCode, "AllowFailed";
"105" = $UnknownThreatCode, "Abandoned";
"107" = $RemediatedThreatThreatCode, "BlockedFailed";
}

Set-StrictMode -Version 2

$currentTime = (Get-Date);

$protectionStatusCode = @(0, "");
$protectionStatusDetails = "";
$computerStatus = $null;
$threatDetections = $null;

# Get all information needed - Computer Status and Threat Detections
try {
$computerStatus = Collect-ComputerStatus
}
catch {
#
# Just go to not reporting and continue - if threats detected, this status will be forced to "threats detected"
#
Write-Warning "Failed to collect computer status"
$protectionStatusCode = $NotReportingProtectionCode;
$protectionStatusDetails = "Unable to determine status";
}

try {

$threatDetections = Collect-DetectionStatus
}
catch {
#
# Something bad happened - Everything goes to not reporting status
#
Write-Warning "Failed to collect threat detections"

($protectionRank, $protectionStatus) = $NotReportingProtectionCode;
$protectionStatusDetails = "Unable to determine status";
($returnThreatStatusRank, $returnThreatStatus) = $NoThreatsDetectedThreatCode

Add-MalwareScan $protectionRank $protectionStatus $protectionStatusDetails "" "" $returnThreatStatusRank $returnThreatStatus "" "" $currentTime $currentTime

$global:malwareScans
return
}

#
# First, detect if we have active threats
#
$activeThreatDetections = $threatDetections | Where-Object { $_.ThreatStatusID -eq 1 }
$activeThreatCount = ($activeThreatDetections | Measure-Object).Count

if ($activeThreatCount -gt 0) {
$protectionStatusCode = $ThreatDetectedProtectionCode
$protectionStatusDetails = "At least one threat detected"
} else {
#
# See if any of the protection aspects are disabled
#
if ($computerStatus -ne $null) {
if (
$computerStatus.AMServiceEnabled -eq $false -or
$computerStatus.OnAccessProtectionEnabled -eq $false -or
$computerStatus.AntivirusEnabled -eq $false -or
$computerStatus.AntispywareEnabled -eq $false -or
$computerStatus.RealTimeProtectionEnabled -eq $false
) {
$protectionStatusDetails = "";
$protectionStatusDetailsArray = @();
$protectionStatusCode = $NoRealTimeProtectionProtectionCode;
if ($computerStatus.AMServiceEnabled -eq $false) {
$protectionStatusDetailsArray += "Antimalware disabled";
}
if ($computerStatus.OnAccessProtectionEnabled -eq $false) {
$protectionStatusDetailsArray += "On access protection disabled";
}
if ($computerStatus.IoavProtectionEnabled -eq $false) {
$protectionStatusDetailsArray += "Ioav protection disabled";
}
if ($computerStatus.BehaviorMonitorEnabled -eq $false) {
$protectionStatusDetailsArray += "Behavior monitor disabled";
}
if ($computerStatus.AntivirusEnabled -eq $false) {
$protectionStatusDetailsArray += "Antivirus disabled";
}
if ($computerStatus.AntispywareEnabled -eq $false) {
$protectionStatusDetailsArray += "Antispyware disabled";
}
if ($computerStatus.RealTimeProtectionEnabled -eq $false) {
$protectionStatusDetailsArray += "Real-time protection disabled";
}
$protectionStatusDetails = [string]::join('; ', $protectionStatusDetailsArray);
} else {
#
# Check currency of signatures and quick scan
#
if (
($computerStatus.AntispywareSignatureAge -gt 7) -or
($computerStatus.AntivirusSignatureAge -gt 7)
) {
$protectionStatusCode = $SignaturesOutOfDateProtectionCode
$protectionStatusDetailsArray = @();
$protectionStatusDetails = "Signatures older than 7 days: ";
if ($computerStatus.AntispywareSignatureAge -gt 7) {
$protectionStatusDetailsArray += "Antispyware";
}
if ($computerStatus.AntivirusSignatureAge -gt 7) {
$protectionStatusDetailsArray += "Antivirus";
}
$protectionStatusDetails += [string]::join('; ', $protectionStatusDetailsArray);
} else {
#
# Everything is good
#
$protectionStatusCode = $RealTimeProtectionCode
$protectionStatusDetails = "No active threats detected"
}
}
}
}

($protectionRank, $protectionStatus) = $protectionStatusCode;

#
# Check Detected Threats Information
#
$returnScanDate = $currentTime;
$latestLastChangeTime = $currentTime.ToUniversalTime().Date.ToLocalTime();
$pastDateTime = (Get-Date).AddHours(-$global:timeWindowInHours);
$signature = Get-SignatureFromComputerStatus $computerStatus;

try {
if ($threatDetections -eq $null) {
# No threatdetections returned by Defender API
($returnThreatStatusRank, $returnThreatStatus) = $NoThreatsDetectedThreatCode
Add-MalwareScan $protectionRank $protectionStatus $protectionStatusDetails "" "" $returnThreatStatusRank $returnThreatStatus "" $signature $latestLastChangeTime $currentTime
} else
{
foreach ($threatDetection in $threatDetections) {
# Determine the threat categories based on ThreatStatusID
(($returnThreatStatusRank, $returnThreatStatus), $returnThreatStatusDetails) = $ThreatStatusFromStatusCode[$threatDetection.ThreatStatusID.ToString()];

if ($returnThreatStatus -eq $ActiveThreatCode[1]) {
# Active Threat
# set the scandate to the InitialDetectionTime
$returnScanDate = $threatDetection.InitialDetectionTime;
$threatName = Get-ThreatById $threatDetection.ThreatID
Add-MalwareScan $protectionRank $protectionStatus $protectionStatusDetails $threatDetection.DetectionID $threatName $returnThreatStatusRank $returnThreatStatus $returnThreatStatusDetails $signature $returnScanDate $currentTime
} else {
if ($threatDetection.InitialDetectionTime -ge $pastDateTime) {
# Reporting the rising edge of threat detection
# Force Protection Status to be active
($localProtectionRank, $localProtectionStatus) = $ThreatDetectedProtectionCode
$localProtectionStatusDetails = "At least one threat detected"

# Force Threat Status to be active
(($localThreatStatusRank, $localThreatStatus), $localThreatStatusDetails) = $ThreatStatusFromStatusCode["1"];

# set the scandate to the LastThreatStatusChangeTime
$returnScanDate = $threatDetection.InitialDetectionTime
$threatName = Get-ThreatById $threatDetection.ThreatID
Add-MalwareScan $localProtectionRank $localProtectionStatus $localProtectionStatusDetails $threatDetection.DetectionID $threatName $localThreatStatusRank $localThreatStatus $localThreatStatusDetails $signature $returnScanDate $returnScanDate
}

# Filter to detected threats that happened in the last period
if ($threatDetection.LastThreatStatusChangeTime -ge $pastDateTime) {
# Reporting the falling edge of threat detection with Protection Status set to global state
# set the scandate to the LastThreatStatusChangeTime
$returnScanDate = $threatDetection.LastThreatStatusChangeTime
$threatName = Get-ThreatById $threatDetection.ThreatID
Add-MalwareScan $protectionRank $protectionStatus $protectionStatusDetails $threatDetection.DetectionID $threatName $returnThreatStatusRank $returnThreatStatus $returnThreatStatusDetails $signature $returnScanDate $returnScanDate
}

if ($threatDetection.LastThreatStatusChangeTime -ge $latestLastChangeTime) {
$latestLastChangeTime = $threatDetection.LastThreatStatusChangeTime;
}
($returnThreatStatusRank, $returnThreatStatus) = $NoThreatsDetectedThreatCode
Add-MalwareScan $protectionRank $protectionStatus $protectionStatusDetails "" "" $returnThreatStatusRank $returnThreatStatus "" $signature $latestLastChangeTime $currentTime
}
}
}
}
catch {
Write-Warning "Failed to collect detection status"
(($returnThreatStatusRank, $returnThreatStatus), $returnThreatStatusDetails) = $ThreatStatusFromStatusCode["0"]; # set threat status to unknown
Add-MalwareScan $protectionRank $protectionStatus $protectionStatusDetails "" "" $returnThreatStatusRank $returnThreatStatus "Failed to collect detection status" $signature $currentTime.ToUniversalTime().Date.ToLocalTime() $currentTime
}

$global:malwareScans
}

function Get-SignatureFromComputerStatus {
param(
$ComputerStatus
)
$Signature = ""
if ($ComputerStatus -ne $null) {
$Signature = $ComputerStatus.AntivirusSignatureVersion;
}
$Signature
}

function Get-ThreatById {
param(
$ThreatID
)
# get the threat associated with detection
$threatName = "Unknown"; # defaults to unknown threat name
try {
$threats = Collect-Threats
$threat = $threats | Where-Object { $_.ThreatID -eq $ThreatID }
if ($threat -ne $null) {
$threatName = $threat.ThreatName;
}
}
catch {
Write-Warning "Failed to collect threat information"
throw
}
$threatName
}

function Add-MalwareScan {
param(
$ProtectionRank,
$ProtectionStatus,
$ProtectionStatusDetails,
$DetectionId,
$Threat,
$ThreatStatusRank,
$ThreatStatus,
$ThreatStatusDetails,
$Signature,
$ScanDate,
$DateCollected
)
$malware_scan = @{};
$malware_scan.ProtectionStatusRank = $ProtectionRank;
$malware_scan.ProtectionStatus = $ProtectionStatus;
$malware_scan.ProtectionStatusDetails = $ProtectionStatusDetails;
$malware_scan.DetectionId = $DetectionId;
$malware_scan.Threat = $Threat;
$malware_scan.ThreatStatusRank = $ThreatStatusRank;
$malware_scan.ThreatStatus = $ThreatStatus;
$malware_scan.ThreatStatusDetails = $ThreatStatusDetails;
$malware_scan.Signature = $Signature;
$malware_scan.Tool = "System Center Endpoint Protection";
$malware_scan.ScanDate = $ScanDate.ToUniversalTime().ToString("G", [System.Globalization.CultureInfo]::InvariantCulture);
$malware_scan.DateCollected = Get-Date -Date $DateCollected.ToUniversalTime() -Format "yyyy-MM-dd";
$global:malwareScans += $malware_scan;
}

function Collect-ComputerStatus {
foreach ($attempt in 1..5) {
try {
$status = Get-MProtComputerStatus
return $status;
}
catch {
if ($attempt -ne 5) {
Start-Sleep -s $global:retryTimeoutInSeconds
} else {
throw
}
}
}
}

function Collect-Threats {
foreach ($attempt in 1..5) {
try {
$threats = Get-MProtThreat
return $threats;
}
catch {
if ($attempt -ne 5) {
Start-Sleep -s $global:retryTimeoutInSeconds
} else {
throw
}
}
}
}

function Collect-DetectionStatus {
foreach ($attempt in 1..5) {
try {
$threatsDetections = @()
$threatsDetectionInfo = Get-MProtThreatDetection
foreach ($tdi in $threatsDetectionInfo)
{
$threatsDetections += $tdi
}
if($threatsDetections.Count -eq 1)
{
return ,$threatsDetections
}
return $threatsDetections
}
catch {
Write-Warning "Failed to call get-mprotthreatdetection"
if ($attempt -ne 5) {
Start-Sleep -s $global:retryTimeoutInSeconds
} else {
throw
}
}
}
}

$oAPI = new-object -comObject "MOM.ScriptAPI";

$oAPI.LogScriptEvent("AntiMalware Collection Script Started", 9999, 0, "");

$engine = Get-ActiveEngine

$oAPI.LogScriptEvent("AntiMalware Collection Script Detected Engine", 9999, 0, "Engine: " + $engine);

if ($engine -eq "Defender") {
Scan-DefenderStatus $retryTimeInSeconds $timeWindowInHours
}
else {
$oAPI.LogScriptEvent("MSRT Logfile Path" , 9999, 0, $logfile);
Scan-MsrtLog $logfile $timeWindowInHours $showCount
}

foreach ($scan in $global:malwareScans) {
$oPropertyBag = $oAPI.CreatePropertyBag();

$oPropertyBag.AddValue("DeviceName", "$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$");
$oPropertyBag.AddValue("DetectionId", $scan.DetectionId);
$oPropertyBag.AddValue("Threat", $scan.Threat);
$oPropertyBag.AddValue("ThreatStatusRank", $scan.ThreatStatusRank);
$oPropertyBag.AddValue("ThreatStatus", $scan.ThreatStatus);
$oPropertyBag.AddValue("ThreatStatusDetails", $scan.ThreatStatusDetails);
$oPropertyBag.AddValue("ProtectionStatusRank", $scan.ProtectionStatusRank);
$oPropertyBag.AddValue("ProtectionStatus", $scan.ProtectionStatus);
$oPropertyBag.AddValue("ProtectionStatusDetails", $scan.ProtectionStatusDetails);
$oPropertyBag.AddValue("Signature", $scan.Signature);
$oPropertyBag.AddValue("Tool", $scan.Tool);
$oPropertyBag.AddValue("ScanDate", $scan.ScanDate);
$oPropertyBag.AddValue("DateCollected", $scan.DateCollected);
$oAPI.LogScriptEvent("AntiMalware Collection Script scan", 9999, 0, "device name " + "$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$" + " Threat: " + $scan.Threat + " rank: " + $scan.ProtectionStatusRank + " status: " + $scan.ProtectionStatus + " status details: " + $scan.ProtectionStatusDetails + " signature: " + $scan.Signature + " date: " + $scan.ScanDate + " tool:" + $scan.Tool);
$oPropertyBag
}

$oAPI.LogScriptEvent("AntiMalware Collection Script Finished", 9999, 0, "AntiMalware Collection Script Returned");

</Script></ScriptBody>
<TimeoutSeconds>600</TimeoutSeconds>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WA2" TypeID="Types!Microsoft.SystemCenter.AntiMalwareInformationDataWriteAction"/>
</WriteActions>
</Rule>