Microsoft.FEP.SecurityRootCause.MalwareActivity.GetInfectionStatusWmiProbeType (ProbeActionModuleType)

Element properties:

Type: ProbeActionModuleType
Isolation: Any
Accessibility: Internal
RunAs: Default
OutputType: System.PropertyBagData

Member Modules:

ID Module Type TypeId RunAs 
PassThrough ProbeAction System.PassThroughProbe Default
Probe ProbeAction Microsoft.Windows.ScriptPropertyBagProbe Default

Overrideable Parameters:

ID | Parameter Type | Selector | Display Name | Description
TimeoutSeconds | int | $Config/TimeoutSeconds$ | Timeout (Seconds) |

Source Code:

<ProbeActionModuleType ID="Microsoft.FEP.SecurityRootCause.MalwareActivity.GetInfectionStatusWmiProbeType" Accessibility="Internal" Batching="false" PassThrough="false">
<Configuration>
<xsd:element minOccurs="1" name="IsInfoIncluded" type="xsd:boolean"/>
<xsd:element minOccurs="1" name="ThreatSeverity" type="xsd:string"/>
<xsd:element minOccurs="1" name="ThreatCategory" type="xsd:string"/>
<xsd:element minOccurs="1" name="ThreatFWLink" type="xsd:string"/>
<xsd:element minOccurs="1" name="ThreatPath" type="xsd:string"/>
<xsd:element minOccurs="1" name="ThreatAdditionalActions" type="xsd:string"/>
<xsd:element minOccurs="1" name="TimeoutSeconds" type="xsd:positiveInteger"/>
</Configuration>
<OverrideableParameters>
<OverrideableParameter ID="TimeoutSeconds" Selector="$Config/TimeoutSeconds$" ParameterType="int"/>
</OverrideableParameters>
<ModuleImplementation Isolation="Any">
<Composite>
<MemberModules>
<ProbeAction ID="PassThrough" TypeID="System!System.PassThroughProbe"/>
<ProbeAction ID="Probe" TypeID="Windows!Microsoft.Windows.ScriptPropertyBagProbe">
<ScriptName>Microsoft.FEP.SecurityRootCause.MalwareActivity.GetInfectionStatus.vbs</ScriptName>
<Arguments>"$Config/IsInfoIncluded$" "$Config/ThreatSeverity$" "$Config/ThreatCategory$" "$Config/ThreatFWLink$" "$Config/ThreatPath$" "$Config/ThreatAdditionalActions$"</Arguments>
<ScriptBody><Script>
' GetInfectionStatus.vbs
'
' Queries the common client WMI interfaces and returns
' basic information about the infection status of the machine
'
' Input: (none)
' Output:
' SCOM property bag containing the following properties
' * ComputerStatus - enum for pending actions, active malware, etc.
' * PendingFullScan - bool for whether the computer requires a full scan
' * PendingManualSteps - bool for whether the computer requires manual steps
' * PendingOfflineScan - bool for whether the computer requires an offline scan (Calisto scan)
' * PendingReboot - bool for whether the computer requires reboot
' * CriticallyFailedDetectionTime - (optional) time of detection for a malware in critically failed list
' * CriticallyFailedThreatName - (optional) name of a malware in critically failed list
' * CriticallyFailedSeverity - (optional) severity of a malware detection in critically failed list
' * CriticallyFailedCategory - (optional) category of a malware detection in pending action list
' * CriticallyFailedFWLink - (optional) more information URL of a malware detection in critically failed list
' * CriticallyFailedPath - (optional) path of a malware detection in critically failed list
' * CriticallyFailedAdditionalAction - (optional) additional actions of a malware detection in critically failed list
' * PendingActionDetectionTime - (optional) time of detection for a malware in pending action list
' * PendingActionThreatName - (optional) name of a malware in pending action list
' * PendingActionSeverity - (optional) severity of a malware detection in pending action list
' * PendingActionCategory - (optional) category of a malware detection in pending action list
' * PendingActionFWLink - (optional) more information URL of a malware detection in pending action list
' * PendingActionPath - (optional) path of a malware detection in pending action list
' * PendingActionAdditionalAction - (optional) additional actions of a malware detection in pending action list
'

' Shared constant table for the FEP 2010 Security MP scripts. Only a subset is used by
' the functions visible in this script; the rest is carried along with the common include.

' Command names for the action-executor scripts
Const ACTEXEC_CMD_ABORTSCAN = "abortscan"
Const ACTEXEC_CMD_APPLY_CCSETTS = "apply_cc_settings"
Const ACTEXEC_CMD_SCAN = "scan"
Const ACTEXEC_CMD_START_AMSERVICE = "start_service"
Const ACTEXEC_CMD_UNKNOWN = "unknown command"
Const ACTEXEC_CMD_UPDATE = "update"
' Antimalware policy value names (relative to AM_POLICY_REGKEY_ROOT / AM_REGKEY_POLICY_RTP)
Const AM_POLICY_BLOCKALL_INBOUND_TRAFFIC = "BlockAllInboundTraffic"
Const AM_POLICY_DEFAULTINBOUND_ACTION_ISDENY = "DefaultInboundActionIsDeny"
Const AM_POLICY_DISABLEBEHAVIOUR = "DisableBehaviorMonitoring"
Const AM_POLICY_DISABLEINBOUND_NOTIFICATIONS = "DisableInboundNotifications"
Const AM_POLICY_DISABLEONACCESSPROTECTION = "DisableOnAccessProtection"
Const AM_POLICY_DISABLERTM = "DisableRealtimeMonitoring"
Const AM_POLICY_DISABLESCRIPTSCANNING = "DisableScriptScanning"
Const AM_POLICY_DISABLE_IPS = "DisableIntrusionPreventionSystem"
Const AM_POLICY_ENABLEFIREWALL = "EnableFirewall"
Const AM_POLICY_REGKEY_ROOT = "SOFTWARE\Policies\Microsoft\Microsoft Antimalware"
Const AM_POLICY_RTSDIRECTION = "RealTimeScanDirection"
Const AM_POLICY_SIGNATURE_UPD_CATCHUP_INTERVAL = "SignatureUpdateCatchupInterval"
Const AM_POLICY_SIGNATURE_UPD_INTERVAL = "SignatureUpdateInterval"
' Antimalware client registry keys (HKLM-relative) and value names
Const AM_REGKEY_CLIENT_INSTKEY = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client"
Const AM_REGKEY_EXCLUDED_EXTS = "\Exclusions\Extensions"
Const AM_REGKEY_EXCLUDED_PATHS = "\Exclusions\Paths"
Const AM_REGKEY_EXCLUDED_PROCESSES = "\Exclusions\Processes"
Const AM_REGKEY_FULL_SIGNATURE_UPDATES = "SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Signature Updates"
Const AM_REGKEY_POLICY_RTP = "SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection"
Const AM_REGKEY_ROOT = "SOFTWARE\Microsoft\Microsoft Antimalware"
Const AM_REGKEY_SCAN = "\Scan"
Const AM_REGKEY_SIGNATURE_UPDATES = "\Signature Updates"
Const AM_REGKEY_SIG_UPDATES_POLICY = "SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Signature Updates"
Const AM_REGVALUE_CLIENT_CONFIGPOLICY = "ConfigSecurityPolicy.exe"
Const AM_REGVALUE_CLIENT_INSTDATE = "InstallDate"
Const AM_REGVALUE_CLIENT_INSTLOCATION = "InstallLocation"
Const AM_REGVALUE_CLIENT_MPCMDRUN = "MpCmdRun.exe"
Const AM_REGVALUE_CLIENT_NAME = "DisplayName"
Const AM_REGVALUE_CLIENT_VERSION = "DisplayVersion"
Const AM_REGVALUE_SCANPARAMETERS = "ScanParameters"
Const AM_REGVALUE_SCHEDULEDAY = "ScheduleDay"
Const AM_REGVALUE_SCHEDULETIME = "ScheduleTime"
Const AM_REGVALUE_SCHEDULE_QUICK_SCAN_TIME = "ScheduleQuickScanTime"
Const AM_REGVALUE_SIGNATURE_DOWNLOAD_LOC = "FallbackOrder"
' Human-readable status strings reported back to SCOM
Const AM_RTPSTATUS_OFF = "Off"
Const AM_RTPSTATUS_ON = "On"
Const AM_RTS_DIRECTION_BOTH = "Both incoming and outgoing"
Const AM_RTS_DIRECTION_INCOMING = "Incoming"
Const AM_RTS_DIRECTION_OUTCOMING = "Outgoing"
Const AM_RTS_DIRECTION_UNKNOWN = "Unknown"
Const AM_SERVICE_NAME = "MsMpSvc"
Const AM_STATUS_DISABLED = "Disabled"
Const AM_STATUS_ENABLED = "Enabled"
' WMI queries and namespaces for the antimalware client and CIMv2
Const AM_WMI_HEALTH_STATUS_QUERY = "Select * from AntimalwareHealthStatus"
Const AM_WMI_INFECT_STATUS_QUERY = "SELECT * FROM AntimalwareInfectionStatus"
Const AM_WMI_NAMESPACE = "winmgmts:\\.\root\Microsoft\SecurityClient"
Const CIMV2_WMI_NAMESPACE = "winmgmts:\\.\root\cimv2"
Const CLIENT_REGKEY_ROOT = "SOFTWARE\Microsoft\Microsoft Security Client"
' Client deployment results (HRESULT strings, monitor states, property names)
Const DEPLOY_FAILED_HRESULT_CANCEL = "0x8004FF0A"
Const DEPLOY_FAILED_HRESULT_RESTART = "0x0004FF00"
Const DEPLOY_FAILED_HRESULT_RESTART2 = "0x8004FF25"
Const DEPLOY_FAILED_HRESULT_SUCCESS = "0x00000000"
Const DEPLOY_FAILED_MONITOR_CRITICAL = 3
Const DEPLOY_FAILED_MONITOR_HEALTHY = 1
Const DEPLOY_FAILED_MONITOR_WARNING = 2
Const DEPLOY_FAIL_ERROR_CODE_NAME = "DeploymentErrorCode"
Const DEPLOY_FAIL_INFO_NAME = "DeploymentInfo"
Const DEPLOY_FAIL_RESULT_NAME = "DeploymentResult"
Const DEPLOY_FAIL_STATE_NAME = "DeploymentState"
' System event-log query for Microsoft Antimalware detection events 1117-1119
Const EVTLOG_MW_DETECTION_WMI_QUERY = "Select * from Win32_NTLogEvent WHERE Logfile = 'System' AND SourceName='Microsoft Antimalware' AND (EventCode='1119' OR EventCode='1118' OR EventCode='1117')"
' Policy application bookkeeping values
Const FAILED_POLICY_DATE_REGKEY = "LastFailedToApplyPolicyTimeUTC"
Const FAILED_POLICY_ERR_DESC_REGKEY = "LastPolicyErrorMessage"
Const FAILED_POLICY_NAME_REGKEY = "LastFailedToApplyPolicy"
' Deployment status strings and support-folder locations
Const FEP_DEPLOYMENT_REBOOT_IS_NOT_REQUIRED = "No"
Const FEP_DEPLOYMENT_REBOOT_IS_REQUIRED = "Yes"
Const FEP_DEPLOY_ERROR_FILE_NAME = "EppSetupResult.ini"
Const FEP_DEPLOY_STATUS_FAILED = "Installation Failed"
Const FEP_DEPLOY_STATUS_INSTALLED = "Installed"
Const FEP_DEPLOY_STATUS_NO_INSTALL_DETECTED = "Never Installed"
Const FEP_DEPLOY_STATUS_REBOOT_REQUIRED = "Restart Required"
Const FEP_DEPLOY_STATUS_UNINSTALLED = "Uninstalled"
Const FEP_DEPLOY_STATUS_USER_CANCELED = "User Canceled Installation"
Const FEP_SUPPRT_DIR_PATH = "%ProgramData%\Microsoft\Microsoft Security Client\Support"
Const FEP_SUPPRT_XP_DIR_PATH = "%ALLUSERSPROFILE%\Application Data\Microsoft\Microsoft Security Client\Support"
Const FULL_SCAN = "Full scan"
' Windows Firewall policy-platform WMI classes and status strings
Const FW_GENERIC_QUERY = "Select * from "
Const FW_POLICY_CLASS_PROF_DOMAIN = "Firewall_Profile_Domain"
Const FW_POLICY_CLASS_PROF_PRIVATE = "Firewall_Profile_Private"
Const FW_POLICY_CLASS_PROF_PUBLIC = "Firewall_Profile_Public"
Const FW_REGKEY_ROOT = "Root\Microsoft\PolicyPlatform\WindowsFirewallConfiguration"
Const FW_STATUS_OFF = "Off"
Const FW_STATUS_ON = "On"
Const FW_STATUS_UNINSTALLED = "Uninstalled"
Const FW_WMI_NAMESPACE = "winmgmts:{impersonationLevel=impersonate}!\\.\Root\Microsoft\PolicyPlatform\WindowsFirewallConfiguration"
Const FW_WMI_QUERY = "Select * from FirewallState"
' Script logging switch (read by CLog.Init) and log folder name
Const LOG_REGKEY = "SOFTWARE\Microsoft\FEPS\Log"
Const LOG_REGVALUE_ENABLED = "Enabled"
Const LOG_SUBFOLDER_NAME = "FEP 2010 Security MP"
' MpCmdRun.exe argument strings
Const MPCMDRUN_CMD_FULLSCAN = " -scan -scantype 2"
Const MPCMDRUN_CMD_QUICKSCAN = " -scan -scantype 1"
Const MPCMDRUN_CMD_SIGUPDATE = " -SignatureUpdate"
Const NIS_STATUS_NOT_SUPPORTED = "Not Supported"
Const NIS_STATUS_NOT_UNKNOWN = "Unknown"
Const NIS_STATUS_OFF = "Off"
Const NIS_STATUS_ON = "On"
' Where GetOSArchitecture reads PROCESSOR_ARCHITECTURE from
Const OS_REGKEY_ARCHITECTURE = "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
Const OS_REGVALUE_ARCHITECTURE = "PROCESSOR_ARCHITECTURE"
Const POLICY_DATE_REGKEY = "LastSuccessfullyAppliedPolicyTimeUTC"
Const POLICY_LOCAL_SETTINGS_OVERRIDE_PREFIX = "LocalSettingOverride"
Const POLICY_NAME = "SCOM applied FEP-S Policy"
Const POLICY_NAME_REGKEY = "LastSuccessfullyAppliedPolicy"
Const POLICY_SECTION_AM = "FEP.AmPolicy"
Const POLICY_SECTION_FW = "FEP.HostFirewallPolicy"
Const QUICK_SCAN = "Quick scan"
Const REG_VALUE_APPLIED_POLICY = "LastSuccessfullyAppliedPolicy"
' WMI registry provider used by CRegistry
Const REG_WMICLASS_PROVIDERNAME = "StdRegProv"
Const REG_WMI_NAMESPACE = "root\default"
' Display titles for the retrieved-information property bag
Const RETRIEVAL_TITLE_ANTIMALWARE_ENGINE = "Antimalware Engine"
Const RETRIEVAL_TITLE_ANTISPYWARE_DEFINITIONS_AGE = "Antispyware Definitions Age (days)"
Const RETRIEVAL_TITLE_ANTISPYWARE_DEFINITIONS_VERSION = "Antispyware Definitions Version"
Const RETRIEVAL_TITLE_ANTISPYWARE_DEFINITIONS__DATE = "Antispyware Definitions Creation (GMT)"
Const RETRIEVAL_TITLE_ANTIVIRUS_DEFINITIONS_AGE = "Antivirus Definitions Age (days)"
Const RETRIEVAL_TITLE_ANTIVIRUS_DEFINITIONS_DATE = "Antivirus Definitions Creation (GMT)"
Const RETRIEVAL_TITLE_ANTIVIRUS_DEFINITIONS_VERSION = "Antivirus Definitions Version"
Const RETRIEVAL_TITLE_CLIENT_VERSION = "Client Version"
Const RETRIEVAL_TITLE_DOWNLOAD_LOCATION = "Definitions Download Location"
Const RETRIEVAL_TITLE_EXCLUDED_EXTENTIONS = "Excluded Extensions"
Const RETRIEVAL_TITLE_EXCLUDED_FOLDERS = "Excluded Folders"
Const RETRIEVAL_TITLE_EXCLUDED_PROCESSES = "Excluded Processes"
Const RETRIEVAL_TITLE_FAILED_POLICY_DATE = "Failed Policy Date"
Const RETRIEVAL_TITLE_FAILED_POLICY_DETAIL = "Policy Failure Details"
Const RETRIEVAL_TITLE_FAILED_POLICY_NAME = "Failed Policy Name"
Const RETRIEVAL_TITLE_FIREWALL = "Windows Firewall"
Const RETRIEVAL_TITLE_FULL_AGE = "Last Full Scan Age (days)"
Const RETRIEVAL_TITLE_FULL_END = "Last Full Scan End (GMT)"
Const RETRIEVAL_TITLE_FULL_START = "Last Full Scan Start (GMT)"
Const RETRIEVAL_TITLE_NIS = "NIS"
Const RETRIEVAL_TITLE_NIS_DEFINITIONS_VERSION = "NIS Definitions Version"
Const RETRIEVAL_TITLE_POLICY_DATE = "Policy Date"
Const RETRIEVAL_TITLE_POLICY_NAME = "Policy Name"
Const RETRIEVAL_TITLE_QUICK_AGE = "Last Quick Scan Age (days)"
Const RETRIEVAL_TITLE_QUICK_END = "Last Quick Scan End (GMT)"
Const RETRIEVAL_TITLE_QUICK_START = "Last Quick Scan Start (GMT)"
Const RETRIEVAL_TITLE_RTP = "Real-time Protection"
Const RETRIEVAL_TITLE_RTP_DIRECTION = "Real-time Protection Scan Direction"
Const RETRIEVAL_TITLE_SCAN_SCHDULE = "Scan schedule"
Const RETRIEVAL_TITLE_UPDATE_SCHEDULE = "Antimalware definitions update schedule"
' Schedule description templates ({n} placeholders are filled by the FormatString helpers)
Const SCHEDULE_DAILY = "Daily"
Const SCHEDULE_SCAN_SCHEDULE_STRING = "{0} around {1} ({2})"
Const SCHEDULE_SCAN_SCHEDULE_WITH_QUICK_STRING = "{0} around {1} ({2}); Quick scan daily around {3}"
Const SCHEDULE_UNDEFINED = "undefined"
' Operator-facing task result messages
Const TASK_ERROR_ABORT_SCAN_FAILED = "The Stop Scan task has failed. Error (0x{1:X}) {2}. Unable to stop the scan running by the process ID {0}. Log on to the computer and confirm that the FEP2010 client is installed and operating properly."
Const TASK_ERROR_APPLY_SETTINGS = "The task has failed to change settings. Error 0x{0:x}. Log on to the computer and confirm that the FEP2010 client is installed and operating properly, and then change settings locally."
Const TASK_ERROR_NOT_LSA = "This task must be run using a Local System account."
Const TASK_ERROR_NOT_SUPPORTED = "This FEP2010 client version is not supported."
Const TASK_ERROR_OPERATION_FAILED = "The task has failed. Error 0x{0:x}."
Const TASK_ERROR_SCAN_ABORTED = "The scan was stopped."
Const TASK_ERROR_SCAN_FAILED = "The Scan task has failed. Error 0x{0:X}. Log on to the computer and confirm that the FEP2010 client is installed and operating properly, and then launch a scan locally."
Const TASK_ERROR_SCAN_IN_PROGRESS = "A scan is already in progress."
Const TASK_ERROR_START_SERVICE = "The Enable Real-time Protection task has failed. Log on to the computer and confirm that the FEP2010 client is installed and operating properly, and then start the service locally."
Const TASK_ERROR_UPDATE_ERROR = "The Update Antimalware Definitions task has failed. Error 0x{0:X}. Log on to the computer and attempt to run the update locally. If updates fail, verify that WSUS is running and that the client computer has connectivity to Windows Update."
Const TASK_ERROR_UPDATE_ERROR_FOR_OPTION = "The Update Antimalware Definitions task with option {0} has failed. Error 0x{1:X}."
Const TASK_WARNING_ABORT_SCAN_NO_SCAN = "There is no scan in progress."
' CIMv2 queries and class names for OS, process and service lookups
Const WIN32OS_WMI_QUERY = "select * from Win32_OperatingSystem"
Const WIN32PROCSTUP_WMICLASS_PROVIDERNAME = "Win32_ProcessStartup"
Const WIN32PROC_BYID_WMI_QUERY = "Select * from Win32_Process Where ID = {0}"
Const WIN32PROC_BYNAME_WMI_QUERY = "Select * from Win32_Process Where Name = '{0}'"
Const WIN32PROC_WMICLASS_PROVIDERNAME = "Win32_Process"
Const WIN32PROC_WMI_NAMESPACE = "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2"
Const WIN32SERV_BYNAME_WMI_QUERY = "Select * from Win32_Service Where Name = '{0}'"

' Include common logging utilities

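Function UTCTimeToDate(strDateTime)
    ' Converts a timestamp of the form "date" + "T" + "time" + "." + fraction
    ' (for example "2010-04-29T10:20:30.123") into a Date: the text before the
    ' first "T" is the date, the text between "T" and the first "." the time,
    ' and CDate parses them joined by a space. Returns Null when the input is
    ' Null/Empty, when either separator is missing or out of order, or when
    ' CDate rejects the text (that case is logged as LOG_ERROR).
    ' CDate parses with the current locale, so the date part is assumed to be in
    ' a form CDate accepts on this system.
    ' Fix: the original cleared Err after Exit Function (never executed), so a
    ' caller running with On Error Resume Next saw a stale error after a
    ' malformed timestamp.
    Dim iDateSepInd, iSecTermInd
    Dim strDate, strTime

    On Error Resume Next
    Err.Clear ' Err is global; start clean so the check below reflects only CDate

    UTCTimeToDate = Null

    If IsNull(strDateTime) Or IsEmpty(strDateTime) Then
        Exit Function
    End If

    iDateSepInd = InStr(strDateTime, "T")
    iSecTermInd = InStr(strDateTime, ".")

    If iDateSepInd = 0 Or iSecTermInd = 0 Then
        Exit Function
    End If
    If iSecTermInd &lt;= iDateSepInd Then
        ' "." before "T" would give Mid a negative length
        Exit Function
    End If

    strDate = Left(strDateTime, iDateSepInd - 1)
    strTime = Mid(strDateTime, iDateSepInd + 1, iSecTermInd - iDateSepInd - 1)
    UTCTimeToDate = CDate(strDate + " " + strTime)

    If Err.Number &lt;&gt; 0 Then
        g_objLog.WriteLog "UTCTimeToDate", LOG_ERROR, "Wrong format of data"
        UTCTimeToDate = Null
        Err.Clear
        Exit Function
    End If
End Function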


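Function CommonClientTimeToDate(strDateTime)
    ' Converts the client's 8-character "yyyymmdd" date (e.g. "20100429" for
    ' 29/04/2010) into the string "dd/mm/yyyy". Returns Null when the input is
    ' Null/Empty, not exactly 8 characters long, or not a calendar date that
    ' CDate accepts as "yyyy-mm-dd" (that case is logged as LOG_ERROR).
    ' Note the result is a String, not a Date.
    ' Fixes: Err is now cleared before leaving the error path (the original
    ' cleared it after Exit Function, which never ran), and the argument is no
    ' longer overwritten - VBScript passes ByRef by default, so assigning to
    ' strDateTime clobbered the caller's variable.
    Dim objDate, strTmpDate

    ' Format of the input string: "20100429" meaning 29/04/2010

    On Error Resume Next
    Err.Clear

    CommonClientTimeToDate = Null

    If IsNull(strDateTime) Or IsEmpty(strDateTime) Then
        Exit Function
    End If

    If Len(strDateTime) &lt;&gt; 8 Then
        Exit Function
    End If

    ' Check that this is a valid date: rebuild as "yyyy-mm-dd" and let CDate judge it
    strTmpDate = Left(strDateTime, 6) + "-" + Right(strDateTime, 2)
    strTmpDate = Left(strTmpDate, 4) + "-" + Right(strTmpDate, 5)
    objDate = CDate(strTmpDate)

    If Err.Number &lt;&gt; 0 Then
        g_objLog.WriteLog "CommonClientTimeToDate", LOG_ERROR, "Wrong format of data"
        CommonClientTimeToDate = Null
        Err.Clear
        Exit Function
    End If

    ' Get the date right: dd/mm/yyyy
    CommonClientTimeToDate = Right(strDateTime, 2) + "/" + Mid(strDateTime, 5, 2) + "/" + Left(strDateTime, 4)
End Function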

Function IsError(value)
    ' True when a runtime error is pending on the global Err object, or when
    ' value is Nothing or Null; False otherwise. Err is not cleared here.
    Dim strKind
    strKind = TypeName(value)

    IsError = False
    If Err.Number &lt;&gt; 0 Then
        IsError = True
    End If
    If strKind = "Nothing" Or strKind = "Null" Then
        IsError = True
    End If
End Function

Function IsOS64Bit()
    ' True when the PROCESSOR_ARCHITECTURE value read by GetOSArchitecture
    ' contains "64", False when it does not, Null when it could not be read.
    Dim strArch
    strArch = GetOSArchitecture()

    If IsNull(strArch) Then
        IsOS64Bit = Null
    ElseIf InStr(strArch, "64") &gt; 0 Then
        IsOS64Bit = True
    Else
        IsOS64Bit = False
    End If
End Function

Function IsStringHollow(strVal)
    ' True for Null, Empty, the empty string and the "-1" sentinel; False for
    ' any other value. Used by GetValidStringValue to decide whether a value
    ' is worth reporting.
    IsStringHollow = True
    If IsNull(strVal) Then Exit Function
    If IsEmpty(strVal) Then Exit Function
    If strVal = "" Then Exit Function
    If strVal = "-1" Then Exit Function
    IsStringHollow = False
End Function


Function GetValidStringValue(strVal)
    ' Returns strVal unchanged when IsStringHollow says it carries a value,
    ' otherwise a single space.

    ' Empty string is not accepted by SCOM as part of the discovery, it will throw away the entire discovery and nothing will be shown in SCOM.
    ' If we won't fill out at all the fields we do not have a value for them, SCOM will keep the old discovered value which will cause wrong information to be shown in the UI.
    ' Only possibility is to fill out a white space to "delete" the old value by an empty space.

    GetValidStringValue = " "
    If Not IsStringHollow(strVal) Then
        GetValidStringValue = strVal
    End If
End Function

Function GetValidDateString(dateVal)
    ' CStr of dateVal when it is a Date; a single space for anything else
    ' (Null, strings, numbers) - the same SCOM "blank the old value" convention
    ' as GetValidStringValue.
    GetValidDateString = " "
    If IsNull(dateVal) Then Exit Function
    If TypeName(dateVal) = "Date" Then
        GetValidDateString = CStr(dateVal)
    End If
End Function

Function GetValidNumberValue(nValue, nDefault)
    ' CInt(nValue) when nValue is a non-empty numeric value, otherwise nDefault.
    ' CInt rounds fractional input and is limited to the Integer range, so a
    ' numeric string outside that range raises an overflow error here.
    If IsNull(nValue) Then
        GetValidNumberValue = nDefault
    ElseIf Not IsNumeric(nValue) Then
        GetValidNumberValue = nDefault
    ElseIf Len(nValue) = 0 Then
        GetValidNumberValue = nDefault
    Else
        GetValidNumberValue = CInt(nValue)
    End If
End Function

Function GetOSArchitecture()
    ' Reads PROCESSOR_ARCHITECTURE from the Session Manager Environment key
    ' through the 32-bit registry view (bIs64Bit = False). Returns the string,
    ' or Null - logged as LOG_FATALERROR - when the value cannot be read.
    Dim strValue
    strValue = g_objRegistry.ReadValue("HKEY_LOCAL_MACHINE", OS_REGKEY_ARCHITECTURE, OS_REGVALUE_ARCHITECTURE, "String", False)

    GetOSArchitecture = strValue
    If IsNull(strValue) Then
        g_objLog.WriteLog "GetOSArchitecture", LOG_FATALERROR, "Cannot retrieve OS architecture"
    End If
End Function

Class OSInfo
' Plain data holder filled by GetWindowsInfo from the local Win32_OperatingSystem
' instance and consumed by GetOS.
Public m_strName ' Win32_OperatingSystem.Name
Public m_strVersion ' Win32_OperatingSystem.Version; GetOS uses its "major.minor" prefix
Public m_strServicePack ' Win32_OperatingSystem.ServicePackMajorVersion
Public m_iProductType ' 1- Desktop, 2 - DC, 3 - Server
Public m_strBuildNumber ' Win32_OperatingSystem.BuildNumber
End Class

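Function GetWindowsInfo()
    ' Queries the local Win32_OperatingSystem instance over WMI and returns an
    ' OSInfo object holding its Name, Version, ServicePackMajorVersion,
    ' ProductType and BuildNumber (the last instance wins if several are
    ' returned). Returns Null, logged as LOG_ERROR, when the WMI connection or
    ' the query fails. Callers test the result with IsObject.
    ' Fix: failure used "Set GetWindowsInfo = Null". Set needs an object
    ' reference and Null is not one, so that statement itself errored (silently,
    ' under On Error Resume Next) and the function returned Empty. The plain
    ' assignment below returns the Null the callers expect.
    On Error Resume Next
    Err.Clear ' Err is global; do not let a caller's stale error trip the checks below

    Dim strComputername, objWMIService, objQrySetting, objOS, objOSInfo

    strComputername = "." ' Local computer
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &amp; strComputername &amp; "\root\cimv2")
    If Err.Number &lt;&gt; 0 Then
        GetWindowsInfo = Null
        g_objLog.WriteLog "GetWindowsInfo", LOG_ERROR, "Cannot create WMI error=" + CStr(Err.Number)
        Err.Clear
        Exit Function
    End If

    Set objQrySetting = objWMIService.ExecQuery(WIN32OS_WMI_QUERY)
    ' A failed ExecQuery leaves objQrySetting unassigned (Empty), which IsObject rejects
    If Err.Number &lt;&gt; 0 Or Not IsObject(objQrySetting) Then
        GetWindowsInfo = Null
        g_objLog.WriteLog "GetWindowsInfo", LOG_ERROR, "Error query execution:" + CStr(Err.Number)
        Err.Clear
        Exit Function
    End If

    Set objOSInfo = New OSInfo
    For Each objOS In objQrySetting
        If Not IsObject(objOS) Then
            GetWindowsInfo = Null
            g_objLog.WriteLog "GetWindowsInfo", LOG_ERROR, "Error query execution:" + CStr(Err.Number)
            Err.Clear
            Exit Function
        End If

        objOSInfo.m_strName = objOS.Name
        objOSInfo.m_strVersion = objOS.Version
        objOSInfo.m_strServicePack = objOS.ServicePackMajorVersion
        objOSInfo.m_iProductType = objOS.ProductType
        objOSInfo.m_strBuildNumber = objOS.BuildNumber
    Next

    g_objLog.WriteLog "GetWindowsInfo:", LOG_INFO, FormatString5("Name = {0} Version = {1} ServicePack = {2} ProductType = {3} BuildNumber = {4}", _
        objOSInfo.m_strName, objOSInfo.m_strVersion, objOSInfo.m_strServicePack, objOSInfo.m_iProductType, objOSInfo.m_strBuildNumber)

    Set GetWindowsInfo = objOSInfo

    Set objWMIService = Nothing
    Set objQrySetting = Nothing
    Set objOS = Nothing
End Function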

' OS identifiers returned by GetOS (Null when the version/product type is not in its table)
const Windows_XP = "XP"
const Windows_Vista = "Vista"
const Windows_Windows7 = "Windows7"
const Windows_2003 = "Server_2003"
const Windows_2008 = "Server_2008"
const Windows_2008R2 = "Server_2008_R2"

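Function GetOS(objOSInfo)
    ' Maps an OSInfo object (from GetWindowsInfo) to one of the Windows_*
    ' constants above, keyed on the "major.minor" prefix of m_strVersion and on
    ' m_iProductType (3 = server, 1 = desktop). Returns Null, logged as
    ' LOG_ERROR, for a non-object argument, and Null without logging when the
    ' version cannot be split or the pair is not in the table. "5.2" maps to
    ' Server 2003 on a server and to XP (x64) on a desktop.
    ' Fix: m_iProductType arrives from WMI as a number, and VBScript never
    ' treats a numeric operand as equal to a string operand, so the original
    ' comparisons against "3" / "1" could not match a numeric value; both sides
    ' are now compared as strings through CStr.
    On Error Resume Next
    Err.Clear

    If Not IsObject(objOSInfo) Then
        GetOS = Null
        g_objLog.WriteLog "GetOS", LOG_ERROR, "invalid object:" + CStr(Err.Number)
        Err.Clear
        Exit Function
    End If

    Dim verArray, osMajorVersion, strProductType
    GetOS = Null

    verArray = Split(objOSInfo.m_strVersion, ".", -1, 1)
    If Not IsArray(verArray) Then Exit Function
    If UBound(verArray) &lt; 1 Then Exit Function ' need at least "major.minor"
    osMajorVersion = verArray(0) + "." + verArray(1)

    strProductType = CStr(objOSInfo.m_iProductType)
    If strProductType = "3" Then
        ' 3 is server OS
        Select Case osMajorVersion
            Case "6.1"
                GetOS = Windows_2008R2
            Case "6.0"
                GetOS = Windows_2008
            Case "5.2"
                GetOS = Windows_2003
        End Select
    ElseIf strProductType = "1" Then
        ' 1 is desktop OS
        Select Case osMajorVersion
            Case "6.1"
                GetOS = Windows_Windows7
            Case "6.0"
                GetOS = Windows_Vista
            Case "5.1", "5.2"
                GetOS = Windows_XP
        End Select
    End If
End Function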

' Registry hive handles as expected by the StdRegProv WMI provider (see CRegistry.DecodeHive)
const HKEY_CLASSES_ROOT = &amp;H80000000
const HKEY_CURRENT_USER = &amp;H80000001
const HKEY_LOCAL_MACHINE = &amp;H80000002
const HKEY_USERS = &amp;H80000003
const HKEY_CURRENT_CONFIG = &amp;H80000005

' Registry value-type codes returned by StdRegProv.EnumValues (see CRegistry.ReadEnumRegistryValue)
const REG_SZ = 1
const REG_EXPAND_SZ = 2
const REG_BINARY = 3
const REG_DWORD = 4
const REG_MULTI_SZ = 7

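Class CRegistry
    ' Registry access through the WMI StdRegProv provider (REG_WMICLASS_PROVIDERNAME
    ' in REG_WMI_NAMESPACE), with the 32- or 64-bit provider view chosen per call.
    ' Readers return Null on any failure and log through g_objLog; writes report
    ' failure through the provider's return code.
    ' Fixes in this revision: CreateWMIRegProvider now returns Nothing instead of
    ' Null on failure ("Set x = Null" is not an object assignment and errored
    ' silently), callers test the provider with Is Nothing, and WriteValue checks
    ' the provider's return code - StdRegProv reports failure that way, so the
    ' former Err.Number checks never fired.

    Public m_bIs64Bit ' NOTE(review): not read by any method in this class; callers pass bIs64Bit per call

    Private Function CreateWMIRegProvider(bIs64Bit)
        ' Connects to StdRegProv with __ProviderArchitecture set to 64 or 32 so the
        ' matching registry view is used. Returns the provider object, or Nothing
        ' (logged as LOG_ERROR) when any of the COM/WMI steps fails.
        Dim objReg, objCtx, objLocator, objServices

        On Error Resume Next
        Err.Clear

        Set CreateWMIRegProvider = Nothing

        Set objCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
        If Err.Number &lt;&gt; 0 Then
            g_objLog.WriteLog "CreateWMIRegProvider", LOG_ERROR, "Cannot create object WbemScripting.SWbemNamedValueSet, error=" + CStr(Err.Number)
            Err.Clear
            Exit Function
        End If

        If bIs64Bit Then
            objCtx.Add "__ProviderArchitecture", 64
        Else
            objCtx.Add "__ProviderArchitecture", 32
        End If

        Set objLocator = CreateObject("Wbemscripting.SWbemLocator")
        If Err.Number &lt;&gt; 0 Then
            g_objLog.WriteLog "CreateWMIRegProvider", LOG_ERROR, "Cannot create object WbemScripting.SWbemLocator, error=" + CStr(Err.Number)
            Err.Clear
            Exit Function
        End If

        Set objServices = objLocator.ConnectServer("", REG_WMI_NAMESPACE,"","",,,,objCtx)
        Set objReg = objServices.Get(REG_WMICLASS_PROVIDERNAME)

        If Err.Number = 0 Then
            Set CreateWMIRegProvider = objReg
        Else
            g_objLog.WriteLog "CreateWMIRegProvider", LOG_ERROR, "Cannot create WMI registry provider, error=" + CStr(Err.Number)
            Err.Clear
        End If
    End Function

    Private Function DecodeHive(strHive)
        ' Maps a hive name ("HKEY_LOCAL_MACHINE", ...) to the HKEY_* handle constant.
        ' Returns Null, logged as LOG_ERROR, for an unknown name.
        Select Case strHive
            Case "HKEY_CLASSES_ROOT"
                DecodeHive = HKEY_CLASSES_ROOT
            Case "HKEY_CURRENT_USER"
                DecodeHive = HKEY_CURRENT_USER
            Case "HKEY_LOCAL_MACHINE"
                DecodeHive = HKEY_LOCAL_MACHINE
            Case "HKEY_USERS"
                DecodeHive = HKEY_USERS
            Case "HKEY_CURRENT_CONFIG"
                DecodeHive = HKEY_CURRENT_CONFIG
            Case Else
                g_objLog.WriteLog "DecodeHive", LOG_ERROR, "Can't decode hive value " + strHive
                DecodeHive = Null
        End Select
    End Function

    Private Function ReadEnumRegistryValue(strHive, strKey, strValueType, bIs64Bit)
        ' Enumerates the values under strKey and returns their NAMES joined with ";".
        ' strValueType "*" lists every value; "String" lists only REG_SZ values and
        ' "DWORD" only REG_DWORD values (each such value is read once, purely to
        ' confirm it is readable - the data itself is not returned). Returns "" for
        ' a key with no values and Null, logged as LOG_ERROR, when the hive name,
        ' the provider, the enumeration or one of the reads fails.
        Dim objReg, lHive, strWholeValue, strValue, strValueName, arrValueNames, arrValueTypes, i
        Const C_Delimiter = ";"
        On Error Resume Next
        Err.Clear

        lHive = DecodeHive(strHive)
        If IsNull(lHive) Then
            ReadEnumRegistryValue = Null
            Exit Function
        End If

        Set objReg = CreateWMIRegProvider(bIs64Bit)
        If objReg Is Nothing Then
            ReadEnumRegistryValue = Null
            Exit Function
        End If

        strWholeValue = ""
        objReg.EnumValues lHive, strKey, arrValueNames, arrValueTypes
        If Err.Number &lt;&gt; 0 Then
            g_objLog.WriteLog "ReadEnumRegistryValue", LOG_ERROR, "Cannot enumerate registry key: " + strKey
            ReadEnumRegistryValue = Null
            Err.Clear
            Exit Function
        End If
        ' EnumValues returns Null arrays for a key without values
        If IsNull(arrValueNames) Or IsNull(arrValueTypes) Then
            ReadEnumRegistryValue = strWholeValue
            Exit Function
        End If

        For i = 0 To UBound(arrValueNames)
            strValueName = arrValueNames(i)
            If strValueType = "*" Then
                AddToDelimitedString strWholeValue, strValueName, C_Delimiter
            Else
                Select Case arrValueTypes(i)
                    Case REG_SZ
                        If strValueType = "String" Then
                            objReg.GetStringValue lHive,strKey,strValueName,strValue
                            If Err.Number &lt;&gt; 0 Then
                                g_objLog.WriteLog "ReadEnumRegistryValue", LOG_ERROR, "Cannot read registry key: " + strKey + ", value name: " + strValueName + ", type: " + strValueType
                                ReadEnumRegistryValue = Null
                                Err.Clear
                                Exit Function
                            End If
                            AddToDelimitedString strWholeValue, strValueName, C_Delimiter
                        End If
                    Case REG_DWORD
                        If strValueType = "DWORD" Then
                            objReg.GetDWORDValue lHive,strKey,strValueName,strValue
                            If Err.Number &lt;&gt; 0 Then
                                g_objLog.WriteLog "ReadEnumRegistryValue", LOG_ERROR, "Cannot read registry key: " + strKey + ", value name: " + strValueName + ", type: " + strValueType
                                ReadEnumRegistryValue = Null
                                Err.Clear
                                Exit Function
                            End If
                            AddToDelimitedString strWholeValue, strValueName, C_Delimiter
                        End If
                End Select
            End If
        Next

        ReadEnumRegistryValue = strWholeValue
    End Function

    Private Function ReadRegistryValue(strHive, strKey, strValueName, strValueType, bIs64Bit)
        ' Reads one registry value. strValueName "*" delegates to
        ' ReadEnumRegistryValue. strValueType selects the provider call:
        ' "String", "MultiString" (returns the array), "ExpandedString",
        ' "DWORD" (returned as Long), "QWORD" (returned as String), "Binary"
        ' (returns the byte array); any other type yields Null. A non-zero
        ' provider return code yields Null and is logged - as LOG_ERROR only
        ' when it is ERROR_ACCESS_DENIED, otherwise LOG_INFO, since a missing
        ' value is routine.
        Dim objReg, lHive, strValue, dwValue, abValue(), astrValue(), dwError

        On Error Resume Next
        Const ERROR_ACCESS_DENIED = 5 ' The only error code that will be translated as an error for logging
        Err.Clear

        If strValueName = "*" Then
            ReadRegistryValue = ReadEnumRegistryValue(strHive, strKey, strValueType, bIs64Bit)
            Exit Function
        End If

        lHive = DecodeHive(strHive)
        If IsNull(lHive) Then
            ReadRegistryValue = Null
            Exit Function
        End If

        Set objReg = CreateWMIRegProvider(bIs64Bit)
        If objReg Is Nothing Then
            ReadRegistryValue = Null
            Exit Function
        End If
        ReadRegistryValue = Null

        If strValueType = "String" Then
            dwError = objReg.GetStringValue( lHive,strKey,strValueName,strValue )
            If dwError &lt;&gt; 0 Then
                g_objLog.WriteLog "ReadRegistryValue", ConditionHelper(ERROR_ACCESS_DENIED=dwError, LOG_ERROR, LOG_INFO), FormatString4("Cannot read registry key: {0}, value name: {1}, type: {2}, error: {3}", strKey, strValueName, strValueType, dwError)
                ReadRegistryValue = Null
                Err.Clear
                Exit Function
            End If
        ElseIf strValueType = "MultiString" Then
            dwError = objReg.GetMultiStringValue( lHive,strKey,strValueName,astrValue )
            If dwError &lt;&gt; 0 Then
                g_objLog.WriteLog "ReadRegistryValue", ConditionHelper(ERROR_ACCESS_DENIED=dwError, LOG_ERROR, LOG_INFO), FormatString4("Cannot read registry key: {0}, value name: {1}, type: {2}, error: {3}", strKey, strValueName, strValueType, dwError)
                ReadRegistryValue = Null
                Err.Clear
                Exit Function
            End If
            If Not IsNull(astrValue) Then
                strValue = astrValue
            Else
                strValue = Null
            End If
        ElseIf strValueType = "ExpandedString" Then
            dwError = objReg.GetExpandedStringValue( lHive,strKey,strValueName,strValue )
            If dwError &lt;&gt; 0 Then
                g_objLog.WriteLog "ReadRegistryValue", ConditionHelper(ERROR_ACCESS_DENIED=dwError, LOG_ERROR, LOG_INFO), FormatString4("Cannot read registry key: {0}, value name: {1}, type: {2}, error: {3}", strKey, strValueName, strValueType, dwError)
                ReadRegistryValue = Null
                Err.Clear
                Exit Function
            End If
        ElseIf strValueType = "DWORD" Then
            dwError = objReg.GetDWORDValue( lHive,strKey,strValueName,dwValue )
            If dwError &lt;&gt; 0 Then
                g_objLog.WriteLog "ReadRegistryValue", ConditionHelper(ERROR_ACCESS_DENIED=dwError, LOG_ERROR, LOG_INFO), FormatString4("Cannot read registry key: {0}, value name: {1}, type: {2}, error: {3}", strKey, strValueName, strValueType, dwError)
                ReadRegistryValue = Null
                Err.Clear
                Exit Function
            End If
            If Not IsNull(dwValue) Then
                strValue = CLng(dwValue)
            Else
                strValue = Null
            End If
        ElseIf strValueType = "QWORD" Then
            dwError = objReg.GetQWORDValue( lHive,strKey,strValueName,dwValue )
            If dwError &lt;&gt; 0 Then
                g_objLog.WriteLog "ReadRegistryValue", ConditionHelper(ERROR_ACCESS_DENIED=dwError, LOG_ERROR, LOG_INFO), FormatString4("Cannot read registry key: {0}, value name: {1}, type: {2}, error: {3}", strKey, strValueName, strValueType, dwError)
                ReadRegistryValue = Null
                Err.Clear
                Exit Function
            End If
            If Not IsNull(dwValue) Then
                strValue = CStr(dwValue)
            Else
                strValue = Null
            End If
        ElseIf strValueType = "Binary" Then
            dwError = objReg.GetBinaryValue( lHive,strKey,strValueName,abValue )
            If dwError &lt;&gt; 0 Then
                g_objLog.WriteLog "ReadRegistryValue", ConditionHelper(ERROR_ACCESS_DENIED=dwError, LOG_ERROR, LOG_INFO), FormatString4("Cannot read registry key: {0}, value name: {1}, type: {2}, error: {3}", strKey, strValueName, strValueType, dwError)
                ReadRegistryValue = Null
                Err.Clear
                Exit Function
            End If
            If Not IsNull(abValue) Then
                strValue = abValue
            Else
                strValue = Null
            End If
        Else
            strValue = Null
        End If

        ' Any runtime error raised by the provider call itself (as opposed to a return code) also yields Null
        If Err.Number = 0 Then
            ReadRegistryValue = strValue
        Else
            ReadRegistryValue = Null
            Err.Clear
        End If
    End Function

    Public Function ReadValue(strHive, strKey, strValueName, strValueType, bIs64Bit)
        ' Public entry point for reads; see ReadRegistryValue for the supported
        ' strValueType names and the Null-on-failure contract.
        ReadValue = ReadRegistryValue(strHive, strKey, strValueName, strValueType,bIs64Bit)
    End Function

    Public Sub WriteValue(strHive, strKey, strValueName, strValueData, strValueType, bIs64Bit)
        ' Writes a "String" or "DWORD" value. A bad hive name or an unavailable
        ' provider is logged and the write is skipped; a non-zero provider return
        ' code is logged as LOG_ERROR. Any other strValueType raises error 87 to
        ' the caller. This Sub deliberately has no On Error Resume Next, so a
        ' runtime error inside the provider call propagates to the caller.
        Dim objReg, lHive, dwError

        lHive = DecodeHive(strHive)
        If IsNull(lHive) Then
            g_objLog.WriteLog "WriteValue", LOG_ERROR, "Cannot decode a hive name: " + strHive
            Exit Sub
        End If

        Set objReg = CreateWMIRegProvider(bIs64Bit)
        If objReg Is Nothing Then
            g_objLog.WriteLog "WriteValue", LOG_ERROR, "Cannot create WMI registry provider, key: " + strKey
            Exit Sub
        End If

        ' StdRegProv signals failure through its return value, not through Err
        If strValueType = "String" Then
            dwError = objReg.SetStringValue(lHive,strKey,strValueName,strValueData)
        ElseIf strValueType = "DWORD" Then
            dwError = objReg.SetDWORDValue(lHive,strKey,strValueName,strValueData)
        Else
            Err.Raise 87, "CRegistry", "Unsupported type: " + strValueType, "", ""
        End If

        If dwError &lt;&gt; 0 Then
            g_objLog.WriteLog "WriteValue", LOG_ERROR, FormatString4("Cannot write registry key: {0}, value name: {1}, type: {2}, error: {3}", strKey, strValueName, strValueType, dwError)
        End If
    End Sub


    Function DeleteValue(strHive, strKey, strValueName, bIs64Bit)
        ' Deletes one value and returns the provider's return code (0 on success).
        ' Returns 87 (invalid parameter) for an unknown hive name and 1 when the
        ' provider cannot be created; both cases are logged.
        Dim objReg, lHive

        lHive = DecodeHive(strHive)
        If IsNull(lHive) Then
            g_objLog.WriteLog "DeleteValue", LOG_ERROR, "Cannot decode a hive name: " + strHive
            DeleteValue = 87 ' Invalid parameter
            Exit Function
        End If

        Set objReg = CreateWMIRegProvider(bIs64Bit)
        If objReg Is Nothing Then
            g_objLog.WriteLog "DeleteValue", LOG_ERROR, "Cannot create WMI registry provider, key: " + strKey
            DeleteValue = 1 ' Generic non-zero failure: provider unavailable
            Exit Function
        End If

        DeleteValue = objReg.DeleteValue(lHive,strKey,strValueName)
    End Function
End Class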


' Severity values accepted by CLog.WriteLog. LOG_WARNING is declared here but the
' severity dispatch visible in WriteLog has no branch for it, so such entries are
' dropped (the Else branch exits the Sub).
Const LOG_SUCCESS = 0
Const LOG_ERROR = 1
Const LOG_FATALERROR = 2
Const LOG_WARNING = 4
Const LOG_INFO = 8
Const LOG_DEBUG = 16

Class CLog

Private m_iLogLevel ' NOTE(review): not read or written in the code visible here
Private m_iMaxLogSize ' Log file size cap in bytes; "max_size" from LOG_REGKEY, default 1000000 (see Init)
Private m_iEffortCount ' Set to 20 in Init; its use is outside this excerpt
Private m_objFSO ' Scripting.FileSystemObject, created only when logging is enabled
Private m_strFName ' Full path of the log file (m_strLogLocation + the name passed to Init)
Private m_bEnabled ' True only when LOG_REGVALUE_ENABLED under LOG_REGKEY equals 1
Private m_strMessageBuffer ' Formatted lines appended by WriteLog, CRLF-terminated
Private m_objAPI ' MOM.ScriptAPI object, when it could be created (see InitializeScriptingAPI)
Private m_bAPIEnabled ' True when m_objAPI was created successfully
Private m_bIsFatalErrorIssued ' Set by WriteLog on LOG_FATALERROR; read by IsFatalErrorIssued
Private m_strLogLocation ' Log folder: LOG_SUBFOLDER_NAME under the temporary folder (GetSpecialFolder(2))

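Public Function Init(strFName)
    ' Prepares the logger: reads the enable flag (LOG_REGVALUE_ENABLED = 1) and
    ' the "max_size" cap from LOG_REGKEY, and when logging is enabled creates
    ' the FileSystemObject, resolves the log file as strFName inside
    ' LOG_SUBFOLDER_NAME under the temporary folder (GetSpecialFolder(2)), and
    ' deletes an existing log file that is larger than the cap (no archiving).
    ' Returns True on success and also when logging is disabled (WriteLog is
    ' then a no-op); False when the FileSystemObject, file lookup or delete fails.
    ' NOTE(review): failures are reported through the global g_objLog, which may
    ' be this very instance. Unused locals of the original (a log-level value name
    ' that was never read) and the no-op "m_iMaxLogSize = m_iMaxLogSize" are gone.
    On Error Resume Next
    Err.Clear ' Err is global; clear a caller's stale error before the CreateObject check below
    Dim strRootRegKey, iEnabled, objLogFile

    strRootRegKey = LOG_REGKEY
    m_iEffortCount = 20
    m_strMessageBuffer = ""
    m_bIsFatalErrorIssued = False

    m_bEnabled = False

    iEnabled = g_objRegistry.ReadValue("HKEY_LOCAL_MACHINE", strRootRegKey, LOG_REGVALUE_ENABLED, "DWORD", g_bIs64Bit)
    If Not IsNull(iEnabled) Then
        If iEnabled = 1 Then
            m_bEnabled = True
        End If
    End If

    ' Size cap in bytes; 1000000 when the value is absent or unreadable
    m_iMaxLogSize = g_objRegistry.ReadValue("HKEY_LOCAL_MACHINE", strRootRegKey, "max_size", "DWORD", g_bIs64Bit)
    If IsNull(m_iMaxLogSize) Then
        m_iMaxLogSize = 1000000
    End If

    If m_bEnabled = True Then
        InitializeScriptingAPI()
        Set m_objFSO = CreateObject("Scripting.FileSystemObject")
        If Err.Number &lt;&gt; 0 Then
            g_objLog.WriteLog "CLog.Init", LOG_ERROR, "Cannot initialize"
            Init = False
            Err.Clear
            Exit Function
        End If

        ' GetSpecialFolder(2) is the TemporaryFolder
        m_strLogLocation = m_objFSO.BuildPath(m_objFSO.GetSpecialFolder(2), LOG_SUBFOLDER_NAME)
        m_strFName = m_objFSO.BuildPath(m_strLogLocation, strFName)

        If m_objFSO.FileExists(m_strFName) Then
            Set objLogFile = m_objFSO.GetFile(m_strFName)
            If Err.Number &lt;&gt; 0 Then
                g_objLog.WriteLog "CLog.Init", LOG_ERROR, "Cannot get log file"
                Init = False
                Err.Clear
                Exit Function
            End If
            ' Rotation is delete-on-overflow: an oversized log is dropped, not renamed
            If objLogFile.Size &gt; m_iMaxLogSize Then
                m_objFSO.DeleteFile m_strFName
            End If

            If Err.Number &lt;&gt; 0 Then
                g_objLog.WriteLog "CLog.Init", LOG_ERROR, "Cannot delete file"
                Init = False
                Err.Clear
                Exit Function
            End If
        End If
    End If

    Init = True

    WriteLog "CLog.Init", LOG_INFO, "Initialized successfully"
End Function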

Function InitializeScriptingAPI()
On Error Resume Next
Err.Clear

Set m_objAPI = CreateObject("MOM.ScriptAPI")
If Err.Number = 0 Then
m_bAPIEnabled = True
Else
Err.Clear
m_bAPIEnabled = False
End If
End Function

Public Function IsFatalErrorIssued()
IsFatalErrorIssued = m_bIsFatalErrorIssued
End Function

Public Sub WriteLog(strFuncName, iSeverity, strMessage)
Dim objShell, strFmtMessage, strErrSeverityMessage, iLogSeverity, strEntityMsg
Dim iEffort, strTime

On Error Resume Next
Err.Clear

If m_bEnabled = False Then
Exit Sub
End If

Const Error_event = 1
Const Warning_event = 2
Const Information_event = 0

If iSeverity = LOG_SUCCESS Then
strErrSeverityMessage = "SUCCESS"
iLogSeverity = Information_event
ElseIf iSeverity = LOG_ERROR Then
strErrSeverityMessage = "ERROR"
iLogSeverity = Error_event
ElseIf iSeverity = LOG_INFO Then
strErrSeverityMessage = "INFO"
iLogSeverity = Information_event
ElseIf iSeverity = LOG_FATALERROR Then
strErrSeverityMessage = "FATAL ERROR"
m_bIsFatalErrorIssued = True
iLogSeverity = Error_event
ElseIf iSeverity = LOG_DEBUG Then
strErrSeverityMessage = "DEBUG"
iLogSeverity = Information_event
Else
Exit Sub
End If

If m_bEnabled = True Then
strTime = CStr(Date) + " " + CStr(Hour(Now)) + ":" + CStr(Minute(Now)) + "." + CStr(Second(Now))
strFmtMessage = strTime + " " + strErrSeverityMessage + " " + strFuncName + ":" + strMessage
m_strMessageBuffer = m_strMessageBuffer + strFmtMessage + vbCrLf

If m_bAPIEnabled Then 'Write to ops manager log as well
m_objAPI.LogScriptEvent "Forefront Endpoint Protection", 1000, iLogSeverity, strFmtMessage
End If
End If

End Sub

Public Function SaveLogToDisk()
On Error Resume Next
Dim objTextFile
Dim iEffort

If m_bEnabled = False Then
Exit Function
End If

SaveLogToDisk = False
For iEffort = 0 To m_iEffortCount
If Not m_objFSO.FolderExists(m_strLogLocation) Then
m_objFSO.CreateFolder m_strLogLocation
End If
Err.Clear
Set objTextFile = m_objFSO.OpenTextFile (m_strFName, 8, True, 0)
If Err.Number = 0 Then
objTextFile.WriteLine(m_strMessageBuffer)
objTextFile.Close

If Err.Number = 0 Then
SaveLogToDisk = True
Exit For
End If
End If
Next

End Function

End Class




' Win32_ProcessStartup.ShowWindow value: start the process without a visible window.
Const SW_HIDE = 0

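Class CWmiProcess
    ' Thin wrapper over the Win32_Process WMI class: start a process (optionally
    ' waiting for it to exit), look processes up by name or PID, and terminate
    ' by name. Nothing in the visible part of this script calls it; it belongs
    ' to the shared library portion.
    Private m_bIsInitialized
    Private m_objWMIService

    ' Connects to WIN32PROC_WMI_NAMESPACE. On Error Resume Next is essential:
    ' without it a failed GetObject leaves the constructor immediately and the
    ' Err check below never runs (which is how the original behaved).
    Public Sub Class_Initialize
        On Error Resume Next
        Err.Clear
        m_bIsInitialized = False

        Set m_objWMIService = GetObject(WIN32PROC_WMI_NAMESPACE)
        If Err.Number &lt;&gt; 0 Or Not IsObject(m_objWMIService) Then
            ' Fix: the old message blamed WScript.Shell, which is not what is created here.
            g_objLog.WriteLog "CWmiProcess::Class_Initialize", LOG_ERROR, "Cannot connect to WMI namespace, error=" &amp; CStr(Err.Number)
            Err.Clear
            Exit Sub
        End If

        m_bIsInitialized = True
    End Sub

    ' Starts strCmdLine through Win32_Process.Create with a hidden window and
    ' returns Create's result (0 = success). When bWaitExit is True, polls the
    ' process once per millisecond for up to dwTimeout milliseconds and returns
    ' WBEM_S_TIMEDOUT if it is still running afterwards.
    ' SECURITY: strCmdLine is passed to Win32_Process.Create verbatim and the
    ' child runs under the account executing this script (for a monitoring
    ' agent typically a highly privileged one). Never build it from untrusted
    ' data such as detection metadata.
    Public Function Execute(strCmdLine, bWaitExit, dwTimeout)
        Const WBEM_S_TIMEDOUT = &amp;H40004
        Const WBEM_PROCESS_CREATE_INVALID_PARAMETER = 21
        Dim objProcessClass, objStartupClass, objStartupInfo, intProcessID

        On Error Resume Next
        Err.Clear

        If Not m_bIsInitialized Then
            Execute = WBEM_PROCESS_CREATE_INVALID_PARAMETER
            Exit Function
        End If

        Set objStartupClass = m_objWMIService.Get(WIN32PROCSTUP_WMICLASS_PROVIDERNAME)
        Set objStartupInfo = objStartupClass.SpawnInstance_
        objStartupInfo.ShowWindow = SW_HIDE

        Set objProcessClass = m_objWMIService.Get("Win32_Process")
        Execute = objProcessClass.Create(strCmdLine, Null, objStartupInfo, intProcessID)
        If Err.Number &lt;&gt; 0 Then
            ' Create could not even be invoked (e.g. a Get above failed); previously
            ' Execute stayed Empty and compared equal to 0, i.e. looked like success.
            ' Hand back the script error number so the caller sees a nonzero result.
            g_objLog.WriteLog "CWmiProcess::Execute", LOG_ERROR, "Cannot invoke Win32_Process.Create, error=" &amp; CStr(Err.Number)
            Execute = Err.Number
            Err.Clear
            Exit Function
        End If
        If Execute &lt;&gt; 0 Then
            ' Fix: the old message concatenated the numeric code with "+", which raised
            ' a type mismatch and, under Resume Next, skipped the log line entirely.
            g_objLog.WriteLog "CWmiProcess::Execute", LOG_ERROR, "Cannot create process, error=" &amp; CStr(Execute)
            Err.Clear
            Exit Function
        End If

        If Not bWaitExit Then Exit Function

        ' Busy wait: one WMI lookup per millisecond until exit or timeout.
        Do While DoesProcessRunByID(intProcessID) And dwTimeout &gt; 0
            WScript.Sleep 1
            dwTimeout = dwTimeout - 1
        Loop

        If DoesProcessRunByID(intProcessID) Then
            g_objLog.WriteLog "CWmiProcess::Execute", LOG_ERROR, "TimeOut exceeded"
            Execute = WBEM_S_TIMEDOUT ' Play with WMI's agenda
            Err.Clear
        End If
    End Function

    ' Returns the Win32_Process collection matching strProcessName, or Nothing
    ' when the wrapper is not initialised. NOTE(review): the name is formatted
    ' into WIN32PROC_BYNAME_WMI_QUERY without any escaping, so a name containing
    ' the query's quote character breaks or alters the WQL; pass trusted names only.
    Public Function GetProcess(strProcessName)
        Dim colMatches

        On Error Resume Next
        Err.Clear

        If Not m_bIsInitialized Then
            Set GetProcess = Nothing
            Exit Function
        End If

        Set colMatches = m_objWMIService.ExecQuery(FormatString1(WIN32PROC_BYNAME_WMI_QUERY, strProcessName))
        Set GetProcess = colMatches
        If Err.Number &lt;&gt; 0 Then
            g_objLog.WriteLog "CWmiProcess::GetProcess", LOG_ERROR, "Cannot enumerate processes, error=" &amp; CStr(Err.Number)
            Err.Clear
        End If
    End Function

    ' Returns the Win32_Process collection for the given process ID, or Nothing
    ' when the wrapper is not initialised.
    Public Function GetProcessByID(intProcessID)
        Dim colMatches

        On Error Resume Next
        Err.Clear

        If Not m_bIsInitialized Then
            Set GetProcessByID = Nothing
            Exit Function
        End If

        ' Fix: the old call passed CStr(intProcessID) as ExecQuery's SECOND argument
        ' (the query language), so the PID never reached the query text. Format it
        ' into the query the way GetProcess does. Assumes WIN32PROC_BYID_WMI_QUERY
        ' carries a {0} placeholder like its by-name sibling -- confirm.
        Set colMatches = m_objWMIService.ExecQuery(FormatString1(WIN32PROC_BYID_WMI_QUERY, CStr(intProcessID)))
        Set GetProcessByID = colMatches
        If Err.Number &lt;&gt; 0 Then
            g_objLog.WriteLog "CWmiProcess::GetProcessByID", LOG_ERROR, "Cannot enumerate processes, error=" &amp; CStr(Err.Number)
            Err.Clear
        End If
    End Function

    ' True when at least one process with the given ID is found; False when the
    ' wrapper is not initialised, the lookup failed or nothing matched.
    Public Function DoesProcessRunByID(intProcessID)
        Dim objProc, colMatches

        On Error Resume Next
        Err.Clear

        DoesProcessRunByID = False
        If Not m_bIsInitialized Then Exit Function

        Set colMatches = GetProcessByID(intProcessID)
        ' Fix: IsError() only detects Variants of the Error subtype, which the lookup
        ' never produces; test for a missing collection object instead.
        If Not IsObject(colMatches) Then Exit Function
        If colMatches Is Nothing Then Exit Function

        For Each objProc In colMatches
            DoesProcessRunByID = True
        Next

        If Err.Number &lt;&gt; 0 Then
            g_objLog.WriteLog "CWmiProcess::DoesProcessRunByID", LOG_ERROR, "DoesProcessRunByID failed, error=" &amp; CStr(Err.Number)
            DoesProcessRunByID = False
            Err.Clear
        End If
    End Function

    ' Terminates EVERY running process whose name matches strProcessName.
    ' Returns True when the enumeration and all Terminate calls raised no error.
    Public Function KillProcess(strProcessName)
        Dim objProc, colMatches

        On Error Resume Next
        Err.Clear

        KillProcess = False
        If Not m_bIsInitialized Then Exit Function

        Set colMatches = GetProcess(strProcessName)
        ' Same IsError() fix as in DoesProcessRunByID; the log tag also named the
        ' wrong function before.
        If Not IsObject(colMatches) Then
            g_objLog.WriteLog "CWmiProcess::KillProcess", LOG_WARNING, "processes doesn't run:" &amp; strProcessName
            Exit Function
        End If
        If colMatches Is Nothing Then
            g_objLog.WriteLog "CWmiProcess::KillProcess", LOG_WARNING, "processes doesn't run:" &amp; strProcessName
            Exit Function
        End If

        For Each objProc In colMatches
            objProc.Terminate()
        Next
        If Err.Number &lt;&gt; 0 Then
            g_objLog.WriteLog "CWmiProcess::KillProcess", LOG_ERROR, "KillProcess failed, error=" &amp; CStr(Err.Number)
            Err.Clear
            Exit Function
        End If

        KillProcess = True
    End Function

End Class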

' Partial simulation of the .NET String.Format method.
' Supports {n}, {n:x} and {n:X}, where n is the zero-based position of the parameter;
' the :x / :X (lower/upper-case hexadecimal) forms are applied only to integral parameters.
' Single-parameter convenience wrapper around FormatString.
Function FormatString1(strFormat, param1)
    Dim aArgs
    aArgs = Array(param1)
    FormatString1 = FormatString(strFormat, aArgs)
End Function

' Two-parameter convenience wrapper around FormatString.
Function FormatString2(strFormat, param1, param2)
    Dim aArgs
    aArgs = Array(param1, param2)
    FormatString2 = FormatString(strFormat, aArgs)
End Function

' Three-parameter convenience wrapper around FormatString.
Function FormatString3(strFormat, param1, param2, param3)
    Dim aArgs
    aArgs = Array(param1, param2, param3)
    FormatString3 = FormatString(strFormat, aArgs)
End Function

' Four-parameter convenience wrapper around FormatString.
Function FormatString4(strFormat, param1, param2, param3, param4)
    Dim aArgs
    aArgs = Array(param1, param2, param3, param4)
    FormatString4 = FormatString(strFormat, aArgs)
End Function

' Five-parameter convenience wrapper around FormatString.
Function FormatString5(strFormat, param1, param2, param3, param4, param5)
    Dim aArgs
    aArgs = Array(param1, param2, param3, param4, param5)
    FormatString5 = FormatString(strFormat, aArgs)
End Function

' Generic version: replaces {n}, {n:x} and {n:X} in strFormat with the n-th
' element of arrayParams. Null parameters render as "null"; the hexadecimal
' forms are only substituted for Byte/Integer/Long/Decimal parameters.
' {n} matching is case-insensitive, {n:x}/{n:X} matching is case-sensitive.
' Note: substitution is textual and sequential, so a parameter value that
' itself contains a later placeholder (e.g. "{1}") is rewritten too -- do not
' rely on this for untrusted input.
Function FormatString(strFormat, arrayParams)
    Dim idx, param, vValue

    FormatString = strFormat
    idx = 0
    For Each param In arrayParams
        If IsNull(param) Then vValue = "null" Else vValue = param

        Select Case TypeName(param)
            Case "Byte", "Integer", "Long", "Decimal"
                ' Hex() yields upper case; LCase gives the {n:x} variant.
                FormatString = Replace(FormatString, "{" &amp; CStr(idx) &amp; ":x}", LCase(Hex(vValue)), 1, -1, vbBinaryCompare)
                FormatString = Replace(FormatString, "{" &amp; CStr(idx) &amp; ":X}", Hex(vValue), 1, -1, vbBinaryCompare)
        End Select

        FormatString = Replace(FormatString, "{" &amp; CStr(idx) &amp; "}", CStr(vValue), 1, -1, vbTextCompare)
        idx = idx + 1
    Next
End Function

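Function IsVersionSupported(strMinVersion, strVersion)
    ' Returns True when the dotted version strVersion is greater than or equal
    ' to strMinVersion, comparing component by component from the left.
    ' Numeric components are compared as numbers (fix: the old code compared
    ' them as strings, so "2.10" was rejected against a minimum of "2.9");
    ' non-numeric components fall back to a string comparison.
    ' A component higher than the minimum decides immediately (fix: the old
    ' code kept checking trailing components and could reject "3" for "2.1.5").
    ' When strVersion has fewer components, the minimum's remaining components
    ' must all be zero ("1.0" satisfies "1.0.0" but not "1.0.1").
    ' Null or empty input is never supported (fix: the old guard set False but
    ' did not return).
    Dim aMinVer, aVer, cMinVer, cVer, cMin, i
    Dim vMinPart, vPart

    IsVersionSupported = False

    If IsNull(strMinVersion) Or IsNull(strVersion) Then Exit Function
    If Len(strMinVersion) = 0 Or Len(strVersion) = 0 Then Exit Function
    If strMinVersion = strVersion Then
        IsVersionSupported = True
        Exit Function
    End If

    aMinVer = Split(strMinVersion, ".")
    aVer = Split(strVersion, ".")
    cMinVer = UBound(aMinVer)
    cVer = UBound(aVer)
    If cVer &gt; cMinVer Then cMin = cMinVer Else cMin = cVer

    For i = 0 To cMin
        vMinPart = aMinVer(i)
        vPart = aVer(i)
        If IsNumeric(vMinPart) And IsNumeric(vPart) Then
            vMinPart = CDbl(vMinPart)
            vPart = CDbl(vPart)
        End If
        If vPart &gt; vMinPart Then
            IsVersionSupported = True
            Exit Function
        End If
        If vPart &lt; vMinPart Then Exit Function
    Next

    ' All shared components are equal.
    If cVer &gt;= cMinVer Then
        IsVersionSupported = True
        Exit Function
    End If

    ' strVersion is shorter: it qualifies only if the minimum's extra components are all zero.
    For i = cMin + 1 To cMinVer
        If Not IsNumeric(aMinVer(i)) Then Exit Function
        If CDbl(aMinVer(i)) &lt;&gt; 0 Then Exit Function
    Next
    IsVersionSupported = True
End Function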

' Inline conditional: yields op1 when cond is true, otherwise op2.
' Both operands are evaluated by the caller before the call, unlike a real
' ternary operator, and object operands are not supported (no Set).
Function ConditionHelper(cond, op1, op2)
    ConditionHelper = op2
    If cond Then ConditionHelper = op1
End Function

' Appends strNewValue to strDelimitedString (in place), inserting strDelimiter
' first unless the string is still empty.
Sub AddToDelimitedString(ByRef strDelimitedString, strNewValue, strDelimiter)
    Dim strSeparator

    strSeparator = ""
    If Len(strDelimitedString) &gt; 0 Then strSeparator = strDelimiter
    strDelimitedString = strDelimitedString &amp; strSeparator &amp; strNewValue
End Sub

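Class CMalwareDetection
    ' Metadata of one malware detection (severity, category, info link, path,
    ' additional actions) read from the detection event that carries the
    ' matching detection ID. Not called anywhere in the visible part of this
    ' script, which takes the same values from its command-line arguments.
    Private m_Path
    Private m_FWLink
    Private m_Category
    Private m_Severity
    Private m_AdditionalActions

    Public Property Get Path
        Path = m_Path
    End Property

    Public Property Get FWLink
        FWLink = m_FWLink
    End Property

    Public Property Get Category
        Category = m_Category
    End Property

    Public Property Get Severity
        Severity = m_Severity
    End Property

    Public Property Get AdditionalActions
        AdditionalActions = m_AdditionalActions
    End Property

    ' Walks the events returned by EVTLOG_MW_DETECTION_WMI_QUERY and copies the
    ' metadata of the first one whose insertion string 2 equals strDetectionID.
    ' Insertion string slots read: 2 = detection ID, 9 = severity, 11 = category,
    ' 12 = FWLink, 21 = path, 37 = additional actions (the event's layout).
    ' Returns True when found; False when WMI is unreachable, the query fails
    ' or no event matches. Fix: the WMI error checks below only work under
    ' On Error Resume Next, which the original did not set.
    ' SECURITY: the copied values are attacker-influenced text (the malware
    ' picks its own file name and path). They are fit for display and logging
    ' only; never use them to build commands, queries or markup.
    Public Function LoadMetadataFromEventLog(strDetectionID)
        Dim oEventLogWmi, colLoggedEvents, objEvent, strEventDetectionID, bHasMetadata

        On Error Resume Next
        Err.Clear

        LoadMetadataFromEventLog = False

        Set oEventLogWmi = GetObject(CIMV2_WMI_NAMESPACE)
        If Err.Number &lt;&gt; 0 Or Not IsObject(oEventLogWmi) Then
            g_objLog.WriteLog "CMalwareDetection::LoadMetadataFromEventLog", LOG_ERROR, "Unable to connect to WMI"
            Err.Clear
            Exit Function
        End If

        Set colLoggedEvents = oEventLogWmi.ExecQuery(EVTLOG_MW_DETECTION_WMI_QUERY)
        If Err.Number &lt;&gt; 0 Or Not IsObject(colLoggedEvents) Then
            g_objLog.WriteLog "CMalwareDetection::LoadMetadataFromEventLog", LOG_ERROR, "Unable to query for malware clean success/failure events"
            Err.Clear
            Exit Function
        End If

        For Each objEvent In colLoggedEvents
            ' Slot 37 is the highest one read, so the array must reach at least that
            ' index. Checked in two steps because VBScript does not short-circuit.
            bHasMetadata = IsArray(objEvent.InsertionStrings)
            If bHasMetadata Then bHasMetadata = (UBound(objEvent.InsertionStrings) &gt;= 37)

            If Not bHasMetadata Then
                g_objLog.WriteLog "CMalwareDetection::LoadMetadataFromEventLog", LOG_WARNING, "Found a detection event with missing metadata, skipping..."
            Else
                strEventDetectionID = objEvent.InsertionStrings(2)
                If strEventDetectionID = strDetectionID Then
                    m_Severity = objEvent.InsertionStrings(9)
                    m_Category = objEvent.InsertionStrings(11)
                    m_FWLink = objEvent.InsertionStrings(12)
                    m_Path = objEvent.InsertionStrings(21)
                    m_AdditionalActions = objEvent.InsertionStrings(37)

                    g_objLog.WriteLog "CMalwareDetection::LoadMetadataFromEventLog", LOG_INFO, "Found metadata for detection ID (" &amp; strDetectionID &amp; "): " &amp; vbNewLine _
                        &amp; "Severity: " &amp; m_Severity &amp; vbNewLine _
                        &amp; "Category: " &amp; m_Category &amp; vbNewLine _
                        &amp; "FWLink: " &amp; m_FWLink &amp; vbNewLine _
                        &amp; "Path: " &amp; m_Path &amp; vbNewLine _
                        &amp; "Additional Actions: " &amp; m_AdditionalActions &amp; vbNewLine

                    LoadMetadataFromEventLog = True
                    Exit Function
                End If
            End If
        Next

        ' Unable to find detection ID
        g_objLog.WriteLog "CMalwareDetection::LoadMetadataFromEventLog", LOG_ERROR, "Unable to find desired detection ID: " &amp; strDetectionID
        LoadMetadataFromEventLog = False
    End Function
End Class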



' Pin the locale for the rest of the script. Presumably so that implicit
' conversions below (the "true"/"false" IsInfoIncluded argument, date text in
' the log) do not depend on the agent account's regional settings -- confirm.
SetLocale("en-us")

' Names of the values this probe puts into the output property bag. Whatever
' consumes the bag (the management pack's monitor/rule, not visible here) reads
' them by these names, so they are part of the probe's contract.
' The ThreatName/Path/Severity/Category/FWLink/AdditionalActions values come
' from the detection (WMI or the script arguments) and are attacker-influenced
' text; downstream consumers should treat them as untrusted display data.
const ComputerStatusPropertyName = "ComputerStatus"
const PendingFullScanPropertyName = "PendingFullScan"
const PendingManualStepsPropertyName = "PendingManualSteps"
const PendingOfflineScanPropertyName = "PendingOfflineScan"
const PendingRebootPropertyName = "PendingReboot"
const CriticallyFailedDetectionTimePropertyName = "CriticallyFailedDetectionTime"
const CriticallyFailedThreatNamePropertyName = "CriticallyFailedThreatName"
const CriticallyFailedSeverityPropertyName = "CriticallyFailedSeverity"
const CriticallyFailedCategoryPropertyName = "CriticallyFailedCategory"
const CriticallyFailedFWLinkPropertyName = "CriticallyFailedFWLink"
const CriticallyFailedPathPropertyName = "CriticallyFailedPath"
const CriticallyFailedAdditionalActionsPropertyName = "CriticallyFailedAdditionalActions"
const PendingActionDetectionTimePropertyName = "PendingActionDetectionTime"
const PendingActionThreatNamePropertyName = "PendingActionThreatName"
const PendingActionSeverityPropertyName = "PendingActionSeverity"
const PendingActionCategoryPropertyName = "PendingActionCategory"
const PendingActionFWLinkPropertyName = "PendingActionFWLink"
const PendingActionPathPropertyName = "PendingActionPath"
const PendingActionAdditionalActionsPropertyName = "PendingActionAdditionalActions"

' Initialize the log. Order matters: CLog.Init reads the registry through
' g_objRegistry and g_bIs64Bit, so both must exist first. Logging is opt-in
' via the registry (see CLog), so by default Init only sets up an inert
' logger. The Init result is deliberately ignored -- a broken log must not
' stop the probe. Note the log file name differs from the script name.
Dim g_objLog, g_objRegistry, g_bIs64Bit
Set g_objLog = New CLog
Set g_objRegistry = New CRegistry
g_bIs64Bit = IsOS64Bit()
g_objLog.Init("GetActiveMalwareStatusRule.log")
g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Started"

' Create the Operations Manager script API. There is no error handling here:
' if MOM.ScriptAPI cannot be created nothing below can return a property bag
' anyway.
Dim oAPI
Set oAPI = CreateObject("MOM.ScriptAPI")

' Build the property bag for output. Every exit path below returns this bag
' (possibly empty) so the module always produces output.
Dim oPropertyBag
Set oPropertyBag = oAPI.CreatePropertyBag()


' Get arguments
' Arg 0 : Is additional info included in the arguments ("true"/"false" text) or is it dummy data
' Arg 1 : Threat Severity
' Arg 2 : Threat Category
' Arg 3 : Threat FWLink
' Arg 4 : Threat Path
' Arg 5 : Threat Additional Actions (sometimes absent)
'
' SECURITY: these values are supplied by the module configuration and
' presumably originate from the detection data of the triggering event
' (the threat name and path are chosen by the malware author). They are only
' copied into the log and the output property bag here; never use them to
' build commands, queries or markup. The argument count is the only check.
Dim oArgs
Dim g_bIsInfoIncluded, g_strThreatSeverity, g_strThreatCategory, g_strThreatFWLink, g_strThreatPath, g_strThreatAdditionalActions

Set oArgs = WScript.Arguments
If oArgs.Count &lt;&gt; 5 And oArgs.Count &lt;&gt; 6 Then
    g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_ERROR, "Arguments error, expected 5 or 6, received:" &amp; CStr(oArgs.Count)
    Call oAPI.Return(oPropertyBag) ' Return an empty property bag to avoid SCOM errors
    WScript.Quit
End If

' The first five arguments are always present; the sixth is optional.
g_bIsInfoIncluded = oArgs(0)
g_strThreatSeverity = oArgs(1)
g_strThreatCategory = oArgs(2)
g_strThreatFWLink = oArgs(3)
g_strThreatPath = oArgs(4)
If oArgs.Count = 6 Then
    g_strThreatAdditionalActions = oArgs(5)
Else
    g_strThreatAdditionalActions = "" ' sometimes there are no additional actions
End If

g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Arguments:" &amp; " IsInfoIncluded: " &amp; g_bIsInfoIncluded &amp; _
    " ThreatSeverity: " &amp; g_strThreatSeverity &amp; ", ThreatCategory: " &amp; g_strThreatCategory &amp; ", ThreatFWLink: " &amp; g_strThreatFWLink &amp; _
    " ThreatPath: " &amp; g_strThreatPath &amp; ", ThreatAdditionalActions: " &amp; g_strThreatAdditionalActions

' Query the common client (via WMI) for the infection status.
' NOTE(review): the IsObject checks below only take effect if On Error Resume
' Next is in force at script level -- none is visible in this part of the file.
' Without it a failing GetObject/ExecQuery ends the script with a runtime error
' before the empty property bag can be returned; confirm which is intended.
g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Querying WMI for infection status..."
Dim oWMIService, colInfectionStatus
Set oWMIService = GetObject(AM_WMI_NAMESPACE)
If IsObject(oWMIService) Then
    Set colInfectionStatus = oWMIService.ExecQuery(AM_WMI_INFECT_STATUS_QUERY)
    If Not IsObject(colInfectionStatus) Then
        g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_ERROR, "Unable to run WMI query, quitting with error"
        Call oAPI.Return(oPropertyBag) ' Return an empty property bag to avoid SCOM errors
        WScript.Quit
    End If
Else
    g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_ERROR, "Unable to get WMI object, quitting with error"
    Call oAPI.Return(oPropertyBag) ' Return an empty property bag to avoid SCOM errors
    WScript.Quit
End If

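Dim computerStatus, pendingFullScan, pendingManualSteps, pendingOfflineScan, pendingReboot
Dim criticallyFailedDetectionID, criticallyFailedDetectionTime, criticallyFailedThreatName, criticallyFailedSeverity, criticallyFailedCategory, criticallyFailedFWLink, criticallyFailedPath, criticallyFailedAdditionalActions
Dim pendingActionDetectionID, pendingActionDetectionTime, pendingActionThreatName, pendingActionSeverity, pendingActionCategory, pendingActionFWLink, pendingActionPath, pendingActionAdditionalActions
Dim colCriticallyFailedDetections, oCriticallyFailedDetection
Dim colPendingActionDetections, oPendingActionDetection

' Get the infection status of the machine. Only the first status instance is
' used (it is expected to be a singleton); only the first detection of each
' kind is copied out. All values stay Empty when the query returns nothing.
' The threat metadata (severity/category/FWLink/path/actions) is taken from
' the script arguments when IsInfoIncluded is true; that argument arrives as
' text ("true"/"false"), so it is converted explicitly with CBool instead of
' relying on If's implicit string-to-Boolean coercion. The DetectionID fields
' are kept although unused below: they are what a best-effort
' CMalwareDetection.LoadMetadataFromEventLog lookup would need.
Dim oInfectionStatus
For Each oInfectionStatus in colInfectionStatus
    computerStatus = oInfectionStatus.ComputerStatus
    pendingFullScan = oInfectionStatus.PendingFullScan
    pendingManualSteps = oInfectionStatus.PendingManualSteps
    pendingOfflineScan = oInfectionStatus.PendingOfflineScan
    pendingReboot = oInfectionStatus.PendingReboot

    ' Log overall status properties:
    g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Computer Status: " &amp; computerStatus
    g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Pending Full Scan: " &amp; pendingFullScan
    g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Pending Manual Steps: " &amp; pendingManualSteps
    g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Pending Offline Scan: " &amp; pendingOfflineScan
    g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Pending Reboot: " &amp; pendingReboot

    ' Copy information about one of the critically failed detections (if any).
    ' Fix: guard the loop -- For Each cannot iterate a Null/Empty value, which is
    ' what the property may hold when there are no detections (TODO confirm
    ' against the WMI class; an empty array was the only case handled before).
    colCriticallyFailedDetections = oInfectionStatus.CriticallyFailedDetections
    If Not IsNull(colCriticallyFailedDetections) And Not IsEmpty(colCriticallyFailedDetections) Then
        For Each oCriticallyFailedDetection in colCriticallyFailedDetections
            criticallyFailedDetectionID = oCriticallyFailedDetection.DetectionID
            criticallyFailedDetectionTime = UTCTimeToDate(oCriticallyFailedDetection.DetectionTime)
            criticallyFailedThreatName = oCriticallyFailedDetection.ThreatName

            If CBool(g_bIsInfoIncluded) Then
                criticallyFailedSeverity = g_strThreatSeverity
                criticallyFailedCategory = g_strThreatCategory
                criticallyFailedFWLink = g_strThreatFWLink
                criticallyFailedPath = g_strThreatPath
                criticallyFailedAdditionalActions = g_strThreatAdditionalActions
            Else
                ' For now do nothing - so in the alert there will be empty information
                ' Collecting additional metadata from the event log is best-effort
            End If

            ' Log the critically failed malware details
            g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Critically Failed Detection - Time: " &amp; criticallyFailedDetectionTime
            g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Critically Failed Detection - Name: " &amp; criticallyFailedThreatName
            g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Critically Failed Detection - Severity: " &amp; criticallyFailedSeverity
            g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Critically Failed Detection - Category: " &amp; criticallyFailedCategory
            g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Critically Failed Detection - FWLink: " &amp; criticallyFailedFWLink
            g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Critically Failed Detection - Path: " &amp; criticallyFailedPath
            g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Critically Failed Detection - Additional Actions: " &amp; criticallyFailedAdditionalActions

            ' Now that we have one example malware, we can bail out of the loop
            Exit For
        Next
    End If

    ' Copy information about one of the pending action detections (if any);
    ' same Null/Empty guard as above.
    colPendingActionDetections = oInfectionStatus.PendingActionDetections
    If Not IsNull(colPendingActionDetections) And Not IsEmpty(colPendingActionDetections) Then
        For Each oPendingActionDetection in colPendingActionDetections
            pendingActionDetectionID = oPendingActionDetection.DetectionID
            pendingActionDetectionTime = UTCTimeToDate(oPendingActionDetection.DetectionTime)
            pendingActionThreatName = oPendingActionDetection.ThreatName

            If CBool(g_bIsInfoIncluded) Then
                pendingActionSeverity = g_strThreatSeverity
                pendingActionCategory = g_strThreatCategory
                pendingActionFWLink = g_strThreatFWLink
                pendingActionPath = g_strThreatPath
                pendingActionAdditionalActions = g_strThreatAdditionalActions
            Else
                ' For now do nothing - so in the alert there will be empty information
                ' Collecting additional metadata from the event log is best-effort
            End If

            ' Log the pending action malware details
            g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Pending Action Detection - Time: " &amp; pendingActionDetectionTime
            g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Pending Action Detection - Name: " &amp; pendingActionThreatName
            g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Pending Action Detection - Severity: " &amp; pendingActionSeverity
            g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Pending Action Detection - Category: " &amp; pendingActionCategory
            g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Pending Action Detection - FWLink: " &amp; pendingActionFWLink
            g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Pending Action Detection - Path: " &amp; pendingActionPath
            g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Pending Action Detection - Additional Actions: " &amp; pendingActionAdditionalActions

            ' Now that we have one example malware, we can bail out of the loop
            Exit For
        Next
    End If

    ' Infection status should be a singleton
    Exit For
Next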

' Populate the output property bag: one AddValue per (name, value) pair, in the
' same order as before. Values not set above are Empty and are added as such.
Dim aBagNames, aBagValues, iBag
aBagNames = Array( _
    ComputerStatusPropertyName, PendingFullScanPropertyName, PendingManualStepsPropertyName, _
    PendingOfflineScanPropertyName, PendingRebootPropertyName, _
    CriticallyFailedDetectionTimePropertyName, CriticallyFailedThreatNamePropertyName, _
    CriticallyFailedSeverityPropertyName, CriticallyFailedCategoryPropertyName, _
    CriticallyFailedFWLinkPropertyName, CriticallyFailedPathPropertyName, _
    CriticallyFailedAdditionalActionsPropertyName, _
    PendingActionDetectionTimePropertyName, PendingActionThreatNamePropertyName, _
    PendingActionSeverityPropertyName, PendingActionCategoryPropertyName, _
    PendingActionFWLinkPropertyName, PendingActionPathPropertyName, _
    PendingActionAdditionalActionsPropertyName)
aBagValues = Array( _
    computerStatus, pendingFullScan, pendingManualSteps, _
    pendingOfflineScan, pendingReboot, _
    criticallyFailedDetectionTime, criticallyFailedThreatName, _
    criticallyFailedSeverity, criticallyFailedCategory, _
    criticallyFailedFWLink, criticallyFailedPath, _
    criticallyFailedAdditionalActions, _
    pendingActionDetectionTime, pendingActionThreatName, _
    pendingActionSeverity, pendingActionCategory, _
    pendingActionFWLink, pendingActionPath, _
    pendingActionAdditionalActions)

For iBag = 0 To UBound(aBagNames)
    Call oPropertyBag.AddValue(aBagNames(iBag), aBagValues(iBag))
Next

' Flush the diagnostic log (a no-op unless logging is enabled in the registry)
' before handing the bag back to the module.
g_objLog.WriteLog "GetInfectionStatus.vbs", LOG_INFO, "Finished querying WMI for infection status"
g_objLog.SaveLogToDisk

Call oAPI.Return(oPropertyBag)
</Script></ScriptBody>
<TimeoutSeconds>$Config/TimeoutSeconds$</TimeoutSeconds>
</ProbeAction>
</MemberModules>
<Composition>
<Node ID="Probe">
<Node ID="PassThrough"/>
</Node>
</Composition>
</Composite>
</ModuleImplementation>
<OutputType>System!System.PropertyBagData</OutputType>
<TriggerOnly>true</TriggerOnly>
</ProbeActionModuleType>