
Simple AV exclusion Script


Someone asked me for this earlier, so I packed it up and uploaded it in case anyone needs it.

 

It's just a script that creates a dummy AV called AV Exclude.

 

It will allow you to exclude a workstation or server that cannot have AV on it, so it will not show up as "Missing Anti-Virus".

 

The device will have the date it was excluded as the definition date, and it will have a text file with the date, user, and reason for the exclusion. The detection template uses this file. You can simply delete it to de-exclude the device, or create an EDF check box to set or unset it.

 


 

Update 3/18/15

Just updated the file on here; it's the version that updates the current date as the definition date and shows auto-protection as on.

AV Exclude v2.zip


Joseph,

 

This does work well; however, I have noticed one problem that I am trying to solve. When an agent has the AV Exclude configured, it reports as AV Disabled in the internal monitor called AV - Disabled. From what I can tell, this is based on the value in the table 'computers' under the property 'virusap' having a value of 0. The problem I am having is that each time I change that value to 1 to indicate AV is enabled, the value reverts back to 0. From what I can tell, this is because the 'virusscanners' table does not have a value for the 'AutoProtect' property.

 

I'm trying to figure out a way to create a fake service that deploys with your script and updates the property value with a service name, so that ultimately it will have a value of 1 in the internal monitor and tickets won't be created for these agents.

 

If you have any thoughts on this before I spend too much effort, please advise. Thanks.

 

-jeff


Hey lads,

 

I applied this to my LAB instance yesterday; the install went great and the AV Exclude does show on the agent. However, I'll second Jeff's feedback that "it still does raise an Alert for AV Disabled".

 

[screenshot of the AV Disabled alert]

 

I'm going to create a script for the "dummy service" and post it when I'm done... but if you have found a way around the "AV Disabled Alert" by now... then please do share! :)

 

Thanks


Update: No script yet, but here is how I'm creating that dummy service.

 

[screenshot of the dummy service being created]

 

FYI: I have started the friendly name with MK so that all the services I run on the agent are grouped together in the Services.msc list. That is all. The content of avexclude.bat is just: CALL C:\windows\explorer.exe, a simple batch command. You could probably just point the binPath directly at explorer.exe? :shock:

 

[screenshot of the service entry and avexclude.bat]

 

3 things:

 

1) PLEASE correct me if I'm wrong, but the service doesn't have to be running for the Virus Scan definition to work; it just needs to be present.

 

2) I blacklisted this custom service so that I don't get alerts about it, as it's there purely so that "AV Exclude" functions correctly.

 

3) I edited my Virus Scan def to the following:

 

[screenshot of the edited Virus Scan definition]

 

Thanks,

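Putting the first post's marker file (date, user and reason for the exclusion) together with the dummy service described in this post, here is an added PowerShell example. It is not the attached AV Exclude script and not the poster's sc.exe commands. The directory C:\ProgramData\AVExclude, the file names AVExclude.txt and avexclude.cmd, the service name MK_AVExclude and the display name are assumptions chosen for the example; adjust them to match whatever the detection template on your server actually looks for.

```powershell
# Added example; not the thread's attached script. Assumed names: the marker
# directory, the two file names and the service name below are all choices
# made here, not values from the thread.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string] $Reason,
    [string] $MarkerDir   = 'C:\ProgramData\AVExclude',
    [string] $ServiceName = 'MK_AVExclude'
)

$markerFile = Join-Path $MarkerDir 'AVExclude.txt'
$stub       = Join-Path $MarkerDir 'avexclude.cmd'

# 1. Marker file read by the virus-scanner detection template: date, user, reason.
#    Delete this file to de-exclude the machine, as the first post describes.
New-Item -ItemType Directory -Path $MarkerDir -Force | Out-Null
@(
    "Date: $(Get-Date -Format 'yyyy-MM-dd')"
    "User: $env:USERDOMAIN\$env:USERNAME"
    "Reason: $Reason"
) | Set-Content -Path $markerFile -Encoding ASCII

# 2. Lock the directory down to SYSTEM and Administrators (read-only for Users).
#    The service's binPath lives here; if standard users could overwrite it,
#    anyone who later starts the service would run their code as LocalSystem.
$acl = Get-Acl -Path $MarkerDir
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $MarkerDir -AclObject $acl

# 3. Dummy auto-protect service. Following the post's point 1, it only has to be
#    present, so it is registered Disabled and never started. The binPath is a
#    stub that exits immediately, not explorer.exe, so starting it by mistake
#    launches nothing as SYSTEM.
"@echo off`r`nexit /b 0" | Set-Content -Path $stub -Encoding ASCII
if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
    New-Service -Name $ServiceName `
                -BinaryPathName "`"$stub`"" `
                -DisplayName 'MK AV Exclude' `
                -Description 'Placeholder auto-protect service for the AV Exclude definition' `
                -StartupType Disabled | Out-Null
}

# 4. Verification: marker file content, service registered and not running.
Get-Content -Path $markerFile
Get-Service -Name $ServiceName | Select-Object Name, Status, StartType
```

Run it as an administrator, for example `.\New-AVExclude.ps1 -Reason "Vendor appliance, AV not supported"`. Two points worth adding for anyone copying the screenshots: a service's binPath runs as LocalSystem, so whatever it points at must sit in a directory only administrators can write to, otherwise a batch file in a user-writable path becomes a privilege-escalation route the moment the service is started; and the stub is Disabled because the post's working assumption is that the service only needs to exist. If your detection template turns out to check for a running AP process rather than a registered service, point the definition's AP field at an always-present system process, as later replies do with explorer and Netlogon, rather than enabling the stub. Machines carrying the marker drop out of the Missing Anti-Virus report entirely, so the User and Reason lines are the only record that the exclusion was deliberate; review them periodically.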

When I've added this script to systems, I have always made duplicates of the AV Disabled and AV Out of Date monitors and added an exclusion to each monitor for anything that is using the virus scanner 'AV Exclude'.

 

In my examples, the ID 150 relates to the AV Exclude definition that was added when the script was first run. You can obtain this ID using SQLyog by running the following query:

 

SELECT VScanID FROM virusscanners WHERE NAME = 'AV Exclude'

 

Example - AV Out of Date

[screenshot of the duplicated AV Out of Date monitor with the exclusion]

Example - AV Disabled

[screenshot of the duplicated AV Disabled monitor with the exclusion]

 

Regards,

Michael Priest

http://www.ninitesolution.com


I got a little curious earlier and tried to figure out a way to do the definition dates. It seems to work, but I will be able to tell tomorrow once the date has changed.

 

I created a bat file that just puts the date in the date.txt file, then echoes the path for LabTech to read it.

This bat is run automatically when LabTech expands the definition location to find the path of the definition file.

 

The location is hardcoded right now because for some reason I kept messing it up, but I'll create a script tomorrow when I get some time so it auto-creates all of this.

 

Bat file

[screenshot: excludebat.PNG]

AV template

[screenshot: avtemplate.PNG]

So, I ran this script against one of our machines, but they still show as not having any AV installed. What might I be missing?

 

You probably already figured this out, but after you run the script you need to update the config and resend the software and system info inventory to update the agent. These are located in Commands > Inventory > Update Config, Resend Software, Resend System Info. You also have to run them in that order and make sure the previous command has finished before you issue the next. Any time you update your virus scanners, for example, a new config.gz file is written to your LTShare, and that config file is pushed to the agent, where it writes the new virus scanner configuration into the agent's registry. Resending the inventory will check these registry keys and populate your database.

I'm going to create a script for the "dummy service" and post it when I'm done... but if you have found a way around the "AV Disabled Alert" by now... then please do share! :)

 

I'm wondering if it would be easier to just use explorer* as the AP instead of creating a service?


I set up Netlogon as the AP process service to mitigate this problem, so I'm sure using Explorer would work as well. I am working on updating based on the latest information provided by Martyn and Joseph. I like the idea of creating a fake service and having an option to keep the defs updated via a batch file. This will keep reports from reflecting negatively in the customers' eyes and keep the overall client health scores up.

 

-jeff


The way I've been keeping the defs up to date is by using a LabTech script assigned to our AV Exclusion group to write the current date into a text file, overwriting the existing file so the modified date changes. This then shows on the agent under the defs with the current date. We've been doing this with no issues since the original post.

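Both the batch file described above (write the date into date.txt, then echo the path for LabTech to read) and the scheduled LabTech script in this reply do the same job: keep the definition date current. As an added example, not the poster's batch file nor their LabTech script, here is that refresh in PowerShell. It assumes a marker directory C:\ProgramData\AVExclude, a marker file AVExclude.txt and a date file date.txt (all names chosen here, not from the thread). It adds two things a practitioner would want: it refuses to refresh once the marker file is gone, so deleting the marker really does end the exclusion, and it can register itself as a daily SYSTEM scheduled task for sites that do not schedule it from LabTech.

```powershell
# Added example; not the thread's batch file or LabTech script. The marker
# directory and file names are assumptions chosen here.
param(
    [string] $MarkerDir = 'C:\ProgramData\AVExclude',
    [switch] $RegisterDailyTask
)

$marker   = Join-Path $MarkerDir 'AVExclude.txt'
$dateFile = Join-Path $MarkerDir 'date.txt'

# Only refresh while the exclusion is actually in force. Deleting AVExclude.txt
# (the de-exclusion step from the first post) therefore also lets the definition
# date go stale, so the "AV Out of Date" monitor starts firing again on its own
# instead of the machine silently staying green forever.
if (-not (Test-Path -Path $marker)) {
    Write-Warning "No exclusion marker at $marker; not refreshing $dateFile"
    exit 1
}

# Overwrite rather than append: the content and the LastWriteTime both carry
# today's date, whichever of the two the detection template treats as the
# definition date.
Set-Content -Path $dateFile -Value (Get-Date -Format 'yyyy-MM-dd') -Encoding ASCII

# Echo the path last, so a template that runs this file to expand the definition
# location receives the path as the final line of output.
Write-Output $dateFile

# Optional: run this same script daily as SYSTEM. Register once with
# -RegisterDailyTask from an elevated prompt; $PSCommandPath is the saved
# script's own path, so the script must be run from a file, not pasted inline.
if ($RegisterDailyTask) {
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -MarkerDir `"$MarkerDir`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At 3am
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'MK AV Exclude - refresh definition date' `
        -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
}
```

Because the task runs the script as SYSTEM every day, the script file itself has to live somewhere only administrators can write; a writable copy of it is a daily scheduled privilege escalation. The exit code of 1 when the marker is missing also gives a LabTech script step something to branch on, so the same script can be used from the AV Exclusion group without a separate check.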
