Sometimes it’s easy: OMS malware assessment

Summary: Ed Wilson talks about using the Microsoft Operations Management Suite Malware Assessment tool.

Good morning everyone. Ed Wilson here. Today is a bit of a strange one. The Scripting Wife (aka Teresa Wilson) is in North Carolina fighting snow storms, and I am sitting here in central Florida with the doors and windows open, enjoying a sunny, warm morning. As you can see, it is a beautiful day.

Photo of tree

I have the Black Label Society cranked up about as loud as I can have it without being a public nuisance, and I am sipping an awesome cup of English Breakfast tea with licorice root, fresh peppermint, spearmint, lemon grass, and local honey that I scored at the farmer’s market last weekend. It is awesome, but somewhat contrarian to heavy metal music. Although the music is great for writing.

Super simple malware assessment

The Windows PowerShell cmdlet Get-MpComputerStatus (part of the Defender module) was introduced in Windows 8. It works great for telling me the status of my malware protection on one computer: it returns an object with properties such as RealTimeProtectionEnabled, AntivirusSignatureAge, and QuickScanEndTime. But I still have to filter that output myself, and that gets tedious when I am working with more than one computer.
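As an added example (this is not code from the original post), here is the PowerShell equivalent of the OMS view: it gathers Get-MpComputerStatus from a list of servers and flags the ones without real-time protection. The server names are placeholders, and it assumes PowerShell remoting (WinRM) is enabled and the caller is an administrator on the targets. The Malicious Software Removal Tool check reads the registry key where MSRT records its last-run version; that is a separate lookup, not a Get-MpComputerStatus property.

```powershell
# Added example (not from the original post): collect Get-MpComputerStatus from
# several servers and flag the ones without real-time protection, which is the
# same bucket OMS labels "No Real Time Protection".
# Assumptions: PowerShell remoting (WinRM) is enabled on the targets, the caller
# is a local administrator there, and the server names below are placeholders.
$servers = 'SRV01', 'SRV02', 'SRV03'

$report = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    $status = Get-MpComputerStatus

    # MSRT is not surfaced by Get-MpComputerStatus; its last-run version is
    # recorded under this registry key (absent if MSRT has never run).
    $mrt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        AMServiceEnabled          = $status.AMServiceEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        SignatureAgeDays          = $status.AntivirusSignatureAge
        LastQuickScan             = $status.QuickScanEndTime
        MsrtVersion               = $mrt.Version
    }
}

# Invoke-Command tags every returned object with PSComputerName, so the
# results can be grouped per server without any extra bookkeeping.
$noRtp = @($report | Where-Object { -not $_.RealTimeProtectionEnabled })
$pct   = [math]::Round(100 * $noRtp.Count / $servers.Count)

"{0} of {1} servers ({2}%) have no real-time protection" -f $noRtp.Count, $servers.Count, $pct
$noRtp | Select-Object PSComputerName, AMServiceEnabled, SignatureAgeDays, LastQuickScan, MsrtVersion |
    Format-Table -AutoSize

# Servers that returned nothing (unreachable, or no Defender module) need a
# manual look; treat them as unprotected until proven otherwise.
$silent = $servers | Where-Object { $_ -notin $report.PSComputerName }
if ($silent) { Write-Warning -Message ("No status from: " + ($silent -join ', ')) }
```

Run it from a management host with credentials that are trusted by every target; a server that drops out of the report is just as interesting as one that reports no real-time protection, which is why the script lists both.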

In the Microsoft Operations Management Suite, I have the Malware Assessment tool. It is accessible directly from the Overview page and it is very easy to use. Here is an image of the Overview > Antimalware screen:

Image of menu

This tells me that at this time, there are no active threats detected on my 54 servers. But it also tells me that 61% of my servers (or 33 out of my 54 servers) do not have adequate protection. I click the No Real Time Protection status message and find the 33 servers.

The screen goes to a search page, and provides me with the server names:

Image of menu

Obtaining a bit more information

At this point, all I know is that MS OMS thinks 33 of my 54 servers have inadequate protection. But I would like to know more. So I choose the first server listed under DeviceName in my search results. The page flips to Scanning for about a second, and then returns with the 97 results shown here:

Image of menu

To me, this is pretty good news. It tells me that the type of protection is the Malicious Software Removal tool, the last scan date was last night, and that no infection was found. That is why the circle is half blue instead of red or yellow. The servers at least have a modicum of protection, just not real-time protection.

Yeah, I could have done this with Windows PowerShell, but the one thing that I would not have found is that the Malicious Software Removal tool was there. That is not reported by the Get-MpComputerStatus cmdlet, so I would have had to do a bit of research to get to this point. As it is, I simply clicked and “sweet, it is done.”

That is all I have for you today. Join me tomorrow when I’ll talk about using Microsoft Operations Management Suite to perform a configuration assessment. It is a really powerful technique, and rather cool if I do say so myself.

I invite you to follow me on Twitter and the Microsoft OMS Facebook site. If you want to learn more about Windows PowerShell, visit the Hey, Scripting Guy! Blog. If you have any questions, send email to me at scripter@microsoft.com. I wish you a wonderful day, and I’ll see you tomorrow.

Ed Wilson
Microsoft Operations Management Team