OMS Security malware assessment adds support for more antimalware vendors

FAST FACT: OMS Security is adding support for Symantec Endpoint Protection and Trend Micro Deep Security to its Antimalware assessment solution. This service update adds support for assessing whether servers are protected by anti-malware solutions from these vendors and whether these solutions are operational. The OMS Antimalware dashboard now reflects this new feature.

========================================

Microsoft Operations Management Security is improving its support for antimalware assessment by adding support for antimalware partner solutions. This service update adds support for detecting when monitored servers are protected by Symantec Endpoint Protection or Trend Micro Deep Security agents. The release adds support for detecting all supported Symantec Endpoint Protection 12.x and 14.x versions and all supported Trend Micro Deep Security version 9.6.

In addition to detecting when these partner solutions are installed, an additional assessment is also done to determine whether protection by these agents is operational. Specifically, OMS Security will test to see if the antimalware agents from these vendors on the monitored servers are:

• Enabled
• Running scans at regular intervals
• Using signatures no older than seven days

This enables you to plan for and ensure that the servers in your infrastructure are adequately protected. The Antimalware dashboard in Log Analytics has been updated to report on this assessment for partner antimalware solutions.

The Antimalware dashboard categorizes information about the malware assessment into four tiles:

• Threat Status
• Detected Threats
• Protection Status
• Type of Protection

Monitored servers that are protected by these third-party antimalware solutions are displayed in the Type of Protection tile. The solution workspace that’s displayed here has three servers with Symantec Endpoint Protection and one with Trend Micro Deep Security.

The Protection Status tile in the malware assessment will reflect whether the protection of these servers is operational. For instance, if for any reason the Antimalware agent is disabled or if the server has not been scanned for more than seven days, the tile will report that the server is missing real-time protection as shown in the following screenshot:

When we drill down, we can see that there are servers with No real time protection.

For example, in the figure below you can see that the server has the Trend Micro Deep Security agent installed, but real-time protection is not available.

This may because an agent is installed but not configured or because the antimalware module was disabled.

Here you can see a server where the Symantec Endpoint Protection agent is disabled.

OMS Security also checks to see if an antimalware scan hasn’t been done recently. For example, in the following figure, you can see that the server shows Latest scan older than 7 days.

Also, OMS Security will check to see if antimalware signatures might be out-of-date. In the following figure, you can see that the server shows Signatures out of date and Signature older than 7 days.

In all these scenarios, you can take appropriate action to investigate and fix the problems.

Note that threat assessment is not a part of this service update. Threat assessment support for Symantec Endpoint Protection and Trend Micro Deep Security will appear in a future service update. At that time the Antimalware dashboard will display this information in the Threats Status and the Detected Threats tiles.

Tom Shinder
Program Manager,
Azure Security Engineering