As an alternative to running SCCM for Forefront Endpoint Protection alert notices (since you can easily control the client with GPOs and use WSUS for status), I wrote a C# console application that parses the System event log for virus/malware notifications from the FEP client and then emails the alert message(s) to the system admins. This is just a proof of concept. Ideally you would create a Windows service that runs this code to parse the log every hour or so.
using System;
using System.Collections.Generic;
using System.Text;
using System.Diagnostics;
using System.Net.Mail;
namespace FEP_Status_Check
{
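class Program
{
    /// <summary>Event-log source name written by the Forefront Endpoint Protection client.</summary>
    private const string FepSource = "Microsoft Antimalware";

    /// <summary>FEP event id for a virus/malware detection alert.</summary>
    private const long MalwareDetectedEventId = 1116;

    /// <summary>FEP event id for a remediation action alert.</summary>
    private const long RemediationActionEventId = 1117;

    /// <summary>
    /// How far back in the System log to look. The original comment said "2 hours" while
    /// the code used 60 minutes; naming the window makes the actual value explicit.
    /// </summary>
    private static readonly TimeSpan AlertWindow = TimeSpan.FromMinutes(60);

    /// <summary>Sender address of the notice e-mail.</summary>
    private const string FromAddress = "DCAdmins@my.company.com";

    /// <summary>Recipient (admin distribution list) of the notice e-mail.</summary>
    private const string ToAddress = "admins@my.company.com";

    /// <summary>SMTP relay used to submit the notice.</summary>
    private const string SmtpHost = "smtp.my.company.com";

    /// <summary>Separator written after each appended event message.</summary>
    private const string EntrySeparator = "\n\n\n";

    /// <summary>
    /// Scans the local System event log for recent FEP malware alerts and, when any are
    /// found, e-mails their text to the admin list. Sets <see cref="Environment.ExitCode"/>
    /// to 1 if the mail cannot be sent, so a scheduled task can surface the failure.
    /// </summary>
    /// <param name="args">Unused.</param>
    static void Main(string[] args)
    {
        StringBuilder notice = new StringBuilder();
        int alertCount = AppendRecentAlerts(notice);

        // Nothing to report: send no mail rather than an empty one.
        if (alertCount == 0)
        {
            return;
        }

        try
        {
            SendNotice(notice.ToString());
        }
        catch (SmtpException ex)
        {
            // A failed send is reported and reflected in the exit code, not swallowed.
            Console.Error.WriteLine("Unable to send FEP alert notice: " + ex.Message);
            Environment.ExitCode = 1;
        }
    }

    /// <summary>
    /// Appends the message of every FEP detection/remediation event generated within
    /// <see cref="AlertWindow"/> to <paramref name="notice"/>.
    /// </summary>
    /// <param name="notice">Receives each matching event message followed by <see cref="EntrySeparator"/>.</param>
    /// <returns>The number of matching events found.</returns>
    private static int AppendRecentAlerts(StringBuilder notice)
    {
        int count = 0;

        // EventLogEntry.TimeGenerated is expressed in local time, so the cutoff is
        // derived from DateTime.Now rather than DateTime.UtcNow.
        DateTime cutoff = DateTime.Now.Subtract(AlertWindow);

        // EventLog is IDisposable; the original never released its handle.
        using (EventLog systemLog = new EventLog("System", "."))
        {
            foreach (EventLogEntry entry in systemLog.Entries)
            {
                if (!string.Equals(entry.Source, FepSource, StringComparison.Ordinal))
                {
                    continue;
                }

                if (entry.TimeGenerated <= cutoff)
                {
                    continue;
                }

                // InstanceId is numeric; comparing it directly avoids the ToString round trip.
                if (entry.InstanceId != MalwareDetectedEventId && entry.InstanceId != RemediationActionEventId)
                {
                    continue;
                }

                notice.Append(entry.Message);
                notice.Append(EntrySeparator);
                count++;
            }
        }

        return count;
    }

    /// <summary>Builds the plain-text notice and submits it to the relay.</summary>
    /// <param name="body">Concatenated event messages.</param>
    /// <exception cref="SmtpException">The relay rejected the message or could not be reached.</exception>
    private static void SendNotice(string body)
    {
        string hostName = Environment.MachineName;

        // MailMessage and SmtpClient are both IDisposable.
        using (MailMessage message = new MailMessage(FromAddress, ToAddress))
        {
            message.Subject = "FEP Alert Notice from " + hostName + " on " + DateTime.Now.ToShortDateString();

            // Plain text on purpose: the event messages echo file names and paths of the
            // detected item, which must not be interpreted as markup by the mail client.
            message.IsBodyHtml = false;
            message.Body = body;

            // NOTE: no credentials and no EnableSsl are configured, so this relies on the
            // relay accepting unauthenticated, unencrypted submissions from this host.
            using (SmtpClient client = new SmtpClient(SmtpHost))
            {
                client.Send(message);
            }
        }
    }
}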
}