Thursday, July 28, 2011

C#: FEP Client Alert Notice

As an alternative to running SCCM just for Forefront Endpoint Protection alert notices (the client itself can be managed with GPOs and its status reported through WSUS), I wrote a small C# console application that parses the System event log for virus/malware notifications from the FEP client and emails the alert message(s) to the system admins. This is only a proof of concept; ideally you would run this code from a Windows service that parses the log every hour or so. A few things to keep in mind before deploying it: the code only considers events logged under the source "Microsoft Antimalware" with IDs 1116 (malware detected) and 1117 (remediation action taken) within the last 60 minutes (the comment in the listing says two hours, but AddMinutes(-60) is one hour), so a service that polls on a different interval can miss or duplicate events — tracking the last processed log entry is more reliable than a fixed time window. The event text that ends up in the mail body includes attacker-chosen strings such as the detected file's path, so keep IsBodyHtml set to false. The MailMessage and SmtpClient constructor arguments are left blank here; fill in the sender, recipient and SMTP host for your environment, and if the relay is not on a trusted internal network, enable TLS (EnableSsl) and authenticate rather than sending infection reports in the clear. Treat the absence of an email as "no alert received", not "host is clean" — a checker like this fails open if the log is cleared, the mail server is unreachable, or the FEP client stops logging. Note also that the listing as rendered on this page has lost its braces and a few statements (the StringBuilder append and counter increment under their comments, and presumably the final Send call), which need restoring before it will compile.

using System;
using System.Collections.Generic;
using System.Text;
using System.Diagnostics;
using System.Net.Mail;

namespace FEP_Status_Check
class Program
static void Main(string[] args)
//Counter for FEP Alerts
int x = 0;

//String Building for FEP Log Entry Data
StringBuilder stbFEPNotice = new StringBuilder();

//Create Collection of System Log Entries
EventLog elSys = new EventLog("System", ".");
EventLogEntryCollection elecSystem = elSys.Entries;

//Loop Through System Events Collection
foreach (EventLogEntry sysLogEntry in elecSystem)
//Check to See if From FEP
if (sysLogEntry.Source.ToString() == "Microsoft Antimalware")
//Check to See if Event Took Place Within 2 Hours
if (DateTime.Compare(DateTime.Now.AddMinutes(-60), sysLogEntry.TimeGenerated) < 0)
//Check for Virus\Malware Alert or Remediation Action Alert
if (sysLogEntry.InstanceId.ToString() == "1116" || sysLogEntry.InstanceId.ToString() == "1117")
//Add Log Entry Text to FEP Notice
//Increment Counter



//Notify Network Admins of Any FEP Alerts
if (x > 0)

//Pull Computer Name
string strHostName = System.Environment.MachineName.ToString();
//Create and Send Email Notice
MailMessage mmFEPNotice = new MailMessage("", "");
mmFEPNotice.Subject = "FEP Alert Notice from " + strHostName + " on " + DateTime.Now.ToShortDateString();
mmFEPNotice.IsBodyHtml = false;
mmFEPNotice.Body = stbFEPNotice.ToString();
SmtpClient scMail = new SmtpClient("");


