Microsoft OMS: Antimalware Assessment Not Reporting/Unknown Clients

Posted by Ahmed Nabil
Microsoft OMS (Operations Management Suite) offers a very nice solution in its gallery: the Antimalware Assessment. After you install the OMS agent on all your servers (on-premises or Azure), this solution checks the antimalware/AV status of each one, for example whether it lacks real-time protection, whether its signatures are out of date, etc.

For more information on this solution, see the link below:

https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-malware

I noticed in my environment that I have several clients with insufficient protection.

After clicking the assessment for more details, I noticed that these 13 clients have a status of Not Reporting. Upon checking them one by one, I noticed that most of them are 2008 and 2008 R2 servers. They have the antimalware client updated and real-time protection configured. I suspected the AV client, as some of them are not the Microsoft client but rather Symantec and/or Trend Micro; however, these clients were approved and added to the list queried by OMS:

https://blogs.technet.microsoft.com/msoms/2017/01/19/oms-security-malware-assessment-adds-support-for-more-antimalware-vendors/

So, to make a long story short: one of the major requirements for the OMS Antimalware Assessment is that these clients have Windows Management Framework 3 or higher installed, which includes PowerShell v3. PowerShell v3 is not installed by default on Server 2008 R2.

So the fix was simply installing the WMF 3 update on the 2008 servers from the link below (6.1 for 2008 R2 and 6 for 2008):

https://www.microsoft.com/en-us/download/details.aspx?id=34595

After updating these clients and installing WMF 3, I expected the issue to be resolved and the clients to start reporting to the OMS assessment; however, their status turned to Unknown!

After checking with the Microsoft team, a very common cause of this Unknown status turned out to be that the WMI provider is not registered.

So the resolution is as follows:

  1. Open an administrator PowerShell prompt on each of the Unknown computers.
  2. Ensure the execution policy allows running scripts. You can check it by running Get-ExecutionPolicy.
  3. Import the needed PowerShell module by running:
     Import-Module "$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1"
  4. Run the command Get-MProtComputerStatus.
  5. Most probably you will get an "Invalid namespace" error.
  6. If so, run the command below to register the WMI provider:
     Register-CimProvider.exe -ProviderName ProtectionManagement -Namespace root\microsoft\ProtectionManagement -Path "C:\Program Files\Microsoft Security Client\ProtectionMgmt.dll" -Impersonation True -HostingModel LocalServiceHost -SupportWQL -ForceUpdate
  7. This registers the ProtectionManagement provider and fixes the agent's Unknown status.
  8. If you changed the execution policy to allow running scripts, you may need to set it back to the default Restricted mode, or at least to RemoteSigned.
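The steps above, wrapped into one script so they can be run the same way on every Unknown server. This is an added example and not part of the original post or of any Microsoft tooling: the file paths, namespace and Register-CimProvider.exe parameters are exactly the ones quoted above, while the function names (Test-Prerequisites, Test-ProtectionProvider, Register-ProtectionProvider) are this example's own. It only registers the provider when Get-MProtComputerStatus actually fails with the "Invalid namespace" error, and it refuses to change the execution policy for you, so that a Restricted policy stays a deliberate choice rather than a silent side effect.

```powershell
# Added example (not from the original post): automates the manual checks above.
# Run from an elevated PowerShell prompt on a server that shows as Unknown.
# Paths and the registration command are those quoted in the post.
$modulePath  = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpProvider\MpProvider.psd1'
$providerDll = Join-Path $env:ProgramFiles 'Microsoft Security Client\ProtectionMgmt.dll'
$namespace   = 'root\microsoft\ProtectionManagement'

function Test-Prerequisites {
    # Must be elevated: registering a WMI/CIM provider writes to the WMI repository.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an administrator PowerShell prompt.'
    }
    # WMF 3 ships PowerShell 3; Server 2008 / 2008 R2 only have 2.0 out of the box.
    if ($PSVersionTable.PSVersion.Major -lt 3) {
        throw "PowerShell $($PSVersionTable.PSVersion) found; install WMF 3 first."
    }
    # The default Restricted policy blocks Import-Module on the .psd1; report it, do not change it.
    if ((Get-ExecutionPolicy) -eq 'Restricted') {
        throw "Execution policy is Restricted; set it to RemoteSigned, run this script, then set it back."
    }
    foreach ($path in $modulePath, $providerDll) {
        if (-not (Test-Path $path)) { throw "Expected file not found: $path" }
    }
}

function Test-ProtectionProvider {
    # $true when the provider answers; $false on the "Invalid namespace" error the post describes.
    Import-Module $modulePath -ErrorAction Stop
    try {
        $null = Get-MProtComputerStatus -ErrorAction Stop
        return $true
    } catch {
        if ($_.Exception.Message -match 'Invalid namespace') { return $false }
        throw   # any other failure is a different problem; surface it unchanged
    }
}

function Register-ProtectionProvider {
    # The registration command from the post, parameters unchanged.
    & Register-CimProvider.exe -ProviderName ProtectionManagement `
        -Namespace $namespace -Path $providerDll `
        -Impersonation True -HostingModel LocalServiceHost -SupportWQL -ForceUpdate
    if ($LASTEXITCODE -ne 0) { throw "Register-CimProvider.exe exited with code $LASTEXITCODE" }
}

Test-Prerequisites
if (Test-ProtectionProvider) {
    Write-Host "ProtectionManagement provider already registered; Get-MProtComputerStatus works."
} else {
    Write-Host "Invalid namespace: registering provider in $namespace ..."
    Register-ProtectionProvider
    if (Test-ProtectionProvider) {
        Write-Host 'Provider registered; OMS should stop reporting Unknown after the agent next uploads.'
    } else {
        Write-Warning 'Provider still not answering; review the Register-CimProvider.exe output above.'
    }
}
```

After the run, remember step 8: if you raised the execution policy to get the module imported, put it back to Restricted (or RemoteSigned) once the provider answers.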



Hopefully this post is useful for anyone encountering the same issue.