Powershell. Состояние антивирусной защиты.
14 Mar 2016
powershell
Icinga2
Текст скрипта для Icinga2:
<#
.SYNOPSIS
Icinga 2 check: antivirus protection state of a Windows host.
.DESCRIPTION
Reads the products registered with Windows Security Center (WMI namespace
root\SecurityCenter2) and reports whether real-time protection is on and
whether definitions are current.
The process exit code follows the Nagios/Icinga convention:
0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
Caveat: the data is self-reported by the monitored host, so a compromised
host can misreport. Treat this as a hygiene check, not as tamper evidence.
.PARAMETER ComputerName
Computer to check (default: localhost).
.OUTPUTS
An HTML fragment for the Icinga web UI is written to stdout; the check
state is carried in the exit code.
.LINK
https://webnote.satin-pl.com
.NOTES
Version: 0.1
Author: Pavel Satin
Email: plsatin@yandex.ru
Creation Date: 17.02.2018
Purpose/Change: Initial script development
#>
Param(
    [Parameter(Mandatory = $false)]
    [string]$ComputerName = "localhost"
)

# Optional shared helper module (not required by this check):
#   Import-Module "C:\ProgramData\icinga2\Scripts\icinga2\icinga2scripts.psm1"
#$ErrorActionPreference = "SilentlyContinue"

# Icinga/Nagios plugin return codes.
$returnStateOK, $returnStateWarning, $returnStateCritical, $returnStateUnknown = 0, 1, 2, 3

# Stay at UNKNOWN until the check has actually produced a verdict.
$returnState = $returnStateUnknown

# Accumulates the HTML fragment that is printed as plugin output.
$icinga2_status = ""
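function Get-AntiVirusProduct {
    <#
    .SYNOPSIS
    Returns the Windows Security Center registration of every antivirus product on a host.
    .DESCRIPTION
    Queries root\SecurityCenter2\AntiVirusProduct over WMI and decodes each product's
    productState into a real-time protection status and a signature (definition) status.
    One object is emitted PER REGISTERED PRODUCT. A host with several products (for
    example a built-in engine plus a third-party one) yields several objects, so
    callers must not assume a single result. Nothing is emitted when no product is
    registered.
    productState is decoded as three bytes (high to low): security-provider flags,
    real-time protection state, signature state.
    .PARAMETER computername
    Host to query. Defaults to the local machine.
    .OUTPUTS
    PSObject with Computername, Name, ProductExecutable, 'Definition Status',
    'Real-time Protection Status', productState and 'Security Provider'.
    .NOTES
    Throws when the WMI query fails (host unreachable, access denied, namespace or
    class missing), so the caller can report UNKNOWN instead of "no antivirus".
    NOTE(review): root\SecurityCenter2 is generally present on client Windows
    editions only, not on Windows Server -- confirm before pointing this check at servers.
    #>
    [CmdletBinding()]
    param (
        [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
        [Alias('name')]
        $computername=$env:computername
    )

    try {
        # Get-WmiObject (DCOM) is kept deliberately: the rest of the script reaches
        # hosts the same way, so switching to Get-CimInstance would change the transport.
        # @() guarantees an array even for zero or one result.
        $products = @(Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct `
                        -ComputerName $computername -ErrorAction Stop)
    } catch {
        throw "Cannot query root\SecurityCenter2\AntiVirusProduct on '$computername': $($_.Exception.Message)"
    }

    # WSC_SECURITY_PROVIDER values are powers of two, so the provider byte is treated
    # as a flag set (e.g. 0x06 = AUTOUPDATE_SETTINGS + ANTIVIRUS) rather than a single
    # value. TODO(review): confirm the flag meanings against the Security Center docs.
    $providerNames = @{
        1  = "FIREWALL"
        2  = "AUTOUPDATE_SETTINGS"
        4  = "ANTIVIRUS"
        8  = "ANTISPYWARE"
        16 = "INTERNET_SETTINGS"
        32 = "USER_ACCOUNT_CONTROL"
        64 = "SERVICE"
    }

    foreach ($product in $products) {
        if ($product.productState -eq $null) {
            # No state at all: report UNKNOWN rather than decoding 0 as "OFF / UP_TO_DATE".
            $providerText = "UNKNOWN"
            $rtText       = "UNKNOWN"
            $sigText      = "UNKNOWN"
        } else {
            # productState is a 32-bit value; split off its three low bytes.
            $state        = [int64]$product.productState
            $providerByte = [int](($state -band 0xFF0000) / 0x10000)
            $rtByte       = [int](($state -band 0xFF00)   / 0x100)
            $sigByte      = [int]( $state -band 0xFF)

            $flags = @()
            foreach ($bit in ($providerNames.Keys | Sort-Object)) {
                if ($providerByte -band $bit) { $flags += $providerNames[$bit] }
            }
            if ($providerByte -eq 0)    { $providerText = "NONE" }
            elseif ($flags.Count -gt 0) { $providerText = $flags -join "," }
            else                        { $providerText = "UNKNOWN" }

            $rtText = switch ($rtByte) {
                0x00    { "OFF" }
                0x01    { "EXPIRED" }
                0x10    { "ON" }
                0x11    { "SNOOZED" }
                default { "UNKNOWN" }
            }

            $sigText = switch ($sigByte) {
                0x00    { "UP_TO_DATE" }
                0x10    { "OUT_OF_DATE" }
                default { "UNKNOWN" }
            }
        }

        New-Object -TypeName PSObject -Property @{
            Computername                  = $product.__Server
            Name                          = $product.displayName
            ProductExecutable             = $product.pathToSignedProductExe
            'Definition Status'           = $sigText
            'Real-time Protection Status' = $rtText
            productState                  = $product.productState
            'Security Provider'           = $providerText
        }
    }
} #End Get-AntiVirusProduct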
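# Product names and states come from the monitored host's WMI and are rendered as
# HTML by Icinga Web, so encode them to keep markup out of the status page.
# Requires .NET 4.0+ (System.Net.WebUtility).
function ConvertTo-HtmlText {
    param([string]$Text)
    return [System.Net.WebUtility]::HtmlEncode($Text)
}

# Reachability gate. -Quiet relies on ICMP echo: a host that drops ping is reported
# UNKNOWN here even if WMI would have worked.
$result = Test-Connection -ComputerName $ComputerName -Count 2 -Quiet
if ($result) {
    # Probe a class every Windows host has before touching SecurityCenter2, so a
    # DCOM/permission failure becomes UNKNOWN rather than a false "no antivirus".
    $computerSystem = Get-WmiObject Win32_ComputerSystem -computer $ComputerName -ErrorAction SilentlyContinue -Errorvariable err
    if (!$computerSystem) {
        # An ErrorRecord has no .Message of its own; the text lives on .Exception.
        if ($err) { Write-Host $err[0].Exception.Message }
        else      { Write-Host "WMI query Win32_ComputerSystem on $ComputerName returned nothing." }
        [System.Environment]::Exit($returnStateUnknown)
    }

    try {
        # @() normalises zero, one or many products to an array.
        $products = @(Get-AntiVirusProduct $ComputerName)
    } catch {
        Write-Host "Cannot read antivirus state from ${ComputerName}: $($_.Exception.Message)"
        [System.Environment]::Exit($returnStateUnknown)
    }

    $icinga2_status = "<div class='plsatin-ps-style'><table>"

    if ($products.Count -eq 0) {
        # WMI answered but nothing is registered with Security Center: as far as
        # Windows knows the host is unprotected, which is a CRITICAL finding.
        $icinga2_status += "<tr><td class='IconErrorEncoded'></td><td>Antivirus:</td><td>No product registered in root\SecurityCenter2</td></tr>"
        $icinga2_status += "</table></div>"
        Write-Host $icinga2_status
        [System.Environment]::Exit($returnStateCritical)
    }

    # Host verdict: start at CRITICAL and let the best product improve it.
    # Policy: the host counts as protected when at least one registered product has
    # real-time protection ON; ON with stale definitions is WARNING. Products that
    # are off are still listed so the operator sees them, but do not raise the alert
    # on their own while another product is active (the usual case when a built-in
    # engine is stood down after a third-party product registers).
    $returnState = $returnStateCritical
    foreach ($antivirus in $products) {
        $rtOn      = ($antivirus.'Real-time Protection Status' -eq "ON")
        $defsFresh = ($antivirus.'Definition Status' -eq "UP_TO_DATE")

        $protectionIcon = if ($rtOn)      { "IconSuccessEncoded" } else { "IconErrorEncoded" }
        $definationIcon = if ($defsFresh) { "IconSuccessEncoded" } else { "IconErrorEncoded" }

        if (-not $rtOn)          { $verdict = $returnStateCritical }
        elseif (-not $defsFresh) { $verdict = $returnStateWarning }
        else                     { $verdict = $returnStateOK }
        # Lower code = better state (0 OK, 1 WARNING, 2 CRITICAL).
        if ($verdict -lt $returnState) { $returnState = $verdict }

        $icinga2_status += "<tr><td class='$definationIcon'></td><td>Definition Status:</td><td>" + (ConvertTo-HtmlText $antivirus.'Definition Status') + "</td></tr>"
        $icinga2_status += "<tr><td class='$protectionIcon'></td><td>Real-time Protection Status:</td><td>" + (ConvertTo-HtmlText $antivirus.'Real-time Protection Status') + "</td></tr>"
        $icinga2_status += "<tr><td class='IconInfoEncoded'></td><td>Product Name:</td><td>" + (ConvertTo-HtmlText $antivirus.Name) + "</td></tr>"
        $icinga2_status += "<tr><td class='IconInfoEncoded'></td><td>Product State:</td><td>" + (ConvertTo-HtmlText $antivirus.productState) + "</td></tr>"
    }
    $icinga2_status += "</table></div>"

    Write-Host $icinga2_status
    [System.Environment]::Exit($returnState)
#End if test-connection result
} else {
    Write-Host "Host $ComputerName is not available."
    [System.Environment]::Exit($returnStateUnknown)
}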