Method to require A/V software to be running at logon time?

I'm trying to find a method to check a PC to verify that our antivirus software (Trend OfficeScan) is installed and running, either at startup or at logon. Does anyone know a good method for doing this?

Thanks,
Kerry
kerrydavis asked:
Rich Rumble (Security Samurai) commented:
A logon script may be the best (free) way, now that I think about it... your logon script can check for the running process easily, and you can shut down the machine, disable their NIC, or kill the VPN client. What are your specific needs?
Do you want to make sure that AV is running before allowing user to VPN into work?
Or do you want to make sure it's running before they can sign in on the domain at work, on the LAN?
Both?

This is what you could do with a logon script (they are very underutilized).
First, the user logs in, be it on the LAN or via VPN.
Then the logon script runs; it could be a batch file (or a VBS file) that does the following:

This would only work on an XP or 2003 machine, as wmic.exe is native to them only; the second example should run on Win2k and above.
EXAMPLE1 (this will use NET SEND to send a pop-up to kerrydavis (if that is a valid logon name) and to the local user, alerting them to contact Kerry Davis). You can modify what you need to; %username% is a variable, as are %computername%, %time% and %date%.
If the AV product is running then nothing is sent to anyone. If you need to locate the service name, run this in a CMD window:
wmic.exe SERVICE GET Name, State | findstr /I Running    (you should see the Trend program running)

@echo off
REM "Mcshield" is McAfee's service name as posted; substitute the Trend OfficeScan
REM service name found with:  wmic.exe SERVICE GET Name, State | findstr /I Running
REM wmic prints the Name column first and State second, so token 2 is the state
REM (this only holds while the service name itself contains no spaces).
FOR /F "tokens=2 delims= " %%i IN ('"wmic.exe SERVICE GET Name, State" ^| findstr /I Running ^| findstr /I Mcshield') DO if %%i==Running goto :end
:ca
REM Not running. This second check only confirms the Stopped state; the script
REM falls through to :send either way, so a service that is absent is reported too.
FOR /F "tokens=2 delims= " %%i IN ('"wmic.exe SERVICE GET Name, State" ^| findstr /I Stopped ^| findstr /I Mcshield') DO if %%i==Stopped goto :send
:send
net send %username% ALERT! You've signed in the domain with your AntiVirus software disabled. Contact Kerry Davis as soon as possible at 123.456.7890 ext 009
net send kerrydavis User: %username% logged on Computer: %computername% at Time: %time%  Date: %date%, but is not running AV!!!
:end

EXAMPLE2 (this example looks for the process Mcshield; if it's running, then no message is sent.
If the Mcshield process isn't running, then using SC.exe the McAfee service (McAfeeFramework) is checked for the stopped state, and a message is sent to you and the user.)

@echo off
REM pulist (Resource Kit) lists image names such as Mcshield.exe, so compare on
REM the findstr match itself: any line returned means the process is running.
REM Substitute the Trend OfficeScan process name for Mcshield.
FOR /F "tokens=1 delims= " %%i IN ('"pulist %computername%" ^| findstr /I Mcshield') DO goto :end
:ca
REM Process not found: confirm the service is STOPPED with sc.exe. Its output line
REM reads "STATE : 1 STOPPED", so the state word is token 4, not token 2.
REM The script falls through to :send regardless, so a missing service is reported too.
FOR /F "tokens=4 delims= " %%i IN ('"sc query McAfeeFramework" ^| findstr /I STOPPED') DO if /I %%i==STOPPED goto :send
:send
net send %username% ALERT! You've signed in the domain with your AntiVirus software disabled. Contact Kerry Davis as soon as possible at 123.456.7890 ext 009
net send kerrydavis User: %username% logged on Computer: %computername% at Time: %time%  Date: %date%, but is not running AV!!!
:end

Will that work? Let me know if you have any trouble with these.
-rich
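
Added example, not part of the original post and not Rich's or Trend Micro's code: the same decision the two batch scripts above make, written in Python over constructed samples of `sc query` and `wmic service get Name,State` output so it can be run and checked offline. It covers the two edge cases the thread touches: a service whose name contains spaces (where a whitespace `tokens=2` split of the wmic output would pick the wrong field, so the parser cuts at the header's column offsets instead) and a service that is not installed at all, which the policy treats as a failure rather than letting it pass silently. The service names, the "Hypothetical AV Service" entry, the sample output text and the `query_service` helper are assumptions; only the `__main__` section touches a live Windows host.

```python
"""Classify an antivirus service's state from Windows service-query output.

Added example; every sample below is constructed, not captured from a host.
"""
import re
import subprocess
import sys

# Constructed `sc query McShield` output for a running service (English locale).
SC_RUNNING = """\
SERVICE_NAME: McShield
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""
# Same service, stopped.
SC_STOPPED = SC_RUNNING.replace("4  RUNNING", "1  STOPPED")
# `sc query` for a service that is not installed (Win32 error 1060).
SC_MISSING = ("[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
              "The specified service does not exist as an installed service.\n")
# `wmic service get Name,State` pads columns to a fixed width and ends each
# line with \r\r\n. "Hypothetical AV Service" is a made-up name containing spaces.
WMIC_OUTPUT = "".join(
    f"{name:<25}{state:<9}\r\r\n"
    for name, state in [("Name", "State"),
                        ("McShield", "Running"),
                        ("Hypothetical AV Service", "Stopped")]
)

_STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.MULTILINE)


def sc_state(output):
    """Return the state word from `sc query` text (RUNNING, STOPPED, ...),
    MISSING when the service is not installed, UNKNOWN if nothing parses."""
    if "FAILED 1060" in output:
        return "MISSING"
    match = _STATE_RE.search(output)
    return match.group(1) if match else "UNKNOWN"


def wmic_states(output):
    """Parse `wmic service get Name,State` into {name: state}.

    Fields are cut at the column offset of the header's "State" label, so a
    service name containing spaces stays whole; a whitespace split would not."""
    lines = [ln.rstrip("\r ") for ln in output.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    col = header.index("State")  # where the State column begins
    return {ln[:col].rstrip(): ln[col:].strip() for ln in rows}


def av_check(service, sc_output):
    """Policy decision: only RUNNING passes. STOPPED, MISSING and anything
    unexpected all fail, so an uninstalled product cannot pass silently."""
    state = sc_state(sc_output)
    if state == "RUNNING":
        return True, None
    return False, f"{service} is {state}: antivirus is not protecting this host"


def query_service(service):
    """Run `sc query <service>` on a live Windows host (hypothetical use; not
    exercised by the samples above)."""
    proc = subprocess.run(["sc", "query", service], capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # Usage on a Windows host:  python av_check.py <ServiceName>
    name = sys.argv[1] if len(sys.argv) > 1 else "McShield"
    ok, message = av_check(name, query_service(name))
    print("OK" if ok else message)
    sys.exit(0 if ok else 1)
```

The exit code is what a logon script would branch on in place of the `goto :send` fall-through; `wmic_states` gives the same answer from the wmic form, where a service that is absent from the returned dictionary is the MISSING case.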
 
Rich Rumble (Security Samurai) commented:
There are a few ways: scheduled tasks spring to mind; many services can be told to retry or restart if shut down or crashed; you can use a WMI loop to look for a change of state, SNMP traps or SNMP polling, etc.

I assume you want to require that AV is running at all times, or just before/during logging on to the domain. This is a common question with VPNs: "how can I require updated virus definitions and a scan BEFORE the users are able to auth to our LAN?" For the VPN question I listed, Cisco's VPN can use another product from Cisco that requires just that before users are allowed to auth to the LAN/VPN. Cisco calls the product "Secure Desktop"; it also checks for things like keyloggers etc.

Back to your main question.
http://www.microsoft.com/technet/scriptcenter/resources/qanda/sept04/hey0903.mspx
http://www.microsoft.com/technet/community/columns/scripts/sg0103.mspx (interesting idea, but too complicated)
http://support.microsoft.com/default.aspx?scid=kb;en-us;308569&sd=tech
http://www.iopus.com/guides/winscheduler.htm

If users are not administrators of their machines, there are processes that cannot be stopped by them if they are started with the system account.
-rich
 
kerrydavis (Author) commented:
Checking to make sure a service starts is good, but if the service does not exist, I don't want to allow the machine to log in and, ideally, I'd like to be notified. Any apps/tools out there for this?
 
kerrydavis (Author) commented:
I'll give these batch file commands a shot.  I think you're right that this will accomplish what I want.  Thanks for the detailed examples!

Kerry
 
Rich Rumble (Security Samurai) commented:
Took a few hours of testing with different commands (tasklist, pulist, sc, wmic), but they should get the job done; let me know if you have any problems with them.
The Messenger service will have to be turned on on all computers sending/receiving "net send" messages.
-rich
 
Rich Rumble (Security Samurai) commented:
FYI, I've written a few scripting tutorials at my website here:
http://xinn.org/logonscripting101.html
and
http://xinn.org/logonscripting102.html (under construction)

I've included the script I created for you and went on to update our own scripts at work.
Again, let me know if you need any further help with these.
-rich