2

I am using Microsoft System Center Endpoint Protection on all of the workstations I manage. For all three major platforms, it is a pain to get it to report on when it was last updated and last scanned. By parsing the system logs, I was able to retrieve dates for Mac and Linux, but Windows has been very elusive.

I can see the dates and times in the GUI, but that is impractical to run an automated report on dozens of computers. Does anyone know of a way (preferably using PowerShell, but I can make anything work) to output this data using some sort of script?

HopelessN00b
  • 53,795
  • 33
  • 135
  • 209
Jason Bray
  • 131
  • 1
  • 6

2 Answers2

1

Okay so I wrote the following powershell script to extract the date of most recent update from the log. There's a typo in the logging function of SCEP "succesfully" so when you notice that I also have a typo in my below code it's to match the one in the logs I am searching.

$a=Select-String -Pattern "Update completed succesfully" -Path C:\Windows\Temp\MpCmdRun.log | Foreach {($_ -split ':')[2]}

$lineNumber = $($a | measure -Maximum).Maximum + 1

$lastUpdate = Get-Content -Path C:\Windows\Temp\MpCmdRun.log | Select-Object -Index $lineNumber | Foreach {($_ -split ':\s')[2]}

$lastUpdate = $lastUpdate.Replace("$([char]8206)","")

Write-Host "scep_last_update=$lastUpdate"
Jason Bray
  • 131
  • 1
  • 6
0

Well, according to this Technet Page on Forefront Enterprise Protection (Which is the same product as SCEP, which is the same product as Security Essentials, etc., etc.), the following log locations exist for the product, which you could parse with some PowerShell for the information you seek:

  • %allusersprofile%\Microsoft\Microsoft Antimalware\Support
    • Log files specific for the antimalware service
  • %allusersprofile%\Microsoft\Microsoft Security Client\Support
    • Log files specific for the SCEP client software
  • %windir%\WindowsUpdate.log
    • Windows Update log files, which include information about definition updates
  • %windir%\CCM\Logs\EndpointProtectionagent.log
    • Shows Endpoint version and policies applied
  • %windir%\temp\MpCmdRun.log
    • Activity when performing scans and signature updates
  • %windir%\temp\MpSigStub.log
    • Update progress for signature and Engine updates

I also stumbled across the native cmdlets for SCEP, which you can list with: Get-Command -Module MpProvider, but they wouldn't behave for me, I couldn't do an Update-Help or find info about them on Microsoft sites... so I gave up. Maybe you'll have better luck - they seem to be basically the same as the cmdlets for Windows Defender.

HopelessN00b
  • 53,795
  • 33
  • 135
  • 209