Obtém informações do Microsoft Security Essentials e exibe de uma forma compreensível ao Zabbix
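' Reads Microsoft Security Essentials state (registry, quarantine folder,
' MpCmdRun.exe) and prints one value per call in the shape a Zabbix user
' parameter expects. Anything that cannot be answered is reported as
' ZBX_NOTSUPPORTED, so the Zabbix item is flagged unsupported instead of
' receiving an error message or an empty line.
' Run with: cscript.exe //nologo mse.vbs <item>   (see Uso for the items)
' The registry layout comes from:
' http://serverfault.com/questions/230368/timestamp-of-last-definition-update-for-microsoft-security-essentials-via-script
' Tobias 12/11/13
Set objetoShell = CreateObject("WScript.Shell")
Set objetoFS = CreateObject("Scripting.FileSystemObject")

' File system locations, derived from the environment rather than hard-coded drives.
' NOTE(review): a 32-bit cscript.exe on 64-bit Windows expands %programfiles% to the
' "Program Files (x86)" folder; use the 64-bit host if MpCmdRun.exe is reported missing.
diretorioProgramas = objetoShell.ExpandEnvironmentStrings("%programfiles%")
diretorioDadosProgramas = objetoShell.ExpandEnvironmentStrings("%programdata%")
diretorioQuarentena = diretorioDadosProgramas & "\Microsoft\Microsoft Antimalware\Quarantine\Entries\"
itemDeteccao = diretorioDadosProgramas & "\Microsoft\Microsoft Antimalware\Scans\History\Service\Detections.log"
diretorioComandos = diretorioProgramas & "\Microsoft Security Client\"
executavelMpCmdRun = diretorioComandos & "MpCmdRun.exe"

' Registry values under the Microsoft Antimalware key.
chaveRegistro = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware"
chaveScan = chaveRegistro & "\Scan"
chaveAtualizacaoAssinatura = chaveRegistro & "\Signature Updates"
caminhoInstalacao = chaveRegistro & "\InstallLocation"
valorVersaoAV = chaveAtualizacaoAssinatura & "\AVSignatureVersion"
valorVersaoAS = chaveAtualizacaoAssinatura & "\ASSignatureVersion"
valorVersaoEngine = chaveAtualizacaoAssinatura & "\EngineVersion"
dataAV = chaveAtualizacaoAssinatura & "\AVSignatureApplied"
dataAS = chaveAtualizacaoAssinatura & "\ASSignatureApplied"
tempoUltimoScan = chaveScan & "\LastScanRun"
tipoUltimoScan = chaveScan & "\LastScanType"
valorEngineNIS = chaveAtualizacaoAssinatura & "\NISEngineVersion"
valorVersaoAssinaturaNIS = chaveAtualizacaoAssinatura & "\NISSignatureVersion"
dataAssinaturaNIS = chaveAtualizacaoAssinatura & "\NISSignatureApplied"
dataUltimaAtualizacao = chaveAtualizacaoAssinatura & "\SignaturesLastUpdated"

Const NAO_SUPORTADO = "ZBX_NOTSUPPORTED"

If WScript.Arguments.Count = 0 Then
    WScript.Echo NAO_SUPORTADO
    WScript.Quit
End If

Select Case WScript.Arguments(0)
    Case "--help", "-h", "/?"
        Uso
    Case "number_quarantine_items"
        ' GetFolder raises a runtime error when the folder is missing (nothing was
        ' ever quarantined); Zabbix would receive that error text, so report unsupported.
        If objetoFS.FolderExists(diretorioQuarentena) Then
            WScript.Echo objetoFS.GetFolder(diretorioQuarentena).Files.Count
        Else
            WScript.Echo NAO_SUPORTADO
        End If
    Case "list_quarantine_items"
        ' The whole executable path is quoted (the folder name contains a space) and
        ' the listing is read straight from the child's stdout: no cmd.exe redirection,
        ' no fixed Sleep, and no intermediate file in the per-user %temp% folder.
        ' NOTE(review): MpCmdRun documents this switch as -ListAll; confirm --ListAll is accepted.
        ' NOTE(review): stderr is not drained, so an unusually chatty stderr could stall ReadAll.
        If objetoFS.FileExists(executavelMpCmdRun) Then
            Set processo = objetoShell.Exec(Enquote(executavelMpCmdRun) & " -Restore --ListAll")
            WScript.Echo processo.StdOut.ReadAll
        Else
            WScript.Echo NAO_SUPORTADO
        End If
    Case "client_version" ' antimalware client version
        WScript.Echo GetProductVersion(caminhoInstalacao)
    Case "engine_version"
        WScript.Echo LerRegistro(valorVersaoEngine)
    Case "antivirus_definition_version"
        WScript.Echo LerRegistro(valorVersaoAV)
    Case "antivirus_definition_time"
        WScript.Echo dataParaTimestamp(BinaryToDate(LerRegistro(dataAV)))
    Case "antispyware_definition_version"
        WScript.Echo LerRegistro(valorVersaoAS)
    Case "antispyware_definition_time"
        WScript.Echo dataParaTimestamp(BinaryToDate(LerRegistro(dataAS)))
    Case "nis_engine_version" ' Network Inspection System engine
        WScript.Echo LerRegistro(valorEngineNIS)
    Case "nis_signature_version"
        WScript.Echo LerRegistro(valorVersaoAssinaturaNIS)
    Case "nis_signature_time"
        WScript.Echo dataParaTimestamp(BinaryToDate(LerRegistro(dataAssinaturaNIS)))
    Case "last_scan_time"
        WScript.Echo dataParaTimestamp(BinaryToDate(LerRegistro(tempoUltimoScan)))
    Case "last_scan_type"
        WScript.Echo GetScanType(LerRegistro(tipoUltimoScan))
    Case "last_update_time"
        WScript.Echo dataParaTimestamp(BinaryToDate(LerRegistro(dataUltimaAtualizacao)))
    Case "last_detection_time"
        ' The log may not exist until something has been detected; GetFile would error.
        If objetoFS.FileExists(itemDeteccao) Then
            WScript.Echo dataParaTimestamp(objetoFS.GetFile(itemDeteccao).DateLastModified)
        Else
            WScript.Echo NAO_SUPORTADO
        End If
    Case "teste"
        ' Fixed reference value for checking the Zabbix side by hand.
        WScript.Echo "1384274861"
        SecsSince = CLng(DateDiff("s", "01/01/1970 00:00:00", "12/11/2013 16:47:41"))
        WScript.Echo SecsSince - 3600 * -2
    Case Else
        WScript.Echo NAO_SUPORTADO
End Select

' Reads a registry value through the global WScript.Shell. When the value (or the
' whole product key) is absent, RegRead raises a runtime error that would reach
' Zabbix as an error text; instead the script prints ZBX_NOTSUPPORTED and exits.
'  Parameter: caminho - full registry path of the value to read
'  Return: the value as RegRead returns it (string, number or byte array)
Function LerRegistro(caminho)
    On Error Resume Next
    LerRegistro = objetoShell.RegRead(caminho)
    If Err.Number <> 0 Then
        WScript.Echo NAO_SUPORTADO
        WScript.Quit
    End If
End Function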
' Prints one help line per supported item; the text is what the Zabbix operator
' sees when calling the script with --help, -h or /?.
Sub Uso()
    Dim linhasAjuda, linha
    linhasAjuda = Array( _
        "number_quarantine_items exibe o numero de arquivos na quarentena", _
        "list_quarantine_items lista (todo) o historico de itens na quarentena", _
        "client_version exibe a versao do cliente antimalware", _
        "engine_version exibe a versao do mecanismo", _
        "antivirus_definition_version exibe a versao da definicao de antivirus", _
        "antivirus_definition_time exibe o timestamp da definicao de antivirus", _
        "antispyware_definition_version exibe a versao da definicao de antispyware", _
        "antispyware_definition_time exibe o timestamp da definicao do antispyware", _
        "nis_engine_version exibe a versao do mecanismo de sistema de inspecao de rede", _
        "nis_signature_version exibe a versao da definicao do sistema de inspecao de rede", _
        "nis_signature_time exibe o timestamp da definicao do sistema de ispecao de rede", _
        "last_scan_time timestamp do ultimo scan", _
        "last_scan_type exibe tipo do ultimo scan", _
        "last_update_time timestamp da ultima atualizacao", _
        "last_detection_time timestamp da ultima deteccao de malware")
    For Each linha In linhasAjuda
        WScript.Echo linha
    Next
End Sub
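' Converts a local-time VBScript date into a Unix timestamp (seconds since
' 1970-01-01 00:00:00 UTC). The input is local time, so the machine's current
' UTC offset in hours (GetTimeZoneOffset) is removed afterwards.
' http://www.paulsadowski.com/wsh/timestamp.htm
'  Parameter: data - a VARIANT date in local time
'  Return: a Long with the number of seconds since the Unix epoch
Function dataParaTimestamp(data)
    Dim segundosDesdeInicio
    ' DateSerial avoids parsing a literal date string under the current locale.
    segundosDesdeInicio = CLng(DateDiff("s", DateSerial(1970, 1, 1), data))
    ' CurrentTimeZone is signed (negative west of UTC), so subtracting
    ' 3600 * offset shifts local time back to UTC; abs() was dropped on purpose.
    dataParaTimestamp = segundosDesdeInicio - 3600 * GetTimeZoneOffset
End Function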
'===============================================================
' BinaryToDate converts the 8-byte little-endian FILETIME found in a REG_BINARY
' value (100-ns intervals since 1601-01-01 UTC) into a VARIANT date in local
' time. The UTC -> local shift is done by SWbemDateTime: SetVarDate with
' bIsLocal = False, then GetVarDate with its default bIsLocal = True.
'  Parameter: bArray - a VARIANT array of 8 bytes, least significant byte first
'  Return: a VARIANT date in local time
' http://serverfault.com/questions/230368/timestamp-of-last-definition-update-for-microsoft-security-essentials-via-script
Function BinaryToDate(bArray)
    Dim ticks, dias, indice, conversor
    Set conversor = CreateObject("WbemScripting.SWbemDateTime")
    ' Accumulate from the most significant byte down; same operation order as
    ' writing the eight products out by hand, so the rounding is unchanged.
    ticks = 0
    For indice = 7 To 0 Step -1
        ticks = ticks + bArray(indice) * 2 ^ (8 * indice)
    Next
    ' 1E7 ticks per second, 86400 seconds per day.
    dias = ticks / (1E7 * 86400)
    conversor.SetVarDate CDate(DateSerial(1601, 1, 1) + dias), False
    BinaryToDate = conversor.GetVarDate()
End Function
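'===============================================================
' GetProductVersion reads the installation folder from the registry value at
' regPath and returns the file version of msmpeng.exe found in that folder.
' Uses the script-level objetoShell and objetoFS objects.
'  Parameter: regPath - full registry path of the value holding the install folder
'  Return: the version string reported by FileSystemObject.GetFileVersion
' http://serverfault.com/questions/230368/timestamp-of-last-definition-update-for-microsoft-security-essentials-via-script
Function GetProductVersion(regPath)
    Const FILE_TO_CHECK = "\msmpeng.exe"
    Dim strFilePath
    ' RegRead raises a runtime error when the value is missing (product not installed).
    strFilePath = objetoShell.RegRead(regPath) & FILE_TO_CHECK
    GetProductVersion = objetoFS.GetFileVersion(strFilePath)
End Function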
'===============================================================
' GetScanType maps the numeric LastScanType registry value to a label.
'  Parameter: iScanType - scan type code as stored by Microsoft Antimalware
'  Return: "Quick" for 1, "Full" for 2, "Invalid" for anything else
' http://serverfault.com/questions/230368/timestamp-of-last-definition-update-for-microsoft-security-essentials-via-script
Function GetScanType(iScanType)
    If iScanType = 1 Then
        GetScanType = "Quick"
    ElseIf iScanType = 2 Then
        GetScanType = "Full"
    Else
        GetScanType = "Invalid"
    End If
End Function
' http://www.edugeek.net/forums/scripts/5251-escape-quotations-vbs.html
' Wraps sSource in double quotes so a path containing spaces survives
' command-line parsing. Embedded quotes in sSource are not escaped.
Function Enquote(sSource)
    Const ASPAS = """"
    Enquote = ASPAS & sSource & ASPAS
End Function
' http://stackoverflow.com/questions/13980541/how-can-i-determine-my-time-zone-offset-using-vbscript
' Returns the local machine's current UTC offset in hours, taken from
' Win32_ComputerSystem.CurrentTimeZone (which WMI reports in minutes).
Function GetTimeZoneOffset()
    Dim servicoWmi, resultado, sistema
    Set servicoWmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set resultado = servicoWmi.ExecQuery("SELECT * FROM Win32_ComputerSystem")
    ' Only the first row is needed; the query returns one per machine.
    For Each sistema In resultado
        GetTimeZoneOffset = sistema.CurrentTimeZone / 60
        Exit For
    Next
End Function
' EOF |