Anti-Virus – Matt's Blog

Following on from my Symantec AV check I have written a first version of a similar check for E-Trust virus definitions. The format and structure to the check is the same as this check but it should return the relevant information for Computer Assoicates E-Trust Antivirus product.

For details on installation and configuration please check out the previous post. For the source code please check out the details below. If you wish to download this from Monitoring Exchange please use this link.

' Script: check_etrust_av.vbs
' Author: Matt White
' Version: 1.0
' Date: 12-03-2010
' Details: Check the current definitions for E-Trust AntiVirus are within acceptable bounds
' Usage: cscript /nologo check_etrust_av.vbs -w:<days> -c:<days>

' Define Constants for the script exiting
Const intOK = 0
Const intWarning = 1
Const intCritical = 2
Const intUnknown = 3

' Parse Arguments to find Warning and Critical Levels
If Wscript.Arguments.Named.Exists("w") Then
  intWarnLevel = Cint(Wscript.Arguments.Named("w"))
Else
  intWarnLevel = 2
End If

If Wscript.Arguments.Named.Exists("c") Then
  intCritLevel = Cint(Wscript.Arguments.Named("c"))
Else
  intCritLevel = 4
End If

' Define Date Regular Expression
Const strDateRegExp = "(0[1-9]|1[012])[- /.](0[1-9]|[12][0-9]|3[01])[- /.](19|20)dd"

' Create required objects
Set objShell = CreateObject("Wscript.Shell")
Set ObjProcess = ObjShell.Environment("Process")
Set objRegExp = New RegExp
Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\.rootdefault:StdRegProv")

const HKEY_CURRENT_USER = &H80000001
const HKEY_LOCAL_MACHINE = &H80000002


' read the path of E-Trust Anti-Virus from the registry
strKeyPath = "SOFTWAREComputerAssociatesScanEnginePath"
objReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,"Engine",strScanEnginePath

If TypeName(StrScanEnginePath) = "Null" Then
  WScript.Echo "UKNOWN: Cannot read registry Info. Is E-Trust installed?"
  Wscript.Quit(intUnknown)
End If

'strScanEnginePath = ObjShell.RegRead("HKLMSOFTWAREComputerAssociatesScanEnginePathEngine")

' Determine CPU architecture for correct executable to run
strCPUArch = objProcess("PROCESSOR_ARCHITECTURE")
If InStr(1, strCPUArch, "x86") > 0 Then
strExecutable = "inocmd32.exe"
ElseIf InStr(1, strCPUArch, "64") > 0 Then
strExecutable = "inocmd64.exe"
End If


' If the path doesnt exist Exit with an Unknown status
If Len(StrScanEnginePath) = 0 Then
  Wscript.Echo "UNKNOWN: Unable to read registry path"
  Wscript.Quit(intUnknown)
End If

' Run the command and read the output into a string
Set objExec = objShell.Exec(strScanEnginePath & strExecutable & " /sig")
strVirusDefs = objExec.StdOut.ReadAll()

' Search the Virus definition for the date using Regular Expression
objRegExp.Pattern = strDateRegExp
objRegExp.Global = True
objRegExp.IgnoreCase = True
Set regExpMatch = objRegExp.Execute(strVirusDefs)

' If date not found in the output. Exit with a warning
If regExpMatch.Count = 0 Then
  Wscript.Echo "UNKNOWN: Unable to read date from the output"
  Wscript.Quit(intUnknown)
End If

intDateDifference = DateDiff("d",CDate(regExpMatch(0).Value), Date)

Wscript.Echo strVirusDefs
If intDateDifference > intCritLevel Then
  Wscript.Quit(intCritical)
ElseIf intDateDifference > intWarnLevel Then
  Wscript.Quit(intWarning)
ElseIf intDateDifference <= intWarnLevel Then
  Wscript.Quit(intOK)
End If
Wscript.Quit(intUnknown)

' Script: check_etrust_av.vbs

' Author: Matt White

' Version: 1.0

' Date: 12-03-2010

' Details: Check the current definitions for E-Trust AntiVirus are within acceptable bounds

' Usage: cscript /nologo check_etrust_av.vbs -w:<days> -c:<days>

' Define Constants for the script exiting

Const intOK = 0

Const intWarning = 1

Const intCritical = 2

Const intUnknown = 3

' Parse Arguments to find Warning and Critical Levels

If Wscript.Arguments.Named.Exists("w") Then

intWarnLevel = Cint(Wscript.Arguments.Named("w"))

Else

intWarnLevel = 2

End If

If Wscript.Arguments.Named.Exists("c") Then

intCritLevel = Cint(Wscript.Arguments.Named("c"))

Else

intCritLevel = 4

End If

' Define Date Regular Expression

Const strDateRegExp = "(0[1-9]|1[012])[- /.](0[1-9]|[12][0-9]|3[01])[- /.](19|20)dd"

' Create required objects

Set objShell = CreateObject("Wscript.Shell")

Set ObjProcess = ObjShell.Environment("Process")

Set objRegExp = New RegExp

Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\.rootdefault:StdRegProv")

const HKEY_CURRENT_USER = &H80000001

const HKEY_LOCAL_MACHINE = &H80000002

' read the path of E-Trust Anti-Virus from the registry

strKeyPath = "SOFTWAREComputerAssociatesScanEnginePath"

objReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,"Engine",strScanEnginePath

If TypeName(StrScanEnginePath) = "Null" Then

WScript.Echo "UKNOWN: Cannot read registry Info. Is E-Trust installed?"

Wscript.Quit(intUnknown)

End If

'strScanEnginePath = ObjShell.RegRead("HKLMSOFTWAREComputerAssociatesScanEnginePathEngine")

' Determine CPU architecture for correct executable to run

strCPUArch = objProcess("PROCESSOR_ARCHITECTURE")

If InStr(1, strCPUArch, "x86") > 0 Then

strExecutable = "inocmd32.exe"

ElseIf InStr(1, strCPUArch, "64") > 0 Then

strExecutable = "inocmd64.exe"

End If

' If the path doesnt exist Exit with an Unknown status

If Len(StrScanEnginePath) = 0 Then

Wscript.Echo "UNKNOWN: Unable to read registry path"

Wscript.Quit(intUnknown)

End If

' Run the command and read the output into a string

Set objExec = objShell.Exec(strScanEnginePath & strExecutable & " /sig")

strVirusDefs = objExec.StdOut.ReadAll()

' Search the Virus definition for the date using Regular Expression

objRegExp.Pattern = strDateRegExp

objRegExp.Global = True

objRegExp.IgnoreCase = True

Set regExpMatch = objRegExp.Execute(strVirusDefs)

' If date not found in the output. Exit with a warning

If regExpMatch.Count = 0 Then

Wscript.Echo "UNKNOWN: Unable to read date from the output"

Wscript.Quit(intUnknown)

End If

intDateDifference = DateDiff("d",CDate(regExpMatch(0).Value), Date)

Wscript.Echo strVirusDefs

If intDateDifference > intCritLevel Then

Wscript.Quit(intCritical)

ElseIf intDateDifference > intWarnLevel Then

Wscript.Quit(intWarning)

ElseIf intDateDifference <= intWarnLevel Then

Wscript.Quit(intOK)

End If

Wscript.Quit(intUnknown)

This morning whilst deploying a modified version of the Symantec Anti-Virus check from MonitoringExchange.org I noticed that on my 64-bit hosts that the check was not returning the correct data and instead of the expected output I was receiving the following error code:

check_av.vbs(51, 1) Microsoft VBScript runtime error: Type mismatch: 'strValue'

1	check_av.vbs(51, 1) Microsoft VBScript runtime error: Type mismatch: 'strValue'

Initially I thought this could be a change due to the new installs being Symantec Endpoint Protection compared to the previous times I had implemented this using Symantec Anti-Virus 10.x but the SEP installs on the 32-bit systems were working fine however the 64-bit versions were not.

A quick look in the registry showed me that the value that is read by the script is not there on the 64-bit version and has been moved to another location (HKEY_LOCAL_MACHINESOFTWAREWow6432NodeSymantecSharedDefsDefWatch). I sat down with the script and quickly wrote in some extra code that would allow me to change the search path depending on the Operating System Architecture. I also added in some more error checking so if the key didnt exist then rather than exiting with an OK status it returns an UNKNOWN status and a relevant error message.

As I use NSClient++ to enable me to monitor my Windows servers I simply save the script to the NSClient++scripts folder and add the following line into my NSCI.ini under [NRPE Handlers]

check_av=cscript.exe //NoLogo scriptscheck_av.vbs /W:$ARG1$ /c:$ARG2$

1	check_av=cscript.exe //NoLogo scriptscheck_av.vbs /W:$ARG1$ /c:$ARG2$

Then from within Nagios or Opsview define the command for check_nrpe

check_nrpe -H $HOSTADDRESS$ -c check_av -a 2 3

The full script is listed below and is also available on Monitoring Exchange (link):

' Script: check_av.vbs
' Author: Matt White
' Version: 1.1
' Date: 01-03-2010
' Details: Check the current definitions for Symantec AntiVirus are within acceptable bounds
' Usage: cscript /nologo check_av.vbs -w:&lt;days&gt; -c:&lt;days&gt;

' Define Constants for the script exiting
Const intOK = 0
Const intWarning = 1
Const intCritical = 2
Const intUnknown = 3

' Create required objects
Set ObjShell = CreateObject("WScript.Shell")
Set ObjProcess = ObjShell.Environment("Process")

const HKEY_CURRENT_USER = &amp;H80000001
const HKEY_LOCAL_MACHINE = &amp;H80000002

Dim strKeyPath, strSymantecVer
Dim intWarnLevel, intCritLevel, intYear, intMonth , intDay, intVer_Major, intDateDifference
Dim year, Month , Day, Ver_Major
Dim arrValue

' Parse Arguments to find Warning and Critical Levels
If Wscript.Arguments.Named.Exists("w") Then
intWarnLevel = Cint(Wscript.Arguments.Named("w"))
Else
intWarnLevel = 2
End If

If Wscript.Arguments.Named.Exists("c") Then
intCritLevel = Cint(Wscript.Arguments.Named("c"))
Else
intCritLevel = 4
End If

' Determine CPU architecture for correct location of the registry key
strCPUArch = objProcess("PROCESSOR_ARCHITECTURE")
If InStr(1, strCPUArch, "x86") &gt; 0 Then
strKeyPath = "SOFTWARESymantecSharedDefsDefWatch"
ElseIf InStr(1, strCPUArch, "64") &gt; 0 Then
strKeyPath = "SOFTWAREWow6432NodeSymantecSharedDefsDefWatch"
End If

' Query Registry using WMI to obtain the definition value
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\.rootdefault:StdRegProv")
oReg.GetBinaryValue HKEY_LOCAL_MACHINE,strKeyPath,"DefVersion",arrValue

' If the query doesnt return an array Quit - Unknown
If isArray(arrValue) = vbFalse Then
Wscript.Echo "UNKNOWN - Unable to read Definitions from the Registry"
Wscript.Quit(intUnknown)
End If

' Generate output from the registry value
intYear = CLng("&amp;H" &amp; hex(arrValue(1)) &amp; hex(arrValue(0)))
intMonth = CLng("&amp;H" &amp; hex(arrValue(3)) &amp; hex(arrValue(2)))
intDay = CLng("&amp;H" &amp; hex(arrValue(7)) &amp; hex(arrValue(6)))
intVer_Major = CLng("&amp;H" &amp; hex(arrValue(17)) &amp; hex(arrValue(16)))
strSymantecVer= intYear &amp; "-" &amp; intMonth &amp; "-" &amp; intDay &amp; " rev. " &amp; intVer_Major
intDateDifference = DateDiff("d", intYear &amp; "/" &amp; intMonth &amp; "/" &amp; intDay, Date)

' Output current version and definition age as Performance data
Wscript.Echo("Current Definitions: " &amp; strSymantecVer &amp; " Which are " &amp; intDateDifference &amp; " days old" &amp; "|age=" &amp; intDateDifference)

If intDateDifference &gt; intCritLevel Then
Wscript.Quit(intCritical)
ElseIf intDateDifference &gt; intWarnLevel Then
Wscript.Quit(intWarning)
ElseIf intDateDifference &lt;= intWarnLevel Then
Wscript.Quit(intOK)
End If
Wscript.Quit(intUnknown)

' Script: check_av.vbs

' Author: Matt White

' Version: 1.1

' Date: 01-03-2010

' Details: Check the current definitions for Symantec AntiVirus are within acceptable bounds

' Usage: cscript /nologo check_av.vbs -w:<days> -c:<days>

' Define Constants for the script exiting

Const intOK = 0

Const intWarning = 1

Const intCritical = 2

Const intUnknown = 3

' Create required objects

Set ObjShell = CreateObject("WScript.Shell")

Set ObjProcess = ObjShell.Environment("Process")

const HKEY_CURRENT_USER = &H80000001

const HKEY_LOCAL_MACHINE = &H80000002

Dim strKeyPath, strSymantecVer

Dim intWarnLevel, intCritLevel, intYear, intMonth , intDay, intVer_Major, intDateDifference

Dim year, Month , Day, Ver_Major

Dim arrValue

' Parse Arguments to find Warning and Critical Levels

If Wscript.Arguments.Named.Exists("w") Then

intWarnLevel = Cint(Wscript.Arguments.Named("w"))

Else

intWarnLevel = 2

End If

If Wscript.Arguments.Named.Exists("c") Then

intCritLevel = Cint(Wscript.Arguments.Named("c"))

Else

intCritLevel = 4

End If

' Determine CPU architecture for correct location of the registry key

strCPUArch = objProcess("PROCESSOR_ARCHITECTURE")

If InStr(1, strCPUArch, "x86") > 0 Then

strKeyPath = "SOFTWARESymantecSharedDefsDefWatch"

ElseIf InStr(1, strCPUArch, "64") > 0 Then

strKeyPath = "SOFTWAREWow6432NodeSymantecSharedDefsDefWatch"

End If

' Query Registry using WMI to obtain the definition value

Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\.rootdefault:StdRegProv")

oReg.GetBinaryValue HKEY_LOCAL_MACHINE,strKeyPath,"DefVersion",arrValue

' If the query doesnt return an array Quit - Unknown

If isArray(arrValue) = vbFalse Then

Wscript.Echo "UNKNOWN - Unable to read Definitions from the Registry"

Wscript.Quit(intUnknown)

End If

' Generate output from the registry value

intYear = CLng("&H" & hex(arrValue(1)) & hex(arrValue(0)))

intMonth = CLng("&H" & hex(arrValue(3)) & hex(arrValue(2)))

intDay = CLng("&H" & hex(arrValue(7)) & hex(arrValue(6)))

intVer_Major = CLng("&H" & hex(arrValue(17)) & hex(arrValue(16)))

strSymantecVer= intYear & "-" & intMonth & "-" & intDay & " rev. " & intVer_Major

intDateDifference = DateDiff("d", intYear & "/" & intMonth & "/" & intDay, Date)

' Output current version and definition age as Performance data

Wscript.Echo("Current Definitions: " & strSymantecVer & " Which are " & intDateDifference & " days old" & "|age=" & intDateDifference)

If intDateDifference > intCritLevel Then

Wscript.Quit(intCritical)

ElseIf intDateDifference > intWarnLevel Then

Wscript.Quit(intWarning)

ElseIf intDateDifference <= intWarnLevel Then

Wscript.Quit(intOK)

End If

Wscript.Quit(intUnknown)

Tag: Anti-Virus

Check E-Trust Antivirus Definitions

Nagios/Opsview: Check Symantec AV Definitions