Using PowerShell to Audit Antivirus Updates on your Servers

How often do you check to make sure that things like antivirus have received the latest definition files on all of your servers? There’s probably some centralized GUI interface somewhere that you could log into and check. The antivirus product itself may even have some sort of notification system that sends alerts if the updates fail. Both of those options provide data in a format that can’t easily be worked with, and what happens if something falls through the cracks? Are you willing to bet your job and possibly the reputation of your company that some junior level engineer is monitoring those systems?

While each antivirus product is different, it’s fairly simple to determine if the information for the antivirus product is stored somewhere such as in the registry where you can access it remotely with PowerShell. The following example was my first attempt at querying this information for ESET File Security:

Not bad, but the problem is that it queries each server individually (one at a time), which takes more time than necessary, and the last update property is returned as a string rather than as a date/time data type.

The problem with trying to query all of the servers in parallel with Invoke-Command is keeping up with the computer name for the ones that don’t have that particular registry key which means they don’t have ESET File Security installed.

In the previous example, Srv02 actually returns an error because the registry key doesn’t exist and that error is suppressed with -ErrorAction SilentlyContinue.

One of two things needs to happen to make Srv02 return a result so the PSComputerName synthetic property can be used in the output. Either catch the error and generate something out of nothing that can be returned, as shown in the following example:

Or return the error as part of the success output stream:

Notice that the date is now returned in a format that can be worked with. It can be used to return a list of all servers that haven’t received updates in a certain number of days. The function shown in this blog article could also be used as one of the tests in your operational validation testing of your servers to verify that everything is configured and working properly as well as receiving proper updates for things like antivirus software.
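The approach described above (querying every server in parallel with Invoke-Command, turning a missing registry key into a result object so PSComputerName survives, and converting the stored string into a real [datetime]) as an added, self-contained example. This is not the Get-MrEsetUpdateVersion function from the article or its GitHub repository; the function name, the registry path, the value names and the date format are placeholders you must replace with the ones your antivirus product actually uses.

```powershell
#Requires -Version 3.0
function Get-AvUpdateStatus {
    <#
    .SYNOPSIS
        Reports antivirus engine version and last definition update per server.
        Hypothetical example function; registry details are assumptions.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string[]]$ComputerName,

        # Assumed location of the product's version info. Substitute the real key.
        [string]$RegistryPath = 'HKLM:\SOFTWARE\ExampleAV\CurrentVersion\Info',
        [string]$VersionValueName = 'EngineVersion',
        [string]$UpdateValueName  = 'LastUpdate',

        # Assumed format of the stored string, e.g. "20240131" for 31 Jan 2024.
        [string]$DateFormat = 'yyyyMMdd',

        [System.Management.Automation.PSCredential]$Credential
    )

    $remote = {
        $path    = $using:RegistryPath
        $verName = $using:VersionValueName
        $updName = $using:UpdateValueName
        $fmt     = $using:DateFormat
        try {
            # -ErrorAction Stop makes a missing key a terminating error we can catch.
            $info = Get-ItemProperty -Path $path -ErrorAction Stop
            $lastUpdate = [datetime]::ParseExact([string]$info.$updName, $fmt,
                                                 [cultureinfo]::InvariantCulture)
            [pscustomobject]@{
                Installed  = $true
                Version    = $info.$verName
                LastUpdate = $lastUpdate
                Error      = $null
            }
        }
        catch {
            # Return an object instead of an error so the caller still gets
            # PSComputerName. Only a missing key means "not installed"; anything
            # else (access denied, unparsable date) is reported as an error.
            $missing = $_.CategoryInfo.Category -eq 'ObjectNotFound'
            [pscustomobject]@{
                Installed  = -not $missing
                Version    = $null
                LastUpdate = $null
                Error      = if ($missing) { 'Registry key not found' } else { $_.Exception.Message }
            }
        }
    }

    $params = @{ ComputerName = $ComputerName; ScriptBlock = $remote }
    if ($PSBoundParameters.ContainsKey('Credential')) { $params.Credential = $Credential }

    # Servers that cannot be reached over WinRM never run the script block, so
    # they produce no object. Collect the results and report those explicitly.
    $results = Invoke-Command @params -ErrorAction SilentlyContinue

    foreach ($r in $results) {
        [pscustomobject]@{
            ComputerName = $r.PSComputerName
            Installed    = $r.Installed
            Version      = $r.Version
            LastUpdate   = $r.LastUpdate
            Error        = $r.Error
        }
    }
    foreach ($name in $ComputerName) {
        if ($name -notin $results.PSComputerName) {
            [pscustomobject]@{
                ComputerName = $name
                Installed    = $null
                Version      = $null
                LastUpdate   = $null
                Error        = 'No result returned (unreachable or remoting disabled)'
            }
        }
    }
}

# Usage: list servers that have not updated in the last 3 days, including the
# ones where the product is missing, the date could not be read, or the server
# could not be reached at all. Those are exactly the ones that "fall through the cracks".
Get-AvUpdateStatus -ComputerName Srv01, Srv02, Srv03 |
    Where-Object { -not $_.LastUpdate -or $_.LastUpdate -lt (Get-Date).AddDays(-3) } |
    Format-Table -AutoSize
```

Because LastUpdate is a real [datetime], the Where-Object comparison is a date comparison rather than a string comparison, and the same objects can be piped into Export-Csv, Compare-Object against yesterday's run, or a Pester test for operational validation.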

The Get-MrEsetUpdateVersion function shown in this blog article can be downloaded from my PowerShell repository on GitHub.
