Endpoint protection assessment and recommendations in Azure Security Center

Azure Security Center provides health assessments of supported versions of endpoint protection solutions. This article explains the scenarios that lead Security Center to generate the following two recommendations:

  • Install endpoint protection solutions on your virtual machine
  • Resolve endpoint protection health issues on your machines

Windows Defender

  • Security Center recommends you "Install endpoint protection solutions on virtual machine" when Get-MpComputerStatus runs and the result is AMServiceEnabled: False

  • Security Center recommends you "Resolve endpoint protection health issues on your machines" when Get-MpComputerStatus runs and any of the following occurs:

    • Any of the following properties is false:

      • AMServiceEnabled
      • AntispywareEnabled
      • RealTimeProtectionEnabled
      • BehaviorMonitorEnabled
      • IoavProtectionEnabled
      • OnAccessProtectionEnabled
    • One or both of the following properties (signature age in days) are 7 or more:

      • AntispywareSignatureAge
      • AntivirusSignatureAge

Microsoft System Center Endpoint Protection

  • Security Center recommends you "Install endpoint protection solutions on virtual machine" when importing the SCEP module ($env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1) and running Get-MProtComputerStatus results in AMServiceEnabled = false.

  • Security Center recommends you "Resolve endpoint protection health issues on your machines" when Get-MProtComputerStatus runs and any of the following occurs:

    • At least one of the following properties is false:

      • AMServiceEnabled
      • AntispywareEnabled
      • RealTimeProtectionEnabled
      • BehaviorMonitorEnabled
      • IoavProtectionEnabled
      • OnAccessProtectionEnabled
    • One or both of the following signature ages (in days) are greater than or equal to 7:

      • AntispywareSignatureAge
      • AntivirusSignatureAge
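The Windows Defender and System Center Endpoint Protection checks above use the same property names and the same 7-day threshold, so one script can reproduce both. The following is an added example, not code from the Security Center page or from Microsoft: it runs Get-MpComputerStatus (or, when the SCEP provider module from the path above is present instead, Get-MProtComputerStatus) and reports which of the two recommendations Security Center would raise for that state. It assumes an elevated PowerShell session on the VM; the function names and the constructed sample object at the end are hypothetical.

```powershell
# Added example (not from the Security Center page). Reproduces the Defender / SCEP
# assessment logic locally. Assumptions: elevated session; either the Defender module
# (Get-MpComputerStatus) or the SCEP MpProvider module (Get-MProtComputerStatus) is
# installed. Function names are hypothetical.

$BooleanProps = 'AMServiceEnabled', 'AntispywareEnabled', 'RealTimeProtectionEnabled',
                'BehaviorMonitorEnabled', 'IoavProtectionEnabled', 'OnAccessProtectionEnabled'
$AgeProps     = 'AntispywareSignatureAge', 'AntivirusSignatureAge'
$MaxSignatureAgeDays = 7    # page: a health issue is raised at 7 days or more

function Get-EndpointStatus {
    # Defender first; fall back to the SCEP provider module named on the page.
    $scepModule = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpProvider\MpProvider.psd1'
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        return Get-MpComputerStatus
    }
    if (Test-Path $scepModule) {
        Import-Module $scepModule -ErrorAction Stop
        return Get-MProtComputerStatus
    }
    return $null    # neither product found
}

function Test-EndpointProtectionHealth {
    # $Status is the object returned by Get-MpComputerStatus or Get-MProtComputerStatus.
    # Returns the recommendations Security Center would raise for this state.
    param($Status)
    if ($null -eq $Status -or -not $Status.AMServiceEnabled) {
        return @('Install endpoint protection solutions on virtual machine (AMServiceEnabled is False)')
    }
    $findings = @()
    foreach ($p in $BooleanProps) {
        if (-not $Status.$p) {
            $findings += "Resolve endpoint protection health issues: $p is False"
        }
    }
    foreach ($p in $AgeProps) {
        if ([int]$Status.$p -ge $MaxSignatureAgeDays) {
            $findings += "Resolve endpoint protection health issues: $p is $($Status.$p) days (threshold $MaxSignatureAgeDays)"
        }
    }
    return $findings
}

# Live use on the VM:
#   Test-EndpointProtectionHealth -Status (Get-EndpointStatus)
# Offline check with a constructed status object (IOAV off, antispyware signatures 9 days old):
$sample = [pscustomobject]@{
    AMServiceEnabled = $true; AntispywareEnabled = $true; RealTimeProtectionEnabled = $true
    BehaviorMonitorEnabled = $true; IoavProtectionEnabled = $false; OnAccessProtectionEnabled = $true
    AntispywareSignatureAge = 9; AntivirusSignatureAge = 2
}
Test-EndpointProtectionHealth -Status $sample
```

Running the script as written prints two findings for the constructed object: IoavProtectionEnabled is False, and AntispywareSignatureAge is 9 days. On a real VM, replace the sample with the output of Get-EndpointStatus; a missing product or a stopped AM service yields the "Install" recommendation rather than the "Resolve" one, matching the ordering the page describes.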

Trend Micro

  • Security Center recommends you "Install endpoint protection solutions on virtual machine" when any of the following checks aren't met:
    • HKLM:\SOFTWARE\TrendMicro\Deep Security Agent exists
    • HKLM:\SOFTWARE\TrendMicro\Deep Security Agent\InstallationFolder exists
    • The dsa_query.cmd file is found in the installation folder
    • Running dsa_query.cmd reports Component.AM.mode: on (Trend Micro Deep Security Agent detected)

Symantec Endpoint Protection

Security Center recommends you "Install endpoint protection solutions on virtual machine" when any of the following checks aren't met:

  • HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = "Symantec Endpoint Protection"
  • HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus = 1

Or

  • HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = "Symantec Endpoint Protection"
  • HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus = 1

Security Center recommends you "Resolve endpoint protection health issues on your machines" when any of the following checks aren't met:

  • Check Symantec version >= 12: registry location HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion, value PRODUCTVERSION
  • Check real-time protection status: HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\OnOff == 1
  • Check signature update status: HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LatestVirusDefsDate <= 7 days old
  • Check full scan status: HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LastSuccessfulScanDateTime <= 7 days old
  • Find the signature version number. Path to the signature version for Symantec 12: Registry Paths + "CurrentVersion\SharedDefs", value "SRTSP"
  • Path to the signature version for Symantec 14: Registry Paths + "CurrentVersion\SharedDefs\SDSDefs", value "SRTSP"

Registry Paths (each $Path fragment above is appended to both bases):

  • "HKLM:\Software\Symantec\Symantec Endpoint Protection" + $Path;
  • "HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection" + $Path

McAfee Endpoint Protection for Windows

Security Center recommends you "Install endpoint protection solutions on virtual machine" when any of the following checks aren't met:

  • HKLM:\SOFTWARE\McAfee\Endpoint\AV\ProductVersion exists
  • HKLM:\SOFTWARE\McAfee\AVSolution\MCSHIELDGLOBAL\GLOBAL\enableoas = 1

Security Center recommends you "Resolve endpoint protection health issues on your machines" when any of the following checks aren't met:

  • McAfee version: HKLM:\SOFTWARE\McAfee\Endpoint\AV\ProductVersion >= 10
  • Find signature version: HKLM:\Software\McAfee\AVSolution\DS\DS, value "dwContentMajorVersion"
  • Find signature date: HKLM:\Software\McAfee\AVSolution\DS\DS, value "szContentCreationDate" is no more than 7 days old
  • Find scan date: HKLM:\Software\McAfee\Endpoint\AV\ODS, value "LastFullScanOdsRunTime" is no more than 7 days old
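The Symantec and McAfee checks above are all registry reads, with the Symantec ones tried under both the native and the Wow6432Node base paths. The following is an added example, not Security Center's own code, that evaluates those checks on the VM and returns the recommendation they map to. The page does not say how the date values are stored, so the script assumes LatestVirusDefsDate is a date string [datetime] can parse, LastSuccessfulScanDateTime and LastFullScanOdsRunTime are Unix epoch seconds, and szContentCreationDate is yyyyMMdd; adjust those conversions to your build. All function names are hypothetical.

```powershell
# Added example (not Security Center's own code). Evaluates the Symantec Endpoint
# Protection and McAfee Endpoint Security checks against the local registry.
# Assumed value formats (not stated on the page): LatestVirusDefsDate = parsable date
# string; LastSuccessfulScanDateTime / LastFullScanOdsRunTime = Unix epoch seconds;
# szContentCreationDate = yyyyMMdd. Function names are hypothetical.

$SepBases   = 'HKLM:\Software\Symantec\Symantec Endpoint Protection',
              'HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection'
$McAfeeBase = 'HKLM:\SOFTWARE\McAfee'
$MaxAgeDays = 7

function Get-RegValue {
    # First matching value under any base path, or $null if the key or value is absent.
    param([string[]]$Bases, [string]$SubPath, [string]$Name)
    foreach ($base in $Bases) {
        $item = Get-ItemProperty -Path (Join-Path $base $SubPath) -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

function Test-WithinDays {
    # $true when $When is present and no older than $Days.
    param($When, [int]$Days = $MaxAgeDays)
    if ($null -eq $When) { return $false }
    return ((Get-Date) - [datetime]$When).TotalDays -le $Days
}

function ConvertFrom-Epoch {
    param($Seconds)
    if ($null -eq $Seconds) { return $null }
    return [DateTimeOffset]::FromUnixTimeSeconds([int64]$Seconds).LocalDateTime
}

function Test-SymantecEndpointProtection {
    $name    = Get-RegValue $SepBases 'CurrentVersion' 'PRODUCTNAME'
    $running = Get-RegValue $SepBases 'CurrentVersion\public-opstate' 'ASRunningStatus'
    if ($name -ne 'Symantec Endpoint Protection' -or $running -ne 1) {
        return @('Install endpoint protection solutions on virtual machine')
    }
    $findings = @()
    $ver = Get-RegValue $SepBases 'CurrentVersion' 'PRODUCTVERSION'
    if (-not $ver -or ([version]$ver).Major -lt 12) { $findings += "Symantec version '$ver' is below 12" }
    if ((Get-RegValue $SepBases 'AV\Storages\Filesystem\RealTimeScan' 'OnOff') -ne 1) {
        $findings += 'Real-time protection is off'
    }
    $defs = Get-RegValue $SepBases 'CurrentVersion\public-opstate' 'LatestVirusDefsDate'
    if (-not (Test-WithinDays $defs)) { $findings += 'Virus definitions older than 7 days' }
    $scan = ConvertFrom-Epoch (Get-RegValue $SepBases 'CurrentVersion\public-opstate' 'LastSuccessfulScanDateTime')
    if (-not (Test-WithinDays $scan)) { $findings += 'No successful full scan in the last 7 days' }
    # Signature version key differs between SEP 12 (SharedDefs) and SEP 14 (SharedDefs\SDSDefs).
    $defsKey = if ($ver -and ([version]$ver).Major -ge 14) { 'CurrentVersion\SharedDefs\SDSDefs' } else { 'CurrentVersion\SharedDefs' }
    if (-not (Get-RegValue $SepBases $defsKey 'SRTSP')) { $findings += "Signature version (SRTSP) not found under $defsKey" }
    return $findings
}

function Test-McAfeeEndpointProtection {
    $ver = Get-RegValue $McAfeeBase 'Endpoint\AV' 'ProductVersion'
    $oas = Get-RegValue $McAfeeBase 'AVSolution\MCSHIELDGLOBAL\GLOBAL' 'enableoas'
    if (-not $ver -or $oas -ne 1) {
        return @('Install endpoint protection solutions on virtual machine')
    }
    $findings = @()
    if (([version]$ver).Major -lt 10) { $findings += "McAfee version '$ver' is below 10" }
    if (-not (Get-RegValue $McAfeeBase 'AVSolution\DS\DS' 'dwContentMajorVersion')) {
        $findings += 'Signature version (dwContentMajorVersion) not found'
    }
    $created = Get-RegValue $McAfeeBase 'AVSolution\DS\DS' 'szContentCreationDate'
    $createdDate = if ($created) { [datetime]::ParseExact([string]$created, 'yyyyMMdd', $null) } else { $null }
    if (-not (Test-WithinDays $createdDate)) { $findings += 'Signature content older than 7 days' }
    $scan = ConvertFrom-Epoch (Get-RegValue $McAfeeBase 'Endpoint\AV\ODS' 'LastFullScanOdsRunTime')
    if (-not (Test-WithinDays $scan)) { $findings += 'No full on-demand scan in the last 7 days' }
    return $findings
}

# Usage on the VM (elevated):
#   Test-SymantecEndpointProtection
#   Test-McAfeeEndpointProtection
```

An empty result means none of the health checks failed; the single "Install" string means the presence checks failed, which Security Center evaluates before the health checks. Because Get-RegValue returns $null for a missing key rather than throwing, a partially installed or uninstalled product shows up as findings instead of a script error.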

McAfee Endpoint Security for Linux Threat Prevention

Security Center recommends you "Install endpoint protection solutions on virtual machine" when any of the following checks aren't met:

  • File /opt/isec/ens/threatprevention/bin/isecav exists
  • "/opt/isec/ens/threatprevention/bin/isecav --version" output reports McAfee name = McAfee Endpoint Security for Linux Threat Prevention and McAfee version >= 10

Security Center recommends you "Resolve endpoint protection health issues on your machines" when any of the following checks aren't met:

  • "/opt/isec/ens/threatprevention/bin/isecav --listtask" returns Quick scan and Full scan, and both scans ran <= 7 days ago
  • "/opt/isec/ens/threatprevention/bin/isecav --listtask" returns the DAT and engine update times, and both are <= 7 days old
  • "/opt/isec/ens/threatprevention/bin/isecav --getoasconfig --summary" returns the On-Access Scan status

Sophos Anti-Virus for Linux

Security Center recommends you "Install endpoint protection solutions on virtual machine" when any of the following checks aren't met:

  • File /opt/sophos-av/bin/savdstatus exists, or search for a customized location with "readlink $(which savscan)"
  • "/opt/sophos-av/bin/savdstatus --version" returns Sophos name = Sophos Anti-Virus and Sophos version >= 9

Security Center recommends you "Resolve endpoint protection health issues on your machines" when any of the following checks aren't met:

  • "/opt/sophos-av/bin/savlog --maxage=7 | grep -i "Scheduled scan .* completed" | tail -1" returns a value
  • "/opt/sophos-av/bin/savlog --maxage=7 | grep "scan finished" | tail -1" returns a value
  • "/opt/sophos-av/bin/savdstatus --lastupdate" returns lastUpdate, which should be <= 7 days old
  • "/opt/sophos-av/bin/savdstatus -v" is equal to "On-access scanning is running"
  • "/opt/sophos-av/bin/savconfig get LiveProtection" returns enabled

Troubleshoot and support

Troubleshoot

Microsoft Antimalware extension logs are available at: %Systemdrive%\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.IaaSAntimalware (or PaaSAntimalware)\1.5.5.x (version number)\CommandExecution.log