Troubleshooting System Center Endpoint Protection (SCEP) Client

Microsoft System Center Endpoint Protection provides an antimalware and security solution for the Microsoft platform. This can be integrated with System Center Configuration Manager.

I have consolidated the information that is useful for SCEP client-side troubleshooting.

1. Managing Endpoint Protection client with Command Line Interface – MpCmdRun.exe

MpCmdRun.exe (the Microsoft Antimalware service command line utility) is a very useful tool for managing the local Endpoint Protection client from the command line. MpCmdRun.exe is located in the C:\Program Files\Microsoft Security Client folder. On Windows 10 machines, MpCmdRun.exe is available in the C:\Program Files\Windows Defender folder.
When executed, this command automatically creates a log file named MpCmdRun.log in the C:\Users\username\AppData\Local\Temp folder. This log file records the commands that are executed using MpCmdRun.exe.
A few of the most commonly used command lines are listed below. For a complete list of available switches, see the MpCmdRun help using the MpCmdRun.exe /? command line.

Scan:
Default Scan:   MpCmdRun.exe -Scan
Quick Scan:     MpCmdRun.exe -Scan -ScanType 1
Full System Scan:         MpCmdRun.exe -Scan -ScanType 2
File and Directory Custom Scan:   MpCmdRun.exe -Scan -ScanType 3 -File <path>

Managing Definitions:

Signature Update:        MpCmdRun.exe -SignatureUpdate

Remove Bad Definitions: Sometimes you may be in a situation where a new definition causes a server, workstation or application to act abnormally. An application issue after the latest update is quite common in a large and complex environment with thousands of applications. The following commands can help you in this kind of situation. You can remove all definitions or roll back to the previous version to validate whether your application or OS works fine after removing the SCEP definition.

Remove Definitions (roll back to the previous version; SCEP stores up to 3 previous versions of the definition files):

MpCmdRun.exe -RemoveDefinitions

Remove All Definitions:

MpCmdRun.exe -RemoveDefinitions -All


Collecting SCEP support logs:

A SCEP client missing the latest definitions is one of the most common issues. To troubleshoot it you have to look into several log files available in different locations. However, you can use the MpCmdRun command to gather all support logs in one location.

- Go to "C:\Program Files\Microsoft Security Client\Antimalware" or "C:\Program Files\Windows Defender", depending on the operating system

- Run the following command

MpCmdRun.exe -GetFiles

You can find all log files in the "C:\ProgramData\Microsoft\Antimalware\Support" or "C:\ProgramData\Windows Defender\Support" folder
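As an added example (not from the original post), the steps above wrapped in PowerShell: find MpCmdRun.exe in whichever of the folders named above exists, run one command while capturing the exit code and the tail of MpCmdRun.log, then use that to refresh definitions and collect the support bundle. The function names, the use of $env:ProgramFiles / $env:ProgramData, and the assumption that the newest .cab in the Support folder is the -GetFiles output are mine, not the post's.

```powershell
# Added example, not from the original post. Locates MpCmdRun.exe in the
# folders named above, runs a command, and returns exit code plus log tail.
function Get-MpCmdRunPath {
    $candidates = @(
        "$env:ProgramFiles\Microsoft Security Client\MpCmdRun.exe",              # SCEP client
        "$env:ProgramFiles\Microsoft Security Client\Antimalware\MpCmdRun.exe",  # SCEP client, Antimalware subfolder
        "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"                        # Windows 10 built-in Defender
    )
    foreach ($p in $candidates) { if (Test-Path $p) { return $p } }
    throw 'MpCmdRun.exe not found in any of the expected folders'
}

function Invoke-MpCmdRun {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $exe      = Get-MpCmdRunPath
    $output   = & $exe @Arguments 2>&1
    $exitCode = $LASTEXITCODE
    # MpCmdRun appends every invocation to %TEMP%\MpCmdRun.log, as noted above
    $log  = Join-Path $env:TEMP 'MpCmdRun.log'
    $tail = if (Test-Path $log) { Get-Content $log -Tail 20 } else { @() }
    [pscustomobject]@{ Exe = $exe; Arguments = ($Arguments -join ' ')
                       ExitCode = $exitCode; Output = $output; LogTail = $tail }
}

# 1. Pull the latest definitions, 2. gather all support logs in one place
$update = Invoke-MpCmdRun -Arguments '-SignatureUpdate'
if ($update.ExitCode -ne 0) { Write-Warning "SignatureUpdate exited with $($update.ExitCode)"; $update.Output }
$files = Invoke-MpCmdRun -Arguments '-GetFiles'
$files.LogTail

# -GetFiles drops a .cab into the Support folder; report the newest one found.
# The first three paths are the ones quoted in the post; the last is where
# current Windows 10 builds keep the Defender support folder.
$supportDirs = "$env:ProgramData\Microsoft\Antimalware\Support",
               "$env:ProgramData\Microsoft\Microsoft Antimalware\Support",
               "$env:ProgramData\Windows Defender\Support",
               "$env:ProgramData\Microsoft\Windows Defender\Support"
$cab = Get-ChildItem $supportDirs -Filter *.cab -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($cab) { "Support bundle: $($cab.FullName) ($([math]::Round($cab.Length / 1MB, 1)) MB)" }
else      { Write-Warning 'No support .cab found; check the MpCmdRun.log tail above' }
```

Run it from an elevated PowerShell session, since MpCmdRun needs administrative rights for -SignatureUpdate and -GetFiles.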


2. Endpoint Protection Log Files

EndpointProtectionAgent.log: This log records the details of the installation of the EP client.
C:\ProgramData\Microsoft\Microsoft Antimalware\Support: This folder contains a number of log files that provide more information about SCEP definition updates and SCEP functionality. The log files are:
- MpCacheStats.log
- MpDetection.log
- MpLog.log


3. Troubleshooting Windows Defender or Endpoint Protection client

The Microsoft article below should be useful for troubleshooting Windows Defender / Endpoint Protection clients.



4. SCEP Basic Troubleshooting

WMI Namespace and Classes for System Center Endpoint Protection


Before we move on to troubleshooting tips and tricks, let us look at the WMI namespace and classes for SCEP. The WMI namespace for SCEP is root\Microsoft\SecurityClient, and it contains the following classes. The Configuration Manager client agent monitors these classes for changes and sends a state message when a change is detected.


AntiMalwareHealthStatus

As the name suggests, this WMI class represents the Microsoft Antimalware service status. You can use the PowerShell command below to list all properties of this class.

Get-WmiObject -Namespace root\Microsoft\SecurityClient -class AntimalwareHealthStatus

Result:

__GENUS                            : 2
__CLASS                            : AntimalwareHealthStatus
__SUPERCLASS                       : ProtectionTechnologyStatus
__DYNASTY                          : SerializableToXml
__RELPATH                          : AntimalwareHealthStatus=@
__PROPERTY_COUNT                   : 31
__DERIVATION                       : {ProtectionTechnologyStatus, SerializableToXml}
__SERVER                           : DESKTOP01
__NAMESPACE                        : root\Microsoft\SecurityClient
__PATH                             : \\DESKTOP01\root\Microsoft\SecurityClient:AntimalwareHealthStatus=@
AntispywareEnabled                 : True
AntispywareSignatureAge            : 0
AntispywareSignatureUpdateDateTime : 2018-12-09T14:58:32.000Z
AntispywareSignatureVersion        : 1.283.218.0
AntivirusEnabled                   : True
AntivirusSignatureAge              : 0
AntivirusSignatureUpdateDateTime   : 2018-12-09T14:58:32.000Z
AntivirusSignatureVersion          : 1.283.218.0
BehaviorMonitorEnabled             : True
Enabled                            : True
EngineVersion                      : 1.1.15500.2
IoavProtectionEnabled              : True
LastFullScanAge                    : 4294967295
LastFullScanDateTimeEnd            :
LastFullScanDateTimeStart          :
LastFullScanSource                 : 0
LastQuickScanAge                   : 4294967295
LastQuickScanDateTimeEnd           :
LastQuickScanDateTimeStart         :
LastQuickScanSource                : 0
Name                               : Antimalware
NisEnabled                         : True
NisEngineVersion                   : 1.1.15500.2
NisSignatureVersion                : 1.283.218.0
OnAccessProtectionEnabled          : True
ProductStatus                      : 524288
RealTimeScanDirection              : 0
RtpEnabled                         : True
SchemaVersion                      : 1.0.0.1
Version                            : 4.18.1810.5
PSComputerName                     : DESKTOP01



AntiMalwareDetectionStatus

This class represents a single detection. You can use the PowerShell command below to list all properties of this class.

Get-WmiObject -Namespace root\Microsoft\SecurityClient -class AntiMalwareDetectionStatus

AntiMalwareInfectionStatus

This class represents the Microsoft Antimalware service infection status. You can use the PowerShell command below to list all properties of this class.

Get-WmiObject -Namespace root\Microsoft\SecurityClient -class AntiMalwareInfectionStatus


__GENUS                    : 2
__CLASS                    : AntimalwareInfectionStatus
__SUPERCLASS               : SerializableToXml
__DYNASTY                  : SerializableToXml
__RELPATH                  : AntimalwareInfectionStatus=@
__PROPERTY_COUNT           : 10
__DERIVATION               : {SerializableToXml}
__SERVER                   : DESKTOP01
__NAMESPACE                : root\Microsoft\SecurityClient
__PATH                     : \\DESKTOP01\root\Microsoft\SecurityClient:AntimalwareInfectionStatus=@
ComputerStatus             : 1
CriticallyFailedDetections : {}
PendingActionDetections    : {}
PendingFullScan            : False
PendingManualSteps         : False
PendingOfflineScan         : False
PendingReboot              : False
RecentlyCleanedDetections  : {}
SchemaVersion              : 1.0.0.0
PSComputerName             : DESKTOP01


Check SCEP Definitions version on client

Get-WmiObject -ComputerName Desktop01 -Namespace "root\Microsoft\SecurityClient" -Query "select * from AntiMalwareHealthStatus" | Select-Object PSComputerName,Version,AntivirusSignatureVersion,AntivirusSignatureUpdateDateTime,AntivirusEnabled | Format-List
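Added example, not from the original post: a function that reads AntimalwareHealthStatus and AntimalwareInfectionStatus from the namespace above for one or more machines and reduces them to a per-machine verdict with the reasons, which is the first check worth running when a client is reported as missing the latest definitions. The function name and the age thresholds are my assumptions, and the value 4294967295 is read as "no scan recorded" because the sample output above pairs it with empty scan dates.

```powershell
# Added example, not from the original post: summarise SCEP client health from
# the two WMI classes described above. Thresholds are illustrative assumptions.
function Test-ScepClientHealth {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxSignatureAgeDays = 3,   # assumed threshold, tune for your environment
        [int]$MaxQuickScanAgeDays = 7    # assumed threshold, tune for your environment
    )
    $ns = 'root\Microsoft\SecurityClient'
    # 4294967295 (0xFFFFFFFF) appears in the sample output next to empty scan
    # dates; it is treated here as "no scan has ever completed".
    $never = [uint32]::MaxValue
    foreach ($c in $ComputerName) {
        try {
            $h = Get-WmiObject -ComputerName $c -Namespace $ns -Class AntimalwareHealthStatus    -ErrorAction Stop
            $i = Get-WmiObject -ComputerName $c -Namespace $ns -Class AntimalwareInfectionStatus -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Computer = $c; Version = $null; Signature = $null
                               Healthy = $false; Issues = "WMI query failed: $($_.Exception.Message)" }
            continue
        }
        $issues = @()
        if (-not $h.Enabled)    { $issues += 'Antimalware service disabled' }
        if (-not $h.RtpEnabled) { $issues += 'Real-time protection off' }
        if ($h.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $issues += "Definitions $($h.AntivirusSignatureVersion) are $($h.AntivirusSignatureAge) days old"
        }
        if ($h.LastQuickScanAge -eq $never -and $h.LastFullScanAge -eq $never) {
            $issues += 'No quick or full scan has ever completed'
        } elseif ($h.LastQuickScanAge -gt $MaxQuickScanAgeDays) {
            $issues += "Last quick scan was $($h.LastQuickScanAge) days ago"
        }
        if ($i.PendingReboot)   { $issues += 'Reboot pending to finish remediation' }
        if ($i.PendingFullScan) { $issues += 'Full scan pending' }
        if (@($i.PendingActionDetections).Count -gt 0) {
            $issues += "$(@($i.PendingActionDetections).Count) detection(s) awaiting action"
        }
        [pscustomobject]@{
            Computer  = $c
            Version   = $h.Version
            Signature = $h.AntivirusSignatureVersion
            Healthy   = ($issues.Count -eq 0)
            Issues    = ($issues -join '; ')
        }
    }
}

Test-ScepClientHealth -ComputerName 'Desktop01' | Format-List
```

Against the sample machine above, the verdict would be unhealthy with the single reason "No quick or full scan has ever completed", since the definitions are current and real-time protection is on.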





Force State Message for SCEP on SCCM Client


You may have a scenario where everything looks good on the client side for SCEP and SCCM, yet the latest definition status is not being reported to SCCM. You can try the PowerShell script below to force the client to send a state message.

Warning: The script below removes the CCM_StateMsg WMI instances for TopicType 1901 and restarts the WMI service. This forces re-creation of the WMI class, which refreshes the state message. Try this script only on individual machines or in a test environment; never use it as a mass fix across multiple machines, as that may create other issues. Test it in your test environment before running it in production.

$Computer = "MyTestPC"
# Remove the SCEP state message instances (TopicType 1901) so the client regenerates them
Get-WmiObject -ComputerName $Computer -Namespace root\ccm\StateMsg -Class CCM_StateMsg -Filter "TopicType='1901'" | Remove-WmiObject
# Restart WMI so the CCM_StateMsg class is re-created and a fresh state message is sent
Get-Service -ComputerName $Computer -Name winmgmt | Restart-Service -Force






Comments

  1. Very informative blog... Endpoint protection is important to many businesses that use different kinds of devices to access a business network.
