For more information on this solution, please check the link below:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-malware
I noticed in my environment that I have several clients with insufficient protection.
After clicking the assessment for more details, I noticed that these 13 clients have a status of Not Reporting. Checking them one by one, I found that most of them are 2008 and 2008 R2 servers. They have the antimalware client updated and real-time protection configured. I suspected the AV client, as some of them are not the Microsoft client but rather Symantec and/or Trend Micro; however, these clients are approved and included in the list queried by OMS:
https://blogs.technet.microsoft.com/msoms/2017/01/19/oms-security-malware-assessment-adds-support-for-more-antimalware-vendors/
So, to make a long story short: one of the major requirements for the OMS Antimalware Assessment is that these clients have Windows Management Framework 3 or higher installed, which includes PowerShell v3. This is not installed by default on Server 2008 R2.
So the fix was simply installing the WMF 3 update on the 2008 servers from the link below (6.1 for 2008 R2 and 6 for 2008):
https://www.microsoft.com/en-us/download/details.aspx?id=34595
After updating these clients and installing WMF 3, I expected the issue to be resolved and the clients to start reporting to the OMS assessment; however, their status turned to Unknown!
A very common cause of this Unknown status, after checking with the Microsoft team, is that the WMI provider is not registered.
So the resolution is as follows:
- Open an administrator PowerShell on these Unknown computers.
- Ensure the execution policy allows running scripts. You can check it by running Get-ExecutionPolicy.
- Import the needed PowerShell module by running Import-Module "$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1"
- Run the command Get-MProtComputerStatus
- Most probably you will get an "Invalid namespace" error.
- If so, run the command below to register the WMI provider:
Register-CimProvider.exe -ProviderName ProtectionManagement -Namespace root\microsoft\ProtectionManagement -Path "C:\Program Files\Microsoft Security Client\ProtectionMgmt.dll" -Impersonation True -HostingModel LocalServiceHost -SupportWQL -ForceUpdate
- This registers the ProtectionManagement provider and fixes the agent's Unknown problem.
- If you changed the execution policy to allow running scripts, you may need to turn it back to the default Restricted mode, or at least RemoteSigned.
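The steps above can be wrapped into a single script so you can run the same check on every Unknown server and only register the provider when the "Invalid namespace" error actually appears. This is an added example, not part of the original post; it assumes the default Microsoft Security Client install path used in the post and that Get-MProtComputerStatus surfaces the namespace problem in its error message.

```powershell
# Added example: check the ProtectionManagement WMI provider and register it only if missing.
# Assumption: Microsoft Security Client is installed under $env:ProgramFiles (default path from the post).
$modulePath  = "$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1"
$providerDll = "$env:ProgramFiles\Microsoft Security Client\ProtectionMgmt.dll"

# Register-CimProvider.exe needs an elevated session.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "Run this from an elevated (administrator) PowerShell session." }

# WMF 3 / PowerShell v3 is a prerequisite for the assessment; stop early if it is missing.
if ($PSVersionTable.PSVersion.Major -lt 3) {
    throw "PowerShell $($PSVersionTable.PSVersion) found; install WMF 3 or later first."
}

# Allow scripts for this process only, so the machine-wide policy never changes
# and there is nothing to restore afterwards.
if ((Get-ExecutionPolicy) -eq 'Restricted') {
    Set-ExecutionPolicy RemoteSigned -Scope Process -Force
}

Import-Module $modulePath -ErrorAction Stop

try {
    # Probe the provider. Success means the namespace is already registered.
    $status = Get-MProtComputerStatus -ErrorAction Stop
    Write-Output "ProtectionManagement provider is registered; no action needed."
    $status
}
catch {
    # Anything other than the namespace error is a different problem; surface it unchanged.
    if ($_.Exception.Message -notmatch 'Invalid namespace') { throw }

    Write-Warning "ProtectionManagement namespace missing; registering the WMI provider."
    & Register-CimProvider.exe -ProviderName ProtectionManagement `
        -Namespace root\microsoft\ProtectionManagement -Path $providerDll `
        -Impersonation True -HostingModel LocalServiceHost -SupportWQL -ForceUpdate
    if ($LASTEXITCODE -ne 0) {
        throw "Register-CimProvider.exe failed with exit code $LASTEXITCODE"
    }

    # Re-run the probe so the script fails loudly if registration did not take.
    $status = Get-MProtComputerStatus -ErrorAction Stop
    Write-Output "Provider registered successfully; Get-MProtComputerStatus now returns:"
    $status
}
```

Because the execution policy is changed with -Scope Process, it reverts automatically when the PowerShell window closes, which covers the last step of the list without touching the machine-wide setting.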
Hopefully this post is useful for anyone encountering the same issue.