Windows Defender AV - Server 2016 shows no AntiVirus

Posted: Thursday, November 7, 2019 2:57:42 PM(UTC)
Mikey!


Member Original PosterPosts: 27
I have looked this up and have not seen any good answers on it. LANSweeper sees Defender AV on Windows 10 machines, but not Server 2016.

If I missed something, please point me in the right direction. I am confused why this has not been addressed. Or at least an option in the software to "allow defender as AV", that would trigger a correct scan would be cool.

Thanks!

Mike
Mikey!
#1Mikey! Member Original PosterPosts: 27  
posted: 11/11/2019 4:32:50 PM(UTC)
Why does this subject get crickets?
Mikey!
#2Mikey! Member Original PosterPosts: 27  
posted: 11/13/2019 2:48:54 PM(UTC)
Anyone??? Brick wall
Mikey! attached the following image(s):
DEFAV1.jpg
DEFAV2.jpg
Ryan.G
#3Ryan.G Member Administration Posts: 24  
posted: 11/14/2019 9:15:25 AM(UTC)
Anti-virus information is retrieved from either the WMI or comparing the installed software with known anti-virus software.

In Windows servers, the anti-virus WMI class does not exist, so this option is not available. For some builds, Windows Defender is a feature and not actual software, meaning it's not necessarily picked up by Lansweeper. In this case, the assets will indeed show up in the 'no anti-virus' list.
Mikey!
#4Mikey! Member Original PosterPosts: 27  
posted: 11/14/2019 2:33:14 PM(UTC)
Is this something that can be added to LanSweeper? Maybe a Boolean switch for people that use Defender on Servers?

Thank you for the reply!

Mike
RKCar
#5RKCar Member Posts: 82  
posted: 11/14/2019 5:39:50 PM(UTC)
Originally Posted by: Ryan.G
Anti-virus information is retrieved from either the WMI or comparing the installed software with known anti-virus software.

In Windows servers, the anti-virus WMI class does not exist, so this option is not available. For some builds, Windows Defender is a feature and not actual software, meaning it's not necessarily picked up by Lansweeper. In this case, the assets will indeed show up in the 'no anti-virus' list.


Taught me something here about the class not existing on servers.
Mikey!
#6Mikey! Member Original PosterPosts: 27  
posted: 11/14/2019 5:44:26 PM(UTC)
Originally Posted by: RKCar
Originally Posted by: Ryan.G
Anti-virus information is retrieved from either the WMI or comparing the installed software with known anti-virus software.

In Windows servers, the anti-virus WMI class does not exist, so this option is not available. For some builds, Windows Defender is a feature and not actual software, meaning it's not necessarily picked up by Lansweeper. In this case, the assets will indeed show up in the 'no anti-virus' list.


Taught me something here about the class not existing on servers.


Right. I hear ya. I guess we have to get "The Man" to fix that then.... Thanks! :)

cscherrey
#7cscherrey Member Posts: 22  
posted: 1/15/2020 6:23:43 PM(UTC)
I know lansweeper supports powershell, right? That is how they are connecting to Office 365. So for Server 2016 and up, they need to use powershell and query Get-MpComputerStatus. Then they can easily update the AV info when Defender is used.
Rob B
#8Rob B Member Posts: 13  
posted: 1/24/2020 4:55:19 PM(UTC)
It appears the report has out-lived its usefulness. I've removed it from the main page default dynamic reports.
sunshine
#9sunshine Member Posts: 3  
posted: 2/18/2020 2:34:22 PM(UTC)
Have you come across a custom report, to report on the feature being enabled? I'm surprised that Lansweeper is taking so long to provide a solution, for us, the customers.
Nathaniel
#10Nathaniel Member Posts: 3  
posted: 2/24/2020 6:03:21 PM(UTC)
Originally Posted by: sunshine
Have you come across a custom report, to report on the feature being enabled? I'm surprised that Lansweeper is taking so long to provide a solution, for us, the customers.


I created a custom report that combines the information from WMI and Server features.

Maybe it will help you.

Code:
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetUnique,
  tblAssets.Domain,
  tblAssets.Description,
  tblAssets.Lastseen,
  tsysOS.Image As icon
From tblAssets
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tblAssets.OScode = tsysOS.OScode
Where tblAssets.AssetID Not In (Select tblSoftware.AssetID
      From tblSoftware Inner Join tblSoftwareUni On tblSoftwareUni.SoftID =
          tblSoftware.softID Inner Join tsysantivirus On
          tblSoftwareUni.softwareName Like tsysantivirus.Software) And
  tblAssets.AssetID Not In (Select tblAntivirus.AssetID
      From tblAntivirus) And tblAssets.AssetUnique Not In (Select
        tblAssets.AssetUnique From ((Select a.assetid As assetid,
              a.software As software,
              a.version As version,
              'software comparison' As RetrievedFrom,
              '' As Enabled,
              '' As Uptodate
            From (Select tblSoftware.AssetID As assetid,
                    tblSoftwareUni.softwareName As software,
                    tblSoftware.softwareVersion As version
                  From tblSoftware
                    Inner Join tblSoftwareUni On tblSoftware.softID =
                      tblSoftwareUni.SoftID
                    Inner Join tsysantivirus On tblSoftwareUni.softwareName Like
                      tsysantivirus.Software) a)
            Union
            (Select tblAntivirus.AssetID As assetid,
              tblAntivirus.DisplayName As software,
              Null As version,
              'WMI' As RetrievedFrom,
              Case
                When tblAntivirus.onAccessScanningEnabled = 1 Then 'Yes'
                Else 'No'
              End As Enabled,
              Case
                When tblAntivirus.productUpToDate = 1 Then 'Yes'
                Else 'No'
              End As Uptodate
            From tblAntivirus)
            Union
            (Select tblFeature.AssetId As AssetID,
              tblFeatureUni.featureName As Software,
              Null As version,
              'Features' As RetrievedFrom,
              '' As Enabled,
              '' As Uptodate
            From tblFeature
              Inner Join tblFeatureUni On tblFeature.featUniId =
                tblFeatureUni.featUniID And tblFeatureUni.featureCaption =
                'Windows Defender')) As unioned Inner Join tblAssetCustom On
          unioned.assetid = tblAssetCustom.AssetID Inner Join tblAssets On
          tblAssets.AssetID = unioned.assetid Inner Join tsysOS On
          tblAssets.OScode = tsysOS.OScode Left Join tsysIPLocations On
          tblAssets.LocationID = tsysIPLocations.LocationID
      Where tblAssetCustom.State = 1) And tblComputersystem.Domainrole >= 2 And
  tblAssetCustom.State = 1
Mikey!
#11Mikey! Member Original PosterPosts: 27  
posted: 2/24/2020 6:23:02 PM(UTC)
That script is only pulling 2019 Servers.... And there isn't much data....
Nathaniel
#12Nathaniel Member Posts: 3  
posted: 2/25/2020 1:09:35 PM(UTC)
Originally Posted by: Mikey!
That script is only pulling 2019 Servers.... And there isn't much data....


Sorry, that's not correct. The script pulls all servers and gets all information from both the standard antivirus information and from features (presented in WS2016 and higher). If it finds AV information in any of these, it will show it.

It can be modified to contain other information, this is currently how we are using it in our company. So to your needs you may need to adjust it.

We used this logic to update the default report "Server: All servers without anti-virus software", so now we have the exact number in the dashboard if there is any server that does not have AV installed or AV feature enabled.
Mikey!
#13Mikey! Member Original PosterPosts: 27  
posted: 2/25/2020 2:44:59 PM(UTC)
Originally Posted by: Nathaniel
Sorry, that's not correct. The script pulls all servers and gets all information from both the standard antivirus information and from features (presented in WS2016 and higher). If it finds AV information in any of these, it will show it.

It can be modified to contain other information, this is currently how we are using it in our company. So to your needs you may need to adjust it.

We used this logic to update the default report "Server: All servers without anti-virus software", so now we have the exact number in the dashboard if there is any server that does not have AV installed or AV feature enabled.


It pulled my only 2 2019 Datacenter Servers for some reason. See picture.

Is it supposed to be pulling everything or just what it thinks doesn't have up to date AV? Maybe I need to modify it. I'd love to replace that standard report with this one.

Thanks!

Mike
Mikey! attached the following image(s):
AVReport.jpg
Nathaniel
#14Nathaniel Member Posts: 3  
posted: 2/25/2020 2:59:34 PM(UTC)
Originally Posted by: Mikey!
Originally Posted by: Nathaniel
Sorry, that's not correct. The script pulls all servers and gets all information from both the standard antivirus information and from features (presented in WS2016 and higher). If it finds AV information in any of these, it will show it.

It can be modified to contain other information, this is currently how we are using it in our company. So to your needs you may need to adjust it.

We used this logic to update the default report "Server: All servers without anti-virus software", so now we have the exact number in the dashboard if there is any server that does not have AV installed or AV feature enabled.


It pulled my only 2 2019 Datacenter Servers for some reason. See picture.

Is it supposed to be pulling everything or just what it thinks doesn't have up to date AV? Maybe I need to modify it. I'd love to replace that standard report with this one.

Thanks!

Mike


I'm sorry, my bad. This script I posted was the other one that shows only servers without AV. So that's the one we use for checking what servers don't have AV installed. We replaced with this script the original built-in one.

To have a list of servers where AV is installed, you can use this one:

Code:
Select Top 1000000 unioned.assetid,
  tblAssets.AssetName,
  tsysOS.Image As icon,
  unioned.software,
  unioned.version,
  unioned.Enabled,
  unioned.Uptodate,
  unioned.RetrievedFrom,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  tblAssets.Description,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tblAssetCustom.Location,
  tsysIPLocations.IPLocation,
  tsysOS.OSname As OS,
  tblAssets.SP As SP,
  tblAssets.Firstseen,
  tblAssets.Lastseen
From ((Select a.assetid As assetid,
        a.software As software,
        a.version As version,
        'software comparison' As RetrievedFrom,
        '' As Enabled,
        '' As Uptodate
      From (Select tblSoftware.AssetID As assetid,
              tblSoftwareUni.softwareName As software,
              tblSoftware.softwareVersion As version
            From tblSoftware
              Inner Join tblSoftwareUni On tblSoftware.softID =
                tblSoftwareUni.SoftID
              Inner Join tsysantivirus On tblSoftwareUni.softwareName Like
                tsysantivirus.Software) a)
      Union
      (Select tblAntivirus.AssetID As assetid,
        tblAntivirus.DisplayName As software,
        Null As version,
        'WMI' As RetrievedFrom,
        Case
          When tblAntivirus.onAccessScanningEnabled = 1 Then 'Yes'
          Else 'No'
        End As Enabled,
        Case
          When tblAntivirus.productUpToDate = 1 Then 'Yes'
          Else 'No'
        End As Uptodate
      From tblAntivirus)) unioned
  Inner Join tblAssetCustom On unioned.assetid = tblAssetCustom.AssetID
  Inner Join tblAssets On tblAssets.AssetID = unioned.assetid
  Inner Join tsysOS On tblAssets.OScode = tsysOS.OScode
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Left Join tsysIPLocations On tblAssets.LocationID = tsysIPLocations.LocationID
Where tblComputersystem.Domainrole >= 2 And tblAssetCustom.State = 1
Order By tblAssets.AssetName
Mikey!
#15Mikey! Member Original PosterPosts: 27  
posted: 2/25/2020 3:09:19 PM(UTC)
Originally Posted by: Nathaniel
I'm sorry, my bad. This script I posted was the other one that shows only servers without AV. So that's the one we use for checking what servers don't have AV installed. We replaced with this script the original built-in one.


That's cool... That is a good report... but I was interested in the one that showed no AV installed to replace that default report. Now, I am wondering why it is showing my 2 2019 Servers. They both have Defender AV running and turned on.

Thanks!

Mike
DontByteMe
#16DontByteMe Member Posts: 24  
posted: 2/27/2020 10:55:49 PM(UTC)
Hello,

Maybe it's a firewall rule on the server itself? I had the issue of the firewall blocking reports from my main server and had to adjust that to later get pings, reports and to push deployments.

This is just what I had faced. Not sure if you are having that same issue but it's something to look at as well.
Mikey!
#17Mikey! Member Original PosterPosts: 27  
posted: 3/6/2020 4:01:41 PM(UTC)
Any reason it is not picking up that 2019 Servers have Defender running? This script sees all my 2016 servers running Defender, but not 2019. Even if I build a new 2019 machine, it shows up in this list as it has "no antivirus".

Thanks!

Mike

Originally Posted by: Nathaniel


I'm sorry, my bad. This script I posted was the other one that shows only servers without AV. So that's the one we use for checking what servers don't have AV installed. We replaced with this script the original built-in one.

To have a list of servers where AV is installed, you can use this one:

Code:
Select Top 1000000 unioned.assetid,
  tblAssets.AssetName,
  tsysOS.Image As icon,
  unioned.software,
  unioned.version,
  unioned.Enabled,
  unioned.Uptodate,
  unioned.RetrievedFrom,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  tblAssets.Description,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tblAssetCustom.Location,
  tsysIPLocations.IPLocation,
  tsysOS.OSname As OS,
  tblAssets.SP As SP,
  tblAssets.Firstseen,
  tblAssets.Lastseen
From ((Select a.assetid As assetid,
        a.software As software,
        a.version As version,
        'software comparison' As RetrievedFrom,
        '' As Enabled,
        '' As Uptodate
      From (Select tblSoftware.AssetID As assetid,
              tblSoftwareUni.softwareName As software,
              tblSoftware.softwareVersion As version
            From tblSoftware
              Inner Join tblSoftwareUni On tblSoftware.softID =
                tblSoftwareUni.SoftID
              Inner Join tsysantivirus On tblSoftwareUni.softwareName Like
                tsysantivirus.Software) a)
      Union
      (Select tblAntivirus.AssetID As assetid,
        tblAntivirus.DisplayName As software,
        Null As version,
        'WMI' As RetrievedFrom,
        Case
          When tblAntivirus.onAccessScanningEnabled = 1 Then 'Yes'
          Else 'No'
        End As Enabled,
        Case
          When tblAntivirus.productUpToDate = 1 Then 'Yes'
          Else 'No'
        End As Uptodate
      From tblAntivirus)) unioned
  Inner Join tblAssetCustom On unioned.assetid = tblAssetCustom.AssetID
  Inner Join tblAssets On tblAssets.AssetID = unioned.assetid
  Inner Join tsysOS On tblAssets.OScode = tsysOS.OScode
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Left Join tsysIPLocations On tblAssets.LocationID = tsysIPLocations.LocationID
Where tblComputersystem.Domainrole >= 2 And tblAssetCustom.State = 1
Order By tblAssets.AssetName
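
A diagnostic report for the open question above, added here as an example and not posted by anyone in the thread: it lists every Defender-related feature that Lansweeper scanned on servers, grouped by OS, and flags whether the exact-match filter featureCaption = 'Windows Defender' from the "no AV" report would accept it. It uses only tables and columns that already appear in the reports in this thread; the MatchedByExactFilter and Servers column names are made up for this example.

```sql
-- Added example (not from the thread). Run as a Lansweeper custom report.
-- Shows which Defender feature names/captions were scanned per server OS and
-- whether the "no AV" report's exact caption match would count them.
Select Top 1000000 tsysOS.OSname As OS,
  tblFeatureUni.featureName,
  tblFeatureUni.featureCaption,
  -- Hypothetical column name: mirrors the filter used in the "no AV" report
  Case
    When tblFeatureUni.featureCaption = 'Windows Defender' Then 'Yes'
    Else 'No'
  End As MatchedByExactFilter,
  -- Hypothetical column name: number of active servers reporting this feature
  Count(Distinct tblAssets.AssetID) As Servers
From tblFeature
  Inner Join tblFeatureUni On tblFeature.featUniId = tblFeatureUni.featUniID
  Inner Join tblAssets On tblAssets.AssetID = tblFeature.AssetId
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Inner Join tsysOS On tblAssets.OScode = tsysOS.OScode
Where tblComputersystem.Domainrole >= 2   -- servers only, as in the reports above
  And tblAssetCustom.State = 1            -- active assets only
  And (tblFeatureUni.featureCaption Like '%Defender%'
    Or tblFeatureUni.featureName Like '%Defender%')
Group By tsysOS.OSname,
  tblFeatureUni.featureName,
  tblFeatureUni.featureCaption
Order By tsysOS.OSname,
  tblFeatureUni.featureCaption
```

Rows where MatchedByExactFilter is 'No' are Defender features that the "no AV" report does not count, so servers that only report those captions will still be listed as having no anti-virus. An installed feature also says nothing about real-time protection or signature age: the Features rows in that report carry empty Enabled and Uptodate values.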
