P4A Windows Defender Maintenance Failing

Windows Defender For ConnectWise Automate plug support forum. Post issues and questions here.

Post by bfalco »

I am seeing this on all agents, ones that only have Defender as AV and others that do have another AV app.
Here is the log:

    The Script(6345) failed in the Then section at step 12. The reason: SQL Execute failed processing query

    Script: S6345 - Starting at Server Time: Thursday, May 4, 2023 8:12:50 AM
    IF F1 T: 0.2449958
    L4 F235 T: 0.4359934
    L5 F20 SetType(P1):1 Parameter(P2):'REPLACE INTO `plugin_p4a_windo...' VariableName(P3):MPSTATUSSQL T: 10.4172899
    L6 F67 Sql (P1): 'REPLACE INTO `plugin_p4a_windowsdefender_status` (`ComputerID`,`ComputerName`,`ClientID`,`...' T: 10.5342944
    L7 F235 T: 10.7372919
    L8 F20 SetType(P1):1 Parameter(P2):'REPLACE INTO `plugin_p4a_windo...' VariableName(P3):MPPREFSQL T: 20.5936218
    L9 F67 Sql (P1): 'REPLACE INTO `plugin_p4a_windowsdefender_prefs`(`ComputerID`,`ComputerName`,`ClientID`,`Al...' T: 20.665613
    L10 F235 T: 20.7306845
    L11 F20 SetType(P1):1 Parameter(P2):'REPLACE INTO `plugin_p4a_windo...' VariableName(P3):MPTHREATSQL T: 22.8234359
    L12 F67 Sql (P1): 'REPLACE INTO `plugin_p4a_windowsdefender_detection` (`ComputerID`,
    `ClientID`,
    `ActionSucc...' T: 22.8254373

Post by bfalco »

Is this expected? Can I please get a response?

Post by Cubert »

We would need to see the actual returns from Defender requests on the agent. So for the same time stamp, look in the commands window for command logs. Find the entry with the same time stamp that is "executing command", grab the output and place it here.

Typically it becomes self-evident why it failed to produce any of the status logs, exclusion lists or AV def statuses.

We see this happen when Defender is disabled. Windows Defender can be disabled by any AV product, so if an AV product other than Defender is present, Defender will not be able to return a status or any data, as it is disabled and will not respond to commands.

We PowerShell the Defender requests; below are the requests made. If you execute one of these requests, see what Windows produces as a return.

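    # Defender engine, signature and protection status
    Get-MpComputerStatus | ConvertTo-Json
    # Configured Defender preferences (scan settings, exclusions)
    Get-MpPreference | ConvertTo-Json
    # Recorded threat detections; produces no output when there are none
    Get-MpThreatDetection | ConvertTo-Json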

Post by bfalco »

These were the command results found at the same time the script failed. This system has Defender running and Automate has it listed as the active AV product. Webroot was recently removed.

First
('7426','MFD-IMC2','3','1.1.20300.3','4.18.2304.8','Normal','True','4.18.2304.8','True','0','2023-05-12 22:31:18','1.389.1146.0','True','0','2023-05-12 22:31:18','1.389.1146.0','True','B56A5371-0AC9-4032-B50A-ADA1211E6DAE','Unknown','2023-02-15 15:05:43','Disabled','4294967295','','','True','True','False','0','1','True','1.1.20300.3','0','2023-05-12 22:31:18','1.389.1146.0','True','0','2023-05-12 17:02:42','2023-05-12 17:01:46','True','0','Signatures','rsw','Enabled','Disabled')

Second
('7426','MFD-IMC2','3','False','False','False','','','','False','0','0','B56A5371-0AC9-4032-B50A-ADA1211E6DAE','','','0','False','False','False','False','True','False','True','False','False','False','True','False','False','False','False','','False','False','False','True','False','False','True','True','True','False','False','False','0','True','False','False','False','0','0','','','','','False','0','0','2','False','0','0','','','','0','0','True','0','0','02:00:00','10080','10080','1440','50','True','1','15','8','02:00:00','01:45:00','4','0','','0','','60','','False','MicrosoftUpdateServer|MMPC','120','8','01:45:00','1','6','1','','','True','0','False','0')


Third
OK

Post by bfalco »

It says it fails at line 12: SQL Execute @MPTHREATSQL@

Any help is appreciated.

Post by Cubert »

Looks like it is not liking that nothing was returned. I am out of town until Tuesday, but I will have a look at the script and see why it has not skipped 3 if 3 returns nothing. It should be. I'll have an answer for you Tuesday afternoon.

Post by bfalco »

Any update?

Post by Cubert »

Ok I had a chance to review the script and fail points.

Here is the skinny:

Each SQL Execute is dependent on the success of the SQL query that goes before it, by design.

There are 3 main steps to getting the data about Defender AV:

Step 1: Get Defender status. If successful, save to SQL and move to step 2.
Step 2: Get Defender preferences. If successful, save to SQL and go to step 3.
Step 3: Get any threat data and save to database.

You are failing to get threats because you have none to get. So the SQL Execute returns nothing and fails out. To resolve the error outs we should set the Exit On Failure to Continue on Failure.

All failures are ok and can be ignored. We either get the data or not; if not, then Windows is not reporting anything.


Screenshot 2023-05-24 135535.png
Post by Cubert »

Ok, to immediately resolve your issue, set the following lines in the script to Continue on Failure.

Lines 4, 6 and 7
Lines 9, 10, 12 and 13

Screenshot 2023-05-24 141829.png

I made the updates on my side and will post them with the next release of plugin.
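
The three-step collection described in the two posts above, as an added PowerShell example that is not the plugin's script: it keeps "Defender did not answer" separate from "Defender answered and has no threats", so an empty `Get-MpThreatDetection` result is recorded as a normal outcome. The function name `Get-DefenderSnapshot`, the output fields and the selected properties are choices made for this example.

```powershell
# Added example: hypothetical helper, not part of the P4A plugin script.
function Get-DefenderSnapshot {
    [CmdletBinding()]
    param()

    $snap = [ordered]@{
        DefenderResponding = $false
        Status             = $null
        Preferences        = $null
        Threats            = @()
        Notes              = @()
    }

    # Step 1: status. An error here means Defender did not answer
    # (for example, it was disabled by another AV product).
    try {
        $snap.Status = Get-MpComputerStatus -ErrorAction Stop |
            Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled,
                          AntivirusSignatureVersion, AntivirusSignatureLastUpdated
        $snap.DefenderResponding = $true
    } catch {
        $snap.Notes += "Status query failed: $($_.Exception.Message)"
        return [pscustomobject]$snap
    }

    # Step 2: preferences (only the exclusion lists are kept in this example).
    try {
        $snap.Preferences = Get-MpPreference -ErrorAction Stop |
            Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess
    } catch {
        $snap.Notes += "Preference query failed: $($_.Exception.Message)"
    }

    # Step 3: threat detections. No output is the normal result on a clean
    # machine, so it is noted as "nothing to store" rather than as a failure.
    try {
        $snap.Threats = @(Get-MpThreatDetection -ErrorAction Stop |
            Select-Object ThreatID, ActionSuccess, InitialDetectionTime, Resources)
    } catch {
        $snap.Notes += "Threat query failed: $($_.Exception.Message)"
    }
    if ($snap.Threats.Count -eq 0) {
        $snap.Notes += 'No threat detections returned; skip the detection insert.'
    }

    [pscustomobject]$snap
}

Get-DefenderSnapshot | ConvertTo-Json -Depth 3
```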

Post by bfalco »

Thank you, that resolved the issue.

Is there a reason this script only creates an alert for a possible virus detection and not a ticket?
