I am seeing this on all agents, ones that only have defender as AV and others that do have another AV app.
Here is the log
The Script(6345) failed in the Then section at step 12. The reason: SQL Execute failed processing query
Script: S6345 - Starting at Server Time: Thursday, May 4, 2023 8:12:50 AM
IF F1 T: 0.2449958
L4 F235 T: 0.4359934
L5 F20 SetType(P1):1 Parameter(P2):'REPLACE INTO `plugin_p4a_windo...' VariableName(P3):MPSTATUSSQL T: 10.4172899
L6 F67 Sql (P1): 'REPLACE INTO `plugin_p4a_windowsdefender_status` (`ComputerID`,`ComputerName`,`ClientID`,`...' T: 10.5342944
L7 F235 T: 10.7372919
L8 F20 SetType(P1):1 Parameter(P2):'REPLACE INTO `plugin_p4a_windo...' VariableName(P3):MPPREFSQL T: 20.5936218
L9 F67 Sql (P1): 'REPLACE INTO `plugin_p4a_windowsdefender_prefs`(`ComputerID`,`ComputerName`,`ClientID`,`Al...' T: 20.665613
L10 F235 T: 20.7306845
L11 F20 SetType(P1):1 Parameter(P2):'REPLACE INTO `plugin_p4a_windo...' VariableName(P3):MPTHREATSQL T: 22.8234359
L12 F67 Sql (P1): 'REPLACE INTO `plugin_p4a_windowsdefender_detection` (`ComputerID`,
`ClientID`,
`ActionSucc...' T: 22.8254373
P4A Windows Defender Maintenance Failing
Re: P4A Windows Defender Maintenance Failing
Is this expected? Can I please get a response?
Re: P4A Windows Defender Maintenance Failing
We would need to see the actual returns from the Defender requests on the agent. So for the same time stamp, look in the commands window for command logs. Find the entry with the same time stamp that is "executing command", grab the output and place it here.
Typically it becomes self-evident why it failed to produce any of the status logs, exclusion lists or AV def statuses.
We see this happen when Defender is disabled. Windows Defender can be disabled by any AV product, so if an AV product other than Defender is present, Defender will not be able to return a status or any data, as it is disabled and will not respond to commands.
We PowerShell the Defender requests. Below are the requests made; if you execute one of these requests, see what Windows produces as a return.
Get-MpComputerStatus | ConvertTo-json
Get-MpPreference | ConvertTo-json
Get-MpThreatDetection | ConvertTo-json
Re: P4A Windows Defender Maintenance Failing
These were the command results found at the same time the script failed. This system has Defender running and Automate has it listed as the active AV product. Webroot was recently removed.
First
('7426','MFD-IMC2','3','1.1.20300.3','4.18.2304.8','Normal','True','4.18.2304.8','True','0','2023-05-12 22:31:18','1.389.1146.0','True','0','2023-05-12 22:31:18','1.389.1146.0','True','B56A5371-0AC9-4032-B50A-ADA1211E6DAE','Unknown','2023-02-15 15:05:43','Disabled','4294967295','','','True','True','False','0','1','True','1.1.20300.3','0','2023-05-12 22:31:18','1.389.1146.0','True','0','2023-05-12 17:02:42','2023-05-12 17:01:46','True','0','Signatures','rsw','Enabled','Disabled')
Second
('7426','MFD-IMC2','3','False','False','False','','','','False','0','0','B56A5371-0AC9-4032-B50A-ADA1211E6DAE','','','0','False','False','False','False','True','False','True','False','False','False','True','False','False','False','False','','False','False','False','True','False','False','True','True','True','False','False','False','0','True','False','False','False','0','0','','','','','False','0','0','2','False','0','0','','','','0','0','True','0','0','02:00:00','10080','10080','1440','50','True','1','15','8','02:00:00','01:45:00','4','0','','0','','60','','False','MicrosoftUpdateServer|MMPC','120','8','01:45:00','1','6','1','','','True','0','False','0')
Third
OK
Re: P4A Windows Defender Maintenance Failing
Says fails line 12 SQL Execute @MPTHREATSQL@
Any help is appreciated
Re: P4A Windows Defender Maintenance Failing
Looks like it is not liking that nothing was returned. I am out of town until Tuesday, but I will have a look at the script and see why it has not skipped 3 if 3 returns nothing. It should be. I'll have an answer for you Tuesday afternoon.
Re: P4A Windows Defender Maintenance Failing
Any update?
Re: P4A Windows Defender Maintenance Failing
Ok I had a chance to review the script and fail points.
Here is the skinny:
Each SQL Execute is dependent on the success of the SQL query that goes before it, by design.
There are 3 main steps to getting the data about Defender AV:
Step 1: Get Defender status. If successful, save to SQL and move to step 2.
Step 2: Get Defender preferences. If successful, save to SQL and go to step 3.
Step 3: Get any threat data and save to database.
You are failing to get threats because you have none to get. So SQL Execute returns nothing and fails out. To resolve the error outs we should set the Exit On Failure to Continue on Failure.
All failures are ok and can be ignored. We either get the data or not; if not, then Windows is not reporting anything.
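The distinction drawn in this reply, between a Defender request that returns nothing and one that fails, can be checked on the agent with the three requests quoted earlier in the thread. This is an added example, not the plugin's script and not part of any post; the variable names and the Data/Empty/Error labels are assumptions.

```powershell
# Added example, not the plugin's script. Run on the agent in PowerShell.
# Classifies each Defender request as Data, Empty or Error so that
# "nothing to report" is not mistaken for a failed request.
$ErrorActionPreference = 'Stop'   # turn cmdlet errors into catchable exceptions

$queries = [ordered]@{
    Status      = { Get-MpComputerStatus }
    Preferences = { Get-MpPreference }
    Threats     = { Get-MpThreatDetection }
}

$report = foreach ($name in $queries.Keys) {
    try {
        # @() yields an array with Count 0 when the cmdlet returns no objects
        $rows = @(& $queries[$name])
        if ($rows.Count -eq 0) {
            # For Threats this is the "no detections to get" case from the thread
            [pscustomobject]@{
                Query = $name; State = 'Empty'; Rows = 0
                Detail = 'no objects returned'
            }
        } else {
            $json = $rows | ConvertTo-Json -Compress
            [pscustomobject]@{
                Query = $name; State = 'Data'; Rows = $rows.Count
                Detail = "$($json.Length) characters of JSON"
            }
        }
    } catch {
        # Per the thread: Defender disabled (for example by another AV product)
        # does not respond to these requests
        [pscustomobject]@{
            Query = $name; State = 'Error'; Rows = 0
            Detail = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize -Wrap

# Only Error indicates a problem worth investigating; Empty means no data to save
$failed = @($report | Where-Object { $_.State -eq 'Error' })
"Requests with errors: $($failed.Count) of $(@($report).Count)"
```

An Empty result for Threats on a host where Status returns Data matches the case described above: Defender is answering and simply has no detections to report.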
Re: P4A Windows Defender Maintenance Failing
Ok, to immediately resolve your issue, set the following lines in the script to Continue on Failure.
line 4, 6 and 7
line 9, 10, 12 and 13
I made the updates on my side and will post them with the next release of plugin.
Re: P4A Windows Defender Maintenance Failing
Thank you, that resolved the issue.
Is there a reason this script only creates an alert for a possible virus detection and not a ticket?