P4A Windows Defender Maintenance Failing
Posted: Thu May 04, 2023 12:16 pm
by bfalco
I am seeing this on all agents, ones that only have defender as AV and others that do have another AV app.
Here is the log
he Script(6345) failed in the Then section at step 12. The reason: SQL Execute failed processing query
Script: S6345 - Starting at Server Time: Thursday, May 4, 2023 8:12:50 AM
IF F1 T: 0.2449958
L4 F235 T: 0.4359934
L5 F20 SetType(P1):1 Parameter(P2):'REPLACE INTO `plugin_p4a_windo...' VariableName(P3):MPSTATUSSQL T: 10.4172899
L6 F67 Sql (P1): 'REPLACE INTO `plugin_p4a_windowsdefender_status` (`ComputerID`,`ComputerName`,`ClientID`,`...' T: 10.5342944
L7 F235 T: 10.7372919
L8 F20 SetType(P1):1 Parameter(P2):'REPLACE INTO `plugin_p4a_windo...' VariableName(P3):MPPREFSQL T: 20.5936218
L9 F67 Sql (P1): 'REPLACE INTO `plugin_p4a_windowsdefender_prefs`(`ComputerID`,`ComputerName`,`ClientID`,`Al...' T: 20.665613
L10 F235 T: 20.7306845
L11 F20 SetType(P1):1 Parameter(P2):'REPLACE INTO `plugin_p4a_windo...' VariableName(P3):MPTHREATSQL T: 22.8234359
L12 F67 Sql (P1): 'REPLACE INTO `plugin_p4a_windowsdefender_detection` (`ComputerID`,
`ClientID`,
`ActionSucc...' T: 22.8254373
Re: P4A Windows Defender Maintenance Failing
Posted: Thu May 11, 2023 1:00 pm
by Cubert
We would need to see the actual returns from Defender requests on agent. So for same time stamp look in the commands windows for command logs. Find the entry with same time stamp that is "executing command" and grab output and place it here.
Typically it becomes self evident on why it failed to produce any of the status logs, exclusions lists or AV def statuses.
We see this happen when, Defender is disabled. WIndows Defender can be disabled by any AV product so if a AV product other than Defender is present you will have Defender not be able to return a status of any data as it is disabled and will not respond to commands.
We powershell the Defender requests, below are the requests made, if you execute one of these requests, see what Windows produces as a return.
Code: Select all
Get-MpComputerStatus | ConvertTo-json
Get-MpPreference | ConvertTo-json
Get-MpThreatDetection | ConvertTo-json
Re: P4A Windows Defender Maintenance Failing
Posted: Sat May 13, 2023 1:06 pm
by bfalco
These were the command results found at the same time the script failed, This system has Defender running and Automate has it listed as the active AV product. Webroot was recently removed
First
('7426','MFD-IMC2','3','1.1.20300.3','4.18.2304.8','Normal','True','4.18.2304.8','True','0','2023-05-12 22:31:18','1.389.1146.0','True','0','2023-05-12 22:31:18','1.389.1146.0','True','B56A5371-0AC9-4032-B50A-ADA1211E6DAE','Unknown','2023-02-15 15:05:43','Disabled','4294967295','','','True','True','False','0','1','True','1.1.20300.3','0','2023-05-12 22:31:18','1.389.1146.0','True','0','2023-05-12 17:02:42','2023-05-12 17:01:46','True','0','Signatures','rsw','Enabled','Disabled')
Second
('7426','MFD-IMC2','3','False','False','False','','','','False','0','0','B56A5371-0AC9-4032-B50A-ADA1211E6DAE','','','0','False','False','False','False','True','False','True','False','False','False','True','False','False','False','False','','False','False','False','True','False','False','True','True','True','False','False','False','0','True','False','False','False','0','0','','','','','False','0','0','2','False','0','0','','','','0','0','True','0','0','02:00:00','10080','10080','1440','50','True','1','15','8','02:00:00','01:45:00','4','0','','0','','60','','False','MicrosoftUpdateServer|MMPC','120','8','01:45:00','1','6','1','','','True','0','False','0')
Third
OK
Re: P4A Windows Defender Maintenance Failing
Posted: Sun May 21, 2023 7:11 pm
by Cubert
looks like it is not liking that nothing was returned. I am out of town until Tuesday but I will have a look at script and see why it has not skipped 3 if 3 returns nothing. It should be. I'll have an answer for you Tuesday afternoon.
Re: P4A Windows Defender Maintenance Failing
Posted: Wed May 24, 2023 6:02 pm
by Cubert
Ok I had a chance to review the script and fail points.
Here is the skinny:
Each SQL Execute is dependent on the success of the SQL query that goes before it by design.
There are 3 main steps to getting the data about Defender AV,
Step 1: Get Defender Status, If successful save to SQL and move to step 2
Step 2: Get Defender preferences, id successful save to SQL and go to step 3.
Step 3: Get any threat data and save to database.
You are failing to get threats because you have none to get. So SQL execute returns nothing and fails out. To resolve the error outs we should set the Exit On Failure to Continue on Failure.
All failures are ok and can be ignored. We either get the data or not, if not then Windows is not reporting anything.
- Screenshot 2023-05-24 135535.png (65.58 KiB) Viewed 12551 times
Re: P4A Windows Defender Maintenance Failing
Posted: Thu May 25, 2023 12:21 pm
by bfalco
thank you that resolved the issue.
Is there a reason this scipt only creates an alert for a possible virus detection and not a ticket?