<#
.SYNOPSIS
    Collects anti-virus status and common persistence-point data from a remote PC.
.DESCRIPTION
    The first positional argument ($args[0]) is the IP address of the host to inspect.
    The switches select which report sections are produced; -ShowAll enables every
    section at once, -HideKnown suppresses allow-listed ("known good") entries and
    -RawEvent prints unparsed anti-virus log messages.
#>
param (
    [switch] $ShowAll = $false,
    [switch] $RawEvent = $false,
    [switch] $ShowServices = $false,
    [switch] $ShowRun = $false,
    [switch] $HideKnown = $false,
    [switch] $ShowProcesses = $false,
    [switch] $ShowTasks = $false,
    [switch] $ShowLogs = $false
)

# How far back the event log is searched, in days. Negative on purpose: it is fed to AddDays().
$day_offset = -14
# Administration server the host is expected to report to (prefix match on the registry value).
$dest_admserv = "servername"
# Oldest acceptable AV database date, in days. Negative on purpose: it is fed to AddDays().
$bases_offset = -4
# Flipped to $true once detections were counted in the logs; enables the detection listing.
$ShowAvEvents = $false

# -ShowAll is shorthand for every section switch.
if ($ShowAll) {
    $ShowServices = $ShowRun = $ShowProcesses = $ShowTasks = $ShowLogs = $true
}
- # Функция проверки статуса удаленного реестра и запуск, если служба не запущена.
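# Checks whether the Remote Registry service on the target host is running and starts it
# if it is not; every registry read later in the script depends on that service.
#   $ip - address of the host to query.
# Prints the outcome on the console; errors are shown in red and swallowed.
# NOTE(review): starting RemoteRegistry widens the host's remote-management surface and the
# script never stops it again, so the operator may want to restore the previous state afterwards.
function CheckAndRunRR ([string] $ip) {
    try {
        Write-Host "Проверка доступности реестра:`t`t`t" -NoNewline
        # Bug fix: the original queried the script-level $strpc instead of the $ip parameter.
        $RR = Get-WmiObject -ComputerName $ip -Class Win32_service -Filter "Name='RemoteRegistry'"
        if (!$RR) {
            # Without this the line above would stay open with no status printed.
            Write-Host "Not found" -ForegroundColor Red
            return
        }
        ForEach ($RReg in $RR) {
            if (!($RReg.Started)) {
                # StartService() returns an object whose ReturnValue is 0 on success.
                # The original compared with '=' (assignment), so it always reported success.
                $RunResult = $RReg.StartService()
                if ($RunResult.ReturnValue -eq 0)
                { Write-Host "Started successfuly" -ForegroundColor Yellow }
                else
                { Write-Host "Service Error: " $RunResult.ReturnValue -ForegroundColor Red }
            }
            else
            { Write-Host "Running" -ForegroundColor Green }
        }
    }
    catch
    { Write-Host $_ -ForegroundColor Red }
}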
- # Функция-фильтр "хороших" ключей реестра (они будут окрашены зелёным и могут быть исключены из вывода)
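# Allow-list filter for autorun registry values: returns $true when $key is a known name and
# $value is its expected content, $false otherwise. Matching entries are shown green by the
# caller and may be hidden with -HideKnown.
#   $key   - registry value name (or "shell"/"userinit" for the Winlogon values).
#   $value - the value's data, a command line or path.
# Key names and paths are compared case-insensitively, as Windows does.
# NOTE(review): this is a path-string allow-list only; it does not check the file's signature
# or hash, so a replaced binary sitting at an expected path is still reported as "known".
function GoodKeys([string] $key, [string] $value) {
    # Fold the 32-bit-on-64-bit spellings onto the native ones before comparing
    # (case-insensitive, so "SysWOW64" is handled as well as "sysWOW64").
    $value = $value -ireplace ' \(x86\)', ''
    $value = $value -ireplace 'syswow64', 'system32'
    $known = @{
        #shell & userinit
        'shell'      = 'Explorer.exe'
        'userinit'   = 'c:\windows\system32\userinit.exe,'
        #autoruns
        'CTFMON.EXE' = 'C:\WINDOWS\system32\CTFMON.EXE'
        # REDACTED
    }
    # Unknown key: not good. Known key with an unexpected value: also not good — the original
    # fell out of its switch without any return value in that case.
    if (-not $known.ContainsKey($key)) { return $false }
    return ($value -eq $known[$key])
}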
- # Функция-фильтр "хороших" служб (они будут окрашены зелёным и могут быть исключены из вывода)
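# Allow-list filter for auto-start services: returns $true when $name is a known service and
# $path is its expected image path, $false otherwise. Matching entries are shown green by the
# caller and may be hidden with -HideKnown.
#   $name - the service's short name (Win32_Service.Name).
#   $path - the service's command line (Win32_Service.PathName).
# Names and paths are compared case-insensitively, as Windows does.
# NOTE(review): path-string allow-list only; the binary itself is not verified.
function GoodServices([string] $name, [string] $path) {
    # Fold the 32-bit-on-64-bit spellings onto the native ones before comparing.
    $path = $path -ireplace ' \(x86\)', ''
    $path = $path -ireplace 'syswow64', 'system32'
    $known = @{
        'atchksrv' = 'C:\Program Files\Intel\AMT\atchksrv.exe'
        # REDACTED
    }
    # Unknown service, or known service with an unexpected path: not good. The original
    # returned nothing at all (rather than $false) in the second case.
    if (-not $known.ContainsKey($name)) { return $false }
    return ($path -eq $known[$name])
}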
- # Функция-фильтр "хороших" процессов (они будут окрашены зелёным и могут быть исключены из вывода)
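# Allow-list filter for running processes: returns $true when $name is a known process and
# (where an image path is expected) $path matches it, $false otherwise. Matching entries are
# shown green by the caller and may be hidden with -HideKnown.
#   $name - process name (Win32_Process.Name).
#   $path - image path (Win32_Process.ExecutablePath); empty for kernel pseudo-processes.
# Names and paths are compared case-insensitively, as Windows does.
# NOTE(review): path-string allow-list only; the binary itself is not verified.
function GoodProcesses([string] $name, [string] $path) {
    # Fold the 32-bit-on-64-bit spellings onto the native ones before comparing
    # (one case-insensitive replace covers the two spellings the original listed).
    $path = $path -ireplace ' \(x86\)', ''
    $path = $path -ireplace 'syswow64', 'system32'
    # $null as the expected path means "any path is fine" (kernel pseudo-processes).
    $known = @{
        'System Idle Process' = $null
        'System'              = $null
        # REDACTED
    }
    if (-not $known.ContainsKey($name)) { return $false }
    $expected = $known[$name]
    if ($null -eq $expected) { return $true }
    return ($path -eq $expected)
}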
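# ---------------------------------------------------------------------------
# Main body. The target is the first positional argument ($args[0], an IP address);
# the switches declared in param() choose which sections are collected. All output
# goes to the console; every remote data source sits in its own try/catch so one
# failing query is reported in red without aborting the rest of the report.
# Coverage note (defender's view): only the classic persistence points are listed
# (Run keys, Winlogon Shell/Userinit, Startup folders, legacy .job tasks, auto-start
# services). RunOnce, Task Scheduler 2.0 XML tasks, WMI subscriptions and similar
# locations are not examined by this script.
# ---------------------------------------------------------------------------
$originalcolor = $Host.UI.RawUI.ForegroundColor
$strpc = $args[0]

# Prints one "name value" line: green when the entry is allow-listed (suppressed
# entirely under -HideKnown), red otherwise; restores the console colour afterwards.
# $name/$value are left untyped so whatever the registry/WMI returned is formatted
# exactly as the original inline code did.
function Write-AutorunLine ($name, $value, [bool] $known) {
    if ($known) {
        if ($HideKnown) { return }
        $Host.UI.RawUI.ForegroundColor = "Green"
    }
    else {
        $Host.UI.RawUI.ForegroundColor = "Red"
    }
    "{0,-33}{1,-20}" -f $name, $value
    $Host.UI.RawUI.ForegroundColor = $originalcolor
}

# Lists every value of an already-opened Run key through Write-AutorunLine.
# A $null key (absent on this host) is skipped instead of throwing, so one missing
# per-user key no longer aborts the whole autorun section.
function Write-RunKey ($regKey) {
    if (!$regKey) { return }
    ForEach ($key in $regKey.GetValueNames()) {
        $value = $regKey.GetValue($key)
        Write-AutorunLine $key $value (GoodKeys -key $key -value $value)
    }
}

if ($args.length -eq 0) {
    Write-Host "ИМЯ"
    Write-Host " Get-AVInfo"
    Write-Host ""
    Write-Host "ОПИСАНИЕ"
    Write-Host " Извлекает данные об обнаруженных вирусах из системных логов удалённого ПК"
    Write-Host ""
    Write-Host "СИНТАКСИС"
    # The usage line now names every switch the param() block actually accepts.
    Write-Host " Get-AVInfo <string> [-ShowAll] [-ShowServices] [-ShowRun] [-ShowProcesses] [-ShowTasks] [-ShowLogs] [-RawEvent] [-HideKnown]"
    Write-Host ""
    Write-Host ""
}
else {
    # Only a literal IP address is accepted: a value that does not cast to [IPAddress]
    # becomes $null, and $null -as [Bool] is $false. Host names are deliberately rejected.
    $isvalid = ($strpc -As [IPAddress] -As [Bool])
    if (!($isvalid)) {
        Write-Host "Неверный IP адрес. Проверка по имени ПК не производится." -ForegroundColor Red
    }
    else {
        Write-Host "Проверка доступности ПК"$strpc":`t`t" -NoNewline
        if (!(Test-Connection -ComputerName $strpc -Count 2 -Quiet)) {
            Write-Host "FAIL" -ForegroundColor Red
        }
        else {
            Write-Host "OK" -ForegroundColor Green
            # OS version string ("5.1*" = XP, "5.2*" = 2003, "6*" = Vista and later) drives the
            # event-log name and profile-path choices below. Typed [string] so a failed query
            # yields "" instead of $null and the later .StartsWith calls cannot throw.
            [string] $OS = (Get-WmiObject -ComputerName $strpc -Class win32_operatingsystem).Version
            # Every registry read below needs the Remote Registry service on the target.
            CheckAndRunRR -ip $strpc
            try {
                Write-Host "Время последней загрузки`t`t`t" -NoNewline
                $boottime = Get-WmiObject -ComputerName $strpc -Class Win32_operatingsystem | ForEach-Object { $_.ConvertToDateTime($_.lastbootuptime) }
                Write-Host $boottime
            }
            catch { Write-Host $_ -ForegroundColor Red }
            # Is the Network Agent (klnagent) running?
            try {
                Write-Host "Поиск агента администрирования:`t`t`t" -NoNewline
                $agent = (Get-Process -ComputerName $strpc | Where-Object { $_.ProcessName -eq "klnagent" } | Measure-Object).Count
                if ($agent -eq 0)
                { Write-Host "FAIL" -ForegroundColor Red }
                else
                { Write-Host "Ok" -ForegroundColor Green }
            }
            catch
            { Write-Host $_ -ForegroundColor Red }
            # Is the real-time protection process running (avp on workstations, kavfs/kavfswp on file servers)?
            try {
                Write-Host "Поиск антивирусного монитора:`t`t`t" -NoNewline
                $mon = (Get-Process -ComputerName $strpc | Where-Object { $_.ProcessName -eq "avp" -or $_.ProcessName -eq "kavfs" -or $_.ProcessName -eq "kavfswp" } | Measure-Object).Count
                if ($mon -eq 0)
                { Write-Host "FAIL" -ForegroundColor Red }
                else
                { Write-Host "Ok" -ForegroundColor Green }
            }
            catch
            { Write-Host $_ -ForegroundColor Red }
            # Protection state as the product itself reports it in the remote registry.
            try {
                $avrunning = ""
                $avstate = ""
                $avbases = ""
                $admServer = ""
                $lastConnected = ""
                $knaver = ""
                $kesver = ""
                $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $strpc)
                # Native view first, then WOW6432Node for a 32-bit product on x64. PowerShell does
                # not treat "\\" as an escape; the doubled separators are presumably normalised by
                # the registry API, which is what the original relied on — left as-is.
                try {
                    $RegKey = $Reg.OpenSubkey("SOFTWARE\\KasperskyLab\\Components\\34\\1103\\1.0.0.0\\Statistics\\AVState")
                    if (!$RegKey) { $RegKey = $Reg.OpenSubkey("SOFTWARE\\Wow6432Node\\KasperskyLab\\Components\\34\\1103\\1.0.0.0\\Statistics\\AVState") }
                    $avrunning = $RegKey.GetValue("Protection_AvRunning")
                    $avstate = $RegKey.GetValue("Protection_RtpState")
                    $avbases = $RegKey.GetValue("Protection_BasesDate")
                    $admServer = $RegKey.GetValue("Protection_AdmServer")
                    $lastConnected = $RegKey.GetValue("Protection_LastConnected")
                    $knaver = $RegKey.GetValue("Protection_NagentVersion")
                }
                catch { } # best effort: a missing key leaves the fields empty, which is reported below
                try {
                    $RegKey2 = $Reg.OpenSubkey("SOFTWARE\\KasperskyLab\\SetupFolders")
                    if (!$RegKey2) { $RegKey2 = $Reg.OpenSubkey("SOFTWARE\\Wow6432Node\\KasperskyLab\\SetupFolders") }
                    $kesver = $RegKey2.GetValueNames()
                }
                catch { } # best effort, as above
                Write-Host "Версия антивирусного агента:`t`t`t" -NoNewline
                Write-Host $knaver
                Write-Host "Версия антивирусного ПО:`t`t`t" -NoNewline
                Write-Host $kesver
                Write-Host "Статус постоянной защиты:`t`t`t" -NoNewline
                # Bug fix: with no registry data the original compared "" -eq 0, which is false,
                # and so printed "Enabled" for a host whose state is actually unknown.
                if ("$avrunning" -eq "")
                { Write-Host "Нет данных" -ForegroundColor Red }
                elseif ($avrunning -eq 0)
                { Write-Host "Disabled" -ForegroundColor Red }
                else
                { Write-Host "Enabled" -ForegroundColor Green }
                Write-Host "Состояние постоянной защиты:`t`t`t" -NoNewline
                switch ($avstate) {
                    0 { Write-Host "Неизвестно" -ForegroundColor Red }
                    1 { Write-Host "Не включена" -ForegroundColor Red }
                    2 { Write-Host "Приостановлена" -ForegroundColor Yellow }
                    3 { Write-Host "Запускается" -ForegroundColor yellow }
                    4 { Write-Host "Включена" -ForegroundColor Green }
                    5 { Write-Host "Включена. Высокий уровень" -ForegroundColor Green }
                    6 { Write-Host "Включена. Низкий уровень" -ForegroundColor Green }
                    7 { Write-Host "Включена. Рекомендуемые настройки" -ForegroundColor Green }
                    8 { Write-Host "Включена. Настройки пользователя" -ForegroundColor Green }
                    9 { Write-Host "Сбой в работе" -ForegroundColor Red }
                    default { Write-Host "Неизвестно (NaN)" -ForegroundColor Red }
                }
                Write-Host "Сервер администрирования`t`t`t" -NoNewline
                # Case-insensitive prefix match. The [string] cast keeps a missing value ($null)
                # from throwing on the method call and skipping the date checks below.
                if (([string] $admServer).StartsWith($dest_admserv, [System.StringComparison]::OrdinalIgnoreCase))
                { Write-Host $admServer -ForegroundColor Green }
                else
                { Write-Host $admServer -ForegroundColor Red }
                # Databases older than $bases_offset days are flagged red; all comparisons in UTC.
                $critical = (Get-Date).AddDays($bases_offset).ToUniversalTime()
                try {
                    $avbases = [datetime]::ParseExact($avbases, "dd-MM-yyyy HH-mm-ss", [System.Globalization.CultureInfo]::InvariantCulture)
                    Write-Host "Дата выпуска антивирусных баз:`t`t`t" -NoNewline
                    if ($avbases -lt $critical)
                    { Write-Host $avbases.ToLocalTime() -ForegroundColor Red }
                    else
                    { Write-Host $avbases.ToLocalTime() -ForegroundColor Green }
                }
                catch {
                    Write-Host "Дата выпуска антивирусных баз:`t`t`t" -NoNewline
                    Write-Host "Нет данных" -ForegroundColor Red
                }
                # A host that has not reported to the administration server for more than
                # two hours is flagged red.
                try {
                    $critical_conn = (Get-Date).AddHours(-2).ToUniversalTime()
                    $lastConnected = [datetime]::ParseExact($lastConnected, "dd-MM-yyyy HH-mm-ss", [System.Globalization.CultureInfo]::InvariantCulture)
                    Write-Host "Дата последнего соединения:`t`t`t" -NoNewline
                    if ($lastConnected -lt $critical_conn)
                    { Write-Host $lastConnected.ToLocalTime() -ForegroundColor Red }
                    else
                    { Write-Host $lastConnected.ToLocalTime() -ForegroundColor Green }
                }
                catch {
                    Write-Host "Дата последнего соединения:`t`t`t" -NoNewline
                    Write-Host "Нет данных" -ForegroundColor Red
                }
            }
            catch
            { Write-Host "Ошибка: " $_ -ForegroundColor Red }
            # Count detection events (event ID 4660) for the last $day_offset days. The log
            # name depends on the OS generation; $events is reused by the listing further down.
            if ($ShowLogs) {
                try {
                    Write-Host "Подсчёт количества записей от антивируса:`t" -NoNewline
                    $monthbefore = (Get-Date).AddDays($day_offset)
                    switch -Wildcard ($OS) {
                        "5.1*" { $events = Get-EventLog -ComputerName $strpc -LogName Application -EntryType Error -After $monthbefore | Where-Object { $_.eventID -eq 4660 } }
                        "5.2*" { $events = Get-EventLog -ComputerName $strpc -LogName "Kaspersky Anti-Virus" -EntryType Error -After $monthbefore | Where-Object { $_.eventID -eq 4660 } }
                        default { $events = Get-EventLog -ComputerName $strpc -LogName "Kaspersky Event Log" -EntryType Error -After $monthbefore | Where-Object { $_.eventID -eq 4660 } }
                    }
                    $event_measure = $events | Measure-Object
                    if ($event_measure.Count -eq 0)
                    { Write-Host "0" -ForegroundColor Green }
                    else {
                        Write-Host $event_measure.Count -ForegroundColor Red
                        $ShowAvEvents = $true
                    }
                }
                catch
                { Write-Host $_ -ForegroundColor Red }
            }
            if ($HideKnown) { Write-Host "`nВнимание, все 'известные' записи и процессы будут скрыты." -ForegroundColor "Green" }
            if ($ShowRun) {
                Write-Host "`nСписок автозагрузки:"
                try {
                    # Per-user Run keys: walk HKEY_USERS, skipping .DEFAULT, the built-in
                    # service SIDs and every *_Classes hive (the original listed those by name).
                    $skipHives = @(".DEFAULT", "S-1-5-18", "S-1-5-19", "S-1-5-20")
                    $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $strpc)
                    Write-Host "`nHKCU:Run"
                    foreach ($User in $Reg.GetSubKeyNames()) {
                        if (($skipHives -contains $User) -or $User.EndsWith("_Classes")) { continue }
                        Write-RunKey ($Reg.OpenSubKey($User + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"))
                    }
                    $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $strpc)
                    Write-Host "`nHKLM:Run"
                    Write-RunKey ($Reg.OpenSubkey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"))
                    # Bug fix: the original spelled the key "Polices", so the policy Run key was
                    # never found and this section was silently skipped on every host.
                    $RegKey = $Reg.OpenSubkey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run")
                    if ($RegKey) {
                        Write-Host "`nHKLM:Policies\Explorer\Run"
                        Write-RunKey $RegKey
                    }
                    Write-Host "`nHKLM: Shell, userinit"
                    $RegKey = $Reg.OpenSubkey("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon")
                    if ($RegKey) {
                        $shell = $RegKey.GetValue("Shell")
                        $userinit = $RegKey.GetValue("userinit")
                        Write-AutorunLine "Shell" $shell (GoodKeys -key "shell" -value $shell)
                        Write-AutorunLine "userinit" $userinit (GoodKeys -key "userinit" -value $userinit)
                    }
                }
                catch
                { Write-Host $_ -ForegroundColor Red }
                Write-Host "`nCommon Autoruns"
                # All-users Startup folder, read over the administrative C$ share.
                try {
                    $dir_found = $false
                    $win7cprofile = "\\" + $strpc + "\c$\ProgramData\Microsoft\Windows\"
                    $winxcprofile = "\\" + $strpc + "\c$\Documents and Settings\All Users\"
                    if ($OS.StartsWith("6")) {
                        $autorunsdir = $win7cprofile + "Start Menu\Programs\Startup"
                        $dir_found = Test-Path $autorunsdir
                    }
                    if ($OS.StartsWith("5")) {
                        # XP/2003 localise the folder name: try the Russian name, then the English one.
                        $rudir = $winxcprofile + "\Главное меню\Программы\Автозагрузка"
                        $endir = $winxcprofile + "\Start Menu\Programs\Startup"
                        if (Test-Path $rudir) {
                            $autorunsdir = $rudir
                            $dir_found = $true
                        }
                        # Bug fix: the original re-tested $rudir here, so the English folder was never used.
                        elseif (Test-Path $endir) {
                            $autorunsdir = $endir
                            $dir_found = $true
                        }
                    }
                    if ($dir_found) {
                        $commonaut = Get-ChildItem -Path $autorunsdir
                        Write-Host $commonaut.Name -ForegroundColor Red
                    }
                }
                catch
                { Write-Host $_ -ForegroundColor Red }
                Write-Host "`nUser Autoruns"
                # Per-profile Startup folders, read over the administrative C$ share.
                try {
                    $baseDisk = "\\" + $strpc + "\c$"
                    $winxpprofile = $baseDisk + "\Documents and Settings"
                    $win7profile = $baseDisk + "\users"
                    if ($OS.StartsWith("5"))
                    { $currentprofile = $winxpprofile }
                    if ($OS.StartsWith("6")) {
                        $currentprofile = $win7profile
                    }
                    # Only plain directories are listed; hidden/system profile folders are not
                    # enumerated without -Force (unchanged from the original).
                    $users = Get-ChildItem -Path $currentprofile | Where-Object { $_.Attributes -eq "Directory" }
                    ForEach ($user in $users) {
                        $userName = $user.Name
                        if (@("All Users", "UpdatusUser") -contains $userName) { continue }
                        # Reset per user: the original reused the previous value when nothing was
                        # found, attributing another folder's entries to this user.
                        $autorunsdir = $null
                        if ($OS.StartsWith("6")) {
                            $autorunsdir = $currentprofile + "\" + $userName + "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
                        }
                        else {
                            # Bug fix: the original built the English fallback from $commonprofile
                            # (the all-users folder) and re-tested $rudir, so it never used this user's folder.
                            $rudir = $currentprofile + "\" + $userName + "\Главное меню\Программы\Автозагрузка"
                            $endir = $currentprofile + "\" + $userName + "\Start Menu\Programs\Startup"
                            if (Test-Path $rudir) { $autorunsdir = $rudir }
                            elseif (Test-Path $endir) { $autorunsdir = $endir }
                        }
                        Write-Host $userName
                        # A missing Startup folder used to throw and abort the remaining users.
                        if ($autorunsdir -and (Test-Path $autorunsdir)) {
                            $useraut = Get-ChildItem -Path $autorunsdir
                            Write-Host $useraut.Name -ForegroundColor Red
                        }
                    }
                }
                catch
                { Write-Host $_ -ForegroundColor Red }
            }
            if ($ShowTasks) {
                Write-Host "`nЗадачи"
                # Only legacy Task Scheduler 1.0 ".job" files are listed; tasks stored as XML under
                # System32\Tasks (Vista and later) are not covered by this check.
                try {
                    $fullpath = "\\" + $strpc + "\admin$\Tasks"
                    $tasks = Get-ChildItem -Path $fullpath | Where-Object { $_.Extension -eq ".job" }
                    foreach ($task in $tasks) {
                        Write-Host $task.Name -ForegroundColor Red
                    }
                }
                catch
                { Write-Host $_ -ForegroundColor Red }
            }
            if ($ShowServices) {
                Write-Host "`nАвтозапускаемые сервисы"
                try {
                    $services = Get-WmiObject -ComputerName $strpc -Class Win32_service -Filter "StartMode='Auto'"
                    ForEach ($service in $services) {
                        Write-AutorunLine $service.DisplayName $service.Pathname (GoodServices -name $service.Name -path $service.Pathname)
                    }
                }
                catch
                { Write-Host $_ -ForegroundColor Red }
            }
            if ($ShowProcesses) {
                Write-Host "`nСписок процессов"
                try {
                    $processes = Get-WmiObject -ComputerName $strpc -Class win32_process
                    ForEach ($process in $processes) {
                        Write-AutorunLine $process.Name $process.ExecutablePath (GoodProcesses -name $process.Name -path $process.ExecutablePath)
                    }
                }
                catch
                { Write-Host $_ -ForegroundColor Red }
            }
            # Detection listing; $events was populated by the -ShowLogs section above.
            if ($ShowAvEvents) {
                try {
                    Write-Host "`nСписок обнаруженныех вирусов"
                    if ($RawEvent)
                    { Write-Host "Выводятся все сообщения от антивируса`n" -ForegroundColor Red }
                    foreach ($event in $events) {
                        if ($RawEvent) {
                            Write-Host $event.TimeGenerated
                            Write-Host $event.message
                        }
                        else {
                            # Parse the localised (Russian) detection message: the detection name and
                            # the object path each sit on their own "Результат\Название:" / "Объект:" line.
                            $msgfiltred = $event | Where-Object { $_.Message -like '*Обнаружен вредоносный объект*' } | Select-Object -ExpandProperty message
                            $virname = $msgfiltred -split "`n" | Select-String "Результат\\Название:"
                            $virname = $virname -replace "Результат\\Название: ", ""
                            $virbody = $msgfiltred -split "`n" | Select-String "Объект:"
                            $virbody = $virbody -replace "Объект:"
                            if ($virname.Length -ne 0)
                            { "{0,-20}{1,-30}{2,-30}" -f $event.TimeGenerated, $virname, $virbody }
                        }
                    }
                }
                catch
                { Write-Host $_ -ForegroundColor Red }
            }
            try {
                Write-Host "`n`nТекущий пользователь: "@(Get-WmiObject -ComputerName $strpc -Namespace root\cimv2 -Class Win32_ComputerSystem)[0].UserName
            }
            catch
            { Write-Host "`n`n" }
            Write-Host "Конец собранной информации об IP:"$strpc
        }
    }
}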