Using MpCmdRun remotely

While using the SCCM console to administer SCEP is always the preferred method, you may find yourself in a situation where you need to perform SCEP tasks without the SCCM console. If there were a major virus outbreak on your network and SCCM was knocked offline, it would be critical to maintain control of your SCEP clients.

Additionally, you may have staff members that need to be able to launch full scans and force definition updates remotely, but you do not wish to grant them access to the SCCM console. This recipe will show you how to leverage MpCmdRun.exe and a great free utility from Microsoft named PsExec to accomplish SCEP administration without the SCCM console.

Getting ready

For this recipe, you will need to be using an account that has local administrator privileges on the targeted PC. You will also need to download PsExec from the following website:

http://technet.microsoft.com/en-us/sysinternals/bb897553

How to do it...

Follow these steps:

  1. You'll be running PsExec.exe from your own workstation. The exe needs to be run with a command prompt with elevated privileges.
  2. If this is your first time running PsExec, you will have to agree to EULA.
  3. To force a remote PC to run a full scan, execute the following command:
    psexec \\TargetPCsName "C:\Program Files\Microsoft Security Client\Antimalware\mpcmdrun.exe" -scan -2
    
  4. The value -scan -2 indicates that a full scan should be run.
  5. If the command was successful, then eventually the following syntax will be returned:
    Scan starting...
    Scan finished.
    C:\Program Files\Microsoft Security Client\Antimalware\mpcmdrun.exe exited on TargetPCsName with error code 0.
    

    Note

    Note that error code 0 in this case indicates success. Also keep in mind that although the message states that the scan is finished, it is likely still running on the target PC.

  6. Next, we will send a remote PC a command to retrieve a full definition update directly from the Microsoft Malware Protection Center on the Internet. This command would be useful when attempting to stamp out a spreading infection, as any definition update that comes from MMPC will be the absolute newest available definition file:
    psexec \\TargetPCsName "C:\Program Files\Microsoft Security Client\Antimalware\mpcmdrun.exe" -SignatureUpdate -MMPC
    
  7. If the command was successful, the following syntax will be returned:
    Signature update started . . .
    Signature update finished. 
    C:\Program Files\Microsoft Security Client\Antimalware\mpcmdrun.exe exited on TargetPCsName with error code 0.
    
  8. Finally, we will be executing an MpCmdRun command that will collect all of the SCEP log files on a target PC into a single directory for easy retrieval. This would be very useful if you're in the process of troubleshooting an outbreak and you've lost access to SCEP reports in SCCM.
    psexec \\TargetPCsName "C:\Program Files\Microsoft Security Client\Antimalware\mpcmdrun.exe" -getfiles
    
  9. Once the command has completed successfully, you should see the following syntax:
    Files successfully created in C:\ProgramData\Microsoft\Microsoft Antimalware\Support\MpSupportFiles.cab
    
  10. The preceding file location is located on the target PC; you will need to browse its file system to retrieve the cab file.

How it works...

MpCmdRun.exe is a very useful executable that can be found on any PC or server with a SCEP client installed. By using PsExec.exe, we are able to execute SCEP commands remotely, either in a crisis situation or as part of normal administrative procedures.

If an administrator is going to routinely be performing any of the tasks in this recipe, it might make sense to build MpCmdRun into a script.
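The following PowerShell script is an added example, not part of the recipe, that wraps the three PsExec + MpCmdRun calls from the steps above into one function so they can be run against a list of PCs and their exit codes checked. It assumes psexec.exe is on your PATH, that your account has local administrator rights on each target, that the targets expose the C$ administrative share, and the function and parameter names are hypothetical.

```powershell
# Added example: scripted version of the recipe's remote MpCmdRun tasks.
# Assumes psexec.exe is on PATH and you are local admin on every target PC.
$MpCmdRun = 'C:\Program Files\Microsoft Security Client\Antimalware\mpcmdrun.exe'

function Invoke-RemoteScep {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [ValidateSet('FullScan','UpdateFromMMPC','GetFiles')] [string] $Task,
        # Local folder where collected MpSupportFiles.cab files are copied (assumed location)
        [string] $Destination = "$env:USERPROFILE\ScepSupportFiles"
    )
    # Argument sets are exactly those used in the recipe steps
    $mpArgs = switch ($Task) {
        'FullScan'       { '-Scan', '-2' }
        'UpdateFromMMPC' { '-SignatureUpdate', '-MMPC' }
        'GetFiles'       { '-GetFiles' }
    }
    foreach ($pc in $ComputerName) {
        # -accepteula suppresses the first-run EULA prompt (step 2) for unattended use
        & psexec.exe -accepteula "\\$pc" $MpCmdRun @mpArgs 2>&1 | ForEach-Object { "$pc> $_" }
        $code = $LASTEXITCODE   # PsExec returns MpCmdRun's own exit code
        # Meaning of the codes as given in the MpCmdRun usage text:
        # 0 = no malware or remediated; 2 = malware not remediated / user action needed / scan error
        $status = switch ($code) {
            0       { 'OK' }
            2       { 'ATTENTION: check the client History for details' }
            default { "PsExec or MpCmdRun failed (exit code $code)" }
        }
        $cab = $null
        if ($Task -eq 'GetFiles' -and $code -eq 0) {
            # The cab is written on the target (step 10); pull it back over the C$ admin share
            $remote = "\\$pc\C$\ProgramData\Microsoft\Microsoft Antimalware\Support\MpSupportFiles.cab"
            New-Item -ItemType Directory -Force -Path $Destination | Out-Null
            $cab = Join-Path $Destination "$pc-MpSupportFiles.cab"
            Copy-Item -Path $remote -Destination $cab -ErrorAction SilentlyContinue
        }
        # Note (step 5): a 'Scan finished' message does not mean the scan has completed on the target
        [pscustomobject]@{ Computer = $pc; Task = $Task; ExitCode = $code; Status = $status; Cab = $cab }
    }
}

# Usage: push the newest MMPC definitions to two PCs, then full-scan them and collect logs
$targets = 'PC01', 'PC02'   # constructed sample names
Invoke-RemoteScep -ComputerName $targets -Task UpdateFromMMPC | Format-Table
Invoke-RemoteScep -ComputerName $targets -Task FullScan       | Format-Table
Invoke-RemoteScep -ComputerName $targets -Task GetFiles       | Format-Table
```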

Additional MpCmdRun functions:

The options in this recipe represent just a handful of the tasks MpCmdRun can be used for. For your reference, the complete usage output for MpCmdRun is reproduced below:

Usage:
MpCmdRun.exe [command] [-options]

Command Description
   -? / -h Displays all available options for this tool
   -Scan [-ScanType #] [-File <path> [-DisableRemediation]] Scans for malicious software
   -Trace [-Grouping #] [-Level #] Starts diagnostic tracing
   -GetFiles Collects support information
   -RemoveDefinitions [-All] Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
   [-DynamicSignatures]    Removes only the dynamically downloaded signatures
   -SignatureUpdate [-UNC [-Path <path>] | -MMPC] Checks for new definition updates
   -Restore -Name <name> [-All] Restore the most recently or all quarantined item(s) based on threat name
   -AddDynamicSignature [-Path] Loads a dynamic signature
   -ListAllDynamicSignatures List the loaded dynamic signatures
   -RemoveDynamicSignature [-SignatureSetID] Removes a dynamic signature

Additional Information:
Support information will be in the following directory:
c:\ProgramData\Microsoft\Microsoft Antimalware\Support
   -Scan [-ScanType value]
        0  Default, according to your configuration
        1  Quick scan
        2  Full system scan
        3  File and directory custom scan
           [-File <path>] Indicates the file or directory  to be scanned, only valid for custom scan.
           [-DisableRemediation]
                This option is valid only for custom scan.
                When specified:
                  - File exclusions are ignored.
                  - Archive files are scanned.
                  - Actions are not applied after detection.
                  - Event log entries are not written after detection.
                  - Detections from the custom scan are not displayed in the user interface.
      Return code is
      0    if no malware is found or malware is successfully remediated and no additional user action is required
      2    if malware is found and not remediated or additional user action is required to complete remediation or there is error in scanning.  Please check History for more information.
   -Trace [-Grouping value] [-Level value]
        Begins tracing Microsoft Antimalware Service's actions.
        You can specify the components for which tracing is enabled and
        how much information is recorded.
        If no component is specified, all the components will be logged.
        If no level is specified, the Error, Warning and Informational levels will be logged. The data will be stored in the support directory as a file having the current timestamp in its name and bearing the extension BIN.

        [-Grouping]
        0x1    Service
        0x2    Malware Protection Engine
        0x4    User Interface
        0x8    Real-Time Protection
        0x10   Scheduled actions
        0x20   NIS/GAPA

        [-Level]
        0x1    Errors
        0x2    Warnings
        0x4    Informational messages
        0x8    Function calls
        0x10   Verbose
        0x20   Performance

   -GetFiles
        Gathers the following log files and packages them together in a compressed file in the support directory
        - Any trace files from Microsoft Antimalware Service
        - The Windows Update history log
        - All Microsoft Antimalware Service events from the System event log
        - All relevant Microsoft Antimalware Service registry locations
        - The log file of this tool
        - The log file of the signature update helper tool

   -RemoveDefinitions
        Restores the last set of signature definitions
        [-All]
        Removes any installed signature and engine files. Use this
        option if you have difficulties trying to update signatures.
        [-DynamicSignatures]
        Removes all Dynamic Signatures.
   -SignatureUpdate
        Checks for new definition updates
        [-UNC [-Path <path>]]
        Performs update directly from UNC file share specified in <path>
        If -Path is not specified, update will be performed directly from the preconfigured UNC location
        [-MMPC]
        Performs update directly from Microsoft Malware Protection Center
   -Restore -Name <name>
        Restores the most recently quarantined item based on threat name
        One Threat can map to more than one file
        [-All]
        Restores all the quarantined items based on name
   -AddDynamicSignature -Path <path>
        Adds a Dynamic Signature specified by <path>
   -ListAllDynamicSignatures
        Lists SignatureSet ID's of all Dynamic Signatures added to the client via SpyNet and MPCMDRUN -AddDynamicSignature
   -RemoveDynamicSignature -SignatureSetID <SignatureSetID>
        Removes a Dynamic Signature specified by <SignatureSetID>
