Monitoring third party antivirus software

Monitoring any of the supported third party antivirus solutions requires a professional license or an Automation on Essentials license applied to the device. You will also need to:

  • Add the AV Status service to the device
  • Execute the AV Status script as a daily scheduled task.

The AV Status script updates a Windows Management Instrumentation (WMI) value on the device, and the AV Status service monitors that value. This keeps you up to date on the third party AV software, including which product is installed, whether it is running and whether it is up to date.

For an up-to-date list of supported antivirus products, download the AV Status script referred to in this document and open it using a text editor such as Notepad or Notepad++. The most current list of antivirus solutions this service will monitor is contained in this script.

The procedures below outline how to build the rules, templates and filters needed to automate the application and removal of the Third Party AV monitoring service, AV Status, depending on whether it is needed or not.

Install the AV Status script

  1. Log into the N-able Resource Center (http://nrc.n-able.com), and go to the Community > Scripts & Automation Policies section.

     Tip: You may have to click the three-lined icon in the upper-left corner to see the menu selections.

  2. Click AV Status, download the compressed script and extract AVstatus.vbs.
  3. At the Service Organization Level, click Configuration > Scheduled Tasks > Script/Software Repository.
  4. Click Add > Scripting.
  5. Enter the details, locate the script file and click OK.

The AV Status script is updated regularly. It is highly recommended you update the script in your repository on a regular basis. To update the script, open the Script Repository as described above, select the existing AV Status script and click Change.

Create filters

Create a filter to identify devices without our integrated AV solution installed. These devices will need to have the AV Status service and script installed to monitor their third party AV such as Symantec, Trend, AVG etc.

If you have purchased Scripting ability on Essential devices the conditions for Pro and Essentials mode licensing can be removed from the filters below.

  1. In the navigation pane, click Configuration > Filters and click Add.
  2. Enter a name and ensure the Show in my Drop-Down check box is selected.
  3. Click Advanced Mode and select Custom Expression from the Find devices where drop-down list.
  4. Enter (((A OR B OR C) AND (D AND E AND F AND G))) and click Generate.
  5. Select the required criteria and click Save.

In the same way, create a second filter to identify professionally licensed Windows devices with our integrated AV installed. This filter is used to remove AV Status from devices that do not require it. AV Status will also be removed from Essential devices, because its script cannot run on them.

  1. In the navigation pane, click Configuration > Filters and click Add.
  2. Enter a name and ensure the Show in my Drop-Down check box is selected.
  3. Click Advanced Mode and select Custom Expression from the Find devices where drop-down list box.
  4. Enter (((A OR B OR C) AND (D AND E AND F AND G))) and click Generate.
  5. Click Save.

Create Scheduled Task profiles

You need to create a scheduled task profile that will run the AV Status script once a day, during the hours that the system will typically be online. This profile will be added to a rule so that it is applied globally and automatically.

  1. From the Service Organization level, go to Configuration > Scheduled Tasks > Profiles.
  2. Click Add and enter AV Status Script in the Name field.
  3. Click Add Scripting.
  4. On the Details tab, select Use Device Credentials, and select the script you created in the previous set of steps.
  5. Click the Schedule tab and select Recurring from the Type drop-down list box.
  6. Select Custom from the Interval drop-down, then select and Add at least two Start Times.

     How often you run the task and how you schedule it is up to you. It is suggested you run the task twice a day.

  7. Ensure the task is run Every day.
  8. Click Save.

Add a second task with the name "AV Status - First Run".

  1. Repeat the information on the Details tab in the previous steps.
  2. On the Schedule tab, select Once from the Type drop-down list box.
  3. Select 2 hours from the Execution Timeout drop-down, and leave Execution Window as "Only run at the specified time".
  4. Click Save, then Save again.

Create three Service Templates that add the AV Status service

Because Service Templates are tied to their respective device classes, you need to create three: one for laptops, one for workstations and one for servers.

  1. At the Service Organization level, go to Configuration > Monitoring > Service Templates.
  2. Click Add and enter a name for the first template. For example "AV Status - Laptops".
  3. Select Laptops - Windows from the Device Class drop-down list box.
  4. Select AV Status from the Service drop-down list box and click Add Service.
  5. Click Save.

Repeat these steps to create templates using the same AV Status service for "AV Status - Workstations" and "AV Status - Servers".

Create three further Service Templates to remove the AV Status service from servers, workstations and laptops to which you choose to deploy AV Defender.

  1. Click Add and enter a name for the first template. For example "AV Status - Removal from Laptops".
  2. Select AV Status from the Service drop-down list box and click Add Service, then click Save.
  3. In the Action column, click Add or Modify, and change to Remove.
  4. Click Save.

Repeat to create templates for "AV Status - Removal from Workstations" and "AV Status - Removal from Servers".

Create rules to deploy/remove the AV Status Script and Service Templates

The first rule deploys AV Status and its components to devices that do not have Centralize integrated AV installed.

  1. At the Service Organization level, click Configuration > Monitoring > Rules.
  2. Click Add and enter the name "Add AV Status to devices without integrated AV installed".
  3. On the Devices to Target tab, select the AV Status - Devices without AV Defender Installed filter created above and add it to the Selected Filters box.
  4. Click the Scheduled Task Profile tab, and select the AV Status Script profile you created above.
  5. Click the Monitoring Options tab, and select the AV Status - Workstations, AV Status - Laptops and AV Status - Servers Service Templates you created above.
  6. Click the Grant Customers & Sites Access tab, move all customer/sites to the Selected Customer/Sites column and click the Propagate to all new customers/sites check box.
  7. Click Save.

The second rule removes the AV Status script and its components from devices that deploy the MSP N-central AV products, and applies product specific monitoring.

  1. At the Service Organization level, click Configuration > Monitoring > Rules.
  2. Click Add and name this rule "Remove AV Status from devices with integrated AV".
  3. Click the Devices to Target tab, and select the "AV Status - Devices with AV Defender Installed" filter created above.
  4. Click the Scheduled Task Profile tab, and select the "AV Status Script" profile you created above.
  5. Click the Monitoring Options tab, and select the "AV Status - Removal from Workstations", "AV Status - Removal from Laptops" and "AV Status - Removal from Servers" Service Templates you created above.
  6. Click the Grant Customers & Sites Access tab, and move all customer/sites to the Selected Customer/Sites column and check the Propagate to all new customers/sites check box.
  7. Click Save.