As you may know I have been playing with OMS for a while, especially on the Log Analytics side and some security items. One of the solutions I added quickly was the Antimalware Assessment solution.
What the ANtimalware Assessment does is first of all check if you are protected at all. It will find some antivirus products and it will also see if a machine has nothing recognized outside of the last run of the Malicious Software Removal Tool which comes with Windows Updates every month. And for instance for System Center Endpoint Protection it can pick up on threats.
Today I had a chance to also see that part in action :>
So I got the following email:
This does also name which machine is involved and such.
So I went to my OMS workspace and went into the Antimalware Assessment to find this:
From here we can see which machine was affected and also that the threat has been quarantined already. The second blade tells me what item was found and at what time.
If you click on the threat or the machine you will get to see the log entries leading to this. It features things like which files in which path were found and quarantined.
SO let me have a look at the machine giving the alert and sure enough there it is:
So this gave me a possibility to confirm this does not belong there and remove it permanently. And of course make sure to run a full scan just to be sure.
So there you have it. Immediate value add by the OMS solution on top of what you have already. B):idea::D
Have fun and stay safe!
Bob Cornelissen