From f50b304a0e3727570b8e617917269f7a7f79fba6 Mon Sep 17 00:00:00 2001
From: iserrano76
Date: Mon, 11 Mar 2024 15:29:08 +0100
Subject: [PATCH 1/2] Logger Functions, FE Detection and IIS logs check
---
Admin/Test-AMSI.ps1 | 373 +++++++++++++++++++++++++++-----------------
1 file changed, 226 insertions(+), 147 deletions(-)
diff --git a/Admin/Test-AMSI.ps1 b/Admin/Test-AMSI.ps1
index 0ee219a739..9fc99e9194 100644
--- a/Admin/Test-AMSI.ps1
+++ b/Admin/Test-AMSI.ps1
@@ -160,6 +160,131 @@ begin { . $PSScriptRoot\..\Shared\CertificateFunctions\Enable-TrustAnyCertificateCallback.ps1 . $PSScriptRoot\..\Shared\ScriptUpdateFunctions\Test-ScriptVersion.ps1 . $PSScriptRoot\..\Shared\Get-ExchangeBuildVersionInformation.ps1 + . $PSScriptRoot\..\Shared\LoggerFunctions.ps1 + . $PSScriptRoot\..\Shared\OutputOverrides\Write-Host.ps1 + . $PSScriptRoot\..\Shared\OutputOverrides\Write-Warning.ps1 + . $PSScriptRoot\..\Shared\OutputOverrides\Write-Verbose.ps1 + . $PSScriptRoot\..\Shared\OutputOverrides\Write-Progress.ps1 + + function Write-DebugLog ($message) { + if (![string]::IsNullOrEmpty($message)) { + $Script:DebugLogger = $Script:DebugLogger | Write-LoggerInstance $message + } + } + + function Write-HostLog ($message) { + if (![string]::IsNullOrEmpty($message)) { + $Script:DebugLogger = $Script:DebugLogger | Write-LoggerInstance $message + $Script:HostLogger = $Script:HostLogger | Write-LoggerInstance $message + } + } + + SetWriteHostAction ${Function:Write-HostLog} + SetWriteProgressAction ${Function:Write-DebugLog} + SetWriteVerboseAction ${Function:Write-DebugLog} + SetWriteWarningAction ${Function:Write-HostLog} + + $LogFileName = "Test-AMSI" + $StartDate = Get-Date + $StartDateFormatted = ($StartDate).ToString("yyyyMMddhhmmss") + $Script:DebugLogger = Get-NewLoggerInstance -LogName "$LogFileName-Debug-$StartDateFormatted" -LogDirectory $PSScriptRoot -AppendDateTimeToFileName $false -ErrorAction SilentlyContinue + $Script:HostLogger = Get-NewLoggerInstance -LogName "$LogFileName-Results-$StartDateFormatted" -LogDirectory $PSScriptRoot -AppendDateTimeToFileName $false -ErrorAction SilentlyContinue + + function SearchOnLogs { + param( + [Parameter(ParameterSetName = 'SearchHttpRequestFiltering', Mandatory = $true)] + [switch]$SearchHttpRequestFiltering, + [Parameter(ParameterSetName = 'SearchIIS', Mandatory = $true)] + [switch]$SearchIIS, + [Parameter(ParameterSetName = 'SearchIIS', Mandatory = $true)] + [Parameter(ParameterSetName = 
'SearchHttpRequestFiltering', Mandatory = $true)] + [string]$Server, + [Parameter(ParameterSetName = 'SearchHttpRequestFiltering', Mandatory = $true)] + [string]$ExchangePath, + [Parameter(ParameterSetName = 'SearchIIS', Mandatory = $true)] + [Parameter(ParameterSetName = 'SearchHttpRequestFiltering', Mandatory = $true)] + [string]$UrlStem + ) + + $LogFolder = $null + $isDisabled = $false + + if ($SearchHttpRequestFiltering) { + $OriginalLogFolder = Join-Path $ExchangePath "Logging\HttpRequestFiltering\" + if ($Server.Equals($env:COMPUTERNAME, [System.StringComparison]::OrdinalIgnoreCase)) { + $LogFolder = $OriginalLogFolder + } else { + $LogFolder = "\\$Server\$($OriginalLogFolder.Replace(':','$'))" + } + } + + if ($SearchIIS) { + $getIISLogPath = { + $webSite = Get-Website "Default Web Site" + $logPath = $webSite.logFile.directory + $resolvedPath = [System.IO.Path]::GetFullPath([System.Environment]::ExpandEnvironmentVariables($logPath)) + "$resolvedPath\w3svc$($webSite.id)" + } + + $OriginalLogFolder = Invoke-ScriptBlockHandler -ComputerName $server -ScriptBlock $getIISLogPath + if ($server.Equals($env:COMPUTERNAME, [System.StringComparison]::OrdinalIgnoreCase)) { + $LogFolder = $OriginalLogFolder + } else { + $LogFolder = "\\$server\$($OriginalLogFolder.Replace(':','$'))" + } + + $getIISLogDisabled = { (Get-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\ecp" -Filter "system.webServer/httpLogging" -Name donTLog).Value } + $isDisabled = (Invoke-ScriptBlockHandler -ComputerName $server -ScriptBlock $getIISLogDisabled) + if ($isDisabled) { + Write-Host "We could not get IIS log for $Server because it is disabled" -ForegroundColor Yellow + return + } + } + + if ($null -eq $LogFolder) { + Write-Host "We could not get log folder for $Server" -ForegroundColor Yellow + } else { + Write-Host "Looking for request $UrlStem on server $Server" -ForegroundColor Yellow + if ($SearchIIS) { + Write-Host "IIS logs on Folder $OriginalLogFolder ..." 
+ } else { + Write-Host "HttpRequestFiltering logs on Folder $OriginalLogFolder ..." + } + + if (Test-Path $LogFolder -PathType Container) { + $timeout1min = (Get-Date).AddMinutes(1) + $foundRequest = $false + do { + Start-Sleep -Seconds 1 + $remainSeconds = ($timeout1min - (Get-Date)).Seconds + Write-Progress -Activity "Searching on logs ..." -Status "Max seconds Remaining" -SecondsRemaining $remainSeconds + $file = $null + $file = Get-ChildItem $LogFolder -Filter "*.log" | Sort-Object LastWriteTime -Descending | Select-Object -First 1 -Property * + $found = $file | Get-Content | Select-String $UrlStem + if ($found) { + Write-Host "We found the request on logs: " -ForegroundColor Green + Write-Host "$($found.Line)" + $foundRequest = $true + if ($SearchHttpRequestFiltering) { + Write-Host " " + Write-Host "Request blocked by server: $Server from AMSI" -ForegroundColor Green + Write-Host " " + } + } + } while ((-not $foundRequest) -and ($remainSeconds -gt 0)) + Write-Progress -Activity "Searching on logs ..." -Completed + if (-not $foundRequest) { + Write-Warning "We have not found the request on FrontEnd server: $Server." -ForegroundColor Red + if ($SearchHttpRequestFiltering) { + Write-Host "Server: $Server has not record on HttpRequestFiltering log" -ForegroundColor Red + } + Write-Host " " + } + } else { + Write-Host "We could not access Logs folder on $Server" -ForegroundColor Red + } + } + } function HasWindowsVersionAmsiSupport { param( @@ -173,11 +298,11 @@ begin { if ($Version -ge 10) { return $true } else { - Write-Warning "$server is not a Windows version with AMSI support." + Write-Host "$server is not a Windows version with AMSI support." -ForegroundColor Red return $false } } else { - Write-Warning "We could not get Windows version for $server." + Write-Host "We could not get Windows version for $server." -ForegroundColor Red return $false } } 
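Review bot: `Write-Warning "We have not found the request on FrontEnd server: $Server." -ForegroundColor Red` passes a parameter the built-in Write-Warning does not have, so unless the dot-sourced `OutputOverrides\Write-Warning.ps1` declares `-ForegroundColor`, the not-found path of SearchOnLogs ends in a parameter-binding error instead of the message; `Write-Warning "We have not found the request on FrontEnd server: $Server."` (or Write-Host with the colour, as the neighbouring lines do) avoids that, and the same line is carried over unchanged into the second patch's hunk `@@ -226,63 +226,73 @@`. The two log file names are built with `ToString("yyyyMMddhhmmss")`, where `hh` is the 12-hour clock, so runs twelve hours apart on the same day get the same `-Debug-`/`-Results-` file name with `-AppendDateTimeToFileName $false`; `HH` keeps them distinct. `Select-String $UrlStem` treats the stem as a regex (the `.` in `.js` matches any character), so `Select-String -SimpleMatch $UrlStem` is the literal match the search intends.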
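Review bot: Replacing `Write-Warning` with `Write-Host ... -ForegroundColor Red` in HasWindowsVersionAmsiSupport moves these messages off the warning stream, so `-WarningAction`, `$WarningPreference` and `3>` redirection no longer apply to them and anything collecting the script's warnings would no longer see them; the same swap is made in the hunks at `@@ -344,7 +438,7 @@` and `@@ -356,40 +450,40 @@`. Since the first hunk already routes the warning stream into the log through `SetWriteWarningAction ${Function:Write-HostLog}`, keeping Write-Warning here would preserve the stream semantics without losing the log line. If the red colour is the intent, a one-line comment on the first occurrence, `# Write-Host in red rather than Write-Warning so the result is colour-coded like the other checks`, would record that decision.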
@@ -185,9 +310,7 @@ begin { function CheckServerAMSI { param( [Parameter(Mandatory = $true)] - [string]$Server, - [Parameter(Mandatory = $false)] - [switch]$IsExchangeServer + [string]$Server ) try { 
@@ -203,94 +326,64 @@ begin { $randomString = -join ($characters | Get-Random -Count $length) $UrlStem = "/ecp/Test-$randomString.js" $urlRequest = "https://$Server$UrlStem" + Write-Host "Test string: Test-$randomString" + Write-Host " " Invoke-WebRequest -Uri $urlRequest -Method POST -Headers @{ "Host" = "$Server" } -WebSession $CookieContainer -DisableKeepAlive } catch [System.Net.WebException] { $Message = ($_.Exception.Message).ToString().Trim() - $currentForegroundColor = $host.ui.RawUI.ForegroundColor + $FEServer = $null + if ($_.Exception.Response.Headers) { + $FEServer = $_.Exception.Response.Headers["X-FEServer"] + if ($FEServer) { + Write-Host "FrontEnd Detected: $FEServer" -ForegroundColor Green + Write-Host " " + } + } if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) { - $host.ui.RawUI.ForegroundColor = "Red" - Write-Host $Message - $host.ui.RawUI.ForegroundColor = "Yellow" - Write-Host "You could use the -IgnoreSSL parameter" - $host.ui.RawUI.ForegroundColor = $currentForegroundColor + Write-Host " " + Write-Host $Message -ForegroundColor Red + Write-Host "You could use the -IgnoreSSL parameter" -ForegroundColor Yellow } elseif ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::ProtocolError -and $_.Exception.Response.StatusCode -eq [System.Net.HttpStatusCode]::BadRequest ) { - $host.ui.RawUI.ForegroundColor = "Green" - Write-Host "We sent an test request to the ECP Virtual Directory of the server requested" - $host.ui.RawUI.ForegroundColor = "Yellow" - Write-Host "The remote server returned an error: (400) Bad Request" - Write-Host "This may be indicative of a potential block from AMSI" - $host.ui.RawUI.ForegroundColor = "Green" - if ($IsExchangeServer) { - $getMSIInstallPathSB = { (Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\Setup -ErrorAction SilentlyContinue).MsiInstallPath } - $ExchangePath = Invoke-ScriptBlockHandler -ComputerName $Server -ScriptBlock 
$getMSIInstallPathSB - Write-Host "You can check your log files located in $($ExchangePath)Logging\HttpRequestFiltering\ in $Server" - } else { - Write-Host "You can check your log files located in %ExchangeInstallPath%\Logging\HttpRequestFiltering\ in all server included in $Server endpoint" - } - $host.ui.RawUI.ForegroundColor = $currentForegroundColor - Write-Host "You should find a request for $UrlStem in the HttpRequestFiltering logs" - if ($IsExchangeServer) { - Write-Host "" - Write-Host "Looking for a request $UrlStem in the HttpRequestFiltering logs" - $HttpRequestFilteringLogFolder = $null - - if ($ExchangePath) { - if ($Server.Equals($env:COMPUTERNAME, [System.StringComparison]::OrdinalIgnoreCase)) { - $HttpRequestFilteringLogFolder = Join-Path $ExchangePath "Logging\HttpRequestFiltering\" - } else { - $HttpRequestFilteringLogFolder = Join-Path "\\$server\$($ExchangePath.Replace(':','$'))" "Logging\HttpRequestFiltering\" - } - if (Test-Path $HttpRequestFilteringLogFolder -PathType Container) { - $file = $null - $timeout1min = (Get-Date).AddMinutes(1) - $foundRequest = $false - do { - Start-Sleep -Seconds 2 - $file = $null - $file = Get-ChildItem $HttpRequestFilteringLogFolder -Filter "HttpRequestFiltering_*.log" | Sort-Object LastWriteTime -Descending | Select-Object -First 1 -Property * - if ($file) { - $found = $null - $found = $file | Get-Content | Select-String $UrlStem - if ($found) { - if ($found.Line -match "Detected") { - Write-Host "We found the request Detected in HttpRequestFiltering logs: " -ForegroundColor Green - } else { - Write-Warning "We found the request in HttpRequestFiltering logs but was not detected: " - } - Write-Host "$($found.Line)" - $foundRequest = $true - } - } - } while ((-not $foundRequest) -and ((Get-Date) -lt $timeout1min)) - if (-not $foundRequest) { - Write-Warning "We have not found the request." 
- } - } else { - Write-Host "We could not access HttpRequestFiltering folder on $Server" -ForegroundColor Red - } + Write-Host " " + Write-Host "The remote server returned an error: (400) Bad Request" -ForegroundColor Green + Write-Host "This may be indicative of a potential block from AMSI" -ForegroundColor Green + Write-Host " " + if ($FEServer) { + if ($fullList -contains $FEServer) { + SearchOnLogs -SearchIIS -server $FEServer -UrlStem $UrlStem + $getMSIInstallPathSB = { (Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\Setup -ErrorAction SilentlyContinue).MsiInstallPath } + $ExchangePath = Invoke-ScriptBlockHandler -ComputerName $FEServer -ScriptBlock $getMSIInstallPathSB + SearchOnLogs -SearchHttpRequestFiltering -server $FEServer -ExchangePath $ExchangePath -UrlStem $UrlStem + Write-Host " " } else { - Write-Host "Cannot get Exchange installation path on $Server" -ForegroundColor Red + Write-Host "FrontEnd server is not an Exchange Server" -ForegroundColor Red + Write-Host " " } - } else { - Write-Host "Check your log files located in %ExchangeInstallPath%\Logging\HttpRequestFiltering\ in all server that provide $Server endpoint" } } elseif ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::NameResolutionFailure) { - $host.ui.RawUI.ForegroundColor = "Red" - Write-Host $msgNewLine - Write-Host $Message - Write-Host "`nWe could not find the server requested. Please check the name of the server." - Write-Host $msgNewLine - $host.ui.RawUI.ForegroundColor = $currentForegroundColor + Write-Host " " + Write-Host $Message -ForegroundColor Red + Write-Host " " + Write-Host "We could not find the server requested. Please check the name of the server." 
-ForegroundColor Red } else { - $host.ui.RawUI.ForegroundColor = "Red" - Write-Host $msgNewLine - Write-Host $Message - Write-Host $msgNewLine - $host.ui.RawUI.ForegroundColor = "Yellow" - Write-Host "If you are using Microsoft Defender, RealTime protection could be disabled or then AMSI may be disabled." - Write-Host "If you are using a 3rd Party AntiVirus Product that may not be AMSI capable (Please Check with your AntiVirus Provider for Exchange AMSI Support)" - $host.ui.RawUI.ForegroundColor = $currentForegroundColor + Write-Host " " + Write-Host $Message -ForegroundColor Red + Write-Host " " + if ($fullList -contains $FEServer) { + SearchOnLogs -SearchIIS -server $FEServer -UrlStem $UrlStem + Write-Host " " + Write-Host "Server: $FEServer do not detect bad Request, it has not triggered AMSI" -ForegroundColor Red + Write-Host " " + Write-Host "If you are using Microsoft Defender, RealTime protection could be disabled or then AMSI may be disabled." -ForegroundColor Yellow + Write-Host "If you are using a 3rd Party AntiVirus Product that may not be AMSI capable (Please Check with your AntiVirus Provider for Exchange AMSI Support)" -ForegroundColor Yellow + } else { + if ($FEServer) { + Write-Host " " + Write-Host "FrontEnd server $FEServer is not an Exchange Server" -ForegroundColor Red + Write-Host " " + } + } } } finally { if ($IgnoreSSL) { @@ -310,7 +403,7 @@ begin { [string]$ExchangeServer ) - Write-Host "" + Write-Host " " Write-Host "AMSI Providers detection:" -ForegroundColor Green $AMSIProvidersSB = { 
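Review bot: `$FEServer` is read from the `X-FEServer` response header, i.e. from data the remote endpoint controls, and it then becomes the `-ComputerName` for `Invoke-ScriptBlockHandler` and the server part of the `\\$server\...` path inside SearchOnLogs; the `$fullList -contains $FEServer` check is the only thing restricting that to known Exchange servers, and it deserves a comment such as `# Only act on X-FEServer when it names a server from our own list: it is used as -ComputerName below`. `$fullList` is neither a parameter of CheckServerAMSI nor assigned anywhere in this hunk, so it is presumably a script-scope variable populated before the call; worth confirming it is always set, because an empty list makes every FrontEnd report as "not an Exchange Server". `-contains` is an exact (case-insensitive) string comparison, so if `$fullList` holds FQDNs while the header carries a short name, or the reverse, the same false negative occurs. CheckServerAMSI continues past the `finally` at the end of the hunk.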
@@ -319,7 +412,8 @@ begin { Write-Host "Providers:" $providerCount = 0 foreach ($provider in $AMSIProviders) { - Write-Host "`nProvider $($providerCount+1): $($provider.PSChildName)" -ForegroundColor DarkGreen + Write-Host " " + Write-Host "Provider $($providerCount+1): $($provider.PSChildName)" -ForegroundColor DarkGreen # when using -match we set the variable $Match when a true value is performed. $foundMatch = $provider -match '[0-9A-Fa-f\-]{36}' if ($foundMatch) { @@ -329,7 +423,7 @@ begin { $providers = Get-ChildItem $key -ErrorAction SilentlyContinue if ($providers) { $providerCount++ - $providers | Format-Table -AutoSize | Out-Host + $providers | Format-Table -AutoSize | Out-String | Write-Host $path = $null $path = ($providers | Where-Object { $_.PSChildName -eq 'InprocServer32' }).GetValue('') if ($path) { @@ -344,7 +438,7 @@ begin { if ((Get-MpComputerStatus).RealTimeProtectionEnabled) { Write-Host "Windows Defender has Real Time Protection Enabled" -ForegroundColor Green } else { - Write-Warning "Windows Defender has Real Time Protection Disabled" + Write-Host "Windows Defender has Real Time Protection Disabled" -ForegroundColor Red } Write-Host "It should be version 1.1.18300.4 or newest." if (Test-Path $WindowsDefenderPath -PathType Container) { 
@@ -356,40 +450,40 @@ begin { if ($DefenderVersion -ge "1.1.18300.4") { Write-Host "Windows Defender version supported for AMSI: $DefenderVersion" -ForegroundColor Green } else { - Write-Warning "Windows Defender version Non-supported for AMSI: $DefenderVersion" + Write-Host "Windows Defender version Non-supported for AMSI: $DefenderVersion" -ForegroundColor Red } } else { - Write-Warning "We could not get Windows Defender version " + Write-Host "We could not get Windows Defender version" -ForegroundColor Red } } else { - Write-Warning "We did not find Windows Defender MpCmdRun.exe." + Write-Host "We did not find Windows Defender MpCmdRun.exe." -ForegroundColor Red } } else { - Write-Warning "We did not find Windows Defender Path." + Write-Host "We did not find Windows Defender Path." -ForegroundColor Red } } } else { - Write-Warning "It is not Windows Defender AV, check with your provider." + Write-Host "It is not Windows Defender AV, check with your provider." -ForegroundColor Red } } else { - Write-Warning "We did not find AMSI providers." + Write-Host "We did not find AMSI providers." -ForegroundColor Red } } else { Write-Host "We did not find $m ClSid registered" -ForegroundColor Red } } } else { - Write-Warning "We did not find any ClSid on $($provider.PSChildName) AMSI provider." + Write-Host "We did not find any ClSid on $($provider.PSChildName) AMSI provider." -ForegroundColor Red } } } else { - Write-Host " We did not find any AMSI provider" -ForegroundColor Red + Write-Host "We did not find any AMSI provider" -ForegroundColor Red } } - Write-Host "" + Write-Host " " Write-Host "Checking AMSI Provider on $ExchangeServer" - Write-Host "" + Write-Host " " Invoke-ScriptBlockHandler -ComputerName $ExchangeServer -ScriptBlock $AMSIProvidersSB $FEEcpWebConfig = $null 
@@ -411,39 +505,35 @@ begin {
 if (Test-Path $FEEcpWebConfig -PathType Leaf) { $FEFilterModule = $null $FEFilterModule = Get-Content $FEEcpWebConfig | Select-String '
Date: Wed, 20 Mar 2024 16:57:42 +0100
Subject: [PATCH 2/2] Check OriginalLogFolder and ExchangePath
---
Admin/Test-AMSI.ps1 | 107 +++++++++++++++++++++++++-------------------
1 file changed, 61 insertions(+), 46 deletions(-)
diff --git a/Admin/Test-AMSI.ps1 b/Admin/Test-AMSI.ps1
index 9fc99e9194..08283f4721 100644
--- a/Admin/Test-AMSI.ps1
+++ b/Admin/Test-AMSI.ps1
@@ -226,63 +226,73 @@ begin { "$resolvedPath\w3svc$($webSite.id)" } + $OriginalLogFolder = $null $OriginalLogFolder = Invoke-ScriptBlockHandler -ComputerName $server -ScriptBlock $getIISLogPath - if ($server.Equals($env:COMPUTERNAME, [System.StringComparison]::OrdinalIgnoreCase)) { - $LogFolder = $OriginalLogFolder - } else { - $LogFolder = "\\$server\$($OriginalLogFolder.Replace(':','$'))" - } + if ($OriginalLogFolder) { + if ($server.Equals($env:COMPUTERNAME, [System.StringComparison]::OrdinalIgnoreCase)) { + $LogFolder = $OriginalLogFolder + } else { + $LogFolder = "\\$server\$($OriginalLogFolder.Replace(':','$'))" + } - $getIISLogDisabled = { (Get-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\ecp" -Filter "system.webServer/httpLogging" -Name donTLog).Value } - $isDisabled = (Invoke-ScriptBlockHandler -ComputerName $server -ScriptBlock $getIISLogDisabled) - if ($isDisabled) { - Write-Host "We could not get IIS log for $Server because it is disabled" -ForegroundColor Yellow + $getIISLogDisabled = { (Get-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\ecp" -Filter "system.webServer/httpLogging" -Name donTLog).Value } + $isDisabled = (Invoke-ScriptBlockHandler -ComputerName $server -ScriptBlock $getIISLogDisabled) + if ($isDisabled) { + Write-Host "We could not get IIS log for $Server because it is disabled" -ForegroundColor Yellow + return + } + } else { + Write-Host "We could not get IIS log for $Server" -ForegroundColor Red return } } - if ($null -eq $LogFolder) { - Write-Host "We could not get log folder for $Server" -ForegroundColor Yellow - } else { - Write-Host "Looking for request $UrlStem on server $Server" -ForegroundColor Yellow - if ($SearchIIS) { - Write-Host "IIS logs on Folder $OriginalLogFolder ..." - } else { - Write-Host "HttpRequestFiltering logs on Folder $OriginalLogFolder ..." 
- } + if ($LogFolder) { + if (Test-Path -Path $LogFolder -PathType Container) { + Write-Host "Looking for request $UrlStem on server $Server" -ForegroundColor Yellow + if ($SearchIIS) { + Write-Host "IIS logs on Folder $OriginalLogFolder ..." + } else { + Write-Host "HttpRequestFiltering logs on Folder $OriginalLogFolder ..." + } - if (Test-Path $LogFolder -PathType Container) { - $timeout1min = (Get-Date).AddMinutes(1) - $foundRequest = $false - do { - Start-Sleep -Seconds 1 - $remainSeconds = ($timeout1min - (Get-Date)).Seconds - Write-Progress -Activity "Searching on logs ..." -Status "Max seconds Remaining" -SecondsRemaining $remainSeconds - $file = $null - $file = Get-ChildItem $LogFolder -Filter "*.log" | Sort-Object LastWriteTime -Descending | Select-Object -First 1 -Property * - $found = $file | Get-Content | Select-String $UrlStem - if ($found) { - Write-Host "We found the request on logs: " -ForegroundColor Green - Write-Host "$($found.Line)" - $foundRequest = $true + if (Test-Path $LogFolder -PathType Container) { + $timeout1min = (Get-Date).AddMinutes(1) + $foundRequest = $false + do { + Start-Sleep -Seconds 1 + $remainSeconds = ($timeout1min - (Get-Date)).Seconds + Write-Progress -Activity "Searching on logs ..." -Status "Max seconds Remaining" -SecondsRemaining $remainSeconds + $file = $null + $file = Get-ChildItem $LogFolder -Filter "*.log" | Sort-Object LastWriteTime -Descending | Select-Object -First 1 -Property * + $found = $file | Get-Content | Select-String $UrlStem + if ($found) { + Write-Host "We found the request on logs: " -ForegroundColor Green + Write-Host "$($found.Line)" + $foundRequest = $true + if ($SearchHttpRequestFiltering) { + Write-Host " " + Write-Host "Request blocked by server: $Server from AMSI" -ForegroundColor Green + Write-Host " " + } + } + } while ((-not $foundRequest) -and ($remainSeconds -gt 0)) + Write-Progress -Activity "Searching on logs ..." 
-Completed + if (-not $foundRequest) { + Write-Warning "We have not found the request on FrontEnd server: $Server." -ForegroundColor Red if ($SearchHttpRequestFiltering) { - Write-Host " " - Write-Host "Request blocked by server: $Server from AMSI" -ForegroundColor Green - Write-Host " " + Write-Host "Server: $Server has not record on HttpRequestFiltering log" -ForegroundColor Red } + Write-Host " " } - } while ((-not $foundRequest) -and ($remainSeconds -gt 0)) - Write-Progress -Activity "Searching on logs ..." -Completed - if (-not $foundRequest) { - Write-Warning "We have not found the request on FrontEnd server: $Server." -ForegroundColor Red - if ($SearchHttpRequestFiltering) { - Write-Host "Server: $Server has not record on HttpRequestFiltering log" -ForegroundColor Red - } - Write-Host " " + } else { + Write-Host "Error accessing $LogFolder on $Server" -ForegroundColor Red } } else { Write-Host "We could not access Logs folder on $Server" -ForegroundColor Red } + } else { + Write-Host "We could not get log folder for $Server" -ForegroundColor Yellow } } 
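Review bot: The rewritten block tests the folder twice: `if (Test-Path -Path $LogFolder -PathType Container)` and, directly inside it, `if (Test-Path $LogFolder -PathType Container)` again, so the inner `else { Write-Host "Error accessing $LogFolder on $Server" -ForegroundColor Red }` can only run if the share vanishes between the two calls and is otherwise dead code. Dropping the inner check and its else leaves the outer `else { Write-Host "We could not access Logs folder on $Server" -ForegroundColor Red }` as the single failure message and removes one level of nesting from an already deep function. The search loop itself is unchanged by this patch, so the `.Seconds` component used for `$remainSeconds` still counts only the seconds part of the remaining interval; `.TotalSeconds` is the value the progress bar and the loop condition are really after, though with a one-minute timeout the two agree in practice.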
@@ -351,10 +361,15 @@ begin { Write-Host " " if ($FEServer) { if ($fullList -contains $FEServer) { - SearchOnLogs -SearchIIS -server $FEServer -UrlStem $UrlStem + SearchOnLogs -SearchIIS -Server $FEServer -UrlStem $UrlStem $getMSIInstallPathSB = { (Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\Setup -ErrorAction SilentlyContinue).MsiInstallPath } + $ExchangePath = $null $ExchangePath = Invoke-ScriptBlockHandler -ComputerName $FEServer -ScriptBlock $getMSIInstallPathSB - SearchOnLogs -SearchHttpRequestFiltering -server $FEServer -ExchangePath $ExchangePath -UrlStem $UrlStem + if ($ExchangePath) { + SearchOnLogs -SearchHttpRequestFiltering -Server $FEServer -ExchangePath $ExchangePath -UrlStem $UrlStem + } else { + Write-Host "We could not get Exchange installation path on $FEServer" -ForegroundColor Red + } Write-Host " " } else { Write-Host "FrontEnd server is not an Exchange Server" -ForegroundColor Red @@ -371,7 +386,7 @@ begin { Write-Host $Message -ForegroundColor Red Write-Host " " if ($fullList -contains $FEServer) { - SearchOnLogs -SearchIIS -server $FEServer -UrlStem $UrlStem + SearchOnLogs -SearchIIS -Server $FEServer -UrlStem $UrlStem Write-Host " " Write-Host "Server: $FEServer do not detect bad Request, it has not triggered AMSI" -ForegroundColor Red Write-Host " "