From d2f257a808d65ebc2c53e20de1877bd698d7110d Mon Sep 17 00:00:00 2001 From: Canthv0 Date: Tue, 20 Jun 2023 11:16:01 -0400 Subject: [PATCH 01/13] process list basics from the get-exchangeavexclusionsprocess --- Diagnostics/AVTester/Test-ExchAVExclusions.ps1 | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index 11697f4491..48babdbd89 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 +++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 @@ -289,6 +289,21 @@ foreach ($extension in $extensionsList) { #Delete Random Folder Remove-Item $randomFolder +# Test Exchange Processes for unexpected modules +$ProcessList = Get-ExchAVExclusionsProcess -ExchangePath $ExchangePath -MsiProductMinor ([byte]$serverExchangeInstallDirectory.MsiProductMinor) + +# Gather all processes on the computer +$ServerProcess = Get-Process + +# Gather each process and work thru their module list to remove any known modules. +foreach ($process in $process ) { + + + +} + + + # Report what we found if ($BadFolderList.count -gt 0 -or $BadExtensionList.Count -gt 0 ) { $OutputPath = Join-Path $env:LOCALAPPDATA BadExclusions.txt From a544450fe01b7f2d8a12c802c9b55366874492e9 Mon Sep 17 00:00:00 2001 From: canthv0 Date: Wed, 21 Jun 2023 13:34:30 -0400 Subject: [PATCH 02/13] finalized process testing and reporting --- .../AVTester/Test-ExchAVExclusions.ps1 | 84 +++++++++++++++---- 1 file changed, 68 insertions(+), 16 deletions(-) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index 48babdbd89..b67be410bd 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 +++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 
@@ -289,21 +289,6 @@ foreach ($extension in $extensionsList) { #Delete Random Folder Remove-Item $randomFolder -# Test Exchange Processes for unexpected modules -$ProcessList = Get-ExchAVExclusionsProcess -ExchangePath $ExchangePath -MsiProductMinor ([byte]$serverExchangeInstallDirectory.MsiProductMinor) - -# Gather all processes on the computer -$ServerProcess = Get-Process - -# Gather each process and work thru their module list to remove any known modules. -foreach ($process in $process ) { - - - -} - - - # Report what we found if ($BadFolderList.count -gt 0 -or $BadExtensionList.Count -gt 0 ) { $OutputPath = Join-Path $env:LOCALAPPDATA BadExclusions.txt 
@@ -319,5 +304,72 @@ if ($BadFolderList.count -gt 0 -or $BadExtensionList.Count -gt 0 ) { } Write-Warning ("Review " + $OutputPath + " For the full list.") } else { - Write-SimpleLogFile -String "All EICAR files found; Exclusions appear to be set properly" -Name $LogFile -OutHost + Write-SimpleLogFile -String "All EICAR files found; File Exclusions appear to be set properly" -Name $LogFile -OutHost +} + +Write-SimpleLogFile -string "Testing for AV loaded in processes" -name $LogFile -OutHost + +# Test Exchange Processes for unexpected modules +$ProcessList = Get-ExchAVExclusionsProcess -ExchangePath $ExchangePath -MsiProductMinor ([byte]$serverExchangeInstallDirectory.MsiProductMinor) + +# Gather all processes on the computer +$ServerProcess = Get-Process + +# Module white list +$ModuleWhiteList = New-Object Collections.Generic.List[string] + +$ModuleWhiteList.add("Google.Protobuf.ni.dll") +$ModuleWhiteList.add("Microsoft.RightsManagementServices.Core.ni.dll") +$ModuleWhiteList.add("Newtonsoft.Json.ni.dll") +$ModuleWhiteList.add("Microsoft.Cloud.InstrumentationFramework.Events.ni.dll") +$ModuleWhiteList.add("HealthServicePerformance.dll") +$ModuleWhiteList.add("InterceptCounters.dll") +$ModuleWhiteList.add("MOMConnectorPerformance.dll") +$ModuleWhiteList.add("ExDbFailureItemApi.dll") +$ModuleWhiteList.add("Microsoft.Cloud.InstrumentationFramework.Metrics.ni.dll") +$ModuleWhiteList.add("IfxMetrics.dll") +$ModuleWhiteList.add("ManagedBlingSigned.dll") + +Write-SimpleLogFile -string ("White Listed Module Count: " + $ModuleWhiteList.count) -Name $LogFile + +$UnexpectedModuleFound = 0 + +# Gather each process and work thru their module list to remove any known modules. 
+foreach ($process in $ServerProcess) { + + # Determine if it is a known exchange process + if ($ProcessList -contains $process.path ) { + + # Gather all modules + [array]$ProcessModules = $process.modules + + # Remove all "known" modules + $ProcessModules = $ProcessModules | Where-Object { $_.company -notlike "Oracle*" -and $_.Product -notlike "Outside In*" } + $ProcessModules = $ProcessModules | Where-Object { $_.fileversioninfo.companyname -ne "Microsoft Corporation." } + $ProcessModules = $ProcessModules | Where-Object { $_.fileversioninfo.companyname -ne "Microsoft" } + $ProcessModules = $ProcessModules | Where-Object { $_.FileVersionInfo.companyname -ne "Microsoft Corporation" } + + # Clear out modules from the white list + Foreach ($module in $ModuleWhiteList) { + $ProcessModules = $ProcessModules | Where-Object { $_.modulename -ne $module } + } + + if ($ProcessModules.count -gt 0) { + Write-Warning ("Possible AV Modules found in process $($process.processname)") + $UnexpectedModuleFound++ + foreach ($module in $ProcessModules) { + Write-SimpleLogFile -string ("[FAIL] - PROCESS: $($process.processname) MODULE: $($module.modulename) COMPANY: $($module.company)") -Name $LogFile + } + } + } +} + +# Final output for process detection +if ($UnexpectedModuleFound -gt 0){ + Write-SimpleLogFile -string ("Found $($UnexpectedModuleFound) processes with unexpected modules loaded") -Name $LogFile -OutHost + Write-Warning ("Review " + $OutputPath + " For more information.") + Write-Information ("If a module is labeled `"Unexpected`" in error please submit the log file to ExToolsFeedback@microsoft.com" ) +} +else { + Write-SimpleLogFile -string ("No Unexpected modules found loaded.") -Name $LogFile -OutHost } From 15aa9f4381afc0392e5c4d539a61f9d61d9cb223 Mon Sep 17 00:00:00 2001 
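Review bot: Reading `$process.modules` can fail for processes the script cannot open (commonly an access-denied `Win32Exception`), and because the loop never checks for that, `[array]$ProcessModules` silently ends up empty and the process is reported as clean rather than as not inspected. Wrapping the read as `try { [array]$ProcessModules = $process.Modules } catch { Write-SimpleLogFile -string "[SKIP] - PROCESS: $($process.ProcessName) modules could not be read: $_" -Name $LogFile; continue }` keeps a failed inspection from masquerading as a pass. The Microsoft filter also trusts `FileVersionInfo.CompanyName`, which is an unverified string from the binary's version resource that any DLL can set; if the intent is to surface third-party code inside Exchange processes, a check such as `(Get-AuthenticodeSignature $_.FileName).Status` would be a stronger signal than the company name. The allow-list loop re-pipes the whole module array once per allowed name; a single `Where-Object { $ModuleAllowList -notcontains $_.ModuleName }` does the same in one pass.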
From: canthv0 Date: Wed, 21 Jun 2023 14:34:15 -0400 Subject: [PATCH 03/13] updates to formatting --- Diagnostics/AVTester/Test-ExchAVExclusions.ps1 | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index b67be410bd..e6cbf3d217 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 +++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 @@ -365,11 +365,10 @@ foreach ($process in $ServerProcess) { } # Final output for process detection -if ($UnexpectedModuleFound -gt 0){ +if ($UnexpectedModuleFound -gt 0) { Write-SimpleLogFile -string ("Found $($UnexpectedModuleFound) processes with unexpected modules loaded") -Name $LogFile -OutHost Write-Warning ("Review " + $OutputPath + " For more information.") Write-Information ("If a module is labeled `"Unexpected`" in error please submit the log file to ExToolsFeedback@microsoft.com" ) -} -else { +} else { Write-SimpleLogFile -string ("No Unexpected modules found loaded.") -Name $LogFile -OutHost } From 2a9b596e754818c9d843edc9e591c983ecc00740 Mon Sep 17 00:00:00 2001 From: canthv0 Date: Fri, 23 Jun 2023 13:49:16 -0400 Subject: [PATCH 04/13] Updated filtering process --- .../AVTester/Test-ExchAVExclusions.ps1 | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index e6cbf3d217..9aedcd6db7 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 +++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 
@@ -329,6 +329,21 @@ $ModuleWhiteList.add("ExDbFailureItemApi.dll") $ModuleWhiteList.add("Microsoft.Cloud.InstrumentationFramework.Metrics.ni.dll") $ModuleWhiteList.add("IfxMetrics.dll") $ModuleWhiteList.add("ManagedBlingSigned.dll") +# Oracle modules associated with 'Outside In® Technology' +$ModuleWhiteList.add("wvcore.dll") +$ModuleWhiteList.add("sccut.dll") +$ModuleWhiteList.add("sccfut.dll") +$ModuleWhiteList.add("sccfa.dll") +$ModuleWhiteList.add("sccfi.dll") +$ModuleWhiteList.add("sccch.dll") +$ModuleWhiteList.add("sccda.dll") +$ModuleWhiteList.add("sccfmt.dll") +$ModuleWhiteList.add("sccind.dll") +$ModuleWhiteList.add("sccca.dll") +$ModuleWhiteList.add("scclo.dll") +$ModuleWhiteList.add("SCCOLE2.DLL") +$ModuleWhiteList.add("SCCSD.DLL") +$ModuleWhiteList.add("SCCXT.DLL") Write-SimpleLogFile -string ("White Listed Module Count: " + $ModuleWhiteList.count) -Name $LogFile @@ -343,11 +358,8 @@ foreach ($process in $ServerProcess) { # Gather all modules [array]$ProcessModules = $process.modules - # Remove all "known" modules - $ProcessModules = $ProcessModules | Where-Object { $_.company -notlike "Oracle*" -and $_.Product -notlike "Outside In*" } - $ProcessModules = $ProcessModules | Where-Object { $_.fileversioninfo.companyname -ne "Microsoft Corporation." } - $ProcessModules = $ProcessModules | Where-Object { $_.fileversioninfo.companyname -ne "Microsoft" } - $ProcessModules = $ProcessModules | Where-Object { $_.FileVersionInfo.companyname -ne "Microsoft Corporation" } + # Remove Microsoft modules + $ProcessModules = $ProcessModules | Where-Object { $_.fileversioninfo.companyname -ne "Microsoft Corporation." -and $_.fileversioninfo.companyname -ne "Microsoft" -and $_.FileVersionInfo.companyname -ne "Microsoft Corporation" } # Clear out modules from the white list Foreach ($module in $ModuleWhiteList) { From 73b302b4d3fc2035bcaf5dd9230c74219f8b1f1b Mon Sep 17 00:00:00 2001 
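Review bot: Both the consolidated Microsoft filter in the second hunk and the new Oracle entries in the first hunk drop modules on self-reported metadata alone: `FileVersionInfo.CompanyName` is whatever the version resource claims, and the allow list matches `ModuleName` only, so a DLL named `sccut.dll` loaded from any directory is suppressed regardless of where it came from. For a check whose purpose is to find unexpected code in Exchange processes, pairing the name match with the module's location (`$_.FileName` under `$ExchangePath`) or its Authenticode status before removing it from the report would narrow that gap. Replacing the earlier `Company -notlike "Oracle*"` test with fourteen bare filenames also makes the list brittle to Outside In updates; a comment naming the Exchange build the list was captured from would help whoever has to refresh it.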
From: canthv0 Date: Fri, 23 Jun 2023 14:28:18 -0400 Subject: [PATCH 05/13] Excluding portion of code from cSpell --- Diagnostics/AVTester/Test-ExchAVExclusions.ps1 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index 9aedcd6db7..904c7493c0 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 +++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 @@ -318,6 +318,7 @@ $ServerProcess = Get-Process # Module white list $ModuleWhiteList = New-Object Collections.Generic.List[string] +# cSpell:disable $ModuleWhiteList.add("Google.Protobuf.ni.dll") $ModuleWhiteList.add("Microsoft.RightsManagementServices.Core.ni.dll") $ModuleWhiteList.add("Newtonsoft.Json.ni.dll") @@ -344,6 +345,7 @@ $ModuleWhiteList.add("scclo.dll") $ModuleWhiteList.add("SCCOLE2.DLL") $ModuleWhiteList.add("SCCSD.DLL") $ModuleWhiteList.add("SCCXT.DLL") +# cSpell:enable Write-SimpleLogFile -string ("White Listed Module Count: " + $ModuleWhiteList.count) -Name $LogFile From da968daef87d7c49397dc61402485c49067d9452 Mon Sep 17 00:00:00 2001 From: canthv0 Date: Fri, 23 Jun 2023 14:33:44 -0400 Subject: [PATCH 06/13] Updated spelling for cSpell --- Diagnostics/AVTester/Test-ExchAVExclusions.ps1 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index 904c7493c0..d9d61011ed 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 +++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 
@@ -361,18 +361,18 @@ foreach ($process in $ServerProcess) { [array]$ProcessModules = $process.modules # Remove Microsoft modules - $ProcessModules = $ProcessModules | Where-Object { $_.fileversioninfo.companyname -ne "Microsoft Corporation." -and $_.fileversioninfo.companyname -ne "Microsoft" -and $_.FileVersionInfo.companyname -ne "Microsoft Corporation" } + $ProcessModules = $ProcessModules | Where-Object { $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation." -and $_.FileVersionInfo.CompanyName -ne "Microsoft" -and $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation" } # Clear out modules from the white list Foreach ($module in $ModuleWhiteList) { - $ProcessModules = $ProcessModules | Where-Object { $_.modulename -ne $module } + $ProcessModules = $ProcessModules | Where-Object { $_.ModuleName -ne $module } } if ($ProcessModules.count -gt 0) { - Write-Warning ("Possible AV Modules found in process $($process.processname)") + Write-Warning ("Possible AV Modules found in process $($process.ProcessName)") $UnexpectedModuleFound++ foreach ($module in $ProcessModules) { - Write-SimpleLogFile -string ("[FAIL] - PROCESS: $($process.processname) MODULE: $($module.modulename) COMPANY: $($module.company)") -Name $LogFile + Write-SimpleLogFile -string ("[FAIL] - PROCESS: $($process.ProcessName) MODULE: $($module.ModuleName) COMPANY: $($module.Company)") -Name $LogFile } } } From e93c653e72e7cf09454e5eef2752a78c7b18b200 Mon Sep 17 00:00:00 2001 From: canthv0 Date: Fri, 23 Jun 2023 14:39:13 -0400 Subject: [PATCH 07/13] Corrected formatting --- Diagnostics/AVTester/Test-ExchAVExclusions.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index d9d61011ed..3107b0f052 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 +++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 
@@ -364,7 +364,7 @@ foreach ($process in $ServerProcess) { $ProcessModules = $ProcessModules | Where-Object { $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation." -and $_.FileVersionInfo.CompanyName -ne "Microsoft" -and $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation" } # Clear out modules from the white list - Foreach ($module in $ModuleWhiteList) { + foreach ($module in $ModuleWhiteList) { $ProcessModules = $ProcessModules | Where-Object { $_.ModuleName -ne $module } } From 3fa07cefb9ded9d42f37d3a5445678e53b8f19b2 Mon Sep 17 00:00:00 2001 From: canthv0 Date: Mon, 26 Jun 2023 13:24:34 -0400 Subject: [PATCH 08/13] Changed white list to allow list --- .../AVTester/Test-ExchAVExclusions.ps1 | 60 +++++++++---------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index 3107b0f052..76869e6a0e 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 +++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 
@@ -315,39 +315,39 @@ $ProcessList = Get-ExchAVExclusionsProcess -ExchangePath $ExchangePath -MsiProdu # Gather all processes on the computer $ServerProcess = Get-Process -# Module white list -$ModuleWhiteList = New-Object Collections.Generic.List[string] +# Module allow list +$ModuleAllowList = New-Object Collections.Generic.List[string] # cSpell:disable -$ModuleWhiteList.add("Google.Protobuf.ni.dll") -$ModuleWhiteList.add("Microsoft.RightsManagementServices.Core.ni.dll") -$ModuleWhiteList.add("Newtonsoft.Json.ni.dll") -$ModuleWhiteList.add("Microsoft.Cloud.InstrumentationFramework.Events.ni.dll") -$ModuleWhiteList.add("HealthServicePerformance.dll") -$ModuleWhiteList.add("InterceptCounters.dll") -$ModuleWhiteList.add("MOMConnectorPerformance.dll") -$ModuleWhiteList.add("ExDbFailureItemApi.dll") -$ModuleWhiteList.add("Microsoft.Cloud.InstrumentationFramework.Metrics.ni.dll") -$ModuleWhiteList.add("IfxMetrics.dll") -$ModuleWhiteList.add("ManagedBlingSigned.dll") +$ModuleAllowList.add("Google.Protobuf.ni.dll") +$ModuleAllowList.add("Microsoft.RightsManagementServices.Core.ni.dll") +$ModuleAllowList.add("Newtonsoft.Json.ni.dll") +$ModuleAllowList.add("Microsoft.Cloud.InstrumentationFramework.Events.ni.dll") +$ModuleAllowList.add("HealthServicePerformance.dll") +$ModuleAllowList.add("InterceptCounters.dll") +$ModuleAllowList.add("MOMConnectorPerformance.dll") +$ModuleAllowList.add("ExDbFailureItemApi.dll") +$ModuleAllowList.add("Microsoft.Cloud.InstrumentationFramework.Metrics.ni.dll") +$ModuleAllowList.add("IfxMetrics.dll") +$ModuleAllowList.add("ManagedBlingSigned.dll") # Oracle modules associated with 'Outside In® Technology' -$ModuleWhiteList.add("wvcore.dll") -$ModuleWhiteList.add("sccut.dll") -$ModuleWhiteList.add("sccfut.dll") -$ModuleWhiteList.add("sccfa.dll") -$ModuleWhiteList.add("sccfi.dll") -$ModuleWhiteList.add("sccch.dll") -$ModuleWhiteList.add("sccda.dll") -$ModuleWhiteList.add("sccfmt.dll") -$ModuleWhiteList.add("sccind.dll") 
-$ModuleWhiteList.add("sccca.dll") -$ModuleWhiteList.add("scclo.dll") -$ModuleWhiteList.add("SCCOLE2.DLL") -$ModuleWhiteList.add("SCCSD.DLL") -$ModuleWhiteList.add("SCCXT.DLL") +$ModuleAllowList.add("wvcore.dll") +$ModuleAllowList.add("sccut.dll") +$ModuleAllowList.add("sccfut.dll") +$ModuleAllowList.add("sccfa.dll") +$ModuleAllowList.add("sccfi.dll") +$ModuleAllowList.add("sccch.dll") +$ModuleAllowList.add("sccda.dll") +$ModuleAllowList.add("sccfmt.dll") +$ModuleAllowList.add("sccind.dll") +$ModuleAllowList.add("sccca.dll") +$ModuleAllowList.add("scclo.dll") +$ModuleAllowList.add("SCCOLE2.DLL") +$ModuleAllowList.add("SCCSD.DLL") +$ModuleAllowList.add("SCCXT.DLL") # cSpell:enable -Write-SimpleLogFile -string ("White Listed Module Count: " + $ModuleWhiteList.count) -Name $LogFile +Write-SimpleLogFile -string ("Allow List Module Count: " + $ModuleAllowList.count) -Name $LogFile $UnexpectedModuleFound = 0 @@ -363,8 +363,8 @@ foreach ($process in $ServerProcess) { # Remove Microsoft modules $ProcessModules = $ProcessModules | Where-Object { $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation." -and $_.FileVersionInfo.CompanyName -ne "Microsoft" -and $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation" } - # Clear out modules from the white list - foreach ($module in $ModuleWhiteList) { + # Clear out modules from the allow list + foreach ($module in $ModuleAllowList) { $ProcessModules = $ProcessModules | Where-Object { $_.ModuleName -ne $module } } From a94d6323a9362a7ef2770b3edeeedd17c58b7eb1 Mon Sep 17 00:00:00 2001 From: canthv0 Date: Mon, 26 Jun 2023 13:27:19 -0400 Subject: [PATCH 09/13] updated documentation --- Diagnostics/AVTester/Test-ExchAVExclusions.ps1 | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index 76869e6a0e..ea5b6381c3 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 
+++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 @@ -7,9 +7,11 @@ Requires: Administrator rights Major Release History: 06/16/2021 - Initial Release + 06/26/2023 - Added ability to scan processes .SYNOPSIS Uses EICAR files to verify that all Exchange paths that should be excluded from AV scanning are excluded. +Checks Exchange processes for "unknown" modules being loaded into them. .DESCRIPTION Writes an EICAR test file https://en.wikipedia.org/wiki/EICAR_test_file to all paths specified by @@ -20,7 +22,10 @@ https://docs.microsoft.com/en-us/exchange/anti-virus-software-in-the-operating-s If the file is removed then the path is not properly excluded from AV Scanning. IF the file is not removed then it should be properly excluded. -Once the files are created it will wait 60 seconds for AV to "see" and remove the file. +Once the files are created it will wait 300 seconds for AV to "see" and remove the file. + +Pulls all Exchange processes and their modules. +Excludes known modules and reports all unknown modules. .PARAMETER Recurse Will test not just the root folders but all SubFolders. From ec38938945f2708de14e397392fae022b2a2f456 Mon Sep 17 00:00:00 2001 From: canthv0 Date: Thu, 29 Jun 2023 15:03:39 -0400 Subject: [PATCH 10/13] Updated Output logging to generate a log files for the processes portion. --- Diagnostics/AVTester/Test-ExchAVExclusions.ps1 | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index ea5b6381c3..c395f0ef83 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 +++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 @@ -38,6 +38,9 @@ $env:LOCALAPPDATA\ExchAvExclusions.log List of Scanned Folders: $env:LOCALAPPDATA\BadExclusions.txt +List of Unknown Processes +$env:LOCALAPPDATA UnknownModules.txt + .EXAMPLE .\Test-ExchAVExclusions.ps1 
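Review bot: The new help entry `$env:LOCALAPPDATA UnknownModules.txt` is missing the path separator and the trailing colon that the neighbouring `List of Scanned Folders:` entry uses, and its heading says "Processes" while the file records module findings. `List of Unknown Modules:` followed by `$env:LOCALAPPDATA\UnknownModules.txt` matches both the sibling entries and what the code writes; the same text is repeated in the docs/Diagnostics/Test-ExchAVExclusions.md hunk of patch 11 and the fix applies there too.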
@@ -368,6 +371,9 @@ foreach ($process in $ServerProcess) { # Remove Microsoft modules $ProcessModules = $ProcessModules | Where-Object { $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation." -and $_.FileVersionInfo.CompanyName -ne "Microsoft" -and $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation" } + # Generate and output path for an unknown modules file: + $OutputProcessPath = Join-Path $env:LOCALAPPDATA UnknownModules.txt + # Clear out modules from the allow list foreach ($module in $ModuleAllowList) { $ProcessModules = $ProcessModules | Where-Object { $_.ModuleName -ne $module } @@ -377,7 +383,9 @@ foreach ($process in $ServerProcess) { Write-Warning ("Possible AV Modules found in process $($process.ProcessName)") $UnexpectedModuleFound++ foreach ($module in $ProcessModules) { - Write-SimpleLogFile -string ("[FAIL] - PROCESS: $($process.ProcessName) MODULE: $($module.ModuleName) COMPANY: $($module.Company)") -Name $LogFile + $OutString = ("[FAIL] - PROCESS: $($process.ProcessName) MODULE: $($module.ModuleName) COMPANY: $($module.Company)") + Write-SimpleLogFile -string $outstring -Name $LogFile + $OutString | Out-File $OutputProcessPath -Append } } } @@ -386,8 +394,8 @@ foreach ($process in $ServerProcess) { # Final output for process detection if ($UnexpectedModuleFound -gt 0) { Write-SimpleLogFile -string ("Found $($UnexpectedModuleFound) processes with unexpected modules loaded") -Name $LogFile -OutHost - Write-Warning ("Review " + $OutputPath + " For more information.") - Write-Information ("If a module is labeled `"Unexpected`" in error please submit the log file to ExToolsFeedback@microsoft.com" ) + Write-Warning ("Review " + $OutputProcessPath + " For more information.") + Write-SimpleLogFile ("If a module is labeled `"Unexpected`" in error please submit the log file to ExToolsFeedback@microsoft.com" ) -Name $LogFile -OutHost } else { Write-SimpleLogFile -string ("No Unexpected modules found loaded.") -Name $LogFile -OutHost } 
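Review bot: `$OutputProcessPath` is assigned inside the per-process loop and the findings are written with `Out-File -Append`, so the file is never truncated and a run on a server that has since been cleaned up still shows the previous run's `[FAIL]` lines, unless the file is removed somewhere this hunk does not show. Hoisting the assignment above the `foreach ($process in $ServerProcess)` loop and clearing the file there, e.g. `$OutputProcessPath = Join-Path $env:LOCALAPPDATA UnknownModules.txt` followed by `Remove-Item $OutputProcessPath -ErrorAction SilentlyContinue`, gives each run a fresh report and stops the variable being re-assigned once per matched process. In the last hunk `Write-SimpleLogFile ("If a module ...")` passes the message positionally while every other call on the page uses `-string`; keeping `-string` is consistent and does not depend on parameter position.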
From 063ead68f89361fea845c9734a8b647dd47101cb Mon Sep 17 00:00:00 2001 From: canthv0 Date: Thu, 29 Jun 2023 15:03:51 -0400 Subject: [PATCH 11/13] Updated documentation --- docs/Diagnostics/Test-ExchAVExclusions.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/Diagnostics/Test-ExchAVExclusions.md b/docs/Diagnostics/Test-ExchAVExclusions.md index 85f2817314..89d4dc1c61 100644 --- a/docs/Diagnostics/Test-ExchAVExclusions.md +++ b/docs/Diagnostics/Test-ExchAVExclusions.md @@ -16,6 +16,10 @@ IF the file is not removed then it should be properly excluded. Once the files are created it will wait 5 minutes for AV to "see" and remove the file. +After finishing testing directories it will test Exchange Processes. +We pull all Exchange processes and the modules loaded into them. +Those are then compared to a list of known modules and anything "unknown" is reported. + ... .\Test-ExchAVExclusions.ps1 ... @@ -35,3 +39,6 @@ $env:LOCALAPPDATA\ExchAvExclusions.log List of Folders and extensions Scanned by AV: $env:LOCALAPPDATA\BadExclusions.txt + +List of Unknown Processes: +$env:LOCALAPPDATA UnknownModules.txt \ No newline at end of file From d30d0cf54fc696dbad5c9ce83e2c8e2087407d11 Mon Sep 17 00:00:00 2001 From: canthv0 Date: Thu, 29 Jun 2023 15:18:26 -0400 Subject: [PATCH 12/13] Fixed CamelCase issue --- Diagnostics/AVTester/Test-ExchAVExclusions.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 index c395f0ef83..ea4c13a232 100644 --- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 +++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 
@@ -384,7 +384,7 @@ foreach ($process in $ServerProcess) { $UnexpectedModuleFound++ foreach ($module in $ProcessModules) { $OutString = ("[FAIL] - PROCESS: $($process.ProcessName) MODULE: $($module.ModuleName) COMPANY: $($module.Company)") - Write-SimpleLogFile -string $outstring -Name $LogFile + Write-SimpleLogFile -string $OutString -Name $LogFile $OutString | Out-File $OutputProcessPath -Append } } From e34e9d1ed130c6b070aaaef8f502e6526a217ee3 Mon Sep 17 00:00:00 2001 From: canthv0 Date: Wed, 5 Jul 2023 13:07:02 -0400 Subject: [PATCH 13/13] MD formating issue --- docs/Diagnostics/Test-ExchAVExclusions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Diagnostics/Test-ExchAVExclusions.md b/docs/Diagnostics/Test-ExchAVExclusions.md index 89d4dc1c61..71ffd18b39 100644 --- a/docs/Diagnostics/Test-ExchAVExclusions.md +++ b/docs/Diagnostics/Test-ExchAVExclusions.md @@ -41,4 +41,4 @@ List of Folders and extensions Scanned by AV: $env:LOCALAPPDATA\BadExclusions.txt List of Unknown Processes: -$env:LOCALAPPDATA UnknownModules.txt \ No newline at end of file +$env:LOCALAPPDATA UnknownModules.txt