Monitoring third-party antivirus software

Monitoring any of the supported third-party antivirus solutions requires a professional license or an Automation on Essentials license applied to the device. You will also need to:

  • Add the AV Status service to the device.
  • Execute the AV Status script as a daily scheduled task.

The AV Status script updates a WMI value on the device that the AV Status service monitors. This keeps you up to date on the third-party AV software details, including the type installed, whether the AV product is running, and whether it is up to date.

For an up-to-date list of supported antivirus products, download the AV Status script referred to in this document and open it using a text editor such as Notepad or Notepad++. The most current list of antivirus solutions this service will monitor is contained in this script.

The procedures below outline how to build the rules, templates and filters needed to automate the application and removal of the Third Party AV monitoring service, AV Status, depending on whether it is needed or not. The steps required are:

  1. Install the AV Status script
  2. Create filters
  3. Create scheduled task profiles
  4. Create three service templates that add the AV Status service
  5. Create rules to deploy/remove the AV Status script and service templates

Install the AV Status script

  1. Log in to N-ableMe, download the compressed script, and extract AVstatus.vbs.

    When you extract AVstatus.vbs, there will also be a PDF file included in the extracted folder. Please refer to this file for additional information when installing the script.

  2. At the Service Organization Level, click Configuration > Scheduled Tasks > Script/Software Repository.
  3. Click Add > Scripting.
  4. Enter the details, locate the script file and click OK.

The AV Status script is updated regularly. It is highly recommended you update the script in your repository on a regular basis. To update the script, open the Script Repository as described above, select the existing AV Status script and click Change.

Create filters

Create a filter to identify devices that do not have AV Defender enabled. These devices will need to have the AV Status service and script installed to monitor their third-party AV, such as Symantec, Trend, and AVG.

If you have purchased Scripting ability on Essential devices, the conditions for Pro and Essentials mode licensing can be removed from the filters below.

You will need to refer to the PDF file included in the extracted AVstatus.vbs folder for additional information about creating the filters.

  1. Click Configuration > Filters and click Add.
  2. Enter a name and ensure the Show in my Drop-Down check box is selected.
  3. Click Advanced Mode, and in the Find devices where drop-down list, select Custom Expression.
  4. In the empty field beside the drop-down list, enter A AND (B OR C OR D).

    Create the Boolean expression as necessary for the types of devices for which you don't have AV Defender enabled.

  5. Click Generate.
  6. In each of the Select a Category drop-down lists, select Device.
  7. For each of these, select the required criteria as follows:
    1. From the drop-down list next to Device "A", select AV Defender Enabled.
    2. From the Select an Operator drop-down list for Device "A", select EQUAL TO.
    3. From the Select a Value drop-down list for Device "A", select FALSE.
    4. From the drop-down lists next to each remaining Device (B, C, and D), select Class.
    5. From the Select an Operator drop-down lists for each remaining Device, select EQUAL TO.
    6. From the Select a Value drop-down lists for each remaining Device, select the appropriate device to which you want to apply this filter. For example, Workstations – Windows, Laptop – Windows, Servers – Windows, etc.

      Note that each device should be different. No two should be the same.

  8. Click Save.

Create a second filter to identify professionally licensed Windows devices that have AV Defender enabled. This will remove AV Status from devices that do not require it. AV Status will also be removed from Essential devices, as its script cannot run on them.

Repeat the procedure above, except that in step 7c select TRUE from the Select a Value drop-down list for Device "A". Then continue with the rest of the steps above.
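
A dry run of the two filters above against a device inventory shows which rule each device will fall under and which devices neither filter covers. This is an added example, not N-able's code and not a description of how N-central evaluates filters: the record fields, class labels, sample devices and left-to-right evaluation are assumptions, and the licensing conditions described in the PDF are not modeled.

```python
import re

EXPR = "A AND (B OR C OR D)"  # custom expression entered in step 4

def criteria(av_defender_enabled):
    """Step 7 criteria: A is FALSE for the first filter, TRUE for the second."""
    return {
        "A": lambda d: d["av_defender_enabled"] == av_defender_enabled,
        "B": lambda d: d["class"] == "Workstations - Windows",
        "C": lambda d: d["class"] == "Laptop - Windows",
        "D": lambda d: d["class"] == "Servers - Windows",
    }

def matches(expr, crit, device):
    """Evaluate lettered criteria joined by AND/OR, left to right (assumed)."""
    tokens = re.findall(r"[A-Z]+|[()]", expr.upper())
    def term():
        tok = tokens.pop(0)
        if tok != "(":
            return crit[tok](device)  # KeyError if the letter is undefined
        value = chain()
        tokens.pop(0)  # consume the closing ")"
        return value
    def chain():
        value = term()
        while tokens and tokens[0] in ("AND", "OR"):
            op, rhs = tokens.pop(0), term()
            value = (value and rhs) if op == "AND" else (value or rhs)
        return value
    return chain()

def plan(inventory):
    """Return {device name: 'add', 'remove' or 'unmatched'}."""
    out = {}
    for dev in inventory:
        add = matches(EXPR, criteria(False), dev)
        remove = matches(EXPR, criteria(True), dev)
        out[dev["name"]] = "add" if add else "remove" if remove else "unmatched"
    return out

# Constructed sample inventory; names, fields and class labels are illustrative.
INVENTORY = [
    {"name": "ws-01", "class": "Workstations - Windows", "av_defender_enabled": False},
    {"name": "lt-02", "class": "Laptop - Windows", "av_defender_enabled": True},
    {"name": "srv-03", "class": "Servers - Windows", "av_defender_enabled": False},
    {"name": "nas-04", "class": "Other", "av_defender_enabled": False},
]
```

Devices reported as "unmatched" by `plan(INVENTORY)` are targeted by neither rule, so their antivirus state is not covered by this procedure.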

Create scheduled task profiles

You need to create a scheduled task profile that will run the AV Status script once a day, during the hours that the system will typically be online. This will be added to a rule that will allow it to be applied globally and automatically.

  1. Click Configuration > Scheduled Tasks > Profiles.
  2. Click Add and enter AV Status Script in the Name field.
  3. Click Add Scripting.
  4. On the Details tab, select Use Device Credentials, and select the script you created in the previous steps.
  5. Click the Schedule tab and select Recurring from the Type drop-down list box.
  6. Select Custom from the Interval drop-down, then select and Add at least two Start Times.
  7. How often you run the task and how you schedule it is up to you. It is suggested you run the task twice a day.

  8. Ensure the task is run Every day.
  9. Click Save.

Add a second task with the name "AV Status - First Run".

  1. Enter the same information on the Details tab as in the previous steps.
  2. On the Schedule tab, select Once from the Type drop-down list box.
  3. Select two hours from the Execution Timeout drop-down, and leave Execution Window as "Only run at the specified time".
  4. Click Save, then Save again.

Create three Service Templates that add the AV Status service

Because Service Templates are tied to their respective device classes, you need to create three: one for laptops, one for workstations and one for servers.

  1. Click Configuration > Monitoring > Service Templates.
  2. Click Add and enter a name for the first template. For example, "AV Status - Laptops".
  3. Select Laptops - Windows from the Device Class drop-down list box.
  4. Select AV Status from the Service drop-down list box and click Add Service.
  5. Click Save.

Repeat these steps to create templates using the same AV Status service for "AV Status - Workstations" and "AV Status - Servers".

Create three further Service Templates to remove the AV Status service from servers, workstations and laptops where you choose to deploy AV Defender.

  1. Click Add and enter a name for the first template. For example, "AV Status - Removal from Laptops".
  2. Select AV Status from the Service drop-down list box.
  3. Click Add Service, then click Save.
  4. In the Action column, click Add or Modify, and change to Remove.
  5. Click Save.

Repeat to create templates for "AV Status - Removal from Workstations" and "AV Status - Removal from Servers".

Create rules to deploy/remove the AV Status Script and service templates

The first rule deploys AV Status and its components to devices that do not have Centralize integrated AV installed.

  1. Click Configuration > Monitoring > Rules.
  2. Click Add and enter the name "Add AV Status to devices without integrated AV installed".
  3. On the Devices to Target tab, select the AV Status - Devices without AV Defender Installed filter created above and add it to the Selected Filters box.
  4. Click the Scheduled Task Profile tab, and select the AV Status Script script you created above.
  5. Click the Monitoring Options tab, and select the AV Status - Workstations, AV Status - Laptops and AV Status - Workstations Service Templates you created above.
  6. Click the Grant Customers & Sites Access tab, move all customer/sites to the Selected Customer/Sites column.
  7. Click the Propagate to all new customers/sites check box.
  8. Click Save.

The second rule will remove the AV Status script and its components from devices that deploy the N-able N-central AV products, and apply product-specific monitoring.

  1. At the Service Organization level, click Configuration > Monitoring > Rules.
  2. Click Add and name this rule "Remove AV Status from devices with integrated AV".
  3. Click the Devices to Target tab, and select the "AV Status - Devices with AV Defender Installed" filter created above.
  4. Click the Scheduled Task Profile tab, and select the "AV Status Script" script you created above.
  5. Click the Monitoring Options tab, and select the "AV Status - Removal from Workstations", "AV Status - Removal from Laptops" and "AV Status - Removal Workstations" Service Templates you created above.
  6. Click the Grant Customers & Sites Access tab, and move all customer/sites to the Selected Customer/Sites column and check the Propagate to all new customers/sites check box.
  7. Click Save.