Thursday, February 24, 2011

Nagios Check for Forefront Client Security Signature Definitions

I have used Nagios for nearly 8 years and found it to be a great monitoring tool. Its flexible and allows you to monitor a heterogenous server environment with custom system checks tailored to your needs. For Windows Servers, the NSClient++ secure monitoring client allows you to go farther than simple ping, port and SNMP queries and execute scripts for monitoring services. Below is a VBScript I wrote to monitor the Forefront Client Security (FCS) Virus Signature freshness on a server by checking the age of the downloaded definition file. While you can monitor this directly in the FCS console, it becomes burdensome to monitor every product by its individual monitoring console. Integration into one monitoring platform saves a considerable amount of time and allows for straight forward escalation practices when trouble arises. One tool for evaluating your entire Enterprise health.
Const contHkeyLocalMachine = &H80000002
Const contReturnNormal = 0
Const contReturnWarning = 1
Const contReturnError = 2
Const contReturnUnknown = 3
strServer = "."
strToday = FormatDateTime(Date, 0)
strVirusDefinitionFilePath = NULL
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strServer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates"
strSignatureLocation = "SignatureLocation"
objReg.GetStringValue contHkeyLocalMachine,strKeyPath,strSignatureLocation,strVirusDefinitionFilePath
strVirusDefinitionFile = strVirusDefinitionFilePath & "\mpavdlta.vdm"
If strVirusDefinitionFile = "\mpavdlta.vdm" Then
 strReturnValue = contReturnError
 strResult = "Cannot determine location directory for mpavdlta.vdm from Registry. FCS might not have received its first update. Visit to quickly resolve."
 WScript.Echo strResult
 WScript.Quit (strReturnValue)
End If
Set objFso = CreateObject("Scripting.FileSystemObject")
Set objFile = objFso.GetFile(strVirusDefinitionFile)
strVirusSignatureDate = FormatDateTime(objFile.DateCreated, 0)
intSignatureDefinitionDiff = DateDiff("d",strVirusSignatureDate,StrToday)
If intSignatureDefinitionDiff > 3 Then
 strReturnValue = contReturnError
ElseIf intSignatureDefinitionDiff > 1 Then
 strReturnValue = contReturnWarning
ElseIf intSignatureDefinitionDiff < 2 Then
 strReturnValue = contReturnNormal
 strReturnValue = contReturnUnknown
End If
If intSignatureDefinitionDiff > 1 Then
 strResult = "Virus Signatures Last Updated: " & strVirusSignatureDate & " (" & intSignatureDefinitionDiff & " days ago)"
ElseIf intSignatureDefinitionDiff = 0 Then
 strResult = "Virus Signatures Last Updated: " & strVirusSignatureDate & " (Today)"
 strResult = "Virus Signatures Last Updated: " & strVirusSignatureDate & " (" & intSignatureDefinitionDiff & " day ago)"
End If
WScript.Echo strResult
WScript.Quit (strReturnValue)


  1. Thanks for this script!

  2. I'm a Nagios do I even invoke this?