Microsoft System Center Endpoint Protection

Microsoft System Center Endpoint Protection (SCEP) is an anti-virus and anti-malware product for Windows environments that includes a Windows Firewall manager. SCEP (formerly called Forefront) is integrated into System Center, an enterprise system management product consisting of multiple modules for managing a Windows-based enterprise IT environment. For more information, see the Endpoint Protection documentation on Microsoft Docs.

Because the SCEP client logs events to Windows Event Log, it is possible to collect these events with NXLog.

EventData field from Windows Event Log

Some of the event data is stored as custom data in the EventData field of the events, as shown below. The values are not labeled, but this data can be parsed using regular expressions, if the proper field names are known.

EventData field (excerpt with line breaks added)
<Data>%%830</Data>
<Data>1.5.1937.0</Data>
<Data>{92224018-9446-4C2D-AFCB-EC4456B8859E}</Data>
<Data>10</Data>
<Data>%%843</Data>
<Data></Data>
<Data>C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data>
<Data>DOMAIN</Data>
<Data>admin</Data>
<Data>S-1-5-21-314323950-2314161084-4234690932-1002</Data>
<Data>EICAR_Test_File</Data>
<Data>2147519003</Data>
<Data>5</Data>
<Data>42</Data>
<Data>http://go.microsoft.com/fwlink/?linkid=37020&amp;name=EICAR_Test_File&amp;threatid=2147519003</Data>
<Data>file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt</Data>
<Data></Data>
<Data></Data>
<Data>4</Data>
<Data>%%814</Data>
<Data>0</Data>
<Data>%%823</Data>
<Data></Data>
<Data></Data>
<Data>Severe</Data>
<Data>Virus</Data>
<Data></Data>
<Data></Data>
Example 1. Collecting and parsing Microsoft Forefront (FCSAM) events from Windows Event Log

This configuration uses the im_msvistalog module to collect FCSAM client events from Windows Event Log. This will result in an $EventData field in the event record containing <Data> entries similar to the previous example.

To extract values from the $EventData field, a regular expression is selected based on the event ID. Then each <Data> entry is identified by a combination of its position in the list and a pattern match on its value. For example, the <Data>1.5.1937.0</Data> portion of the EventData string is extracted and saved to the NXLog $ClientVersion field.

This example includes regular expressions for parsing event IDs 3004, 3005, 5007, 5008, 1000, 1001, 1002, 1006, and 1007. Fields that are empty or otherwise do not contain useful data are skipped. The configuration could be extended to parse other events logged by the FCSAM client by adding more regular expressions, by parsing multiple event IDs with a single expression, and/or by dividing the parsing of a single event into multiple expressions.

nxlog.conf
<Extension _json>
    Module  xm_json
</Extension>

define FCSAMEvents    3004, 3005, 5007, 5008, 1000, 1001, 1002, 1006, 1007

define EventID_3004_REGEX /(?x) \
    <Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
    <Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d{3}<\/Data> \
    <Data><\/Data> \
    <Data>(?<ProcessName>(\w{1}:\\.*\.exe))<\/Data> \
    <Data>(?<Domain>([\w\d]+))<\/Data> \
    <Data>(?<User>([\w\d]+))<\/Data> \
    <Data>(?<SID>(S-[\d\-]+))<\/Data> \
    <Data>(?<Filename>.*)<\/Data> \
    <Data>(?<ID>(\d{9,11}))<\/Data> \
    <Data>(?<SeverityID>(\d{1,2}))<\/Data> \
    <Data>(?<CategoryID>(\d{1,3}))<\/Data> \
    <Data>(?<FWLink>(http.*id=\d{10}))<\/Data> \
    <Data>(?<PathFound>(file:\w{1}:.*\.\w{2,4}))<\/Data> \
    <Data><\/Data> \
    <Data><\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d+<\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d+<\/Data> \
    <Data><\/Data> \
    <Data><\/Data> \
    <Data>(?<Severity>(\w+))<\/Data> \
    <Data>(?<Category>(\w+))<\/Data>/

define EventID_3005_REGEX /(?x) \
    <Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
    <Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
    <Data><\/Data> \
    <Data><\/Data> \
    <Data><\/Data> \
    <Data><\/Data> \
    <Data>(?<Domain>([\w\d]+))<\/Data> \
    <Data>(?<User>([\w\d]+))<\/Data> \
    <Data>(?<SID>(S-[\d\-]+))<\/Data> \
    <Data>(?<Filename>.*)<\/Data> \
    <Data>(?<ID>(\d{9,11}))<\/Data> \
    <Data>(?<SeverityID>(\d{1,2}))<\/Data> \
    <Data>(?<CategoryID>(\d{1,3}))<\/Data> \
    <Data>(?<FWLink>(http.*id=\d{10}))<\/Data> \
    <Data><\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d+<\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d+<\/Data> \
    <Data><\/Data> \
    <Data><\/Data> \
    <Data><\/Data> \
    <Data><\/Data> \
    <Data>(?<Severity>(\w+))<\/Data> \
    <Data>(?<Category>(\w+))<\/Data>/

define EventID_1000-1002_REGEX /(?x) \
    <Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
    <Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d{3}<\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d{3}<\/Data> \
    <Data>(?<Domain>([\w\d]+))<\/Data> \
    <Data>(?<User>([\w\d]+))<\/Data> \
    <Data>(?<SID>(S-[\d\-]+))<\/Data>/

define EventID_5007_REGEX /(?x) \
    <Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
    <Data>(?<Old_value>.*)<\/Data> \
    <Data>(?<New_value>.*)<\/Data> \
    <Data><\/Data> \
    <Data><\/Data>/

define EventID_5008_REGEX /(?x) \
    <Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
    <Data>(?<Resource>file(.*))<\/Data> \
    <Data>\d{1} /

define EventID_1006_REGEX /(?x) \
    <Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
    <Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d{3}<\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d{3}<\/Data> \
    <Data>(?<Domain>([\w\d]+))<\/Data> \
    <Data>(?<User>([\w\d]+))<\/Data> \
    <Data>(?<SID>(S-[\d\-]+))<\/Data> \
    <Data>(?<Filename>.*)<\/Data> \
    <Data>(?<ID>(\d{9,11}))<\/Data> \
    <Data>(?<SeverityID>(\d{1,2}))<\/Data> \
    <Data>(?<CategoryID>(\d{1,3}))<\/Data> \
    <Data>(?<FWLink>(http.*id=\d{10}))<\/Data> \
    <Data>(?<PathFound>(file:\w{1}:.*\.\w{2,4}))<\/Data> /

define EventID_1007_REGEX /(?x) \
    <Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
    <Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d{3}<\/Data> \
    <Data>\d+<\/Data> \
    <Data><\/Data> \
    <Data>(?<Domain>([\w\d]+))<\/Data> \
    <Data>(?<User>([\w\d]+))<\/Data> \
    <Data>(?<SID>(S-[\d\-]+))<\/Data> \
    <Data>(?<Filename>.*)<\/Data> \
    <Data>(?<ID>(\d{9,11}))<\/Data> \
    <Data>(?<SeverityID>(\d{1,2}))<\/Data> \
    <Data>(?<CategoryID>(\d{1,3}))<\/Data> \
    <Data>(?<FWLink>(http.*id=\d{10}))<\/Data> /

<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">
                    *[System[Provider[@Name='FCSAM']]]</Select>
                <Select Path="Security">*[System[Provider[@Name='FCSAM']]]</Select>
                <Select Path="System">*[System[Provider[@Name='FCSAM']]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        #Drop events not defined in FCSAMEvents
        if ($EventID NOT IN (%FCSAMEvents%)) drop();

        #1. Regex for EventID==3004 event in $EventData section.
        else if ($EventID == 3004)
        $EventData =~ %EventID_3004_REGEX%;

        #2. Regex for EventID==3005 event in $EventData section.
        else if ($EventID == 3005)
        $EventData =~ %EventID_3005_REGEX%;

        #3. Regex for 1000-1002 event in $EventData section.
        else if ($EventID IN (1000, 1001, 1002))
        $EventData =~ %EventID_1000-1002_REGEX%;

        #4. Regex for EventID==5007 event in $EventData section.
        else if ($EventID == 5007)
        $EventData =~ %EventID_5007_REGEX%;

        #5. Regex for EventID==5008 event in $EventData section.
        else if ($EventID == 5008)
        $EventData =~ %EventID_5008_REGEX%;

        #6. Regex for EventID==1006 event in $EventData section.
        else if ($EventID == 1006)
        $EventData =~ %EventID_1006_REGEX%;

        #7. Regex for EventID==1007 event in $EventData section.
        else if ($EventID == 1007)
        $EventData =~ %EventID_1007_REGEX%;

        to_json();
    </Exec>
</Input>
Event sample
{
  "EventTime": "2019-01-11T12:19:22.000000+01:00",
  "Hostname": "Host.DOMAIN.local",
  "Keywords": "36028797018963968",
  "EventType": "WARNING",
  "SeverityValue": 3,
  "Severity": "Severe",
  "EventID": 3004,
  "SourceName": "FCSAM",
  "TaskValue": 0,
  "RecordNumber": 11595,
  "ExecutionProcessID": 0,
  "ExecutionThreadID": 0,
  "Channel": "System",
  "Message": "Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.\r\n For more information please see the following:\r\nhttp://go.microsoft.com/fwlink/?linkid=37020&name=EICAR_Test_File&threatid=2147519003\r\n \tScan ID: {92224018-9446-4C2D-AFCB-EC4456B8859E}\r\n \tAgent: On Access\r\n \tUser: DOMAIN\\admin\r\n \tName: EICAR_Test_File\r\n \tID: 2147519003\r\n \tSeverity: Severe\r\n \tCategory: Virus\r\n \tPath Found: file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt\r\n \tAlert Type: \r\n \tProcess Name: C:\\Program Files\\Mozilla Firefox\\firefox.exe\r\n \tDetection Type: Concrete\r\n \tStatus: Suspend",
  "Opcode": "Info",
  "EventData": "<Data>%%830</Data><Data>1.5.1937.0</Data><Data>{92224018-9446-4C2D-AFCB-EC4456B8859E}</Data><Data>10</Data><Data>%%843</Data><Data></Data><Data>C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data><Data>DOMAIN</Data><Data>admin</Data><Data>S-1-5-21-314323950-2314161084-4234690932-1002</Data><Data>EICAR_Test_File</Data><Data>2147519003</Data><Data>5</Data><Data>42</Data><Data>http://go.microsoft.com/fwlink/?linkid=37020&amp;name=EICAR_Test_File&amp;threatid=2147519003</Data><Data>file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt</Data><Data></Data><Data></Data><Data>4</Data><Data>%%814</Data><Data>0</Data><Data>%%823</Data><Data></Data><Data></Data><Data>Severe</Data><Data>Virus</Data><Data></Data><Data></Data>",
  "EventReceivedTime": "2019-01-11T12:19:22.883100+01:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_msvistalog",
  "Category": "Virus",
  "CategoryID": "42",
  "ClientVersion": "1.5.1937.0",
  "FWLink": "http://go.microsoft.com/fwlink/?linkid=37020&amp;name=EICAR_Test_File&amp;threatid=2147519003",
  "Filename": "EICAR_Test_File",
  "ID": "2147519003",
  "PathFound": "file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt",
  "ProcessName": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
  "SID": "S-1-5-21-314323950-2314161084-4234690932-1002",
  "ScanID": "{92224018-9446-4C2D-AFCB-EC4456B8859E}",
  "SeverityID": "5",
  "User": "DOMAIN \\ admin"
}
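The positional mapping performed by the regular expressions above can be checked offline before the configuration is deployed. The following Python script is an added example, not part of the NXLog configuration or product: it splits the serialized EventData string into its ordered <Data> values, names them by position using the layout of event ID 3004 taken from EventID_3004_REGEX, and validates each mapped value against its per-field pattern, so a changed client version or a reordered layout raises an error naming the position instead of silently mislabelling fields. It also decodes the XML entities (&amp;) so that FWLink comes out as a usable URL. The sample string is the EventData of the event shown above; the layout table, the expected entry count and the function names are this example's own.

```python
import html
import re
from typing import Dict, List, Tuple

# Constructed input: the EventData string of the FCSAM event ID 3004 shown on this
# page, with its 28 <Data> entries joined onto one line.
SAMPLE_EVENTDATA_3004 = (
    "<Data>%%830</Data><Data>1.5.1937.0</Data>"
    "<Data>{92224018-9446-4C2D-AFCB-EC4456B8859E}</Data><Data>10</Data>"
    "<Data>%%843</Data><Data></Data>"
    "<Data>C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data>"
    "<Data>DOMAIN</Data><Data>admin</Data>"
    "<Data>S-1-5-21-314323950-2314161084-4234690932-1002</Data>"
    "<Data>EICAR_Test_File</Data><Data>2147519003</Data><Data>5</Data><Data>42</Data>"
    "<Data>http://go.microsoft.com/fwlink/?linkid=37020&amp;name=EICAR_Test_File"
    "&amp;threatid=2147519003</Data>"
    "<Data>file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt</Data>"
    "<Data></Data><Data></Data><Data>4</Data><Data>%%814</Data><Data>0</Data>"
    "<Data>%%823</Data><Data></Data><Data></Data><Data>Severe</Data>"
    "<Data>Virus</Data><Data></Data><Data></Data>"
)

DATA_RE = re.compile(r"<Data>(.*?)</Data>", re.DOTALL)

# Layout of event ID 3004 (this example's table, derived from EventID_3004_REGEX):
# zero-based position -> (field name, pattern the value must match in full).
# Positions not listed hold %%nnn placeholders, counters or empty values and are
# skipped, just as the NXLog regex skips them.
LAYOUT_3004: Dict[int, Tuple[str, str]] = {
    1: ("ClientVersion", r"\d+\.\d+\.\d+\.\d+"),
    2: ("ScanID", r"\{[\w-]+\}"),
    6: ("ProcessName", r"\w:\\.*\.exe"),
    7: ("Domain", r"\w+"),
    8: ("User", r"\w+"),
    9: ("SID", r"S-[\d-]+"),
    10: ("Filename", r".*"),
    11: ("ID", r"\d{9,11}"),
    12: ("SeverityID", r"\d{1,2}"),
    13: ("CategoryID", r"\d{1,3}"),
    14: ("FWLink", r"http.*id=\d{10}"),
    15: ("PathFound", r"file:\w:.*\.\w{2,4}"),
    24: ("Severity", r"\w+"),
    25: ("Category", r"\w+"),
}
# Event ID -> (expected number of <Data> entries, positional layout).
LAYOUTS = {3004: (28, LAYOUT_3004)}


def split_eventdata(eventdata: str) -> List[str]:
    """Return the ordered <Data> values, with XML entities (&amp; ...) decoded."""
    return [html.unescape(v) for v in DATA_RE.findall(eventdata)]


def parse_eventdata(event_id: int, eventdata: str) -> Dict[str, str]:
    """Name the <Data> values by position according to the event's layout.

    Every mapped value is checked against its pattern; a count or pattern
    mismatch raises ValueError naming the position, so a different client
    version or layout cannot silently produce mislabelled fields.
    """
    if event_id not in LAYOUTS:
        raise ValueError(f"no layout defined for event ID {event_id}")
    expected, layout = LAYOUTS[event_id]
    values = split_eventdata(eventdata)
    if len(values) != expected:
        raise ValueError(f"event {event_id}: expected {expected} <Data> entries, got {len(values)}")
    fields: Dict[str, str] = {}
    for pos, (name, pattern) in layout.items():
        value = values[pos]
        if re.fullmatch(pattern, value, re.DOTALL) is None:
            raise ValueError(f"event {event_id}: position {pos} ({name}) has unexpected value {value!r}")
        fields[name] = value
    return fields


def layout_fits(event_id: int, eventdata: str) -> bool:
    """True when the EventData string parses cleanly under the known layout."""
    try:
        parse_eventdata(event_id, eventdata)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, value in parse_eventdata(3004, SAMPLE_EVENTDATA_3004).items():
        print(f"{name:14} {value}")
```

Because the script validates every mapped position, it doubles as a regression check: run it against EventData strings captured from a new client version, and any position whose value no longer fits is reported by name, which tells you exactly which define in nxlog.conf needs adjusting.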

Collecting and parsing Microsoft SCEP data from log files

SCEP client log files are located in the %allusersprofile%\Microsoft\Microsoft Antimalware\Support directory.

These logs record the following client actions:

  • Definition updates

  • Malware detections

  • Monitoring alerts

Input sample - MPDetection
2019-06-08T13:35:31.153Z Service started - System Center Endpoint Protection \
(DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)
Input sample - MPLog
2019-05-31T17:15:17.383Z Process scan (postsignatureupdatescan) started.
Signature updated via MMPC on 05-31-2019 19:15:17
SCEP client installation logs location
%allusersprofile%\Microsoft\Microsoft Security Client\Support
Input sample - EppSetup
SUCCESS	2019/05/31 19:12:05:782 TID:4700 PID:4692
Setup ended successfully with result: The operation completed successfully.   [00000000] 
Input sample - MSSecurityClient_Setup
=== Verbose logging stopped: 5/31/2019  19:11:59 ===
MSI (s) (28:2C) [19:11:59:329]: Destroying RemoteAPI object.
Example 2. Collecting and parsing Microsoft SCEP data from log files

The following configuration collects events from the SCEP log files with the im_file module. The logs are written in the UTF-16LE character encoding, so the xm_charconv extension module is used to convert the input.

nxlog.conf
<Extension charconv>
    Module      xm_charconv
    LineReader  UTF-16LE
</Extension>

<Extension _json>
    Module    xm_json
</Extension>

<Input Antimalware>
    Module  im_file
    File    'C:\ProgramData\Microsoft\Microsoft Antimalware\Support\' + \
            'MPDetection-*.log'
    File    'C:\ProgramData\Microsoft\Microsoft Antimalware\Support\' + \
            'MPLog-*.log'
    File    'C:\ProgramData\Microsoft\Microsoft Security Client\Support\' + \
            'EppSetup.log'
    File    'C:\ProgramData\Microsoft\Microsoft Security Client\Support\' + \
            'MSSecurityClient_Setup*.log'
    ReadFromLast TRUE
    InputType    charconv
    <Exec>
        file_name() =~ /(?<Filename>[^\\]+)$/;
        if $FileName =~ /MPLog|MPDetection/
            if $raw_event =~ /(.*\.\d{3}Z)\s+(.*)/
            {
                $EventTime = $1;
                $Message = $2;
            }
            else
            {
                $Message = $raw_event;
            }
        if $FileName =~ /EppSetup/
            if $raw_event =~ /(\w+)\s+(.*)\s+TID\:(\d+)\s+PID\:(\d+)/
            {
                $Status = $1;
                $EventTime = $2;
                $TID = $3;
                $PID = $4;
            }
            else
            {
                $Message = $raw_event;
            }
        if $FileName =~ /MSSecurityClient_Setup/
            if $raw_event =~ /.*\[(.*)\]\:(.*)/
            {
                $EventTime = $1;
                $Message = $2;
            }
            else
            {
                $Message = $raw_event;
            }
        to_json();
    </Exec>
</Input>
Event sample - MPDetection
{
  "EventReceivedTime": "2019-06-16T14:24:51.746591+02:00",
  "SourceModuleName": "Antimalware",
  "SourceModuleType": "im_file",
  "Filename": "MPDetection-05312019-191154.log",
  "EventTime": "2019-06-08T13:35:31.153Z",
  "Message": "Service started - System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)"
}
Event sample - MPLog
{
  "EventReceivedTime": "2019-06-16T14:36:04.642769+02:00",
  "SourceModuleName": "Antimalware",
  "SourceModuleType": "im_file",
  "Filename": "MPLog-05312019-191154.log",
  "Message": "************************************************************"
}
{
  "EventReceivedTime": "2019-06-16T14:36:04.642769+02:00",
  "SourceModuleName": "Antimalware",
  "SourceModuleType": "im_file",
  "Filename": "MPLog-05312019-191154.log",
  "EventTime": "2019-05-31T17:15:17.383Z",
  "Message": "Process scan (postsignatureupdatescan) started."
}
Event sample - EppSetup
{
  "EventReceivedTime": "2019-06-16T14:39:07.127660+02:00",
  "SourceModuleName": "Antimalware",
  "SourceModuleType": "im_file",
  "Filename": "EppSetup.log",
  "Status": "SUCCESS",
  "EventTime": "2019/05/31 19:12:05:782",
  "TID": "4700",
  "PID": "4692"
}
{
  "EventReceivedTime": "2019-06-16T14:39:07.127660+02:00",
  "SourceModuleName": "Antimalware",
  "SourceModuleType": "im_file",
  "Filename": "EppSetup.log",
  "Message": "Setup ended successfully with result: The operation completed successfully."
}
Event sample - MSSecurityClient_Setup
{
  "EventReceivedTime": "2019-06-16T14:22:17.824508+02:00",
  "SourceModuleName": "Antimalware",
  "SourceModuleType": "im_file",
  "Filename": "MSSecurityClient_Setup_4.7.213.0_epp_Install.log",
  "Message": "=== Verbose logging stopped: 5/31/2019  19:11:59 ==="
}
{
  "EventReceivedTime": "2019-06-16T14:22:17.824508+02:00",
  "SourceModuleName": "Antimalware",
  "SourceModuleType": "im_file",
  "Filename": "MSSecurityClient_Setup_4.7.213.0_epp_Install.log",
  "EventTime": "19:11:59:329",
  "Message": " Destroying RemoteAPI object."
}
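The per-file dispatch in the Exec block above, together with the UTF-16LE conversion, can be exercised offline on the input samples. The following Python script is an added example and not NXLog code: it builds the four sample files as UTF-16LE bytes (a leading byte-order mark is assumed here, as Windows commonly writes one), decodes them, and applies the same three regular expressions chosen by file name. The decoding step shows the one edge case worth knowing about: a plain UTF-16LE decode keeps the byte-order mark as U+FEFF on the first line, where it would be glued onto the first timestamp, so the script strips it explicitly. File contents, function names and the BOM assumption are this example's own.

```python
import codecs
import re
from typing import Dict, List

# Patterns mirror the three regular expressions in the Exec block above, one per
# log file family; the file name decides which one applies.
MP_RE = re.compile(r"(.*\.\d{3}Z)\s+(.*)")                    # MPLog, MPDetection
EPP_RE = re.compile(r"(\w+)\s+(.*)\s+TID:(\d+)\s+PID:(\d+)")  # EppSetup
MSI_RE = re.compile(r".*\[(.*)\]:(.*)")                        # MSSecurityClient_Setup

# Constructed file contents, assembled from the input samples shown above. The
# real files are UTF-16LE; a leading byte-order mark is assumed by this example.
SAMPLE_FILES: Dict[str, str] = {
    "MPDetection-05312019-191154.log":
        "2019-06-08T13:35:31.153Z Service started - System Center Endpoint Protection "
        "(DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)\r\n",
    "MPLog-05312019-191154.log":
        "************************************************************\r\n"
        "2019-05-31T17:15:17.383Z Process scan (postsignatureupdatescan) started.\r\n"
        "Signature updated via MMPC on 05-31-2019 19:15:17\r\n",
    "EppSetup.log":
        "SUCCESS\t2019/05/31 19:12:05:782 TID:4700 PID:4692\r\n"
        "Setup ended successfully with result: The operation completed successfully.   [00000000] \r\n",
    "MSSecurityClient_Setup_4.7.213.0_epp_Install.log":
        "=== Verbose logging stopped: 5/31/2019  19:11:59 ===\r\n"
        "MSI (s) (28:2C) [19:11:59:329]: Destroying RemoteAPI object.\r\n",
}


def encode_utf16le(text: str) -> bytes:
    """Produce the on-disk form assumed for these logs: BOM followed by UTF-16LE."""
    return codecs.BOM_UTF16_LE + text.encode("utf-16-le")


def decode_utf16le_lines(raw: bytes) -> List[str]:
    """Decode UTF-16LE bytes into lines, dropping the byte-order mark.

    A plain .decode("utf-16-le") keeps the BOM as U+FEFF at the start of the
    first line, which would then be glued onto the first timestamp.
    """
    text = raw.decode("utf-16-le")
    if text.startswith("\ufeff"):
        text = text[1:]
    return text.splitlines()


def parse_line(filename: str, line: str) -> Dict[str, str]:
    """Apply the regex for this file family, falling back to a bare Message
    when the line does not match, as the NXLog Exec block does."""
    event = {"Filename": filename}
    if re.search(r"MPLog|MPDetection", filename):
        m = MP_RE.match(line)
        if m:
            event["EventTime"], event["Message"] = m.group(1), m.group(2)
        else:
            event["Message"] = line
    elif "EppSetup" in filename:
        m = EPP_RE.match(line)
        if m:
            event["Status"], event["EventTime"], event["TID"], event["PID"] = m.groups()
        else:
            event["Message"] = line
    elif "MSSecurityClient_Setup" in filename:
        m = MSI_RE.match(line)
        if m:
            event["EventTime"], event["Message"] = m.group(1), m.group(2)
        else:
            event["Message"] = line
    else:
        event["Message"] = line
    return event


def parse_file(filename: str, raw: bytes) -> List[Dict[str, str]]:
    """Decode one log file and parse every line into an event record."""
    return [parse_line(filename, line) for line in decode_utf16le_lines(raw)]


if __name__ == "__main__":
    for name, text in SAMPLE_FILES.items():
        for event in parse_file(name, encode_utf16le(text)):
            print(event)
```

Note that the MSI log yields only a time of day (19:11:59:329) as EventTime, with the date available only from the "Verbose logging started/stopped" lines; any downstream normalization of that field has to combine the two, which the event sample above illustrates.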

Collecting and parsing SCEP data from an SQL database

SCEP (SCCM) also logs data to an SQL database.

Example 3. Collecting and parsing SCEP data from an SQL database

The following configuration queries the SCCM database with the im_odbc module. This example contains two SQL queries: one collects Last Malware records from the vEP_LastMalware view, and the other collects AV Detection records from v_GS_Threats joined with v_R_System.

nxlog.conf
<Extension _json>
    Module  xm_json
</Extension>

<Input last_malware>
    Module           im_odbc
    ConnectionString DSN=SMS;database=CM_CND;uid=user;pwd=password;
    IdType           timestamp
    SQL      SELECT DetectionTime as id,* \
             FROM vEP_LastMalware \
             WHERE DetectionTime > CAST(? AS datetime)
    Exec     to_json();
</Input>

<Input av_detections>
    Module           im_odbc
    ConnectionString DSN=SMS;database=CM_CND;uid=user;pwd=password;
    IdType           timestamp
    SQL     SELECT DetectionTime as id,* \
            FROM v_GS_Threats \
            INNER JOIN v_R_System \
            ON v_GS_Threats.ResourceID=v_R_System.ResourceID \
            WHERE DetectionTime > CAST(? AS datetime)
    Exec    to_json();
</Input>
Event sample - last malware
{
  "id": "2019-06-20T18:21:14.050000+02:00",
  "RecordID": 72057594037997950,
  "MachineID": 16777219,
  "LastMessageTime": "2019-06-20T18:21:22.597000+02:00",
  "LastMessageSerialNumber": 102,
  "DetectionTime": "2019-06-20T18:21:14.050000+02:00",
  "ActionTime": "2019-06-20T18:21:22.573000+02:00",
  "ProductVersion": "4.7.213.0",
  "DetectionID": "6A70D85D-1AB0-4F20-BCAB-9B9CCEEA5ED5",
  "DetectionSource": 1,
  "PendingActions": 0,
  "Process": "Unknown",
  "UserID": 16777217,
  "ThreatName": "Virus:DOS/EICAR_Test_File",
  "ThreatID": 2147519003,
  "SeverityID": 5,
  "CategoryID": 42,
  "Path": "file:_C:\\Users\\admin\\Downloads\\eicar.com;file:_C:\\Users\\admin\\Downloads\\eicar.com.txt",
  "CleaningAction": 2,
  "ExecutionStatus": 0,
  "ActionSuccess": true,
  "ErrorCode": 0,
  "RemainingActions": 0,
  "LastRemainingActionsCleanTime": null,
  "EventReceivedTime": "2019-06-20T20:22:28.050844+02:00",
  "SourceModuleName": "last_malware",
  "SourceModuleType": "im_odbc"
}
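In both queries above the `?` placeholder is where the last `id` value delivered (here the DetectionTime, since IdType is timestamp) is bound on each polling cycle, so only rows newer than the high-water mark are fetched. The following Python script is an added example, not im_odbc or SCCM code: it simulates that cycle against an in-memory SQLite table standing in for the vEP_LastMalware view, modelling only the RecordID, DetectionTime and ThreatName columns from the event sample above (SQLite stores ISO-8601 text, so a plain string comparison replaces CAST(? AS datetime)). It shows that a strict `>` on a non-unique timestamp skips a row committed later with the same DetectionTime as the high-water mark, and one way to close that gap: re-read the boundary timestamp with `>=` and drop the RecordIDs already delivered. The table, all row values and the function names are constructed for this example.

```python
import sqlite3
from typing import List, Set, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the vEP_LastMalware view (three columns only)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE vEP_LastMalware ("
        "RecordID INTEGER PRIMARY KEY, DetectionTime TEXT NOT NULL, ThreatName TEXT)"
    )
    return conn


def add_detection(conn: sqlite3.Connection, record_id: int,
                  detection_time: str, threat_name: str) -> None:
    conn.execute("INSERT INTO vEP_LastMalware VALUES (?, ?, ?)",
                 (record_id, detection_time, threat_name))
    conn.commit()


# Same shape as the page's query; `?` receives the last id value delivered.
STRICT_SQL = ("SELECT DetectionTime AS id, * FROM vEP_LastMalware "
              "WHERE DetectionTime > ? ORDER BY DetectionTime, RecordID")
# Variant that re-reads the boundary timestamp; duplicates are removed client-side.
INCLUSIVE_SQL = STRICT_SQL.replace("DetectionTime > ?", "DetectionTime >= ?")


def poll_strict(conn: sqlite3.Connection, last_id: str) -> Tuple[List[sqlite3.Row], str]:
    """One polling cycle with the strict `>` comparison used on this page.
    Returns the new rows and the high-water mark to bind on the next cycle."""
    rows = conn.execute(STRICT_SQL, (last_id,)).fetchall()
    return rows, (rows[-1]["id"] if rows else last_id)


def poll_inclusive(conn: sqlite3.Connection, last_id: str,
                   seen: Set[int]) -> Tuple[List[sqlite3.Row], str, Set[int]]:
    """Polling cycle that re-reads rows at the boundary timestamp and drops those
    already delivered (by RecordID), so a row committed later with the same
    DetectionTime as the high-water mark is still collected exactly once."""
    rows = [r for r in conn.execute(INCLUSIVE_SQL, (last_id,))
            if r["RecordID"] not in seen]
    if not rows:
        return rows, last_id, seen
    new_last = rows[-1]["id"]
    new_seen = {r["RecordID"] for r in rows if r["id"] == new_last}
    if new_last == last_id:          # still on the same boundary: keep earlier IDs
        new_seen |= seen
    return rows, new_last, new_seen


def run_scenario() -> dict:
    """Two cycles; the second shows a same-timestamp row being missed by `>`."""
    conn = make_db()
    add_detection(conn, 1, "2019-06-20 18:21:14.050", "Virus:DOS/EICAR_Test_File")
    add_detection(conn, 2, "2019-06-20 18:25:00.000", "Virus:DOS/EICAR_Test_File")
    first, last = poll_strict(conn, "1970-01-01 00:00:00.000")
    # Late-arriving row that shares the high-water-mark timestamp.
    add_detection(conn, 3, "2019-06-20 18:25:00.000", "Virus:DOS/EICAR_Test_File")
    strict_second, _ = poll_strict(conn, last)
    seen_at_boundary = {r["RecordID"] for r in first if r["id"] == last}
    inclusive_second, _, _ = poll_inclusive(conn, last, seen_at_boundary)
    return {
        "first": len(first),
        "high_water_mark": last,
        "strict_second": len(strict_second),
        "inclusive_second": len(inclusive_second),
        "inclusive_record_ids": [r["RecordID"] for r in inclusive_second],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The same reasoning applies to the v_GS_Threats query: whenever several detections can carry an identical DetectionTime, a timestamp alone is not a unique cursor, and a monotonic key such as RecordID (when the view exposes one) makes a safer id column.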
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

Last revision: 08 January 2020