Friday, April 4, 2014

MalwareBytes Blocked IP Reporting

We had a spate of malware attacks on our website recently. We run MalwareBytes Anti-Malware on the box. In the log file, I see that it's blocking IP addresses. Shouldn't there be some reporting? I think so. I start poking around the interface, but there are no reporting options.

Surprisingly, it doesn't even write to the event logs. Only log files. So much for alerting us when there's an issue. I talk to my network admin and we decide that we'd like a daily report that tells us what IPs have been blocked, and then he can investigate further and decide if he wants to block the IP at the Firewall.

On a daily basis, we need to pull yesterday's log file, select any lines with "IP-BLOCK" in them, and send him an email with those entries so he can look into the IP addresses. Sounds like a job for PowerShell!

As it happens, MalwareBytes writes its log files using a weird encoding format. My Get-Content fails miserably, resulting in text output where there appears to be a space between every single character. In Notepad++, the text looks fine, but I notice that in the bottom right-hand corner it says "UCS-2 LE w/o BOM". Weird, this must be encoded differently. Get-Content works with some encoding schemes, but this one is not in the list. After much Googling, trial, and error, I am able to figure out that I need to read the file using Get-Content, then write it back out to a file with a different encoding using the -Encoding UTF8 switch. Now, however, the text file I have contains a bunch of NUL characters. To get rid of these I have to do a -replace "`0","". That's a zero, and the backtick-zero sequence represents the NUL character. NOW I have some data to work with!

Great, so I put it all together, test it, and schedule it to run nightly at 12:01AM.

Here's the script:

#---------------------- BEGIN SCRIPT -----------------------

#Path to Malwarebytes Log Files
$PathToLogs = "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\"

#Temp File
$TempFile = "C:\Temp\TempFile.txt"

#Yesterday's date, as a string formatted yyyy-MM-dd
$date = (Get-Date).AddDays(-1).ToString('yyyy-MM-dd')

#Put together the filename we'll be looking for
$FileName = "protection-log-" + $date + ".txt"

#Put together the entire path
$FileFullPath = $PathToLogs + $FileName

#If yesterday's log does not exist (nothing was logged), there is nothing to report, so stop here instead of erroring on Get-Content
If (-not (Test-Path $FileFullPath)) { exit }

#Read the content from the log file, and send it out with UTF8 encoding to the Temp File
Get-Content $FileFullPath | out-file -Encoding UTF8 $TempFile

#Read the new content
$UTF8File = Get-Content $TempFile

#Delete the Temp File, since we've read it now
Remove-Item $TempFile -Force

#Specify the character to be removed (backtick-zero is the NUL character)
$RemoveString = "`0"

#Remove the null characters from the file, creating a usable file
$CleanedLog = $UTF8File -replace $RemoveString,""

#Get the lines that have blocked IPs
$BlockedIPs = $CleanedLog | select-string -pattern "IP-BLOCK"

#Send an email if there are greater than 0 IP Block messages.
#Count the matches BEFORE converting them to a string: a single string piped to measure-object
#always counts as 1 (even when it is empty), which would send the email every night.
If ((($BlockedIPs | measure-object).count) -gt 0){
    #Convert BlockedIPs to a string, so I can use it in the body of my email
    $Body = $BlockedIPs | out-string
    Send-MailMessage -To netadmin@contoso.com -Subject "PS Report - IPs Blocked by MalwareBytes" -Body $Body -From "helpdesk@contoso.com" -SmtpServer "mailserver.contoso.com"
}

#---------------------- END SCRIPT -----------------------
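As an added example (not part of the original post or of Malwarebytes), here is a variant that reads the UCS-2 LE log directly with -Encoding Unicode (UTF-16 LE, which is what Notepad++ calls UCS-2 LE) instead of round-tripping through a temp file, and aggregates the IP-BLOCK entries into a per-IP count for the report. The sample log lines and their layout are constructed for the demonstration; the only assumption about the real format is that each IP-BLOCK line contains one IPv4 address.

```powershell
# Added example: per-IP summary of IP-BLOCK entries from a Malwarebytes protection log.
# Assumptions (not from the original post): the log is UCS-2 LE without BOM, and each
# IP-BLOCK line contains one IPv4 address. The sample lines below are constructed.

function Get-BlockedIpSummary {
    param([Parameter(Mandatory=$true)][string]$LogPath)

    if (-not (Test-Path $LogPath)) { return @() }

    # -Encoding Unicode reads UTF-16 LE (UCS-2 LE) directly, so no interleaved NULs appear.
    # The -replace on "`0" is kept only as a safety net for any stray NUL characters.
    $lines = Get-Content -Path $LogPath -Encoding Unicode | ForEach-Object { $_ -replace "`0", "" }

    $ipv4 = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
    $lines |
        Where-Object { $_ -match 'IP-BLOCK' } |
        ForEach-Object {
            $m = [regex]::Match($_, $ipv4)
            if ($m.Success) { $m.Value }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{Name='IP'; Expression={$_.Name}}, Count
}

# --- Demonstration with a constructed log (line layout assumed, not real Malwarebytes output) ---
$sample = @(
    "2014/04/03 10:15:22 -0500 HOST01 user IP-BLOCK 203.0.113.7 (Type: outgoing, Port: 49152, Process: chrome.exe)"
    "2014/04/03 10:16:05 -0500 HOST01 user IP-BLOCK 203.0.113.7 (Type: outgoing, Port: 49153, Process: chrome.exe)"
    "2014/04/03 11:02:41 -0500 HOST01 user DETECTION C:\Temp\bad.exe (Trojan.Agent) -> Quarantined"
    "2014/04/03 11:40:09 -0500 HOST01 user IP-BLOCK 198.51.100.23 (Type: incoming, Port: 445, Process: System)"
) -join "`r`n"

$tmp = Join-Path $env:TEMP 'protection-log-sample.txt'
# UnicodeEncoding(bigEndian=$false, byteOrderMark=$false) writes UCS-2 LE without a BOM, like the real log.
[System.IO.File]::WriteAllText($tmp, $sample, (New-Object System.Text.UnicodeEncoding($false, $false)))

$summary = Get-BlockedIpSummary -LogPath $tmp
$summary | Format-Table -AutoSize

# Only build a mail body when there is something to report; plug $Body into the
# same Send-MailMessage call used in the original script.
if (@($summary).Count -gt 0) {
    $Body = $summary | Out-String
}
Remove-Item $tmp -Force
```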
