Surprisingly, Malwarebytes doesn't even write to the Windows event log, only to its own log files, so nothing alerts us when there's an issue. I talk to my network admin and we decide that we'd like a daily report that tells us which IPs have been blocked; he can then investigate further and decide whether to block the IP at the firewall.
On a daily basis, we need to pull yesterday's log file, select any lines containing "IP-BLOCK", and send him an email with the entries so he can look into the IP addresses. Sounds like a job for PowerShell!
As it happens, Malwarebytes writes its log files in an unusual encoding. My Get-Content fails miserably, producing text with what appears to be a space between every single character. In Notepad++ the text looks fine, but the status bar in the bottom right-hand corner says "UCS-2 LE w/o BOM". That is UTF-16 little-endian with no byte-order mark: every character takes two bytes, and for plain ASCII text the second byte is always 0x00. Without a BOM, Get-Content has nothing to detect the encoding from, so it reads the file with its default encoding and every character comes through followed by a NUL, which the console renders as the apparent spaces. (Get-Content's -Encoding parameter does accept this format; PowerShell calls UTF-16 LE "Unicode", so Get-Content -Encoding Unicode reads the file correctly in one step.) After much Googling, trial, and error, I arrived at a workaround: read the file with Get-Content, write it back out with Out-File using the -Encoding UTF8 switch, and read the new file. The text is now single-byte, but it still contains the NUL characters, so I strip them with -replace "`0","". That's a zero, and the backtick zero is PowerShell's escape sequence for the NUL character. NOW I have some data to work with!
Great, so I put it all together, test it, and schedule it to run nightly at 12:01AM.
Here's the script:
#---------------------- BEGIN SCRIPT -----------------------
#Path to Malwarebytes Log Files
$PathToLogs = "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\"
#Temp File
$TempFile = "C:\Temp\TempFile.txt"
#Yesterday's date, as a string formatted yyyy-MM-dd (the job runs at 12:01 AM, so yesterday's log is complete)
$date = (Get-Date).AddDays(-1).ToString('yyyy-MM-dd')
#Put together the filename we'll be looking for
$FileName = "protection-log-" + $date + ".txt"
#Put together the entire path
$FileFullPath = $PathToLogs + $FileName
#Nothing to report if yesterday's log doesn't exist (e.g. the machine was off all day)
If (-not (Test-Path $FileFullPath)) { exit }
#Read the content from the log file, and send it out with UTF8 encoding to the Temp File
Get-Content $FileFullPath | Out-File -Encoding UTF8 $TempFile
#Read the new content
$UTF8File = Get-Content $TempFile
#Delete the Temp File, since we've read it now
Remove-Item $TempFile -Force
#Specify the character to be removed (backtick zero is PowerShell's escape for NUL)
$RemoveString = "`0"
#Remove the null characters from the file, creating a usable file
$CleanedLog = $UTF8File -replace $RemoveString,""
#Get the lines that have blocked IPs
$BlockedIPs = $CleanedLog | Select-String -Pattern "IP-BLOCK"
#Send an email only if there are IP Block messages. Count the matches BEFORE
#converting to a string: Out-String returns a single string even when there are
#no matches, so counting afterwards always gives 1 and sends an empty email every night.
If (@($BlockedIPs).Count -gt 0){
    #Convert BlockedIPs to a string, so I can use it in the body of my email
    $Body = $BlockedIPs | Out-String
    Send-MailMessage -To netadmin@contoso.com -Subject "PS Report - IPs Blocked by MalwareBytes" -Body $Body -From "helpdesk@contoso.com" -SmtpServer "mailserver.contoso.com"
}
#---------------------- END SCRIPT -----------------------
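The following is an added example, not the script from the post above and not Malwarebytes' own tooling. It builds a small sample log in the encoding the post describes (UTF-16 LE with no BOM), shows why the default Get-Content read produces NUL characters, reads the file correctly in one step with -Encoding Unicode, and then tallies hits per blocked IP so the report carries one row per address instead of every raw line. The sample log lines, the temp file path, and the IP regex are assumptions made for illustration; the real Malwarebytes line format may differ.

```powershell
# Added example (not the original post's script). Reproduces the encoding
# problem on a constructed sample log and shows the one-step fix.
# The layout of $SampleLines is an assumption, not the real Malwarebytes format.

$LogPath = Join-Path $env:TEMP 'protection-log-sample.txt'

# Constructed sample entries (not real Malwarebytes output). The addresses are
# from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
$SampleLines = @(
    '2014-01-15 08:12:01  IP-BLOCK 203.0.113.45 (Type: outgoing, Port: 443)'
    '2014-01-15 08:13:22  Starting IP protection'
    '2014-01-15 09:40:10  IP-BLOCK 198.51.100.7 (Type: incoming, Port: 445)'
    '2014-01-15 11:02:55  IP-BLOCK 203.0.113.45 (Type: outgoing, Port: 80)'
)

# Write the file as UTF-16 LE without a byte-order mark. That is what Notepad++
# reports as "UCS-2 LE w/o BOM": two bytes per character, and for ASCII text the
# second byte is always 0x00.
$Utf16NoBom = New-Object System.Text.UnicodeEncoding($false, $false)
[System.IO.File]::WriteAllLines($LogPath, [string[]]$SampleLines, $Utf16NoBom)

# The wrong read: with no BOM, Get-Content falls back to its default encoding and
# every character arrives followed by a NUL ("`0"), which is what looks like a
# space between each letter in the console.
$Mangled  = Get-Content $LogPath
$NulCount = [regex]::Matches(($Mangled -join ''), "`0").Count
"Default read: $NulCount NUL characters in the text"

# The right read: PowerShell's name for UTF-16 LE is 'Unicode'. This returns
# clean lines directly, with no temp file and no -replace "`0" needed.
$Clean       = Get-Content $LogPath -Encoding Unicode
$StillHasNul = ($Clean -join '').Contains("`0")
"Unicode read still contains NUL: $StillHasNul"

# Pull the IP out of each IP-BLOCK line and count hits per address.
$IpPattern = 'IP-BLOCK\s+(\d{1,3}(?:\.\d{1,3}){3})'
$Report = $Clean |
    Select-String -Pattern $IpPattern |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object @{ Name = 'IP'; Expression = { $_.Name } }, Count

$Report | Format-Table -AutoSize
Remove-Item $LogPath -Force
```

Run it as-is in Windows PowerShell or PowerShell 7; the first line of output shows a non-zero NUL count for the default read, the second shows False for the Unicode read, and the table lists 203.0.113.45 with two hits and 198.51.100.7 with one. The temp-file round trip in the nightly script still works, but the -Encoding Unicode read replaces three steps (write UTF-8, re-read, strip NULs) with one pipeline stage, and the grouped table is a better body for the email than the raw lines when the same address is blocked repeatedly.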