Code:
http://itprosecure.com/blogs/fcs_administration/archive/2009/04/13/forefront-client-security-using-the-log-files-from-the-forefront-client-security-agent-sp1for-analysis.aspx

The Forefront Client Security SP1 Agent includes a number of useful Log Files when Troubleshooting, Identifying General Health or Validating Client Policy. In this Blog entry I offer examples of several of the FCS SP1 Agent-specific Log Files. Typically these Log Files are used in conjunction with the standard tools built into the Operating System (in this case Vista Enterprise SP1), which include the Application Log, System Log and Security Log (now referred to as 'Windows Logs'). Additionally, I wanted to briefly review a very useful Command Line Utility (actually it is the 'core' of the Forefront Client Security SP1 Agent) titled 'mpcmdrun.exe'. 'Mpcmdrun.exe', when used with the '-getfiles' parameter, outputs a number of useful Log Files, some of which are simply collected into a single location for review. The default output path for running the Command Utility 'mpcmdrun.exe -getfiles' is as follows:
'C:\ProgramData\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Support'
The reference material for the output definition for each of the Log Files generated by mpcmdrun.exe is summarized in the following Table as copied directly from the Microsoft TechNet article.
Microsoft Forefront Client Security Operational Logs

If you have ever asked yourself the following questions when working with the Forefront Client Security SP1 Agent, this Blog entry will assist you:

  1. Can I generate additional log files from the Forefront Client Security Agent?
  2. What are the log files for the Forefront Client Security Agent?
  3. How can I tell if Virus Definitions are updating correctly for the Forefront Client Security Agent?
  4. How can I tell if Malware Definitions are updating correctly for the Forefront Client Security Agent?
  5. What registry entries is the Forefront Client Security Agent modifying?
  6. How do I use mpcmdrun.exe to generate log files for the Forefront Client Security Agent?
  7. What log files are generated when I run mpcmdrun.exe -getfiles on a Forefront Client Security Agent?



1. Our goal is to gain access to a File that is by default 'hidden' in Windows Vista (this is Windows Vista Enterprise SP1). I initially log in as a Local Administrator and navigate to the Control Panel. Within the Control Panel Application I then navigate to the 'Folder Options' application. It is here (as a Local Administrator) that I can modify settings to permit viewing 'Hidden Files and Folders'.



2. Upon selecting the 'Hidden Files and Folders' application within the Control Panel I then select 'Properties' for the 'Hidden Files and Folders', then the 'View' Tab. The 'Advanced Settings' dialogue window permits visibility of the Toggle Button titled 'Show Hidden Files and Folders'. I select the Toggle Button to 'Permit' display of 'Hidden Files and Folders'.



3. Next I need to navigate to Windows Explorer to see the File Structure off of the Root Drive (typically C:\ Drive) for this Workstation. I select 'Start Button', 'Computer' then expand the '+' sign next to the 'C:\' to see the Folders on the C:\ Drive. A new Folder is visible that was not previously visible. The target Folder of interest is 'C:\ProgramData'.



4. I expand the 'C:\ProgramData' Folder until the 'Support' Folder is visible. Currently only 1 Log File is visible. This Log File (see reference Table above) is the 'MPLog-XXXXXXX' Log File. One of the benefits of using the 'mpcmdrun.exe' Utility is that this file, along with a list of additional Log Files will appear in this Folder upon execution of the '-getfiles' parameter. We will get to that in a minute!



5. Additionally, when I navigate to the 'Logs' Folder further down the Folder Hierarchy, additional Trace Files of value appear.



6. Separately (I have moved to the 'C:\Windows\WindowsUpdate.txt' File now) we can use this Log File to track the functionality of Windows Update. Windows Update is the mechanism (a possible mechanism) used to update Virus Definitions for the Forefront Client Security SP1 Agent. My intent was to show you this Log File and also to state that this is one of the Log Files that is 'copied' into a single Folder when running 'mpcmdrun.exe -getfiles', as we will do in just a moment.



7. The Windows Firewall Log proves to be a very useful Log File in environments incorporating State-Based Control mechanisms. Again, my intent is to review the File Path for this Log File, understanding that this knowledge allows analysis of all Log Files in a more concise manner for Client Workstations (or Servers for that matter, since Windows 2008 is configured the same way) running the Forefront Client Security SP1 Agent. The 'Default Path' for the Windows Firewall Log has been modified for this configuration by me through a Group Policy Object (GPO).



8. Finally, I move to invoke the 'mpcmdrun.exe -getfiles' Command to harvest a variety of Log Files focused on the Forefront Client Security SP1 Agent. I invoke this Command in a Command Window in a heightened User Context (or in English, I used 'RunAs' to open the Command Prompt as required to comply with User Account Control). Notice upon completion (in the next Screen Capture) the output location and number of Log Files this Command Utility generates.



9. Here is the output of the numerous Log Files specific to the Forefront Client Security SP1 Agent. Also note a single .CAB File is generated with all visible Log Files enclosed within. We are now ready to start reviewing Log Files for Errors, Success or Result Codes.



10. Here are the Log Files we have been working to create using the 'mpcmdrun.exe -getfiles' Command Utility available in the Forefront Client Security SP1 Agent.
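The collection procedure above (elevated context, 'mpcmdrun.exe -getfiles', hidden Support folder) as one script, added here as an example and not part of the original blog entry. The path assigned to $MpCmdRun is an assumed install location for the agent binary, and the error pattern used for triage is a constructed starting point rather than an official error list; the Support folder is the default output path named in the post.

```powershell
# Added example (not from the original post): collect FCS SP1 agent logs with
# 'mpcmdrun.exe -getfiles' and triage the text logs for failure-looking lines.
# ASSUMPTION: $MpCmdRun is an assumed install path; adjust it for your system.
$MpCmdRun   = 'C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe'
$SupportDir = 'C:\ProgramData\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Support'

# -getfiles needs an elevated (Local Administrator) context, as the post notes,
# so fail early instead of producing an empty Support folder.
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
              [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (RunAs Administrator) prompt.' }
if (-not (Test-Path $MpCmdRun)) { throw "mpcmdrun.exe not found at $MpCmdRun (adjust the assumed path)." }

# Harvest the logs; -Wait so the Support folder is fully populated before reading it.
Start-Process -FilePath $MpCmdRun -ArgumentList '-getfiles' -Wait -NoNewWindow

# ProgramData is hidden; -Force lists hidden items, so no Explorer
# 'Show Hidden Files and Folders' change is needed for this step.
$files = @(Get-ChildItem -Path $SupportDir -Force | Where-Object { -not $_.PSIsContainer })
"{0} file(s) collected in {1}:" -f $files.Count, $SupportDir
$files | Sort-Object LastWriteTime -Descending |
    Format-Table Name, Length, LastWriteTime -AutoSize

# Quick triage of the text logs (MPLog-*, WindowsUpdate.*, firewall log, ...):
# constructed pattern for common failure wording and HRESULT-style 0x8... codes.
$pattern = 'error|fail|0x8[0-9a-f]{7}'
foreach ($f in ($files | Where-Object { $_.Extension -match '^\.(log|txt)$' })) {
    $hits = @(Select-String -Path $f.FullName -Pattern $pattern)
    if ($hits.Count -gt 0) {
        "--- {0}: {1} suspicious line(s), showing up to 5 ---" -f $f.Name, $hits.Count
        $hits | Select-Object -First 5 |
            ForEach-Object { "{0}: {1}" -f $_.LineNumber, $_.Line.Trim() }
    }
}
```

The .CAB file that -getfiles also produces is skipped by the extension filter; it contains the same logs and is what you would attach to a support case.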


If you'd like to 'Learn Advanced IT' - check out our new website exchangesummit.net! Use coupon code 'ITPS-777' for $100 off (through 9/1/2009) the Forefront Client Security SP1 Single Server Topology on Windows 2008. Detailed Course Description -15 hours of video training. Free video content as well!

Summary: In this Blog entry I review the numerous Log Files useful when Administering the Forefront Client Security SP1 Agent. Specifically, I focus on using the 'mpcmdrun.exe -getfiles' Command Utility to generate a number of useful Log Files for further analysis. The 'mpcmdrun.exe' utility is a 'Hidden File' and can only be invoked in the User Context of a Local Administrator in the Forefront Client Security SP1 Agent.



