Inexpensive Security


Hello my good people,

This post came about because I read a thread by Taylor "@SwiftOnSecurity" on Twitter. (Follow her if you can, she has amazing ideas about information security and corn.) This is her original idea; I just built a script to implement it in my own way.

Anyway, the principle is that you should not assume that your AV/EDR is always working as expected in your environment. Thus, it's a good practice to build a health check of your solution that is independent of the AV/EDR engine itself. There are many ways to do this (e.g. Group Policy), but I chose something that I am more comfortable with: PowerShell scripts.

This script is to be deployed as a scheduled task that runs periodically and checks whether any of the AV engine's services have been stopped.

If it finds one, the script starts the services related to the program and sends an email to a monitored mailbox with the name of the computer and the logged-in user.
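The following is an added example of that check, written for this post as an illustration and not the script from the repo linked below. It assumes two Symantec Endpoint Protection service names (SepMasterService and SmcService; confirm them with Get-Service on a healthy host, or swap in your own product's services), placeholder mail settings, and that the scheduled task runs as SYSTEM so that it has the rights to start services and write to the event log.

```powershell
# AV/EDR service health check, independent of the AV engine itself.
# Added example for this post; service names, mailbox and SMTP host are assumptions.
param(
    [string[]]$ServiceNames = @('SepMasterService', 'SmcService'),   # assumed SEP services; verify locally
    [string]$MailTo         = 'soc-alerts@example.com',              # placeholder monitored mailbox
    [string]$MailFrom       = "$env:COMPUTERNAME@example.com",       # placeholder sender
    [string]$SmtpServer     = 'smtp.example.com',                    # placeholder relay
    [string]$EventSource    = 'AVHealthCheck'                        # assumed event log source name
)

# Interactive user, if any; $null on a host with nobody logged on.
$loggedOnUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName

# Collect one record per service that is missing or not running.
$findings = foreach ($name in $ServiceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # A missing service is worse than a stopped one: report it, nothing to start.
        [pscustomobject]@{ Service = $name; Status = 'NotInstalled'; Action = 'none' }
        continue
    }
    if ($svc.Status -ne 'Running') {
        $action = 'start-attempted'
        try {
            Start-Service -Name $name -ErrorAction Stop
            $svc.Refresh()
            if ($svc.Status -eq 'Running') { $action = 'restarted' }
        } catch {
            # Typical causes: service disabled, or tampering protection blocking the start.
            $action = "start-failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Service = $name; Status = [string]$svc.Status; Action = $action }
    }
}

if (-not $findings) { return }   # all good, stay quiet

$body = @"
Host:       $env:COMPUTERNAME
Logged on:  $loggedOnUser
Checked at: $(Get-Date -Format o)

$($findings | Format-Table -AutoSize | Out-String)
"@

# Leave a local trace as well, so a SIEM picks it up even if mail is blocked.
# Registering the source needs admin rights once; SYSTEM has them.
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}
Write-EventLog -LogName Application -Source $EventSource -EventId 1001 -EntryType Warning -Message $body

# Send-MailMessage is marked obsolete in newer PowerShell releases but still ships
# in Windows PowerShell 5.1, which is what most endpoints run.
Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpServer `
    -Subject "[AV health] $env:COMPUTERNAME : $(@($findings).Count) service issue(s)" `
    -Body $body
```

Register it with Register-ScheduledTask using a SYSTEM principal and a repeating trigger (for example New-ScheduledTaskTrigger -Once with a RepetitionInterval of 15 minutes). One caveat: whoever has enough rights to stop the AV service usually has enough to delete the scheduled task too, and a script that only mails on findings goes silent in that case, so if you rely on this beyond a few hosts, have it also log a periodic "checked, all running" event and alert on its absence.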

This may not necessarily scale to a very large environment where you are already getting a lot of alerts from different solutions.

I will address the issue of scalability with the next iterations of the script, but let's keep in mind that the objective is not to build a full blown monitoring capability.

Thank you

GitHub repo Here

PS: This is based on the Symantec AV that I had running on one of my systems and you will need to adapt it to your needs. Use this code at your own risk
