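; IF SetConsole("hide")
; ENDIF
;
; NT/95 logging - Kixtart 3.62, 3.63, 4.00
;
; (c) scripting@wanadoo.nl - 2000, 2001
;
; vs 2.02 - program (McAfee 4.x)
;
; 1.00 (20000525) original version
; 2.00 (20010401) - kixtart 2001 RC1 compliancy
;                 - using %tmp% value
;                 - Y2K format in dynamic log file
; 2.01 (20010701) - standardization of $debug_file value
; 2.02 (20011120) - suppress SetConsole("hide")
;
; Purpose: read the McAfee VirusScan 4.x state of this workstation from the
; registry (engine / DAT / product versions, on-access scanner switches,
; update tasks) and append one record per workstation to an INI-style list
; file ($log_file), so the anti-virus state of every client running the logon
; script can be reviewed in one place.  Optionally a verbose trace of every
; registry value inspected is written to $debug_file.  On NT two entries are
; also written to the application event log (start / completion).
;
; Security notes for whoever deploys this:
; - both output paths are derived from the user's %tmp%; the user therefore
;   controls where the script writes (anywhere the user may write to).
; - the records are written by the client itself, are not authenticated and
;   the file must be writable by every client.  Treat the list as an
;   inventory aid, never as evidence that a client is actually protected.
; - with $debug_mode="yes" every McAfee value read is echoed, including the
;   license serial number (szSerialNum) and the update FTP location.
;
$prgrm_version="2.02"
;
; - working directory: %tmp% of the logged-on user, without a trailing "\" -
; - (if %tmp% is unset this yields "" and the files land in "\McAfee.lst" /   -
; -  "\kix-info.log" on the current drive - the script does not guard this)   -
$tmp_directory=ExpandEnvironmentVars("%tmp%")
IF (Substr($tmp_directory,Len($tmp_directory),1) = "\")
  $tmp_directory=Substr($tmp_directory,1,Len($tmp_directory)-1)
ENDIF
; --------------------------------------------------------------------------
; - Site Specific Codes
; -
; - 1. "$file" log McAfee information to specified file.
; -    advise: use a hidden directory on server with read + write access.
; -    NOTE: "hidden" (a $ share) is not access control.  Every client must
; -    be able to write the file, so any user can alter or delete the records
; -    of other workstations.  Restrict the ACL to "create/append" if the
; -    file server supports it, and keep a server-side copy if you need the
; -    history to be trustworthy.
;
; - 2. "$debug_mode". usefull for kixtart programmers.
; -    Ship with "no" unless the trace is really needed: the debug list is
; -    written to the user's %tmp% and contains the McAfee serial number.
; - 3. "$debug_file". log McAfee debug information to specified file.
; --------------------------------------------------------------------------
$log_file=$tmp_directory+"\McAfee.lst"
;
$debug_mode="yes"   ; - no/yes - for additional information about checking registry keys -
$debug_file=$tmp_directory+"\kix-info.log"
; --------------------------------------------------------------------------
; - line terminator helpers: CR is Chr(13), LF is Chr(10)                     -
; - (the previous version had the two swapped; $eol is not used in this file, -
; -  but anyone picking it up would have produced LF+CR instead of CR+LF)     -
$cr=Chr(13)
$lf=Chr(10)
$eol=$cr+$lf
;
; - platform: @inwin = 1 means Windows NT, anything else is treated as 95/98 -
IF (@inwin = 1)
  $nt_mode="yes"
ELSE
  $nt_mode="no"
ENDIF
; - an empty @ipaddress0 is taken to mean "no network" -
IF (Len(@ipaddress0) = 0)
  $offline_mode="yes"
ELSE
  $offline_mode="no"
ENDIF
;
; - send all console output ("?") to the debug file (mode 1 = overwrite) -
; - a failure to open the file is ignored: output then simply stays on the -
; - console, nothing is lost but nothing is logged either                   -
IF ($debug_mode = "yes")
  IF (RedirectOutput($debug_file,1) = 0)
  ENDIF
ENDIF
; --------------------------------------------------------------------------
; -                                                                        -
; --------------------------------------------------------------------------
:script_collect_pc_info
$x=""   ; - it will contains all kind of information about workstation and server -
; - f.e.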
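;   00127_000505_23:23:23 DOMAIN=(NT - vs 1.01 L DOMAIN \\SPLxxxxx) 171.077.077.100 00A02ABABEEE mca SPLzzzzz ('MCA')
;   (example from the 1.x format; since 2.00 the first field starts with the
;    four-digit year, i.e. "2000127_000505_23:23:23")
;
; --------------------------------------------------------------------------
; - authenticating domain ($domain) and logon domain ($ldomain)             -
; --------------------------------------------------------------------------
$domain=""
$ldomain=""
IF ($nt_mode = "yes")
  ; NT: both values come from the user's own hive (HKCU).  The user can edit
  ; these, so the recorded domain is what the profile says, not an
  ; authenticated fact; @ldomain / @domain below are the fallbacks.
  $ikey="HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
  IF (ExistKey($ikey) = 0)
    $domain=ReadValue($ikey, "DefaultDomainName")
  ENDIF
  $ikey="HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
  IF (ExistKey($ikey) = 0)
    $ldomain=ReadValue($ikey, "CachePrimaryDomain")
  ENDIF
ELSE
  ; 95/98: network provider settings under HKLM.
  $ikey="HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSNP2\NetworkProvider"
  IF (ExistKey($ikey) = 0)
    $domain=ReadValue($ikey, "AuthenticatingAgent")
  ENDIF
  $ikey="HKEY_LOCAL_MACHINE\Security\Provider"
  IF (ExistKey($ikey) = 0)
    $ldomain=ReadValue($ikey, "Container")
  ENDIF
ENDIF
; - fall back to the KiXtart macros, then to a placeholder -
IF (Len($domain) = 0)
  IF (Len(@ldomain) <> 0)
    $domain=@ldomain
  ELSE
    $domain=@domain
  ENDIF
  IF (Len($domain) = 0)
    $domain="~domain"   ; - unknown @domain/@ldomain value -
  ENDIF
ENDIF
IF (Len($ldomain) = 0)
  $ldomain=$domain
ENDIF
;
; - NT only: "script started" entry in the application event log -
IF ($nt_mode = "yes")
  $time_start=@time
  $log_info="Kixtart-VIC "+$prgrm_version+" script started"
  $log_info=$log_info+" for '"+Lcase(@userid)+"'"
  $log_info=$log_info+" ("+$time_start+" - '"+@ipaddress0+"')"
  IF LogEvent(0, 1, $log_info, "", "Kixtart VIC @kix")
  ENDIF
ENDIF
; --------------------------------------------------------------------------
; - special variables settings                                             -
; --------------------------------------------------------------------------
; - $section : YYYY + day-of-year, zero padded to three digits (7 chars)    -
$section=Substr(@date,1,4)
IF (@ydayno < 10)
  $section=$section+"00"+@ydayno
ELSE
  IF (@ydayno < 100)
    $section=$section+"0"+@ydayno
  ELSE
    $section=$section+@ydayno
  ENDIF
ENDIF
; - $key_stamp : "<section>_<YYMMDD>_<hh:mm:ss> " (note the trailing blank) -
; - $key       : $key_stamp followed by the domain                           -
; - The stamp is kept separately because the record below needs the two     -
; - halves.  The previous version cut $key at a hard-coded column 22, which -
; - was the width of the pre-Y2K stamp; with the four-digit year (2.00) the -
; - stamp is 24 wide, so the seconds were split across the record.          -
$key_stamp=$section+"_"
$key_stamp=$key_stamp+Substr(@date,3,2)+Substr(@date,6,2)+Substr(@date,9,2)
$key_stamp=$key_stamp+"_"
$key_stamp=$key_stamp+@time
$key_stamp=$key_stamp+" "
$key=$key_stamp+$domain
; - calculation of LSERVER variable -
IF (Len(@ipaddress0) = 0)
  $offline_mode="yes"
  IF ($nt_mode = "yes")
    $x=$x+"(NT - vs "+$prgrm_version+" - off-line )"
  ELSE
    $x=$x+"(95 - vs "+$prgrm_version+" - off-line )"
  ENDIF
ELSE
  $offline_mode="no"
  IF (Len(@lserver) = 0)
    $lserver="~lserver "
  ELSE
    $lserver=@lserver   ; - \\spln99999 -
  ENDIF
  ; - "L" marks that the logon domain equals the authenticating domain -
  IF (Lcase($domain) = Lcase($ldomain))
    IF ($nt_mode = "yes")
      $x=$x+"(NT - vs "+$prgrm_version+" L $domain $lserver)"
    ELSE
      $x=$x+"(95 - vs "+$prgrm_version+" L $domain $lserver)"
    ENDIF
  ELSE
    IF ($nt_mode = "yes")
      $x=$x+"(NT - vs "+$prgrm_version+" - $domain $lserver)"
    ELSE
      $x=$x+"(95 - vs "+$prgrm_version+" - $domain $lserver)"
    ENDIF
  ENDIF
ENDIF
; - calculation of ip/mac-address value -
; - @ipaddress0 is blank-padded to 15 chars; blanks become "0" so the      -
; - column stays fixed width ("171.077.077.100")                           -
IF (Len(@ipaddress0) = 15)
  $i=1
  $ip_old=@ipaddress0
  $ip_new=""
  DO
    IF (Substr($ip_old,$i,1) <> " ")
      $ip_new=$ip_new+Substr($ip_old,$i,1)
    ELSE
      $ip_new=$ip_new+"0"
    ENDIF
    $i=$i+1
  UNTIL ($i > 15)
ELSE
  $ip_new="xxx.xxx.xxx.xxx"
ENDIF
$x=$x+" "+$ip_new
;
IF (Len(@address) = 0)
  $address="xxxxxxxxxxxx"
ELSE
  $address=@address
ENDIF
$x=$x+" "+$address
; - calculation of USER variable -
; - NOTE(review): on NT this is Winlogon\DefaultUserName, i.e. the name     -
; - shown in the logon dialog (normally the last user who logged on), not   -
; - necessarily the account running this script; @userid is only the       -
; - fallback when the value is empty - confirm that is what you want logged -
$user=""
IF ($nt_mode = "yes")
  $ikey="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
  IF (ExistKey($ikey) = 0)
    $user=ReadValue($ikey, "DefaultUserName")
  ENDIF
ELSE
  $ikey="HKEY_LOCAL_MACHINE\System\CurrentControlSet\control"
  IF (ExistKey($ikey) = 0)
    $user=ReadValue($ikey, "Current User")
  ENDIF
ENDIF
IF (Len($user) = 0)
  $user=@userid
  IF (Len($user) = 0)
    $user="~user"
  ENDIF
ENDIF
$x=$x+" "+$user
; - calculation of WORKSTATION value -
IF (Len(@wksta) = 0)
  $x=$x+" ~wksta"
ELSE
  $x=$x+" "+@wksta
ENDIF
; - full name and account comment, quoted; "~fullname" when unknown -
IF (Len(@fullname) = 0)
  IF (Len(@comment) = 0)
    $x=$x+" ('~fullname')"
  ELSE
    $x=$x+" ('~fullname'+'"+@comment+"')"
  ENDIF
ELSE
  IF (Len(@comment) = 0)
    $x=$x+" ('@fullname')"
  ELSE
    $x=$x+" ('"+@fullname+"'+'"+@comment+"')"
  ENDIF
ENDIF
$tmp=$x   ; - the finished workstation/server description, used in the record -
IF ($debug_mode = "yes")
  ; cls
  IF ($nt_mode = "yes")
    IF (Len(@ipaddress0) = 0)
      ? "Kixtart "+@kix+" - NT debug mode (vs "+$prgrm_version+")"+" "+@time+" (off-line)"
    ELSE
      ? "Kixtart "+@kix+" - NT debug mode (vs "+$prgrm_version+")"+" "+@time+" (on-line)"
    ENDIF
  ELSE
    IF (Len(@ipaddress0) = 0)
      ? "Kixtart "+@kix+" - 95 debug mode (vs "+$prgrm_version+")"+" "+@time+" (off-line)"
    ELSE
      ? "Kixtart "+@kix+" - 95 debug mode (vs "+$prgrm_version+")"+" "+@time+" (on-line)"
    ENDIF
  ENDIF
  ?
  ? "file "+$log_file
  ? "section "+$section
  ? "key "+$key
  IF (Len(@fullname) = 0)
    ? "user "+$user
  ELSE
    IF (Len(@comment) = 0)
      ? "user "+$user+" ('"+@fullname+"')"
    ELSE
      ? "user "+$user+" ('"+@fullname+"'+'"+@comment+"')"
    ENDIF
  ENDIF
  ?
  ? "workstation "+@wksta+" ("+Lcase(@lanroot)+") C="+GetDiskSpace("c:\")+" KBytes"
  ? "domain "+@domain
  ? "ldomain "+@ldomain
  ? " -> = "+$domain
  ? " "+$ldomain+" (L)"
  ? "ip_adress "+$ip_new+" "+$address
  ?
  ? "debug_mode "+$debug_mode
  ? "offline_mode "+$offline_mode
  ?
ENDIF
; --------------------------------------------------------------------------
; - McAfee VirusScan inventory                                             -
; --------------------------------------------------------------------------
; - $virus collects "name=value" pairs for the debug trace; the variables  -
; - below hold the values that go into the fixed-width record.  The        -
; - on-access flags default to "x" (= value not present in the registry).  -
$virus=""
$virus_def=""        ; - "4.0.4048" -
$virus_engine=""     ; - "4.0.02" -
$virus_product=""    ; - "4.0.2" -
;
$virus_bcanbedisabled="x"
$virus_bdisablescanning="x"
$virus_bloadatstartup="x"
$virus_bscanallfiles="x"
$virus_bscancompressed="x"
$virus_bscanfloppyonshutdown="x"
$virus_bscanincoming="x"
$virus_bscanoutgoing="x"
$virus_bvscan="x"
; - "yes" once the VirusScan version keys were actually found; decides the -
; - event-log source suffix at :end_script.  (Previously never assigned,   -
; - so that test could not succeed.)                                       -
$found_virus_key="no"
;
$execute_mode="yes"
IF ($execute_mode = "yes")
  IF ($debug_mode = "yes")
    ?
    ? "Inventory McAfee version"
    ?
  ENDIF
  ;
  ; Each key below is walked with EnumValue until it returns an empty name.
  ; NOTE(review): an unnamed (Default) value would also return "" and stop
  ; the walk early - confirm none of these keys carries one.
  ; Values marked "*" in the trace are the ones kept for the record.
  $first=""
  $ikey="HKEY_LOCAL_MACHINE\Software\McAfee\VirusScan"
  IF (ExistKey($ikey) = 0)
    $index=0
    IF ($debug_mode = "yes")
      ? $ikey
    ENDIF
    DO
      $icode=EnumValue($ikey, $index)
      IF (Len($icode) <> 0)
        $found=" "
        SELECT
          CASE ($icode = "szEngineVer")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
            $virus_engine=ReadValue($ikey, $icode)
          CASE ($icode = "szProductVer")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
            $virus_product=ReadValue($ikey, $icode)
          CASE ($icode = "szSerialNum")
            ; license serial - ends up in the debug trace; keep $debug_file
            ; out of shared locations if that matters to you
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
          CASE ($icode = "szVirDefVer")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
            $virus_def=ReadValue($ikey, $icode)
          CASE ($icode = "szVirDefDate")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
          CASE 1
        ENDSELECT
        IF ($debug_mode = "yes")
          ? " "+$found+" "+$icode+"="+ReadValue($ikey, $icode)
        ENDIF
      ENDIF
      $index=$index+1
    UNTIL (Len($icode) = 0)
  ENDIF
  ; - on-access scanner counters -
  $ikey="HKEY_LOCAL_MACHINE\Software\McAfee\VirusScan\McShield"
  IF (ExistKey($ikey) = 0)
    $index=0
    IF ($debug_mode = "yes")
      ? $ikey
    ENDIF
    DO
      $icode=EnumValue($ikey, $index)
      IF (Len($icode) <> 0)
        $found=" "
        SELECT
          CASE ($icode = "dwFilesCleaned")
            $virus=$virus+$first+$icode+"="+ReadValue($ikey, $icode)
            $first=" "
            $found="*"
          CASE ($icode = "dwFilesDeleted")
            $virus=$virus+$first+$icode+"="+ReadValue($ikey, $icode)
            $first=" "
            $found="*"
          CASE ($icode = "dwFilesMoved")
            $virus=$virus+$first+$icode+"="+ReadValue($ikey, $icode)
            $first=" "
            $found="*"
          CASE ($icode = "dwFilesScanned")
            $virus=$virus+$first+$icode+"="+ReadValue($ikey, $icode)
            $first=" "
            $found="*"
          CASE 1
        ENDSELECT
        IF ($debug_mode = "yes")
          ? " "+$found+" "+$icode+"="+ReadValue($ikey, $icode)
        ENDIF
      ENDIF
      $index=$index+1
    UNTIL (Len($icode) = 0)
  ENDIF
  ; - on-access scanner switches; each b* value is copied verbatim into one -
  ; - column of the record (assumed to be a single "0"/"1" - not checked)   -
  $ikey="HKEY_LOCAL_MACHINE\Software\McAfee\VirusScan\McShield\CurrentVersion"
  IF (ExistKey($ikey) = 0)
    $index=0
    IF ($debug_mode = "yes")
      ? $ikey
    ENDIF
    DO
      $icode=EnumValue($ikey, $index)
      IF (Len($icode) <> 0)
        $found=" "
        SELECT
          CASE ($icode = "bCanBeDisabled")
            $virus=$virus+$first+$icode+"="+ReadValue($ikey, $icode)
            $first=" "
            $found="*"
            $virus_bcanbedisabled=ReadValue($ikey, $icode)
          CASE ($icode = "bDisableScanning")
            $virus=$virus+$first+$icode+"="+ReadValue($ikey, $icode)
            $first=" "
            $found="*"
            $virus_bdisablescanning=ReadValue($ikey, $icode)
          CASE ($icode = "bLoadAtStartup")
            $virus=$virus+$first+$icode+"="+ReadValue($ikey, $icode)
            $first=" "
            $found="*"
            $virus_bloadatstartup=ReadValue($ikey, $icode)
          CASE ($icode = "bScanAllFiles")
            $virus=$virus+$first+$icode+"="+ReadValue($ikey, $icode)
            $first=" "
            $found="*"
            $virus_bscanallfiles=ReadValue($ikey, $icode)
          CASE ($icode = "bScanCompressed")
            $virus=$virus+$first+$icode+"="+ReadValue($ikey, $icode)
            $first=" "
            $found="*"
            $virus_bscancompressed=ReadValue($ikey, $icode)
          CASE ($icode = "bScanFloppyOnShutdown")
            $virus=$virus+$first+$icode+"="+ReadValue($ikey, $icode)
            $first=" "
            $found="*"
            $virus_bscanfloppyonshutdown=ReadValue($ikey, $icode)
          CASE ($icode = "bScanInComing")
            $virus=$virus+$first+$icode+"="+ReadValue($ikey, $icode)
            $first=" "
            $found="*"
            $virus_bscanincoming=ReadValue($ikey, $icode)
          CASE ($icode = "bScanOutgoing")
            $virus=$virus+$first+$icode+"="+ReadValue($ikey, $icode)
            $first=" "
            $found="*"
            $virus_bscanoutgoing=ReadValue($ikey, $icode)
          CASE ($icode = "bVScan")
            $virus=$virus+$first+$icode+"="+ReadValue($ikey, $icode)
            $first=" "
            $found="*"
            $virus_bvscan=ReadValue($ikey, $icode)
          CASE ($icode = "szLastUpdateFile")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
          CASE ($icode = "szProgExts")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
          CASE ($icode = "szTaskName")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
          CASE 1
        ENDSELECT
        IF ($debug_mode = "yes")
          ? " "+$found+" "+$icode+"="+ReadValue($ikey, $icode)
        ENDIF
      ENDIF
      $index=$index+1
    UNTIL (Len($icode) = 0)
  ENDIF
  ; - scheduled upgrade task                                                -
  ; - NOTE(review): szUpdateFtpLocation is traced verbatim; if your build   -
  ; - embeds credentials in that URL they land in the debug file - check    -
  $ikey="HKEY_LOCAL_MACHINE\Software\McAfee\VirusScan\Tasks\Upgrade"
  IF (ExistKey($ikey) = 0)
    $index=0
    IF ($debug_mode = "yes")
      ? $ikey
    ENDIF
    DO
      $icode=EnumValue($ikey, $index)
      IF (Len($icode) <> 0)
        $found=" "
        SELECT
          CASE ($icode = "bSchedEnabled")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
          CASE ($icode = "szLastUpdateFile")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
          CASE ($icode = "szTaskName")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
          CASE ($icode = "szUpdateFtpLocation")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
          CASE 1
        ENDSELECT
        IF ($debug_mode = "yes")
          ? " "+$found+" "+$icode+"="+ReadValue($ikey, $icode)
        ENDIF
      ENDIF
      $index=$index+1
    UNTIL (Len($icode) = 0)
  ENDIF
  ; - scheduled DAT update task (same values as the upgrade task) -
  $ikey="HKEY_LOCAL_MACHINE\Software\McAfee\VirusScan\Tasks\Update"
  IF (ExistKey($ikey) = 0)
    $index=0
    IF ($debug_mode = "yes")
      ? $ikey
    ENDIF
    DO
      $icode=EnumValue($ikey, $index)
      IF (Len($icode) <> 0)
        $found=" "
        SELECT
          CASE ($icode = "bSchedEnabled")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
          CASE ($icode = "szLastUpdateFile")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
          CASE ($icode = "szTaskName")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
          CASE ($icode = "szUpdateFtpLocation")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
          CASE 1
        ENDSELECT
        IF ($debug_mode = "yes")
          ? " "+$found+" "+$icode+"="+ReadValue($ikey, $icode)
        ENDIF
      ENDIF
      $index=$index+1
    UNTIL (Len($icode) = 0)
  ENDIF
  ; - legacy Scan95 settings -
  $ikey="HKEY_LOCAL_MACHINE\Software\McAfee\Scan95"
  IF (ExistKey($ikey) = 0)
    $index=0
    IF ($debug_mode = "yes")
      ? $ikey
    ENDIF
    DO
      $icode=EnumValue($ikey, $index)
      IF (Len($icode) <> 0)
        $found=" "
        SELECT
          CASE ($icode = "DATFile")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
          CASE ($icode = "bVShieldEnabled")
            $virus=$virus+$first+$icode+"="+ReadValue($ikey, $icode)
            $first=" "
            $found="*"
          CASE ($icode = "szLangID")
            $virus=$virus+$first+$icode+"='"+ReadValue($ikey, $icode)+"'"
            $first=" "
            $found="*"
          CASE 1
        ENDSELECT
        IF ($debug_mode = "yes")
          ? " "+$found+" "+$icode+"="+ReadValue($ikey, $icode)
        ENDIF
      ENDIF
      $index=$index+1
    UNTIL (Len($icode) = 0)
  ENDIF
  ; --------------------------------------------------------------------------
  ; - write the record: INI section = "<domain>_NT" / "<domain>_95",          -
  ; - key = "<wksta padded to 15> <section>", value = the record.             -
  ; - Workstations without VirusScan keys go to "<section>_error" instead.    -
  ; - The pad strings must be at least as wide as the column they fill        -
  ; - (Substr only truncates); they are written out in full here.             -
  ; --------------------------------------------------------------------------
  $file_x=$log_file
  IF ($nt_mode = "yes")
    $section_x=$domain+"_NT"
  ELSE
    $section_x=$domain+"_95"
  ENDIF
  $key_x=""
  $key_x=$key_x+Substr(Lcase(@wksta)+"               ",1,15)+" "
  $key_x=$key_x+$section_x
  $xxx=""
  IF (Len($virus_def) <> 0) OR (Len($virus_engine) <> 0)
    $found_virus_key="yes"
    ; - stamp | DAT(10) | engine(10) | product(7) | nine flag chars | domain | description -
    $xxx=$xxx+$key_stamp
    $xxx=$xxx+Substr(Lcase($virus_def)+"          ",1,10)
    $xxx=$xxx+Substr(Lcase($virus_engine)+"          ",1,10)
    $xxx=$xxx+Substr(Lcase($virus_product)+"       ",1,7)
    $xxx=$xxx+$virus_bcanbedisabled
    $xxx=$xxx+$virus_bdisablescanning
    $xxx=$xxx+$virus_bloadatstartup
    $xxx=$xxx+$virus_bscanallfiles
    $xxx=$xxx+$virus_bscancompressed
    $xxx=$xxx+$virus_bscanfloppyonshutdown
    $xxx=$xxx+$virus_bscanincoming
    $xxx=$xxx+$virus_bscanoutgoing
    $xxx=$xxx+$virus_bvscan
    $xxx=$xxx+" "
    $xxx=$xxx+$domain+" "+$tmp
  ELSE
    $xxx=$xxx+$key+" "+$tmp
  ENDIF
  ;
  IF ($debug_mode = "yes")
    ?
    ? " file_x = "+$log_file
    IF (Len($virus_def) = 0) AND (Len($virus_engine) = 0)
      ? " section_x = "+$section_x+"_error"
      ? " key_x = "+$key_x+"_error"
    ELSE
      ? " section_x = "+$section_x
      ? " key_x = "+$key_x
    ENDIF
    ? " xxx = "+$xxx
    ?
  ENDIF
  ; - writing an empty value removes the entry from the *other* section, so -
  ; - a workstation is listed in exactly one of the two.  Return values are  -
  ; - discarded: a write failure (file locked by another client, ACL) is     -
  ; - silent and the workstation simply keeps its previous record.           -
  IF (Len($virus_def) = 0) AND (Len($virus_engine) = 0)
    IF WriteProfileString($file_x, $section_x, $key_x, "")
    ENDIF
    IF WriteProfileString($file_x, $section_x+"_error", $key_x+"_error", $xxx)
    ENDIF
  ELSE
    IF WriteProfileString($file_x, $section_x+"_error", $key_x+"_error", "")
    ENDIF
    IF WriteProfileString($file_x, $section_x, $key_x, $xxx)
    ENDIF
  ENDIF
ELSE
  IF ($debug_mode = "yes")
    ?
    ? "Inventory McAfee version: SKIPPED"
    ?
  ENDIF
ENDIF
; --------------------------------------------------------------------------
; - wrap-up                                                                -
; --------------------------------------------------------------------------
; - console output back to the screen -
IF (RedirectOutput("",1) = 0)
ENDIF
;
IF ($debug_mode = "yes")
  IF ($nt_mode = "yes")
    ? "Kixtart "+@kix+" - NT debug mode (vs "+$prgrm_version+")"+" "+@time
  ELSE
    ? "Kixtart "+@kix+" - 95 debug mode (vs "+$prgrm_version+")"+" "+@time
  ENDIF
  ?
ENDIF
:end_script
; - NT only: completion entry in the application event log.  The message   -
; - says "completed successfully" even when no VirusScan keys were found;   -
; - the event source suffix ("c" when found, "s" otherwise) is the only     -
; - hint in the event log.                                                  -
IF ($nt_mode = "yes")
  $time_stop=@time
  $log_info="Kixtart-VIC "+$prgrm_version+" script completed successfully"
  $log_info=$log_info+" for '"+Lcase($user)+"' "+Ucase($domain)
  $log_info=$log_info+" ("+$time_start+" - "+$time_stop+" - '"+$ip_new+"')"
  IF (Len(@fullname) > 0)
    $log_info=$log_info+" '"+Lcase(@fullname)+"'"
  ENDIF
  IF ($found_virus_key = "yes")
    IF LogEvent(0, 1, $log_info, "", "Kixtart VIC @kix"+"c")
    ENDIF
  ELSE
    IF LogEvent(0, 1, $log_info, "", "Kixtart VIC @kix"+"s")
    ENDIF
  ENDIF
ENDIF
;
? "Informative McAfee.KIX: create dynamic list '"+$log_file+"'"
IF ($debug_mode = "yes")
  ? "Informative McAfee.KIX: create debug list '"+$debug_file+"'"
ELSE
  ? "Informative McAfee.KIX: no creation of debug list '"+$debug_file+"'"
ENDIF
;
BREAK ON
FLUSHKB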