Forcing AV scans from the command line in Forefront
One of the things that annoys me with Forefront is the inability to scan multiple, selected machines in the console.
One way around that is to use the command line and mpcmdrun.exe.
mpcmdrun.exe is the Forefront command-line tool for getting information, but it can also be used to start Forefront scans.
"C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe" -Scan -scantype 1
Forces an immediate quick scan.
"C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe" -Scan -scantype 2
Forces an immediate full scan.
Nifty, eh?
When I get in to work and have a number of Forefront-generated alerts, I drop the machine names from the alerts into a text file.
Using Psexec I can then kick off scans of all these machines just to make sure they are clean:
Psexec @alerted.txt "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe" -Scan -scantype 1
Psexec works through the list machine by machine, but it only moves on to the next machine once the scan on the current one has completed.
For the more serious alerts I prefer to run a full scan:
Psexec @majoralert.txt "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe" -Scan -scantype 2
Running a full scan with Psexec on 20 normal machines could take hours this way!
NOTE: Running a full scan on a PC won’t make any friends. It will most likely generate help desk calls about why their PC is suddenly running slowly. You may want to send an email to the user in question beforehand – or not, you BOFH, you.
On the full scans, I occasionally dump out some of the logs just to have a history file for ammo from the angry user. Forefront does produce a link with the alert email, which points to a pretty SQL reporting page, but I still like the raw data.
Psexec @majoralert.txt "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe" -getfiles
This, annoyingly, drops the file on the remote machine, so I then have to bring the files to my local machine:
Robocopy "\\machinename\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Support" c:\dumps\machinename *.*
Here’s a much nicer guide, with pictures, on retrieving and working with the Forefront client log files.
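An added example, not part of the original post: a PowerShell wrapper that runs the scan, -getfiles and Robocopy steps above for every machine in the list, starting one background job per machine so a long full scan on one machine does not hold up the rest. The parameter names, the per-machine folders under C:\dumps and the use of the C$ administrative share are assumptions.

```powershell
# Added example, not from the original post. Assumptions: psexec.exe and
# robocopy.exe are on PATH, the caller is an admin on every target, and the
# C$ administrative share is reachable (the post's UNC path names no share).
param(
    [string]$ListFile = 'majoralert.txt',  # one machine name per line
    [int]$ScanType    = 2,                 # 1 = quick scan, 2 = full scan
    [string]$DumpRoot = 'C:\dumps'
)

$MpCmdRun = 'C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe'
$Support  = 'c$\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Support'

# Skip blank lines and stray whitespace from pasted alert text.
$machines = Get-Content $ListFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# One background job per machine, so the scans overlap instead of queueing.
$jobs = foreach ($m in $machines) {
    Start-Job -Name $m -ArgumentList $m, $MpCmdRun, $ScanType -ScriptBlock {
        param($machine, $exe, $type)
        # -accepteula stops a first-run licence dialog from hanging the job.
        & psexec.exe "\\$machine" -accepteula $exe -Scan -scantype $type 2>&1 | Out-Null
        $scanExit = $LASTEXITCODE          # PsExec hands back the remote exit code
        & psexec.exe "\\$machine" -accepteula $exe -getfiles 2>&1 | Out-Null
        New-Object PSObject -Property @{
            Machine = $machine; ScanExit = $scanExit; GetFilesExit = $LASTEXITCODE
        }
    }
}

# Collect each machine's Support folder once its scan and -getfiles are done.
$jobs | Wait-Job | Receive-Job | ForEach-Object {
    $dest = Join-Path $DumpRoot $_.Machine
    & robocopy.exe "\\$($_.Machine)\$Support" $dest *.* /R:1 /W:5 | Out-Null
    # Robocopy exit codes below 8 mean the copy succeeded.
    $_ | Add-Member -MemberType NoteProperty -Name LogsCopied -Value ($LASTEXITCODE -lt 8) -PassThru |
        Select-Object Machine, ScanExit, GetFilesExit, LogsCopied
}
$jobs | Remove-Job
```

A machine that is switched off or unreachable shows up as a row with non-zero exit codes and LogsCopied set to False, so it can be retried rather than silently skipped.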
Should you want to run this as a scheduled task to kick off a full scan, create the task with this undocumented command:

3 Comments
Jun 2, 2009 12:07 pm |
I had to use
Psexec @ff.txt "c:\progra~1\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe" -Scan -scantype 2
To get my desktops to run.
Jun 25, 2009 12:41 am |
I have issues trying to run psexec on systems running Forefront. The Forefront client kills off the psexecsvc running on the client box and my command never finishes.
Did you have any problems like this?
Jul 6, 2009 5:30 pm |
I have not run into PSExec being stopped by Forefront. You can add psexecsvc.exe as an allowed process/exe in the Forefront console.
That should fix the problem.