After seeing that Microsoft's MSERT tool (the Microsoft Safety Scanner) detects the recent Exchange threats (https://www.bleepingcomputer.com/news/security/microsofts-msert-tool-now-finds-web-shells-from-exchange-server-attacks/), I thought it would be prudent, as a secondary measure, to deploy the tool, scan, and make sure everything across our estate was clean. Although I didn't have that problem in my environment, I thought it was a good tool to be able to mass deploy as a secondary scan. The Microsoft Safety Scanner is designed to find and remove malware and is backed by the same definitions as Microsoft Defender. The script always downloads the latest version, and the tool doesn't install anything persistent.
I decided to put together a PowerShell script to deploy it.
It runs in detect-only mode. If you want to force a full scan, change the arguments on line 54 of the script. There is also a piece of code that terminates the script after 30 minutes if the scan is still running; that's on line 57. The tool writes its log to C:\Windows\Debug\Msert.log. The log is overwritten on each run; if you don't want this behaviour, take out line 85.
If you want to deploy this via an RMM, check the script's output for either SUCCESS: or CRITICAL:.
Hope you find it useful! I’ve added the switches below for anyone who wants to play with this interactively.
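As an added example (not the post's own script), here is a compact version of the same flow: download the current MSERT build, verify its Authenticode signature, run it quietly in detect-only mode with a 30-minute timeout, and emit a single SUCCESS:/CRITICAL: line for an RMM to parse. The 64-bit download link, the /F "force full scan" switch and the "Threat detected" log pattern are assumptions taken from Microsoft's Safety Scanner documentation and typical Msert.log output, not from the post.

```powershell
# Added example, not the post's script. Run elevated; MSERT needs admin rights.
param(
    [switch]$FullScan,           # assumed: /F forces a full scan (see MSERT /?)
    [int]$TimeoutMinutes = 30    # matches the post's 30-minute kill timer
)
$DownloadUrl = 'https://go.microsoft.com/fwlink/?LinkId=212732'   # assumed: 64-bit MSERT fwlink
$ExePath     = Join-Path $env:TEMP 'MSERT.exe'
$LogPath     = 'C:\Windows\Debug\Msert.log'                      # log location from the post

function Get-MSERTScanner {
    # Always pull the current build so the scan uses today's Defender definitions.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $DownloadUrl -OutFile $ExePath -UseBasicParsing
    # Refuse to execute a download that is not validly signed by Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $ExePath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        throw "MSERT.exe signature check failed (status: $($sig.Status))"
    }
}

function Start-MSERTScanner {
    # /Q = quiet, /N = detect only (no cleaning); /F added only when -FullScan is given.
    $arguments = if ($FullScan) { '/Q /N /F' } else { '/Q /N' }
    if (Test-Path $LogPath) { Remove-Item $LogPath -Force }   # start from a fresh log
    $proc = Start-Process -FilePath $ExePath -ArgumentList $arguments -PassThru
    if (-not $proc.WaitForExit($TimeoutMinutes * 60 * 1000)) {
        Stop-Process -Id $proc.Id -Force
        throw "MSERT still running after $TimeoutMinutes minutes; terminated"
    }
    return $proc.ExitCode
}

try {
    Get-MSERTScanner
    $exitCode = Start-MSERTScanner
    # Assumed log wording: detections appear as "Threat detected:" lines in Msert.log.
    $hits = Select-String -Path $LogPath -Pattern 'Threat detected' -ErrorAction SilentlyContinue
    if ($hits) {
        Write-Output "CRITICAL: MSERT reported $($hits.Count) finding(s); review $LogPath"
        exit 1
    }
    Write-Output "SUCCESS: MSERT scan completed (exit code $exitCode), no threats found"
    exit 0
}
catch {
    Write-Output "CRITICAL: $($_.Exception.Message)"
    exit 1
}
```

Keep the log for later review even on a SUCCESS: result; a detect-only run leaves anything it finds in place, so the CRITICAL: output is the trigger for a manual investigation, not a cleanup.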
Hi Gavin
You mentioned that you added switches to your PowerShell.
i.e. I tried to run Find-MicrosoftSecurityScannerViolations.ps1 /? and it is actually running MSRT
So I looked at the code, and lines 64-66 are as follows:
function Start-MSERTScanner {
    $Arguments = "/Q /N"    # /Q = quiet, /N = detect only
    $proc = Start-Process -FilePath $EXEPath -ArgumentList $Arguments -PassThru
}
Doesn't that mean that you will always run in Quiet and Detect-Only mode?
I am not that good at PS, so I am not sure how to fix this or even if it is a bug?
Alexandre
The switches are in the picture under his comment.