CWA Solution - Malicious Software Removal Tool Scanning & Disabling
Purpose
This solution can run a scan with the Malicious Software Removal Tool (MSRT), or disable or uninstall the tool completely.
Deployment Content
Content | Type | Function |
---|---|---|
Script - Malicious Software Removal Tool Scanner | Script | This script runs the Malicious Software Removal Tool Scanner and logs the result. It also provides an option to have the tool auto-fix the infections it detects. |
Internal Monitor - MSRT Scanner Execute | Monitor | This monitor detects online agents on supported Windows versions (Windows 10, 11, 2016, 2019, and 2022 only) where the client EDF 'MSRT Scanner Enable' is checked and the location and computer exclusion EDFs 'MSRT Scanner Exclude' are not checked. It also excludes agents where the script Malicious Software Removal Tool Scanner ran in the past 7 days. |
Dataview - MSRT Scanner Audit | Dataview | This dataview stores the status of the MSRT scanner result from the script Malicious Software Removal Tool Scanner. |
△ Custom - Execute Script - MSRT Scanner | Alert template | This alert template schedules the script Script - Malicious Software Removal Tool Scanner on the agents detected by the monitor Internal Monitor - MSRT Scanner Execute. |
Disabling Content
Content | Type | Function |
---|---|---|
Monitor - MSRT Disable-Uninstall | Internal Monitor | This monitor detects online Windows 10/11 agents where the MSRT disable/uninstall EDF is checked and the exclusions are not checked. It ignores agents where the disable/uninstall was already done. |
Script - Malicious Software Removal Tool Disable/Unistall | Script | This script blocks the MSRT patches from being enrolled on Windows and can also uninstall MSRT completely. It can run on demand and can also be scheduled as an autofix with the monitor Monitor - MSRT Disable-Uninstall. |
Dataview - MSRT Scanner Audit | Dataview | This dataview stores the status of the MSRT scanner result from the Script - Malicious Software Removal Tool Disable/Unistall. |
△ Custom - Execute Script - MSRT Disable/Uninstall | Alert Template | This alert template schedules the Script - Malicious Software Removal Tool Disable/Unistall on the agents detected by the Monitor - MSRT Disable-Uninstall. |
Implementation
Implement the deployment content
- Import the following content using the ProSync Plugin:
  - Script - Malicious Software Removal Tool Scanner
  - Internal Monitor - MSRT Scanner Execute
  - Dataview - MSRT Scanner Audit
  - △ Custom - Execute Script - MSRT Scanner
  - Run the script Script - Malicious Software Removal Tool Scanner with SetEnvironment = 1 on any machine so that the required EDFs are imported.
- Reload the system cache.
- Configure the solution as outlined below:
  - Navigate to Automation → Monitors within the CWA Control Center and set up the following:
    - Internal Monitor - MSRT Scanner Execute
      - Set up with △ Custom - Execute Script - MSRT Scanner Alert Template.
      - Right-click and Run Now to start the monitor.
    - Ensure the following hashes are whitelisted for script execution:
      - ED06AECD5686944B0A5E5D76C1E7A9EA
      - C8759C7E4979819C0BB39DAF4DC64124
Implement the Disable/Uninstall content
- Import the following content using the ProSync Plugin:
  - Script - Malicious Software Removal Tool Disable/Unistall
  - Internal Monitor - MSRT Disable-Uninstall
  - Dataview - MSRT Scanner Audit
  - △ Custom - Execute Script - MSRT Disable/Uninstall
  - Run the script Script - Malicious Software Removal Tool Disable/Unistall with Set_Environment = 1 on any machine so that the required EDFs are imported.
- Reload the system cache.
- Configure the solution as outlined below:
  - Navigate to Automation → Monitors within the CWA Control Center and set up the following:
    - Internal Monitor - MSRT Disable-Uninstall
      - Set up with △ Custom - Execute Script - MSRT Disable/Uninstall Alert Template.
      - Right-click and Run Now to start the monitor.
    - Ensure the following hashes are whitelisted for script execution:
      - 8E7513A15FC33B38337976B85C0E8C5C