1 Reply Latest reply on Nov 30, 2012 8:17 AM by tonyb99

    Sysinternals Autoruns deployment via ePO (EEDK)

    mcafeenewb

      I had a need to gather information from various client machines to investigate start up items and such. Some of the machines I did not have permissions to connect and remote execute various commands, plus that process became a bit lengthy. So I utilized the McAfee ePO EEDK to create a package to execute AutorunsC.exe (command line version) on the endpoint and then export the data to a share to review at a later time.

       

      I felt this was something that GetSusp was missing and could come in handy for systems that may require attention.

       

      You wil first need to package AutorunsC.exe into a seperate executeable that will contain all the instructions (passing the commands from the Deployment Task in ePO did not work out very well). I used AutoIt to create the package.

       

      Here is an example of the code; you will need to modify for your needs.

       

      FileInstall("C:\folder\autorunsc.exe", "C:\folder\autorunsc.exe")

      Runwait(@ComSpec & " /c " & "C:\folder\autorunsc.exe -accepteula -a -f -m -c > C:\folder\AutoRunsC.csv", "", @SW_HIDE)

      FileCopy("C:\folder\AutoRunsC.csv", "\\YOURSERVER.YOURDOMAIN.com\YOURSHARE$\AutoRunsC\" & @ComputerName & ".csv", 9)

       

       

      The First line is only needed for the compiling of the script into the executable. If you are familiar with AutoIt or AutoHotKey then it will make sense

      The Second line executes autorunsc.exe siliently with the switches of my choice; it then dumps the results to a file on the local system

      The Third line copies that file to my server, into a share I dedicated for this data and names the file "Computername.csv"

       

      Once you compile this into an executable, then use the EEDK to have it signed by your ePO server and available as a deployable product. I set the task as a run once for systems I had tagged as "Potentially Infected". Once they checked in and invoked the task, I had my data.

       

      Enjoy.