Auditing Forefront Endpoint Protection 2010’s Exclusion List

Disclaimer: I can’t be sure this works for all exclusion scenarios.  My lab machines are set up to use this regkey, but manual tests have shown other regkeys.

# Forefront exclusion list (meant to run inside ForEach-Object over computer names, so $_ is the target host)
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $_)
# -replace doubles every backslash; OpenSubKey accepts the single-backslash path, so the doubling is not required
$subKey = 'SOFTWARE\Microsoft\Microsoft Forefront\Forefront Endpoint Protection\2010\AM' -replace '\\', '\\'
$regKey = $reg.OpenSubKey($subKey)
# True when 'm:\logs' is NOT among the exclusion paths (exact, case-sensitive match); @() copes with a single <Path>
[array]::IndexOf(@(($regKey.GetValue('Policy') -as [xml]).AntiMalware.Exclusions.Paths.Path), 'm:\logs') -eq -1

Here I'm testing whether the machine excludes the log directory. [array]::IndexOf returns -1 when 'm:\logs' is not among the exclusion paths, so the expression prints True for a machine that is missing the exclusion and False for one that has it. Keep in mind that IndexOf is an exact, case-sensitive comparison: 'M:\Logs' or 'm:\logs\' would not match, and the machine would be reported as unprotected when it isn't. Previous versions of Forefront stored exclusion data as separate values under a given key. 2010 stores it as a single [string] value named 'Policy' whose content is an XML document, hence the '-as [xml]' above.

Oh, and the "string" -replace '\\', '\\'? That's to avoid the 'leaning toothpicks' syndrome so common to Perl. In this case, it says "find every '\' character and replace it with '\\'." The pattern is a .NET regular expression, and in regular expressions, as in MOST languages, the backslash is the escape for metacharacters, so '\\' in the pattern means one literal backslash. In the replacement string, .NET gives the backslash no special meaning (only '$' is special there), so '\\' inserts two. PowerShell's own escape character is '`' (backtick), but that only applies where PowerShell itself does the parsing; these two strings pass through PowerShell untouched and are interpreted by .NET. As it happens, the doubling isn't needed at all: OpenSubKey expects the path with single backslashes, and since the line above works on the lab machines it evidently tolerates the doubled ones too.
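The following is an added example, not code from the original post. It turns the one-liner into a small audit that handles the points raised above: it parses the 'Policy' XML, copes with a single <Path> element coming back as a scalar, compares paths case-insensitively and without regard to a trailing backslash, and reports one row per required exclusion per machine. The XML shape (/AntiMalware/Exclusions/Paths/Path, no namespace) is taken from the post's own property chain and is otherwise an assumption; the sample policy XML, the function names and the 'lab-sample' host name are constructed for offline testing and are not captured from a real Forefront install.

```powershell
# Added example (not from the original post): audit FEP 2010 path exclusions.
# Assumptions: Policy is a REG_SZ holding <AntiMalware><Exclusions><Paths><Path>...</Path>
# with no XML namespace; the sample XML below is constructed, not captured from a real host.

$FepPolicyKey = 'SOFTWARE\Microsoft\Microsoft Forefront\Forefront Endpoint Protection\2010\AM'

function Get-FepPolicyXml {
    # Reads the 'Policy' value from a remote (or local) HKLM hive and parses it as XML.
    # Needs the Remote Registry service on the target and admin rights on it.
    param([Parameter(Mandatory)][string]$ComputerName)

    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $hive.OpenSubKey($FepPolicyKey)   # single backslashes are what OpenSubKey expects
        if (-not $key) { throw "FEP 2010 AM key not found on $ComputerName" }
        try {
            $raw = $key.GetValue('Policy')
            if (-not $raw) { throw "Policy value missing on $ComputerName" }
            return [xml]$raw
        } finally { $key.Close() }
    } finally { $hive.Close() }
}

function Get-FepExcludedPaths {
    # Returns the exclusion paths normalised: trimmed, no trailing backslash, lower-case.
    # SelectNodes always yields a list, so a single <Path> is not collapsed to one string.
    param([Parameter(Mandatory)][xml]$Policy)

    foreach ($node in @($Policy.SelectNodes('/AntiMalware/Exclusions/Paths/Path'))) {
        $node.InnerText.Trim().TrimEnd('\').ToLowerInvariant()
    }
}

function Test-FepExclusions {
    # One row per required path: is it present in the policy's exclusion list?
    # Comparison is case-insensitive and ignores a trailing backslash.
    param(
        [Parameter(Mandatory)][xml]$Policy,
        [Parameter(Mandatory)][string[]]$RequiredPath,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $excluded = @(Get-FepExcludedPaths -Policy $Policy)
    foreach ($p in $RequiredPath) {
        $norm = $p.Trim().TrimEnd('\').ToLowerInvariant()
        [pscustomobject]@{
            ComputerName = $ComputerName
            Path         = $p
            Excluded     = ($excluded -contains $norm)
        }
    }
}

# --- Offline demo against a constructed policy document (no Forefront install needed) ---
[xml]$samplePolicy = @'
<AntiMalware>
  <Exclusions>
    <Paths>
      <Path>M:\Logs\</Path>
      <Path>C:\Windows\SoftwareDistribution\DataStore</Path>
    </Paths>
  </Exclusions>
</AntiMalware>
'@

# The post's original check: exact, case-sensitive IndexOf. Against this policy it does not
# find 'm:\logs' although M:\Logs\ is excluded, i.e. it raises a false alarm.
[array]::IndexOf(@($samplePolicy.AntiMalware.Exclusions.Paths.Path), 'm:\logs') -eq -1

# The normalised check, one row per required path.
Test-FepExclusions -Policy $samplePolicy -RequiredPath 'm:\logs', 'D:\Data' -ComputerName 'lab-sample' |
    Format-Table -AutoSize

# Real audit: pipe computer names in. Hosts that cannot be reached surface as warnings
# instead of silently disappearing from the report.
# $computers | ForEach-Object {
#     try   { Test-FepExclusions -Policy (Get-FepPolicyXml $_) -RequiredPath 'm:\logs' -ComputerName $_ }
#     catch { Write-Warning "$_" }
# }
```

Run against the constructed policy, the original IndexOf line evaluates as "not excluded" for m:\logs purely because of case and the trailing backslash, while Test-FepExclusions reports M:\Logs\ as excluded and D:\Data as missing. The registry reads are kept in their own function so the comparison logic can be exercised on saved policy XML without touching any machine.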
