After seeing that the MSERT tool by Microsoft (The Microsoft Safety Scanner) detected recent Exchange threats https://www.bleepingcomputer.com/news/security/microsofts-msert-tool-now-finds-web-shells-from-exchange-server-attacks/, I thought it would be prudent as a secondary measure to deploy the tool, scan, and make sure everything across our estate was clean. Although I didn’t have that problem in my environment, I thought it acted as a good tool to be able to mass deploy as a secondary scan. The tool (Microsoft Safety Scanner) is designed to find and remove malware. It is backed by the same definitions as Microsoft Defender. The script will always download the latest version. It doesn’t install anything persistent.

I decided to put together a PowerShell script to deploy it. 

https://github.com/gavsto/Gavsto-Public-Scripts/blob/master/Find-MicrosoftSecurityScannerViolations.ps1

It runs in detect only mode. If you want to force a full scan, change the arguments on line 54. I have a piece of code in place that terminates the script after 30 minutes if the scan is still running, that’s on line 57. The tool places its log in C:\Windows\Debug\Msert.log. It will overwrite the log each time, if you don’t want this behaviour, take out line 85.

If you want to deploy this via RMM then you want to check the output for either SUCCESS: or CRITICAL:

Hope you find it useful! I’ve added the switches below for anyone who wants to play with this interactively.