Custom Inventory Rule to grab file information on a Trend pattern file
We are trying to have KACE show if users have up-to-date virus pattern files for TrendMicro.
We've identified what file we need to grab, but a small annoyance is it's actually 2 files with the same name, but different extension, e.g. icrc$oth.665 and icrc$oth.667 (one is the previous pattern file so it can roll back to it if need be)
I've tried using the below syntax with and without quotes around the file path. I've tried other things like simply just grabbing notepad to see if it exists, and nothing wants to populate the custom inventory field. Any help is appreciated.
FileInfoReturn("C:\Program Files (x86)\Trend Micro\OfficeScan Client\icrc$oth.*", modification_time, DATE)
Answers (3)
Posted by:
aragorn.2003
9 years ago
We're not using TrendMicro, but it looks like these settings can be found within the registry, and it's easier to get a value from a registry key. If I am right, there should be a REG_DWORD value named PatternVer and maybe also PatternDate and PatternTooOldDays.
Custom Inventory Rule then looks like
RegistryValueReturn(HKEY_LOCAL_MACHINE\PATH, KEY, TEXT)
Comments:
-
Thanks for the information.
It doesn't seem to want to return any information in the CIR field.
You were correct about a PatternVer existing, but the data in it doesn't differ from older versions of Trend vs new, so I decided to go with PatternDate to see when it was last updated.
I use the below syntax but it still isn't returning anything. Am I missing something obvious?
RegistryValueReturn(HKEY_LOCAL_MACHINE\Software\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc, PatternDate, REG_SZ) - Ouytree 9 years ago
Posted by:
aragorn.2003
9 years ago
Hi Quytree. Some questions/ideas.
- Did you see the registry value?
- Try to enable debug logging in amp.conf by adding the line "debug=detail" and restart the KACE agent. Then check the KAgent.log under C:\ProgramData\Dell\KACE\user. If this includes error=183, please read the following: https://support.software.dell.com/kb/115133
- Have you set up the right supported operating system in the Software Detail view?
Comments:
-
I've been able to get the registry value return to work on HKeyCurrentUser, nothing returns when using the HKeyLocalMachine paths though.
I've enabled debugging and do get the error 183 and have tried that fix in the link provided but it still doesn't work, and still gives an error 183 which you can see below
Custom Inventory Rule failed on registry operation: logop=6, key='HKLM64\Software\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc\': error=183
It's definitely targeting the right OS as I have gotten this command to work.
EDIT: I've also tried all of this on a couple of 32-bit Windows machines, and still nothing. - Ouytree 9 years ago
Posted by:
jknox
9 years ago
I agree with Aragorn. I set up something similar for McAfee:
RegistryValueReturn(HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine, AVDatVersion, TEXT) AND RegistryValueReturn(HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine, AVDatDate, TEXT)
It returns this:
Comments:
-
I've switched out the reg_sz to text but it's still not returning anything.
Could it be some type of permissions thing? I've just come back from holiday so I'm about to jump in and give it some more testing. - Ouytree 9 years ago
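To check "did you see the registry value?" directly on a client, the following added example (not posted by anyone in this thread, and not KACE code) reads PatternVer and PatternDate through both the 64-bit and 32-bit registry views, using the key path quoted above with and without Wow6432Node. The yyyyMMdd format for PatternDate, the 7-day threshold and the New-Row helper are assumptions made for illustration.

```powershell
# Added example: inspect the Trend Micro pattern values in both registry views.
$subKeys = 'SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc',
           'SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc'
$valueNames = 'PatternVer', 'PatternDate'
$maxAgeDays = 7   # assumed staleness threshold; set to your policy

# Hypothetical helper: one output row per key/value that was probed.
function New-Row($View, $Key, $Name, $Kind, $Data, $AgeDays) {
    [pscustomobject]@{ View = $View; Key = $Key; Name = $Name
                       Kind = $Kind; Data = $Data; AgeDays = $AgeDays }
}

$views = [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32
$results = foreach ($view in $views) {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    try {
        foreach ($subKey in $subKeys) {
            $key = $base.OpenSubKey($subKey)      # $null if absent in this view
            if ($null -eq $key) { New-Row $view $subKey '(key not found)'; continue }
            try {
                foreach ($name in $valueNames) {
                    $data = $key.GetValue($name)
                    if ($null -eq $data) { New-Row $view $subKey "$name (missing)"; continue }
                    $age = $null
                    $parsed = [datetime]::MinValue
                    # Assumption: PatternDate is a yyyyMMdd string.
                    if ($name -eq 'PatternDate' -and [datetime]::TryParseExact(
                            [string]$data, 'yyyyMMdd', [cultureinfo]::InvariantCulture,
                            [System.Globalization.DateTimeStyles]::None, [ref]$parsed)) {
                        $age = [math]::Floor(((Get-Date) - $parsed).TotalDays)
                    }
                    New-Row $view $subKey $name ($key.GetValueKind($name)) $data $age
                }
            } finally { $key.Dispose() }
        }
    } finally { $base.Dispose() }
}

$results | Format-Table -AutoSize
$stale = $results | Where-Object { $null -ne $_.AgeDays -and $_.AgeDays -gt $maxAgeDays }
if ($stale) { Write-Warning "Pattern file older than $maxAgeDays days in at least one view." }
```

The Kind column shows the stored registry type (String, DWord, and so on), which tells you which return type to request in the inventory rule, and the View column shows which hive view actually contains the key.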