File Search Report

paladium · ‎06-25-2013

Hello,

I am struggling to customize this query. I want to generate a report that tells us when our DLP executable is not found on just the WIN XP and WIN 7 clients. I can get the full report of everything with and without the DLP executable in it across all OS platforms, but only the WIN XP and WIN 7 clients without the DLP executable needs to be in the report.

Any assistance would be appreciated 🙂

-----------------------
Current query
-----------------------


Select Top 1000000 tsysOS.Image As icon,
  tblAssets.AssetID,
  tblAssets.AssetUnique,
  tblFileVersions.Found,
  tblFileVersions.FileVersion,
  tblAssets.Assettype,
  tblAssets.IPAddress,
  tsysOS.OSname
From tblAssets
  Inner Join tblFileVersions On tblAssets.AssetID = tblFileVersions.AssetID
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tblFileVersions.FilePathfull Like '%edpa.exe'
Order By tblAssets.AssetUnique,
  tblFileVersions.FilePathfull

----------------------------------------- DC, CISSP/CISM Lansweeper Enterprise User

Hemoco · ‎06-26-2013

Please use the report below. (Do not bump threads that are less than a day old. We reply to each post as quickly as possible.)

Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetUnique,
tblFileVersions.Found,
tblFileVersions.FileVersion,
tblAssets.Assettype,
tblAssets.IPAddress,
tsysOS.OSname
From tblAssets
Inner Join tblFileVersions On tblAssets.AssetID = tblFileVersions.AssetID
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tblFileVersions.Found = 0 And (tsysOS.OSname = 'win xp' Or
tsysOS.OSname = 'win 7') And tblFileVersions.FilePathfull Like '%edpa.exe'
Order By tblAssets.AssetUnique,
tblFileVersions.FilePathfull

View solution in original post

dsnyrs · ‎07-10-2013

I've disabled:

%programfiles%\symantec\endpoint agent\edpa.exe

and only enabled:

%programfiles(x86)%\symantec\endpoint agent\edpa.exe

I still have HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Endpoint\DisplayName = Endpoint enabled.

My concern is that it will only be scanning 64bit OS'. How will the system be able to differentiate between 32 bit and 64 bit if it's only looking for %programfiles(x86)% .......?

Thanks

Hemoco · ‎07-10-2013

dsnyrs wrote:
My concern is that it will only be scanning 64bit OS'. How will the system be able to differentiate between 32 bit and 64 bit if it's only looking for %programfiles(x86)% .......?

- %programfiles(x86)% points to Program Files on 32-bit machines.
- %programfiles(x86)% points to Program Files (x86) on 64-bit machines.

Hemoco · ‎07-10-2013

Could you please check the Config\Scanned Info\File Info section of one problem machine's Lansweeper webpage. If you submit the file scans below, there will be two results for 64-bit machines.
- Lansweeper will verify whether edpa.exe is present in Program Files.
- Lansweeper will verify whether edpa.exe is present in Program Files (x86).
- If the executable is missing from either location, the machine will show up in the report.

%programfiles%\symantec\endpoint agent\edpa.exe
%programfiles(x86)%\symantec\endpoint agent\edpa.exe

If the file is present in Program Files on 32-bit machines and Program Files (x86) on 64-bit machines, you only need the file scan below.

%programfiles(x86)%\symantec\endpoint agent\edpa.exe

dsnyrs · ‎07-10-2013

The report I am referring to is:

Workstation: Symantec DLP not installed

Here is the sql for this query:

Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetUnique,
tblFileVersions.Found,
tblFileVersions.FileVersion,
tblAssets.Assettype,
tblAssets.IPAddress,
tsysOS.OSname,
tblAssets.Domain
From tblAssets
Inner Join tblFileVersions On tblAssets.AssetID = tblFileVersions.AssetID
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tblFileVersions.Found = 0 And (tsysOS.OSname = 'win xp' Or
tsysOS.OSname = 'win 7') And tblAssets.Domain = 'CORP' And
tblFileVersions.FilePathfull Like '%edpa.exe'
Order By tblAssets.AssetUnique,
tblFileVersions.FilePathfull

Hemoco · ‎07-10-2013

Could you clarify what you mean by "showing up as DLP not installed". File/registry data doesn't show up in the Software tab of an asset's Lansweeper webpage, if this is what you're asking. It's listed under Config/Scanned Info instead.

dsnyrs · ‎07-10-2013

Yes, I've rescanned the assests. They are still showing up as DLP not installed.
"Last Scan at 07/10/2013 08:47:00 took 0.06 seconds, waittime is 1 days.

dsnyrs · ‎07-10-2013

Hello,

I have everything configured the way Lansweeper has suggested but I am still getting false positives.

I'm getting quite a few workstations showing up as Symantec DLP not installed when in fact it is. I've confirmed the following for both (XP and Win7 workstations)

%programfiles%\symantec\endpoint agent\edpa.exe
%programfiles(x86)%\symantec\endpoint agent\edpa.exe

Also,

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Endpoint\DisplayName = Endpoint

On either the xp machines or Win7 machines, the executable is present, the service is running and the REG key is also present.

Please assist in resolving this false positive.

Thanks in advance.

Hemoco · ‎07-10-2013

dsnyrs wrote:
On either the xp machines or Win7 machines, the executable is present, the service is running and the REG key is also present.

Did you rescan your machines after submitting your file/registry scans?
- You can rescan assets by clicking the Assets link at the top of the web console, ticking the checkboxes in front of the assets and hitting the Rescan button on the left.
- You can also verify when file/registry info was last rescanned for a particular machine by checking the FILES/REGISTRY item in the Scan Time tab of the machine's Lansweeper webpage.

paladium · ‎06-26-2013

Thanks for the response. Had a boss pushing me for a response so I did the "bump". Its always the bosses fault 🙂

----------------------------------------- DC, CISSP/CISM Lansweeper Enterprise User

File Search Report

Reports & Analytics

New to Lansweeper?

Try Lansweeper For Free