This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

File Search Report

Go to solution
paladium
Engaged Sweeper

‎06-25-2013 07:15 PM

Hello,

I am struggling to customize this query. I want to generate a report that tells us when our DLP executable is not found on just the WIN XP and WIN 7 clients. I can get the full report of everything with and without the DLP executable in it across all OS platforms, but only the WIN XP and WIN 7 clients without the DLP executable needs to be in the report.

Any assistance would be appreciated 🙂

-----------------------
Current query
-----------------------

Select Top 1000000 tsysOS.Image As icon,
  tblAssets.AssetID,
  tblAssets.AssetUnique,
  tblFileVersions.Found,
  tblFileVersions.FileVersion,
  tblAssets.Assettype,
  tblAssets.IPAddress,
  tsysOS.OSname
From tblAssets
  Inner Join tblFileVersions On tblAssets.AssetID = tblFileVersions.AssetID
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tblFileVersions.FilePathfull Like '%edpa.exe'
Order By tblAssets.AssetUnique,
  tblFileVersions.FilePathfull
----------------------------------------- DC, CISSP/CISM Lansweeper Enterprise User
Labels:
0 Kudos
1 ACCEPTED SOLUTION
Go to solution
Hemoco
Lansweeper Alumni

‎06-26-2013 04:26 PM

Please use the report below. (Do not bump threads that are less than a day old. We reply to each post as quickly as possible.)
Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetUnique,
tblFileVersions.Found,
tblFileVersions.FileVersion,
tblAssets.Assettype,
tblAssets.IPAddress,
tsysOS.OSname
From tblAssets
Inner Join tblFileVersions On tblAssets.AssetID = tblFileVersions.AssetID
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tblFileVersions.Found = 0 And (tsysOS.OSname = 'win xp' Or
tsysOS.OSname = 'win 7') And tblFileVersions.FilePathfull Like '%edpa.exe'
Order By tblAssets.AssetUnique,
tblFileVersions.FilePathfull

View solution in original post

10 REPLIES 10
Go to solution
dsnyrs
Engaged Sweeper

‎07-10-2013 06:35 PM

I've disabled:

%programfiles%\symantec\endpoint agent\edpa.exe

and only enabled:

%programfiles(x86)%\symantec\endpoint agent\edpa.exe

I still have HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Endpoint\DisplayName = Endpoint enabled.

My concern is that it will only be scanning 64bit OS'. How will the system be able to differentiate between 32 bit and 64 bit if it's only looking for %programfiles(x86)% .......?

Thanks
0 Kudos
Go to solution
Hemoco
Lansweeper Alumni
In response to dsnyrs

‎07-10-2013 06:59 PM

dsnyrs wrote:
My concern is that it will only be scanning 64bit OS'. How will the system be able to differentiate between 32 bit and 64 bit if it's only looking for %programfiles(x86)% .......?

- %programfiles(x86)% points to Program Files on 32-bit machines.
- %programfiles(x86)% points to Program Files (x86) on 64-bit machines.
Go to solution
Hemoco
Lansweeper Alumni

‎07-10-2013 06:00 PM

Could you please check the Config\Scanned Info\File Info section of one problem machine's Lansweeper webpage. If you submit the file scans below, there will be two results for 64-bit machines.
- Lansweeper will verify whether edpa.exe is present in Program Files.
- Lansweeper will verify whether edpa.exe is present in Program Files (x86).
- If the executable is missing from either location, the machine will show up in the report.
%programfiles%\symantec\endpoint agent\edpa.exe
%programfiles(x86)%\symantec\endpoint agent\edpa.exe


If the file is present in Program Files on 32-bit machines and Program Files (x86) on 64-bit machines, you only need the file scan below.
%programfiles(x86)%\symantec\endpoint agent\edpa.exe
Go to solution
dsnyrs
Engaged Sweeper

‎07-10-2013 05:40 PM

The report I am referring to is:

Workstation: Symantec DLP not installed


Here is the sql for this query:

Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetUnique,
tblFileVersions.Found,
tblFileVersions.FileVersion,
tblAssets.Assettype,
tblAssets.IPAddress,
tsysOS.OSname,
tblAssets.Domain
From tblAssets
Inner Join tblFileVersions On tblAssets.AssetID = tblFileVersions.AssetID
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tblFileVersions.Found = 0 And (tsysOS.OSname = 'win xp' Or
tsysOS.OSname = 'win 7') And tblAssets.Domain = 'CORP' And
tblFileVersions.FilePathfull Like '%edpa.exe'
Order By tblAssets.AssetUnique,
tblFileVersions.FilePathfull
0 Kudos
Go to solution
Hemoco
Lansweeper Alumni

‎07-10-2013 05:34 PM

Could you clarify what you mean by "showing up as DLP not installed". File/registry data doesn't show up in the Software tab of an asset's Lansweeper webpage, if this is what you're asking. It's listed under Config/Scanned Info instead.
Go to solution
dsnyrs
Engaged Sweeper

‎07-10-2013 05:28 PM

Yes, I've rescanned the assests. They are still showing up as DLP not installed.
"Last Scan at 07/10/2013 08:47:00 took 0.06 seconds, waittime is 1 days.
0 Kudos
Go to solution
dsnyrs
Engaged Sweeper

‎07-10-2013 05:02 PM

Hello,

I have everything configured the way Lansweeper has suggested but I am still getting false positives.

I'm getting quite a few workstations showing up as Symantec DLP not installed when in fact it is. I've confirmed the following for both (XP and Win7 workstations)

%programfiles%\symantec\endpoint agent\edpa.exe
%programfiles(x86)%\symantec\endpoint agent\edpa.exe

Also,

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Endpoint\DisplayName = Endpoint

On either the xp machines or Win7 machines, the executable is present, the service is running and the REG key is also present.

Please assist in resolving this false positive.

Thanks in advance.
0 Kudos
Go to solution
Hemoco
Lansweeper Alumni
In response to dsnyrs

‎07-10-2013 05:18 PM

dsnyrs wrote:
On either the xp machines or Win7 machines, the executable is present, the service is running and the REG key is also present.

Did you rescan your machines after submitting your file/registry scans?
- You can rescan assets by clicking the Assets link at the top of the web console, ticking the checkboxes in front of the assets and hitting the Rescan button on the left.
- You can also verify when file/registry info was last rescanned for a particular machine by checking the FILES/REGISTRY item in the Scan Time tab of the machine's Lansweeper webpage.
Go to solution
paladium
Engaged Sweeper

‎06-26-2013 04:54 PM

Thanks for the response. Had a boss pushing me for a response so I did the "bump". Its always the bosses fault 🙂
----------------------------------------- DC, CISSP/CISM Lansweeper Enterprise User
0 Kudos

Reports & Analytics

Ask about reports you're interested in and share reports you've created. Subscribe to receive daily updates of reports shared in the Community.

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now
li.common.scroll-to.top