paladium
Engaged Sweeper
Hello,

I am struggling to customize this query. I want to generate a report that tells us when our DLP executable is not found on just the WIN XP and WIN 7 clients. I can get the full report of everything with and without the DLP executable in it across all OS platforms, but only the WIN XP and WIN 7 clients without the DLP executable need to be in the report.

Any assistance would be appreciated 🙂

-----------------------
Current query
-----------------------

Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetUnique,
tblFileVersions.Found,
tblFileVersions.FileVersion,
tblAssets.Assettype,
tblAssets.IPAddress,
tsysOS.OSname
From tblAssets
Inner Join tblFileVersions On tblAssets.AssetID = tblFileVersions.AssetID
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tblFileVersions.FilePathfull Like '%edpa.exe'
Order By tblAssets.AssetUnique,
tblFileVersions.FilePathfull
----------------------------------------- DC, CISSP/CISM Lansweeper Enterprise User
1 ACCEPTED SOLUTION
Hemoco
Lansweeper Alumni
Please use the report below. (Do not bump threads that are less than a day old. We reply to each post as quickly as possible.)
Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetUnique,
tblFileVersions.Found,
tblFileVersions.FileVersion,
tblAssets.Assettype,
tblAssets.IPAddress,
tsysOS.OSname
From tblAssets
Inner Join tblFileVersions On tblAssets.AssetID = tblFileVersions.AssetID
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tblFileVersions.Found = 0 And (tsysOS.OSname = 'win xp' Or
tsysOS.OSname = 'win 7') And tblFileVersions.FilePathfull Like '%edpa.exe'
Order By tblAssets.AssetUnique,
tblFileVersions.FilePathfull


10 REPLIES 10
dsnyrs
Engaged Sweeper
I've disabled:

%programfiles%\symantec\endpoint agent\edpa.exe

and only enabled:

%programfiles(x86)%\symantec\endpoint agent\edpa.exe

I still have HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Endpoint\DisplayName = Endpoint enabled.

My concern is that it will only be scanning 64bit OS'. How will the system be able to differentiate between 32 bit and 64 bit if it's only looking for %programfiles(x86)% .......?

Thanks
Hemoco
Lansweeper Alumni
dsnyrs wrote:
My concern is that it will only be scanning 64bit OS'. How will the system be able to differentiate between 32 bit and 64 bit if it's only looking for %programfiles(x86)% .......?

- %programfiles(x86)% points to Program Files on 32-bit machines.
- %programfiles(x86)% points to Program Files (x86) on 64-bit machines.
Hemoco
Lansweeper Alumni
Could you please check the Config\Scanned Info\File Info section of one problem machine's Lansweeper webpage? If you submit the file scans below, there will be two results for 64-bit machines.
- Lansweeper will verify whether edpa.exe is present in Program Files.
- Lansweeper will verify whether edpa.exe is present in Program Files (x86).
- If the executable is missing from either location, the machine will show up in the report.
%programfiles%\symantec\endpoint agent\edpa.exe
%programfiles(x86)%\symantec\endpoint agent\edpa.exe


If the file is present in Program Files on 32-bit machines and Program Files (x86) on 64-bit machines, you only need the file scan below.
%programfiles(x86)%\symantec\endpoint agent\edpa.exe
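
An added example, not part of the original post or a Lansweeper-supplied report: when both file scans above are enabled, a report that filters on Found = 0 lists a machine as soon as one of the two paths is empty. The variant below lists a Win XP or Win 7 asset only when edpa.exe was found at none of its scanned paths. It uses only the tables and columns from the queries in this thread and assumes Found = 1 marks a file that is present.

```sql
-- Added example: Win XP / Win 7 assets where edpa.exe was scanned
-- but not found at ANY scanned path.
-- Assumption: tblFileVersions.Found = 1 means the file is present
-- (the thread's reports use Found = 0 for "missing").
Select Top 1000000 tsysOS.Image As icon,
  tblAssets.AssetID,
  tblAssets.AssetUnique,
  tblAssets.Assettype,
  tblAssets.IPAddress,
  tsysOS.OSname
From tblAssets
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tsysOS.OSname In ('win xp', 'win 7')
  -- The asset has at least one edpa.exe file scan result...
  And Exists (Select 1
    From tblFileVersions
    Where tblFileVersions.AssetID = tblAssets.AssetID
      And tblFileVersions.FilePathfull Like '%edpa.exe')
  -- ...and none of those results reports the file as present.
  And Not Exists (Select 1
    From tblFileVersions
    Where tblFileVersions.AssetID = tblAssets.AssetID
      And tblFileVersions.FilePathfull Like '%edpa.exe'
      And tblFileVersions.Found = 1)
Order By tblAssets.AssetUnique
```

Assets with no edpa.exe file scan result at all are left out, as they are by the inner join in the original report, so a rescan is still needed before a machine can appear.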
dsnyrs
Engaged Sweeper
The report I am referring to is:

Workstation: Symantec DLP not installed


Here is the SQL for this query:

Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetUnique,
tblFileVersions.Found,
tblFileVersions.FileVersion,
tblAssets.Assettype,
tblAssets.IPAddress,
tsysOS.OSname,
tblAssets.Domain
From tblAssets
Inner Join tblFileVersions On tblAssets.AssetID = tblFileVersions.AssetID
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tblFileVersions.Found = 0 And (tsysOS.OSname = 'win xp' Or
tsysOS.OSname = 'win 7') And tblAssets.Domain = 'CORP' And
tblFileVersions.FilePathfull Like '%edpa.exe'
Order By tblAssets.AssetUnique,
tblFileVersions.FilePathfull
Hemoco
Lansweeper Alumni
Could you clarify what you mean by "showing up as DLP not installed"? File/registry data doesn't show up in the Software tab of an asset's Lansweeper webpage, if this is what you're asking. It's listed under Config/Scanned Info instead.
dsnyrs
Engaged Sweeper
Yes, I've rescanned the assets. They are still showing up as DLP not installed.
"Last Scan at 07/10/2013 08:47:00 took 0.06 seconds, waittime is 1 days."
dsnyrs
Engaged Sweeper
Hello,

I have everything configured the way Lansweeper has suggested but I am still getting false positives.

I'm getting quite a few workstations showing up as Symantec DLP not installed when in fact it is. I've confirmed the following for both (XP and Win7 workstations):

%programfiles%\symantec\endpoint agent\edpa.exe
%programfiles(x86)%\symantec\endpoint agent\edpa.exe

Also,

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Endpoint\DisplayName = Endpoint

On either the xp machines or Win7 machines, the executable is present, the service is running and the REG key is also present.

Please assist in resolving this false positive.

Thanks in advance.
Hemoco
Lansweeper Alumni
dsnyrs wrote:
On either the xp machines or Win7 machines, the executable is present, the service is running and the REG key is also present.

Did you rescan your machines after submitting your file/registry scans?
- You can rescan assets by clicking the Assets link at the top of the web console, ticking the checkboxes in front of the assets and hitting the Rescan button on the left.
- You can also verify when file/registry info was last rescanned for a particular machine by checking the FILES/REGISTRY item in the Scan Time tab of the machine's Lansweeper webpage.
paladium
Engaged Sweeper
Thanks for the response. Had a boss pushing me for a response so I did the "bump". It's always the boss's fault 🙂
----------------------------------------- DC, CISSP/CISM Lansweeper Enterprise User