/build/static/layout/Breadcrumb_cap_w.png

Custom Inventory Rule to grab file information on a Trend pattern file

We are trying to have kace show if users have up to date virus pattern files for TrendMicro.

We've identified what file we need to grab, but a small annoyance is its actually 2 files with the same name, but different extension e.g icrc$oth.665 and icrc$oth.667 (one is the previous pattern file so it can roll back to it if need be)

I've tried using the below syntax with and without quotes around the file path. I've tried other things like simply just  grabbing notepad to see if it exists, and nothing wants to populate the custom inventory field. Any help is appreciated.

FileInfoReturn("C:\Program Files (x86)\Trend Micro\OfficeScan Client\icrc$oth.*", modification_time, DATE)

0 Comments   [ + ] Show comments

Answers (3)

Posted by: aragorn.2003 8 years ago
Red Belt
1
We´re not using TrendMicro, but it looks like that these settings can be found within the registry and it´s easier to get a value from a registry key. If i´am right there should be a REG_DWORD value named PatternVer and maybe also PatternDate and PatternTooOldDays.


Custom Inventory Rule then looks like

RegistryValueReturn(HKEY_LOCAL_MACHINE\PATH, KEY, TEXT)

Comments:
  • Thanks for the information.

    It doesnt seem to want to return any information in the CIR field.

    You were correct about a PatternVer existing, but the data in it doesn't differ from older versions of trend vs new, so I decided to go with PatternDate to see when it was last updated.

    I use the below syntax but it still isnt returning anything, am I missing something obvious?

    RegistryValueReturn(HKEY_LOCAL_MACHINE\Software\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc, PatternDate, REG_SZ) - Ouytree 8 years ago
    • Try swapping REG_SZ for TEXT. - jknox 8 years ago
      • I've switched out the reg_sz to text but its still not returning anything.

        Could it be some type of permissions thing? I've just come back from holiday so im about to jump in and give it some more testing. - Ouytree 8 years ago
Posted by: aragorn.2003 8 years ago
Red Belt
0
Hi Quytree. Some questions/ideas. 

  • did you see the registry value?
  • try to enable debug logging in amp.conf by adding this line "debug=detail" and restart the KACE agent.
    then check the KAgent.log under C:\ProgramData\Dell\KACE\user. If this includes error=183 please read the following. https://support.software.dell.com/kb/115133
  • Have you setup the right supported operating system in Software Detail view

Comments:
  • Ive been able to get the registry value return to work on HKeyCurrentUser, nothing returns when using the HKeyLocalMachine paths though.

    I've enabled debugging and do get the error 183 and have tried that fix in the link provided but still doesnt work, and still gives an error 183 which you can see below

    Custom Inventory Rule failed on registry operation: logop=6, key='HKLM64\Software\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc\': error=183

    Its definitely targeting the right OS as I have gotten this command to work.

    EDIT: I've also tried all of this on a couple of 32bit windows machines, and still nothing. - Ouytree 8 years ago
Posted by: jknox 8 years ago
Red Belt
0
I agree with Aragorn.  I set up something similar for McAfee:

RegistryValueReturn(HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine, AVDatVersion, TEXT) AND RegistryValueReturn(HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine, AVDatDate, TEXT)

It returns this:



Comments:
  • I've switched out the reg_sz to text but its still not returning anything.

    Could it be some type of permissions thing? I've just come back from holiday so im about to jump in and give it some more testing. - Ouytree 8 years ago

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ