
GLPI Agent 1.12 does not retrieve antivirus information (GLPI 10.0.18) on Windows Server 2022 Datacenter Azure Edition #868

Open
Kisoune opened this issue Mar 11, 2025 · 14 comments
Labels
bug Something isn't working

Comments

@Kisoune

Kisoune commented Mar 11, 2025

Bug reporting acknowledgment

Yes, I read it

Professional support

None

Describe the bug

Hello,

We are experiencing an issue with the GLPI Agent (version 12) installed on our servers. It does not retrieve information about the installed antivirus, while the same agent works correctly on workstations.

System Information:
GLPI Version: 10.0.18
GLPI Agent Version: 12.0
Affected Systems: Windows Server 2022 Datacenter Azure Edition

Image

To reproduce

  1. Install the latest GLPI and GLPI Agent

Expected behavior

Installed antivirus software (e.g., Windows Defender, SentinelOne..) is not detected in GLPI.
On Windows 10/11 workstations, antivirus information is retrieved correctly.

Operating system

Windows

GLPI Agent version

v1.12

GLPI version

10.0.17

GLPIInventory plugin or other plugin version

Not applicable

Additional context

We would like to know if this is a known bug or a configuration issue specific to servers. Is there a fix or a workaround for this issue?

Thank you in advance for your help!

@Kisoune Kisoune added the bug Something isn't working label Mar 11, 2025
@g-bougard g-bougard changed the title GLPI Agent 1.12 does not retrieve antivirus information (GLPI 10.0.18) GLPI Agent 1.12 does not retrieve antivirus information (GLPI 10.0.18) on Windows Server 2022 Datacenter Azure Edition Mar 11, 2025
@g-bougard
Member

Hi @Kisoune

Maybe "Windows Server 2022 Datacenter Azure Edition" doesn't provide the expected data.

Due to Microsoft restrictions, on desktops we can use dedicated WMI objects, but on servers we can only rely on detecting a dedicated service.

Can you share the output of the following commands from that kind of server?

```
wmic /namespace:\\root\SecurityCenter path AntiVirusProduct get /format:list
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /format:list
wmic /namespace:\\root\microsoft\windows\defender path MSFT_MpComputerStatus get /format:list
wmic path Win32_Service get /format:list
```
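The detection order described in the comment above, written out as a PowerShell check. This is an added example, not the GLPI Agent's Perl `Win32::Antivirus` module; the service display-name patterns, the `productState` bit decoding and reading the product version from the service binary are assumptions of the example.

```powershell
# Added example, not GLPI Agent code: the fallback order described in the
# comment above, as CIM queries. Desktop: SecurityCenter2 registrations.
# Server: that namespace is absent, so use Defender's own status class, then
# service detection (display-name patterns for the two products in this issue).
function Get-AntivirusInventory {
    $found = @()

    # 1. Desktop path. productState decoding is the widely used, undocumented one:
    #    bit 0x1000 = real-time protection on, bit 0x10 = signatures out of date.
    try {
        $avs = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop
        foreach ($p in $avs) {
            $state = [int]$p.productState
            $found += [pscustomobject]@{ Name = $p.displayName; Source = 'SecurityCenter2'
                Enabled = (($state -band 0x1000) -ne 0); UpToDate = (($state -band 0x10) -eq 0); Version = $null }
        }
    } catch { Write-Verbose "SecurityCenter2 unavailable (normal on Windows Server): $($_.Exception.Message)" }

    # 2. Server path: Defender's status class, present wherever the Defender platform is installed.
    try {
        $mp = Get-CimInstance -Namespace 'root/Microsoft/Windows/Defender' -ClassName 'MSFT_MpComputerStatus' -ErrorAction Stop
        $found += [pscustomobject]@{ Name = 'Microsoft Defender Antivirus'; Source = 'MSFT_MpComputerStatus'
            Enabled = [bool]$mp.AntivirusEnabled; UpToDate = -not [bool]$mp.DefenderSignaturesOutOfDate
            Version = $mp.AMProductVersion }
    } catch { Write-Verbose "Defender status class unavailable: $($_.Exception.Message)" }

    # 3. Last resort: find the product's service and read the version from its binary.
    $patterns = @{ 'Microsoft Defender Antivirus' = 'Microsoft Defender Antivirus Service'; 'SentinelOne' = 'SentinelOne*' }
    $services = Get-CimInstance -ClassName 'Win32_Service'
    foreach ($name in $patterns.Keys) {
        if ($found.Name -contains $name) { continue }   # already reported by a richer source
        $svc = $services | Where-Object { $_.DisplayName -like $patterns[$name] } | Select-Object -First 1
        if (-not $svc) { continue }
        # PathName may be quoted and carry arguments; keep only the executable.
        $exe = if ($svc.PathName -match '^"?([^"]+?\.exe)') { $Matches[1] } else { $null }
        $version = if ($exe -and (Test-Path -LiteralPath $exe)) { (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion } else { $null }
        # A running service says nothing about signature age, so UpToDate stays unknown here.
        $found += [pscustomobject]@{ Name = $name; Source = 'Win32_Service'
            Enabled = ($svc.State -eq 'Running'); UpToDate = $null; Version = $version }
    }
    return $found
}

Get-AntivirusInventory | Format-Table -AutoSize
```

Run it from an elevated console on both a workstation and a server: on the server the first query fails and the result should still list Defender (from step 2) and SentinelOne (from step 3), which is the gap the issue is about.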

@Kisoune
Author

Kisoune commented Mar 11, 2025

Hi @g-bougard

**wmic /namespace:\\root\SecurityCenter path AntiVirusProduct get /format:list**

```
wmic:ERROR
```

**wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /format:list**

```
wmic:ERROR
```

**wmic /namespace:\\root\microsoft\windows\defender path MSFT_MpComputerStatus get /format:list**

```
AMEngineVersion=1.1.25010.7
AMProductVersion=4.18.25010.11
AMRunningMode=Normal
AMServiceEnabled=TRUE
AMServiceVersion=4.18.25010.11
AntispywareEnabled=TRUE
AntispywareSignatureAge=0
AntispywareSignatureLastUpdated=20250311015218.000000+000
AntispywareSignatureVersion=1.423.336.0
AntivirusEnabled=TRUE
AntivirusSignatureAge=0
AntivirusSignatureLastUpdated=20250311015218.000000+000
AntivirusSignatureVersion=1.423.336.0
BehaviorMonitorEnabled=TRUE
ComputerID=BDD30981-EC61-41FD-9F2F-6CD7438FEA4B
ComputerState=0
DefenderSignaturesOutOfDate=FALSE
DeviceControlDefaultEnforcement=
DeviceControlPoliciesLastUpdated=16010101000000.000000+000
DeviceControlState=Disabled
FullScanAge=4294967295
FullScanEndTime=
FullScanOverdue=FALSE
FullScanRequired=FALSE
FullScanSignatureVersion=
FullScanStartTime=
InitializationProgress=ServiceStartedSuccessfully
IoavProtectionEnabled=TRUE
IsTamperProtected=TRUE
IsVirtualMachine=TRUE
LastFullScanSource=0
LastQuickScanSource=2
NISEnabled=TRUE
NISEngineVersion=1.1.25010.7
NISSignatureAge=0
NISSignatureLastUpdated=20250311015218.000000+000
NISSignatureVersion=1.423.336.0
OnAccessProtectionEnabled=TRUE
ProductStatus=524288
QuickScanAge=126
QuickScanEndTime=20241105043428.413000+000
QuickScanOverdue=FALSE
QuickScanSignatureVersion=1.421.93.0
QuickScanStartTime=20241105043311.666000+000
RealTimeProtectionEnabled=TRUE
RealTimeScanDirection=0
RebootRequired=FALSE
SmartAppControlExpiration=
SmartAppControlState=Off
TamperProtectionSource=ATP
TDTCapable=N/A
TDTMode=N/A
TDTSiloType=N/A
TDTStatus=N/A
TDTTelemetry=N/A
TroubleShootingDailyMaxQuota=
TroubleShootingDailyQuotaLeft=
TroubleShootingEndTime=
TroubleShootingExpirationLeft=
TroubleShootingMode=
TroubleShootingModeSource=
TroubleShootingQuotaResetTime=
TroubleShootingStartTime=
```

PS CUsersXXXXX wmic path Win32_Serv.txt

**wmic path Win32_Service get /format:list | findstr /I "Defender SentinelOne"**

```
Caption=SentinelOne Agent Log Processing Service
Description=Manage logs for SentinelOne Endpoint Protection
DisplayName=SentinelOne Agent Log Processing Service
PathName="C:\Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelServiceHost.exe"
Caption=Windows Defender Firewall
Description=Windows Defender Firewall helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network.
DisplayName=Windows Defender Firewall
Description=Internet Protocol security (IPsec) supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. This service enforces IPsec policies created through the IP Security Policies snap-in or the command-line tool "netsh ipsec". If you stop this service, you may experience network connectivity issues if your policy requires that connections use IPsec. Also,remote management of Windows Defender Firewall is not available when this service is stopped.
Caption=Windows Defender Advanced Threat Protection Service
Description=Windows Defender Advanced Threat Protection service helps protect against advanced threats by monitoring and reporting security events that happen on the computer.
DisplayName=Windows Defender Advanced Threat Protection Service
PathName="C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"
Description=SentinelOne Endpoint Protection Agent
PathName="C:\Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelAgent.exe"
Description=Helper service for SentinelOne Endpoint Protection Agent
PathName="C:\Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelHelperService.exe"
Caption=SentinelOne Static Service
Description=Manage static engines for SentinelOne Endpoint Protection
DisplayName=SentinelOne Static Service
PathName="C:\Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelStaticEngine.exe"
Caption=Microsoft Defender Antivirus Network Inspection Service
DisplayName=Microsoft Defender Antivirus Network Inspection Service
PathName="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25010.11-0\NisSrv.exe"
Caption=Microsoft Defender Antivirus Service
DisplayName=Microsoft Defender Antivirus Service
PathName="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25010.11-0\MsMpEng.exe"
```

@g-bougard
Member

Weird, to me, at least Windows Defender should be reported with the provided data.

We don't actually have support for SentinelOne. Is it detected on desktop computers? And if yes, does it report all the expected data? Can you eventually share the previous commands run on a desktop where SentinelOne is installed (the first 3 ones; the one for Win32_Service is not required for desktop computers)?

Can you also share the output of the following command, which generates a partial antivirus inventory? Run it in an administrative console, on both server and desktop computers. You can also share the generated av.json inventory file, but keep only the "antivirus" json node so as not to share any sensitive data.

```
glpi-inventory --debug --debug --partial=antivirus >av.json
```

Do you know how to retrieve SentinelOne AV status data?

@Kisoune
Author

Kisoune commented Mar 11, 2025

It seems to be working for SentinelOne on desktops. We are actually retrieving the name, version, manufacturer, and whether the agent is active and updated. When I check GLPI's history on a computer, it states that the information was added by user inventory.

Find below the information you requested:

CUsersXXXXXXXwmic namespacerootSecu.txt

av computer.json

When I try the same command on the server, it shows only hardware and BIOS data.

```json
{
  "action": "inventory",
  "content": {
    "bios": {
      "assettag": "",
      "bdate": "2024-08-23",
      "bmanufacturer": "Microsoft Corporation",
      "bversion": "Hyper-V UEFI Release v4.1",
      "mmanufacturer": "Microsoft Corporation",
      "mmodel": "Virtual Machine",
      "msn": "",
      "smanufacturer": "Microsoft Corporation",
      "smodel": "Virtual Machine",
      "ssn": ""
    },
    "hardware": {
      "chassis_type": "Desktop",
      "memory": ,
      "name": "",
      "uuid": "",
      "vmsystem": "Hyper-V",
      "winlang": "",
      "winprodid": "",
      "winprodkey": "",
      "workgroup": ""
    },
    "versionclient": "GLPI-Inventory_v1.12"
  },
  "deviceid": "",
  "itemtype": "Computer",
  "partial": true
}
```

@g-bougard
Member

Okay for SentinelOne on Desktop: only whether it is enabled and which AV version is installed are provided. There's nothing related to a license expiration or base version. Those parts are actually not supported and may indeed not be required. Let us know if this is totally sufficient from your point of view.

About the case on the server, I requested the command output, not just the generated json, so including all the debug log, as maybe we missed something there. I don't see it in the data you provided.

@g-bougard
Member

Hi @Kisoune

I still need the requested command output.

For SentinelOne on Windows Server, can you check if there's a registry key I can read for interesting values? I need the SentinelOne version and, eventually, to know whether it is up-to-date and what the virus database version is. This could also help for Desktop support.

@Kisoune
Author

Kisoune commented Mar 12, 2025

> Hi @Kisoune
>
> I still need the requested command output.
>
> For SentinelOne on Windows Server, can you check if there's a registry key I can check for interesting values ? I need SentinelOne version and eventually to know if it is up-to-date and what's the virus database version. This could also help for Desktop support too.

Hi @g-bougard

Which data are missing? I put the output of the 3 wmic commands in the .txt file. The json file called "Computer av.json" is for the computer part you asked for. With the debug command on the server there's no AV node, only the bios and hardware data.

I'll check for the registry key on the server.

@g-bougard
Member

The "command output" also means what you should see on the command line: all the script debug lines. You didn't share them. I need to see the debug lines from the Win32::Antivirus module.

@Kisoune
Author

Kisoune commented Mar 12, 2025

> The "command output" means also what you should see on the command line: all the script debug lines. You didn't share them. I need to see the debug lines from Win32::Antivirus module.

You are right, I misunderstood what you asked me. Here are the two files you meant:

Output command computer.txt
Output command server.txt

@g-bougard
Member

Okay, the output reminds me that I added SentinelOne support for Linux and MacOSX, but not for Windows, as I didn't have sufficient data. Maybe you'll have the missing part.

Do you have a command like sentinelctl.exe somewhere under C:\Program Files\SentinelOne? If yes, can you run these commands: `sentinelctl.exe version`, `sentinelctl.exe status`, `sentinelctl.exe engines status`, `sentinelctl.exe control status`, `sentinelctl.exe management status`. These commands are inspired by what we do for the inventory on Linux and MacOSX, but I really don't know if these are the right options; feel free to fix them.

@g-bougard
Member

Assuming sentinelctl.exe exists and works like the MacOSX version, can you try this updated Antivirus module?
SentinelOne-win32.zip

Extract the included pm file over the one in your installed agent.

@Kisoune
Author

Kisoune commented Mar 12, 2025

> Okay, the output remembers me I added SentinelOne support for linux and MacOSX, but not for Windows as I didn't have sufficient datas. Maybe you'll have the missing part.
>
> Do you have a command like sentinelctl.exe somewhere under C:\Program Files\SentinelOne ? If yes, can you run the command: sentinelctl.exe version, sentinelctl.exe status, sentinelctl.exe engines status, sentinelctl.exe control status, sentinelctl.exe management status. These commands are inspired by what we do for the inventory on linux and MacOSX, but I really don't know if this is with the right options, feel free to fix them.

Yes, we have Sentinelctl.exe in C:\Program Files\SentinelOne\Sentinel Agent 23.4.4.223

Image

@g-bougard
Member

g-bougard commented Mar 12, 2025

Thank you @Kisoune

`sentinelctl.exe version` is missing, but I assume its output doesn't differ from the MacOSX output.

For the status option, it differs from the MacOSX case.

Anyway, can you test the following updated module?

SentinelOne-win32-v2.zip

@g-bougard
Member

Humpf, sorry, I saw a few typos in the module. Here is my last (I hope) version:

SentinelOne-win32-v3.zip
