Failure to detect software as Antivirus. #565

Open
danielbarciela opened this issue Dec 22, 2023 Discussed in #270 · 9 comments
Labels
enhancement New feature or request Need feedback

Comments

@danielbarciela

It has been detected that the GLPI agent's software inventory does not correctly recognize the antivirus categorization for some assets. For instance, Cortex XDR™ Advanced Endpoint Protection does recognize it as an antivirus; however, Cortex XDR 8.1.2.47081 does not. Both have the same version and the same manufacturer.

@g-bougard
Member

Hi @danielbarciela

this means this AV is not supported by GLPI-Agent. If you want this support, can you provide what can be done on the system to recover its status? Version, database version, whether it is enabled or up-to-date, and so on. Also, on which operating system does this AV run?

@danielbarciela
Author

Hi @g-bougard,

The antivirus version is 8.1.2.47081. The antivirus is enabled and up to date. The antivirus is running on systems 'Microsoft Windows 10 Pro', 'Microsoft Windows 10 Enterprise', and 'Microsoft Windows 11 Pro'.

Thanks !

@g-bougard
Member

Hi @danielbarciela

okay thank you.

Can it be downloaded publicly and installed as a trial version? If yes, can you provide a link to the official download site?

@g-bougard
Member

Hello @danielbarciela

as far as I can see, there's no public release of the Cortex XDR agent. I only see we can request a demo. But this is definitely not a process which matches my need to just find how to inventory this AV agent. So I won't be able to test support by myself.

Anyway, in the doc link you pointed out, it seems we can use the cytool command, which seems to be installed in the C:\Program Files\Palo Alto Networks\Traps folder. Can you confirm this is the case?

Then if yes, we can try to find the required information. First, can you report the output of glpi-inventory --partial=antivirus when run from an administrative console and from the agent installation folder? Just to check if something is detected and only the details are missing.

So, if I read the documentation correctly, can you share the output of the following commands, run from an administrative console and from the C:\Program Files\Palo Alto Networks\Traps folder?

cytool info
cytool info query
cytool protect query service
cytool protect query file
cytool protect query pipe
cytool protect query registry
cytool protect query process

The last 5 may not be required if the XDR agent registers itself to Windows as an AV agent and Windows reports it is enabled. This is the purpose of the glpi-inventory output request. In that case, only the first 2 outputs may be required.

@g-bougard g-bougard added the enhancement New feature or request label Jan 15, 2024
@danielbarciela
Author

danielbarciela commented Mar 12, 2024

Hello,

I apologize for the delay; I haven't been able to gather the requested information earlier.

Indeed, the 'cytool' command is installed in the path 'C:\Program Files\Palo Alto Networks\Traps'.

[screenshot attached: cytool_commands]

The output of glpi-inventory --partial=antivirus:

{
   "action": "inventory",
   "content": {
      "bios": {
         "bdate": "2020-11-12",
         "biosserial": "VMware-42 08 c4 ef 59 b8 92 0a-c7 21 65 8a 50 e3 bc f8",
         "bmanufacturer": "Phoenix Technologies LTD",
         "bversion": "6.00",
         "mmodel": "440BX Desktop Reference Platform",
         "smanufacturer": "VMware, Inc.",
         "smodel": "VMware Virtual Platform",
         "ssn": "VMware-42 08 c4 ef 59 b8 92 0a-c7 21 65 8a 50 e3 bc f8"
      },
      "hardware": {
         "chassis_type": "Other",
         "description": "Enterprise PC",
         "memory": 16383,
         "name": "enterprise-pc",
         "uuid": "EFC40842-B859-0A92-C721-658A50E3BCF8",
         "vmsystem": "VMware",
         "winlang": "1033",
         "winowner": "Windows User",
         "winprodid": "XXXXX-XXXXX-XXXXX-XXXXX",
         "winprodkey": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX",
         "workgroup": "entreprise.int"
      },
      "versionclient": "GLPI-Inventory_v1.4"
   },
   "deviceid": "enterprise-pc.enterprise.int-2024-03-12-11-43-38",
   "itemtype": "Computer",
   "partial": true
}

If I run the 'glpi-inventory' command, I obtain that Cortex is classified as software.

<SOFTWARES>
  <ARCH>x86_64</ARCH>
  <FROM>registry</FROM>
  <GUID>{D3FC186A-F2AA-4FA9-8E2D-C48F49ADAFA1}</GUID>
  <HELPLINK>http://www.paloaltonetworks.com</HELPLINK>
  <INSTALLDATE>25/02/2024</INSTALLDATE>
  <NAME>Cortex XDR 8.2.1.47908</NAME>
  <PUBLISHER>Palo Alto Networks, Inc.</PUBLISHER>
  <SYSTEM_CATEGORY>application</SYSTEM_CATEGORY>
  <UNINSTALL_STRING>MsiExec.exe /X{D3FC186A-F2AA-4FA9-8E2D-C48F49ADAFA1}</UNINSTALL_STRING>
  <VERSION>8.2.1.47908</VERSION>
</SOFTWARES>

@danielbarciela
Author

Is there any news on this topic? Do you know when it will be included in a new version?

@g-bougard
Member

Hi @danielbarciela

I'll try to update AV support to include this detection. But it seems it doesn't register itself as an AV on the system; that's still weird.

Anyway, thank you for sharing the output.

I'll tell you if I need other information.

@g-bougard
Member

Hi @danielbarciela

can you share the output of the following commands, run from an administrative console where Cortex is installed?

wmic /namespace:\\root\SecurityCenter path AntiVirusProduct get /format:list
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /format:list
wmic /namespace:\\root\microsoft\windows\defender path MSFT_MpComputerStatus get /format:list

I need these outputs to verify how to include support for this AV.
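As an added example (not GLPI Agent code and not from this thread), the following script parses the `/format:list` output of the wmic AntiVirusProduct queries above and reports whether Windows Security Center lists a given product, which is the check the maintainer wants to make. The sample output is constructed, the Cortex instanceGuid is a placeholder, and the productState decoding is an assumption based on the commonly used but undocumented bit layout.

```python
"""Added example: parse wmic /format:list output for AntiVirusProduct records."""

# Constructed sample of `wmic /namespace:\\root\SecurityCenter2 path
# AntiVirusProduct get /format:list` with two registered products.
SAMPLE_WMIC_LIST = """

displayName=Windows Defender
instanceGuid={D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe=windowsdefender://
pathToSignedReportingExe=%ProgramFiles%\\Windows Defender\\MsMpeng.exe
productState=393472
timestamp=Mon, 11 Mar 2024 09:15:02 GMT


displayName=Cortex XDR
instanceGuid={PLACEHOLDER-GUID}
pathToSignedProductExe=C:\\Program Files\\Palo Alto Networks\\Traps\\cyserver.exe
pathToSignedReportingExe=C:\\Program Files\\Palo Alto Networks\\Traps\\cyserver.exe
productState=266240
timestamp=Tue, 12 Mar 2024 11:40:00 GMT

"""


def parse_wmic_list(text):
    """Split list-format output into one dict per blank-line-separated block."""
    records, current = [], {}
    for line in text.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key] = value
    if current:
        records.append(current)
    return records


def decode_product_state(state):
    """Assumption: undocumented layout where bits 12-15 == 1 mean the product
    is enabled and bits 4-7 == 0 mean its signatures are up to date."""
    enabled = (state >> 12) & 0xF == 1
    up_to_date = (state >> 4) & 0xF == 0
    return enabled, up_to_date


def find_av_product(text, name_fragment):
    """Return (displayName, enabled, up_to_date) for the first product whose
    displayName contains name_fragment, or None if Windows does not list it."""
    for rec in parse_wmic_list(text):
        if name_fragment.lower() in rec.get("displayName", "").lower():
            enabled, up_to_date = decode_product_state(int(rec.get("productState", "0")))
            return rec["displayName"], enabled, up_to_date
    return None
```

Running `find_av_product(real_output, "Cortex")` on the real command output returning None would confirm the maintainer's suspicion that the agent does not register itself with Security Center.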
