
DarrenWhite99 last won the day on September 10

DarrenWhite99 had the most liked content!

Community Reputation

386 Excellent

My Information

  • Location
    Redding, California, US
  • Agent Count
    2000 - 3000 Agents

Converted

  • OCCUPATION
    Senior Systems Engineer


  1. The heart of the call to LTPoSh is:

       try {(new-object Net.WebClient).DownloadString('http://bit.ly/LTPoSh') | iex} catch {(new-object Net.WebClient).DownloadString('%~dp0LabTech.psm1') | iex}; Get-Service @('LTSvcMon','LTService') -EA 0 | Select-Object -Property * | FL; Get-LTServiceInfo -EA 0; Reinstall-LTService -Server '%LTServerHostname%' -LocationID %LTLOCATIONID%

     It will try http://bit.ly/LTPoSh first, and then look for LabTech.psm1 in the same folder as the batch file.
  2. The AV detection process works basically exactly like this: (I hate partial information, so I reviewed the code actually used to choose the AV ID from LTService version 190.225 (19 Patch 8))

       1. Loop through AV Detection types in ascending order by ID, when done go to Step 10.
       2. Evaluate the OS Type setting. If the target OS specified doesn't match the current machine OS, Go to Step 1.
       3. Evaluate the Program Location path. Is it a valid file? If not, Go to Step 1.
       4. Evaluate the Definition Location.
            • If it is blank, go to Step 1.
            • Is it a valid file? Extract the timestamp as the Definition Date and go to Step 5.
            • Is it a valid folder? Extract the timestamp as the Definition Date and go to Step 5.
            • Use the "Date Mask" regex pattern to extract the Definition Date from the Definition Location value. If nothing was extracted, go to Step 1.
       5. Evaluate the Version Check value.
            • If it is blank, go to Step 6.
            • Is Version Mask blank? Go to Step 1.
            • Is Version Check a file? Capture the file version as the Version Check value.
            • Does the Version Mask pattern match the Version Check value? If not, Go to Step 1.
       6. We now have a complete "AV" profile to test.
            • Is this the first AV ID candidate? Go to Step 7.
            • Is the Definition Date equal to or newer than the last found AV ID? If not, Go to Step 1.
       7. The current AV ID becomes the currently "Chosen" AV ID.
       8. Evaluate the AP Process. (Split on ":" if found and loop). Does it match a process that is running? If not running, AV Running is set to False, Go to Step 1.
       9. The current AV ID is added to a list of running AV IDs. AV Running is set to True. Go To Step 1.
       10. Check the list of Running AVs (built in Step 9). If 1 or less were found, go to Step 14.
       11. Loop through the Running AV IDs. When done, go to Step 14.
       12. Does the Definition Location contain "Windows Defender"? Go to Step 11.
       13. The current AV ID becomes the currently "Chosen" AV ID. Go to Step 11.
       14. Is the "Chosen" AV AP Process value blank or does it end with "*"? Go to Step 17.
       15. Is the WMI Class \root\SecurityCenter2:AntiVirusProduct found? Set AV Running to the state indicated by the "ProductState" attribute and Go to Step 17.
       16. Is the WMI Class \root\SecurityCenter:AntiVirusProduct found? Set AV Running to the state indicated by the "onAccessScanningEnabled" attribute and Go to Step 17.
       17. Report the Chosen AV ID, and the AV Running State.

     When two AV definitions are compared, the first one tested (lowest ID) has the advantage, but it will still lose to another AV match with a newer signature date. And if multiple running AV products are found, one of them will be picked over a "newer" product that wasn't running. In general the first chosen Running AV with the newest definitions will be the one returned, and the AV Running state will be based on matching the process name or what Windows Security Center is indicating. (I think I summarized that right..)

     If your Primary AV product definitions get a day behind, a secondary AV could suddenly be the reported AV. In my experience, outdated AV definitions are the most common reason for Windows Defender to show up even when you know you have another AV product in place. If its definition date is newer, it will be reported as the active AV product.
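
The selection order described in the post above (Step 1 and Steps 6 to 13), as an added Python example; it is not LTService code and is not part of the original post. Assumptions: every candidate has already passed Steps 2 to 5, Step 6 compares against the currently chosen candidate, the WMI running-state checks in Steps 14 to 16 are not modelled, and the names `Candidate`, `choose_av` and all sample IDs, paths and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Candidate:
    """An AV definition that already passed Steps 2-5 (hypothetical type)."""
    av_id: int
    definition_location: str
    definition_date: date
    process_running: bool  # outcome of the Step 8 process match

def choose_av(candidates):
    """Return (chosen AV ID, running AV IDs) following Steps 1 and 6-13."""
    chosen, running = None, []
    for c in sorted(candidates, key=lambda c: c.av_id):       # Step 1
        # Step 6 (assumption: compared with the currently chosen candidate)
        if chosen is not None and c.definition_date < chosen.definition_date:
            continue
        chosen = c                                            # Step 7
        if c.process_running:                                 # Step 8
            running.append(c)                                 # Step 9
    if len(running) > 1:                                      # Step 10
        for c in running:                                     # Steps 11-13
            if "Windows Defender" not in c.definition_location:
                chosen = c
    return (chosen.av_id if chosen else None, [c.av_id for c in running])

# Constructed sample data: IDs, paths and dates are made up for illustration.
VENDOR = r"C:\Program Files\ExampleAV\Definitions"
DEFENDER = r"C:\ProgramData\Microsoft\Windows Defender\Definition Updates"
SCENARIOS = {
    # Primary AV one day behind, Defender process not running.
    "stale_primary": [
        Candidate(10, VENDOR, date(2019, 9, 9), True),
        Candidate(200, DEFENDER, date(2019, 9, 10), False)],
    # Primary AV current: the older Defender entry is dropped at Step 6.
    "current_primary": [
        Candidate(10, VENDOR, date(2019, 9, 10), True),
        Candidate(200, DEFENDER, date(2019, 9, 9), False)],
    # Two running products plus a newer one that is not running.
    "two_running": [
        Candidate(10, VENDOR, date(2019, 9, 8), True),
        Candidate(200, DEFENDER, date(2019, 9, 9), True),
        Candidate(300, r"C:\Program Files\OtherAV\Definitions", date(2019, 9, 10), False)],
}

if __name__ == "__main__":
    for name, cands in SCENARIOS.items():
        print(name, choose_av(cands))
```

In the `stale_primary` case the chosen ID is the Windows Defender entry even though only the primary product is in the running list, which is the situation the post describes.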
  3. Could you provide an example of the output before a valid key had been applied, and after?
  4. File system permissions definitely could be an issue, but no users would be able to access some/all screenshots for some/all computers if it was a filesystem permission issue. If screenshots for any given computer are available for certain users (superadmins) but not other users (non-admins), it sounds like you are hitting a Known Issue @Ross Bowman. The root issue is related to the CW File Service, but the problem is a table permission that is not granted to non-admins. Try viewing a screenshot as an admin, and then have the user try again. Sometimes (I assume if the table was recently referenced by the API endpoint) the offending query to the table is not triggered and the screenshot is accessible. After a period of time, it will begin failing again. My ticket (#11947080 - "19.0.5.138> User Class other than SuperAdmin cannot browse screenshots") was escalated to Dev on June 12th.
  5. In the additional condition, add AND Eventlogs.timegen > DATE_ADD(NOW(), INTERVAL -2 HOUR)
  6. Make sure the Pipe character is really a | character. Actually, I suspect what is happening is that schtasks is being called directly, not as a parameter to cmd.exe. The shell is what splits commands and redirects input/output on the pipe. Try this instead: cmd.exe /c "schtasks /query /tn "Adobe Acrobat Update Task" /v /fo LIST | find "Last Result:""
  7. When you retired, what was the state of the agent? Was it online? Was it uninstalled? Are you hitting Un-Retire, opening the agent, and then expecting Control to connect? What is the Control icon status (Orange/Red/Gray/etc.)? Has the Control Session been terminated? Is the session still active in Control before you un-retire in Automate? Once the Automate agent is operating, if you deploy Control it should detect whatever sessionid the agent has and report it back. If the Control Session was terminated, a reinstall of Control on the agent will be necessary. Even if Automate remembers the Control session associated with an agent, unless the session is currently working in Control restoring the Automate agent will have no effect.
  8. Did you mention that you had set yourself as the computer/location/client contact? That could be it. Also, check the global properties in the dashboard. Do any of the properties have your email address assigned?
  9. Just import the script, open it, and copy out the PowerShell. I mean, honestly... “I don’t like the way this is bundled. Bundle it differently so that I don’t have to take 4 minutes of my time to do the same steps I’m asking to be done.” ¯\_(ツ)_/¯
  10. AFAIK @david.wolfie.. (I don’t know if they have incorporated the change into the official monitor, and no database changes have occurred that would make this monitor not work)
  11. I think you need to track one alert through and figure it out, which should help solve all of them. Is the email coming from a script or from a ticket? Are you syncing tickets to another system (Manage?) or are you purely using the Automate ticketing? Try setting the monitor default template to “Do Nothing” to help determine if it’s using the global settings or if it’s another group alert template that is overriding it? Etc.
  12. This monitor is not sniffing the network or “detecting” devices. It works by comparing AD information (gathered by the AD plugin) to see which Windows machines on the domain have been recently active and comparing this to Automate agents. It is designed to only notify you regarding Domain joined Windows systems, where you actually could install an agent. There is no point in alerting that a new Access Point or Printer is “missing an agent”. It cannot return anything that isn’t joined to the domain. If you are getting alerts like that they must be coming from somewhere else.
  13. An alternative to the VBS - Uses the LabTech PowerShell Module (LTPoSh) https://slack-files.com/T0SD04DSM-F8RA68F53-da5f31ba6a Just set the server and locationid on lines 9/10. The locationid can also be specified from the command line as a parameter.
  14. Is %userdomain% available? \\domainname\netlogon should work just as well as \\specificdc\netlogon. A possible option to force the variable to be processed is to just use a command line copy with Shell As Admin. The shell will definitely expand the variable if the File Copy As Admin function doesn’t.
  15. @Dayrak, you need to identify which group is controlling the monitor (All Agents?), open the group, select the Computer tab, then the Remote Monitors tab. Select the monitor from the list at the bottom of the window, edit the settings and then hit Update.