
Virus Scan Question



Additional note:  I have tried using one definition per version.  After entering all of them in, I did a Command->Inventory->Update All on a client.

Still no luck - the systems list Windows Defender 10 instead.

Edited by LoneWolf
1 minute ago, Juan Carlos Romero said:

Hello Wolf,

I gave up on this, because it has to be changed every version and Sentinel does not work as other AVs, I even tried to contact Connectwise and Sentinel but no luck.

BTW, Sorry you have to work with PAX8

I haven't had too many issues, but it definitely complicates support. It does keep licensing costs down on multiple products, though.

While I'd hate to have to change it every version, I'd still do so, if I could ensure that it would report accurately.  At this point though, it's either not finding something, or Automate is letting "Windows Defender 10" override and show as the antivirus even when "Sentinel Agent" is listed as an installed program. I've restarted the database agent after setting up the definitions and sent the "update config" command to an entire client.

I need the reporting, as we're trying to monitor for the presence of SentinelOne, so that if a machine is introduced to a client network without our knowledge, we can be notified of a new agent that doesn't have SentinelOne. This piece is one of a larger puzzle, and it's frustrating that I'm not getting proper results back on something that ought to work.


So - I had this problem a while back, and after working with a few different people in the MSP Geek Slack Channel, it was determined that Automate scans for AV Software by the Scanner ID.  So, if you're adding SentinelOne entries, they need to have an ID in the Automate DB that is a lower number than other AV Software (Windows Defender, especially - since that's on everything).

In the attached cwa_s1_vscan.png screenshot, you can see that I've moved the first 25-ish entries, and replaced them with S1 entries (we have S1 that we manage on clients, and S1 that is managed by other companies on other clients, so versioning is hard to control).

Also in the screenshot, are the settings I use for detection on each version of S1 - so you can see how they differ between the versions.

For moving the Virus Scan entries, it's up to you how you wanna do that - but here's what I did, in case it helps:

  1. Made each new S1 entry that I needed (this gives it a GUID in Automate)
  2. For Each new S1 entry that I made, I had to find an entry at the front/top of the table that I didn't need/care about, and then:
    1. INSERT INTO all the info about that entry with ID at the back/bottom of the table.
    2. UPDATE all the S1 info (with the GUID) WHERE ID is the ID of the entry I just moved.

So, now - Automate will check down the list, and stop after it finds S1.  Rather than stopping at Windows Defender, or wherever (since S1 can coexist with other AV solutions).

Then hammered TF out of the Update Plugin, Update Inventory/Config, Reload DB Cache, etc.

Eventually, everything started reporting correctly.  But, I won't lie - keeping up with the versioning can get tiresome.  Would be nice if there was another approach.

cwa_s1_vscan.png

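The "lowest Scanner ID wins" behaviour and the INSERT/UPDATE swap described in the post above, as an added Python model that is not part of the thread and not Automate's own code. The table layout (a `scanner_id`, a name and an AP Process pattern), the process names and the sample IDs are constructed for the illustration; the real Automate schema has more columns and different names.

```python
import re
from dataclasses import dataclass, field


@dataclass(order=True)
class ScannerDef:
    """Constructed model of one Automate virus-scanner definition row.

    Only the fields this example needs are modelled; the real table has more
    columns and different names (assumption, not the real schema)."""
    scanner_id: int
    name: str = field(compare=False)
    ap_process: str = field(compare=False)  # AP Process pattern, e.g. "SentinelAgent*"


def _glob_match(pattern: str, process_name: str) -> bool:
    # The AP Process field uses a simple '*' wildcard; turn it into a regex.
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, process_name, re.IGNORECASE) is not None


def detect_av(defs, running_processes):
    """Walk the definitions in ascending ScannerID order and return the name of
    the first one whose AP Process matches a running process. This is the
    'lowest ID wins' behaviour described in the thread: with Defender at a lower
    ID than SentinelOne, a box running both reports Defender."""
    for d in sorted(defs):
        if any(_glob_match(d.ap_process, p) for p in running_processes):
            return d.name
    return "Not Installed"


def move_to_low_id(defs, victim_id, new_def):
    """Seth's two-step swap. Copy the unwanted entry at victim_id to a fresh ID
    at the bottom of the table (the INSERT), then overwrite slot victim_id with
    the new definition's fields (the UPDATE ... WHERE ID). The new definition's
    original high-ID row is dropped so it exists only once (my choice here)."""
    by_id = {d.scanner_id: d for d in defs}
    victim = by_id[victim_id]
    next_id = max(by_id) + 1
    by_id[next_id] = ScannerDef(next_id, victim.name, victim.ap_process)
    by_id[victim_id] = ScannerDef(victim_id, new_def.name, new_def.ap_process)
    if new_def.scanner_id != victim_id:
        by_id.pop(new_def.scanner_id, None)
    return sorted(by_id.values())


# Constructed sample table: an old entry nobody needs at ID 1, Defender at 20,
# and a freshly created SentinelOne entry that landed at ID 94.
SAMPLE_DEFS = [
    ScannerDef(1, "Old AV Nobody Uses", "oldav*"),
    ScannerDef(20, "Windows Defender 10", "MsMpEng*"),
    ScannerDef(94, "Sentinel Agent", "SentinelAgent*"),
]

# Constructed process list for a machine running both Defender and SentinelOne.
SAMPLE_PROCESSES = ["MsMpEng.exe", "SentinelAgent.exe", "explorer.exe"]


def demo():
    """Detection result before and after the swap, plus the resulting ID layout."""
    before = detect_av(SAMPLE_DEFS, SAMPLE_PROCESSES)
    fixed = move_to_low_id(SAMPLE_DEFS, victim_id=1, new_def=SAMPLE_DEFS[2])
    after = detect_av(fixed, SAMPLE_PROCESSES)
    return before, after, [d.scanner_id for d in fixed]


if __name__ == "__main__":
    print(demo())
```

Before the swap the machine reports Defender because ID 20 is reached first; after moving the S1 definition into slot 1 the same process list reports Sentinel Agent, and the displaced entry lives on at ID 95, which is exactly why the post says the scan "stops after it finds S1".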
1 minute ago, LoneWolf said:

@Seth I'm going to try this.  It's idiotic that Automate does it this way, and that one can't just change the priorities with a different field.

Thanks for the info, I'll follow back here when I have this set.

Agreed! I haven't updated the Virus Scanners in the Solution Center, either - for fear of resetting the DB. 😬

Good luck - hopefully you get it working straight away, but if not, I'll be happy to help as best I can.

46 minutes ago, Seth said:

Agreed! I haven't updated the Virus Scanners in the Solution Center, either - for fear of resetting the DB. 😬

Good luck - hopefully you get it working straight away, but if not, I'll be happy to help as best I can.

You're best off not doing anything with the Solution Center that you make modifications to yourself.  It will just screw that right up.

That's been problematic for years, and Connectwise is not unaware of it. Probably someday, when the thick client goes away and Web Plugins are the only option, that will all go away with it.


Just noticed the request for updated info.

There have been some issues over the last few updates to the S1 package.

I am not sure why some of the components in the original screenshot have changed in the latest version; it has frustrated my team with how inconsistent it is.

I named it V2 because not all agents have been updated to 4.1.x

image.png.eb3444d9b20dd55f4507fc63ef451e60.png

On 8/19/2020 at 11:49 AM, Seth said:

need to have an ID in the Automate DB that is a lower number than other AV Software (Windows Defender

In theory, it's more complicated than that, see:

 However that said, as I mentioned in that thread we deleted the Windows Defender 10 virus config to bypass the incorrect detections that still occurred.

  • 1 month later...
On 8/19/2020 at 9:49 AM, Seth said:

So - I had this problem a while back, and after working with a few different people in the MSP Geek Slack Channel, it was determined that Automate scans for AV Software by the Scanner ID.  So, if you're adding SentinelOne entries, they need to have an ID in the Automate DB that is a lower number than other AV Software (Windows Defender, especially - since that's on everything).

In the attached cwa_s1_vscan.png screenshot, you can see that I've moved the first 25-ish entries, and replaced them with S1 entries (we have S1 that we manage on clients, and S1 that is managed by other companies on other clients, so versioning is hard to control).

Also in the screenshot, are the settings I use for detection on each version of S1 - so you can see how they differ between the versions.

For moving the Virus Scan entries, it's up to you how you wanna do that - but here's what I did, in case it helps:

  1. Made each new S1 entry that I needed (this gives it a GUID in Automate)
  2. For Each new S1 entry that I made, I had to find an entry at the front/top of the table that I didn't need/care about, and then:
    1. INSERT INTO all the info about that entry with ID at the back/bottom of the table.
    2. UPDATE all the S1 info (with the GUID) WHERE ID is the ID of the entry I just moved.

So, now - Automate will check down the list, and stop after it finds S1.  Rather than stopping at Windows Defender, or wherever (since S1 can coexist with other AV solutions).

Then hammered TF out of the Update Plugin, Update Inventory/Config, Reload DB Cache, etc.

Eventually, everything started reporting correctly.  But, I won't lie - keeping up with the versioning can get tiresome.  Would be nice if there was another approach.

cwa_s1_vscan.png

Thanks for this but we decided to just use 1 entry as version isn't important to know via Automate.  Plus we didn't need to do anything to Windows Defender.

Here is what we have, so it's easier for anyone else to just copy paste:

Name = SentinalOne Agent

Program Location = {%-HKLM\SYSTEM\CurrentControlSet\Services\SentinelMonitor\Config:InProcessClientsDir-%}SentinelAgent.exe

Definition Location = {%-HKLM\SYSTEM\CurrentControlSet\Services\SentinelMonitor\Config:ConfigsBaseDir-%}\hashes

AP Process = SentinelAgent*

Version Check =  {%-HKLM\SYSTEM\CurrentControlSet\Services\SentinelMonitor\Config:InProcessClientsDir-%}SentinelAgent.exe

Date Mask = (.*)

Version Mask = (.*)

Works like a charm but the version check doesn't do anything.

Edited by ryan1cf
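The posted definition builds its paths from `{%-HKLM\...:Value-%}` registry tokens, so whether it resolves depends on what those registry values contain on the endpoint. The following is an added Python check, not part of the thread and not an Automate tool: it expands the three path fields exactly as posted against a constructed registry and flags separator mistakes. The token grammar is inferred from the posted strings (an assumption), and the registry contents are placeholders rather than real install paths.

```python
import re

# Automate's registry-read token as written in the thread's definition:
#   {%-HKLM\Path\To\Key:ValueName-%}
# The grammar here (hive\key path, colon, value name) is inferred from those
# examples; it is an assumption about the token syntax, not documentation.
TOKEN = re.compile(r"\{%-(HK[A-Z]+\\[^:]+):([^-]+?)-%\}")

# The path fields exactly as posted in the thread.
S1_DEFINITION = {
    "Program Location": r"{%-HKLM\SYSTEM\CurrentControlSet\Services\SentinelMonitor\Config:InProcessClientsDir-%}SentinelAgent.exe",
    "Definition Location": r"{%-HKLM\SYSTEM\CurrentControlSet\Services\SentinelMonitor\Config:ConfigsBaseDir-%}\hashes",
    "Version Check": r"{%-HKLM\SYSTEM\CurrentControlSet\Services\SentinelMonitor\Config:InProcessClientsDir-%}SentinelAgent.exe",
}

S1_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\SentinelMonitor\Config"

# Constructed registry contents (placeholders, not real install paths). Note the
# trailing backslash on InProcessClientsDir: the posted definition appends
# 'SentinelAgent.exe' directly to it, so the value must end in a separator.
GOOD_REGISTRY = {
    (S1_KEY, "InProcessClientsDir"): "C:\\Program Files\\SentinelOne\\Sentinel Agent VERSION\\",
    (S1_KEY, "ConfigsBaseDir"): "C:\\ProgramData\\Sentinel\\config",
}

# Same registry with the trailing separator missing, to show what the check catches.
BAD_REGISTRY = dict(GOOD_REGISTRY)
BAD_REGISTRY[(S1_KEY, "InProcessClientsDir")] = "C:\\Program Files\\SentinelOne\\Sentinel Agent VERSION"


def expand_tokens(template, registry):
    """Replace each token with the value stored under (key path, value name).
    A missing value raises KeyError, which is the failure mode when the S1
    service key is absent on a machine."""
    return TOKEN.sub(lambda m: registry[(m.group(1), m.group(2))], template)


def check_definition(definition, registry):
    """Expand every path field and flag separator problems around each token:
    a token glued to a filename whose value lacks a trailing backslash, or a
    token followed by a backslash whose value already ends in one."""
    expanded, warnings = {}, []
    for field_name, template in definition.items():
        for m in TOKEN.finditer(template):
            value = registry[(m.group(1), m.group(2))]
            follows = template[m.end():m.end() + 1]
            if follows and follows != "\\" and not value.endswith("\\"):
                warnings.append(f"{field_name}: no separator between {m.group(2)} and {template[m.end():]!r}")
            elif follows == "\\" and value.endswith("\\"):
                warnings.append(f"{field_name}: doubled separator after {m.group(2)}")
        expanded[field_name] = expand_tokens(template, registry)
    return expanded, warnings


if __name__ == "__main__":
    for label, reg in (("good", GOOD_REGISTRY), ("bad", BAD_REGISTRY)):
        paths, problems = check_definition(S1_DEFINITION, reg)
        print(label, paths, problems)
```

With the constructed "good" registry both locations expand to plausible paths and no warnings are raised; with the trailing separator missing, Program Location and Version Check are both flagged, which is the kind of silent mismatch that leaves the Antivirus panel showing Not Installed.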

We also did a single version. I can do version management from SentinelOne.  The important thing is showing that it exists, and for flagging "AV Missing" tickets.

I have also created two groups with autojoin searches:

-Agents located in SentinelOne clients that do not have SentinelOne installed

-Agents that have both SentinelOne and Webroot (which we are transitioning away from) installed simultaneously, since Webroot doesn't always remove itself gracefully

This has really helped ensure we are seeing things the way we should.

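The two autojoin searches from the post above, plus the reporting mismatch LoneWolf described earlier in the thread (Sentinel Agent listed under installed programs while Automate still reports Windows Defender 10), as an added Python coverage check. This is not the thread's own code or an Automate search; the agent records, client names and product strings are constructed inventory data, and matching is a case-insensitive substring test on installed-program names.

```python
def has_product(installed, needle):
    """Case-insensitive substring match against installed-program names."""
    needle = needle.lower()
    return any(needle in name.lower() for name in installed)


def coverage_report(agents, s1_clients, legacy_av="Webroot"):
    """Mirror the two autojoin searches from the thread and add a third check
    for the symptom LoneWolf hit: S1 installed but another product reported.

    agents: list of dicts with name, client, installed (program names) and
            reported_av (what Automate's Antivirus panel shows).
    s1_clients: set of client names that are supposed to run SentinelOne."""
    missing, overlap, mismatch = [], [], []
    for a in agents:
        has_s1 = has_product(a["installed"], "Sentinel Agent")
        # Search 1: agents in S1 clients without S1 -> candidate "AV Missing" tickets.
        if a["client"] in s1_clients and not has_s1:
            missing.append(a["name"])
        # Search 2: S1 and the legacy AV both present -> legacy uninstall did not finish.
        if has_s1 and has_product(a["installed"], legacy_av):
            overlap.append(a["name"])
        # Extra: S1 present but the scanner definition did not win -> fix the definition.
        if has_s1 and "sentinel" not in a["reported_av"].lower():
            mismatch.append(a["name"])
    return {
        "missing_s1": sorted(missing),
        "s1_and_legacy": sorted(overlap),
        "reported_wrong": sorted(mismatch),
    }


# Constructed inventory: Contoso is an S1 client, Fabrikam is not.
S1_CLIENTS = {"Contoso"}
SAMPLE_AGENTS = [
    {"name": "WS01", "client": "Contoso",
     "installed": ["Sentinel Agent"], "reported_av": "Sentinel Agent"},
    {"name": "WS02", "client": "Contoso",
     "installed": ["Google Chrome"], "reported_av": "Windows Defender 10"},
    {"name": "WS03", "client": "Contoso",
     "installed": ["Sentinel Agent", "Webroot SecureAnywhere"], "reported_av": "Sentinel Agent"},
    {"name": "WS04", "client": "Contoso",
     "installed": ["Sentinel Agent"], "reported_av": "Windows Defender 10"},
    {"name": "WS05", "client": "Fabrikam",
     "installed": ["Webroot SecureAnywhere"], "reported_av": "Webroot SecureAnywhere"},
]


if __name__ == "__main__":
    print(coverage_report(SAMPLE_AGENTS, S1_CLIENTS))
```

WS05 is untouched because its client is not an S1 client; WS04 is the interesting case, since an "AV Missing" search keyed only on the reported antivirus would miss it while an installed-programs search would not.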
3 hours ago, ryan1cf said:

Thanks for this but we decided to just use 1 entry as version isn't important to know via Automate.  Plus we didn't need to do anything to Windows Defender.

Here is what we have, so it's easier for anyone else to just copy paste:

Name = SentinalOne Agent

Program Location = {%-HKLM\SYSTEM\CurrentControlSet\Services\SentinelMonitor\Config:InProcessClientsDir-%}SentinelAgent.exe

Definition Location = {%-HKLM\SYSTEM\CurrentControlSet\Services\SentinelMonitor\Config:ConfigsBaseDir-%}\hashes

AP Process = SentinelAgent*

Version Check =  {%-HKLM\SYSTEM\CurrentControlSet\Services\SentinelMonitor\Config:InProcessClientsDir-%}SentinelAgent.exe

Date Mask = (.*)

Version Mask = (.*)

Works like a charm but the version check doesn't do anything.

Thanks for providing these settings.  Did you have to do any other configuration of your Automate environment?  Does not seem to work for us.  The Antivirus panel now shows Not Installed as opposed to it showing Windows Defender installed.

UPDATE AFTER INITIAL POST:

So SentinelOne shows up as the installed anti-virus solution now in the computer management screen on the Web Control Center but the block on the desktop client for Antivirus is still reporting not installed.

2020-10-07_17-35-48.jpg

2020-10-07_17-36-33.jpg

Edited by CallS2Tom
Added additional info relating to issue
  • 1 month later...
On 11/7/2020 at 4:38 PM, jhand said:

until I closed the Control Center and re-opened

I've found/deduced the control center reads the virus scan IDs at launch, so if you add one, you need to close/reopen.  Otherwise it knows the PC has ID 94 but has no idea what that is.

Also I've found in recent years the detection of a new virus config on the agent end often takes an overnight...resend configs doesn't seem to get the job done.
