SteelTech

Virus Scan - File Not Found

Hello everyone, new Automate user, and just joined the forums, so this is my first post.  I have attempted to do my homework before posting by searching other Virus Scan related posts for key details and while I have found useful information I have not been able to resolve my issue.

I run Cisco AMP for Endpoints.  Currently on Connector version 7.0.5.  Virus Scan does not detect that the AV product exists.

I have followed the guide here, with no luck so far. I have applied the exclusions listed here.  I found DarrenWhite99's post here and I believe part of the issue is that in step#3 the programs file is not being detected.

**Edited** I have conducted further testing from the Agents Command Prompt and discovered that I cannot perform the DIR command and get any data back other than File Not Found.  I tried pointing the command at a 7-Zip executable, and ended up with the same result.  I am wondering if this isn't permissions related somehow.

From the Computer Management screen I click the Wrench icon and open a Command Prompt.  I then execute an ECHO and DIR command with the string from the Program Location definition entry.

Example:  ECHO {%HKLM\SYSTEM\ControlSet001\Services\CiscoAMP_7.0.5:ImagePath-%}\sfc.exe

DIR {%HKLM\SYSTEM\ControlSet001\Services\CiscoAMP_7.0.5:ImagePath-%}\sfc.exe

or

ECHO %ProgramFiles%\Cisco\AMP\7.0.5\sfc.exe

DIR %ProgramFiles%\Cisco\AMP\7.0.5\sfc.exe

The ECHO returns the directory and file fine, but the DIR command comes up stating File Not Found.

So I believe this is proof that the agent cannot evaluate the Program Location path, and that Cisco AMP is protecting itself from detection possibly.

To remediate issues with step#3 I have white-listed Automate processes LTSVC.exe, LTSvcMon.exe, LTTray.exe within Cisco AMP.

Despite having done this I perform the above mentioned commands again, and still my DIR command returns a value of File Not Found.


I have two DEFs that I am testing and the first one uses the Registry path to determine the Program Location as follows:

Prog Loc:  {%HKLM\SYSTEM\ControlSet001\Services\CiscoAMP_7.0.5:ImagePath-%}\sfc.exe

Def Loc:  %ProgramFiles%\Cisco\AMP\tetra\versions.dat

AP Process:  sfc*

Date Mask:  (.*)

OS Type:  All OS's

Version Check:  {%HKLM\SYSTEM\ControlSet001\Services\CiscoAMP_7.0.5:ImagePath-%}\sfc.exe


Second DEF for testing uses the Program Files path instead of the registry, as follows:

Prog Loc:  {%HKLM\SYSTEM\ControlSet001\Services\CiscoAMP_7.0.5:ImagePath-%}\sfc.exe

Def Loc:  %ProgramFiles%\Cisco\AMP\tetra\versions.dat

AP Process:  sfc*

Date Mask:  (.*)

OS Type:  All OS's

Version Check: 


I have also substituted the actual file path for the Program Location in both tests:

%ProgramFiles%\Cisco\AMP\7.0.5\sfc.exe


Despite these settings the agent is not being detected.  In my Computer Management screen the Antivirus tile shows "Not Installed".

In addition, I had the issues with Windows Defender 10 being populated every time and performed the export/import trick to reduce its priority in the AV list.


Any advice on getting this AV to populate properly?

Edited by SteelTech
updated to reflect AV exclusions for Automate added.
On 10/23/2019 at 10:15 AM, SteelTech said:

DIR command comes up stating File Not Found.

Did you quote the string at the command prompt? e.g.

DIR "{%HKLM\SYSTEM\ControlSet001\Services\CiscoAMP_7.0.5:ImagePath-%}\sfc.exe"

After entering a new config you may need to close and reopen the client to get it to recognize the ID number of the new config.  In addition especially if Defender is being detected, simply do nothing and wait overnight.  😕

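The path check the first post walks through (expand the service's ImagePath, then see whether DIR can find the .exe and the definitions file), together with the quoting point in the reply above, as an added PowerShell example. This is not code from the thread, from ConnectWise Automate or from Cisco; the service name `CiscoAMP_7.0.5` and the `versions.dat` path are assumptions copied from the thread's definition fields, and the script reads the registry directly instead of using Automate's `{%...:ImagePath-%}` token. ImagePath values are frequently quoted and may carry arguments or a `\??\` prefix, so the script normalizes them before testing, and it separates "file not found" from "access denied", which is the distinction the original post was trying to make.

```powershell
# Added example for this thread, not code from ConnectWise Automate or Cisco.
# Resolves an AV service's executable from its ImagePath, then checks whether
# that file and the definitions file are visible to the process running it.
# $ServiceName and $DefFile are assumptions taken from the thread's examples.
param(
    [string]$ServiceName = 'CiscoAMP_7.0.5',
    [string]$DefFile     = "$env:ProgramFiles\Cisco\AMP\tetra\versions.dat"
)

function Get-ServiceImagePath {
    param([string]$Name)
    # CurrentControlSet is the control set Windows actually booted with;
    # ControlSet001 usually is the same thing, but that is not guaranteed.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    (Get-ItemProperty -LiteralPath $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
}

function ConvertTo-ExePath {
    param([string]$ImagePath)
    # ImagePath comes in several shapes: "C:\Program Files\X\svc.exe" -arg,
    # \??\C:\X\svc.exe, \SystemRoot\system32\svc.exe, %ProgramFiles%\X\svc.exe.
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        # Unquoted: keep everything up to the first ".exe" token, which keeps
        # spaces inside the directory name but drops trailing arguments.
        $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Test-FileVisible {
    param([string]$Path)
    # "NotFound" means the definition points at the wrong place;
    # "AccessDenied" is what product self-protection or a restrictive ACL
    # looks like from the checking process. The two need different fixes.
    try {
        $item = Get-Item -LiteralPath $Path -ErrorAction Stop
        return [pscustomobject]@{ Path = $Path; Status = 'Found'; LastWrite = $item.LastWriteTime }
    } catch {
        $e = $_.Exception
        $status = if ($e -is [System.UnauthorizedAccessException]) { 'AccessDenied' }
                  elseif ($e -is [System.Management.Automation.ItemNotFoundException]) { 'NotFound' }
                  else { 'Error: ' + $e.GetType().Name }
        return [pscustomobject]@{ Path = $Path; Status = $status; LastWrite = $null }
    }
}

# Bitness matters: in a 32-bit process on 64-bit Windows, %ProgramFiles%
# expands to "Program Files (x86)" and System32 is redirected to SysWOW64,
# so a definition that works in an admin shell can fail inside the agent.
# %ProgramW6432% gives the 64-bit Program Files tree from either bitness.
"Process 64-bit: $([Environment]::Is64BitProcess)  OS 64-bit: $([Environment]::Is64BitOperatingSystem)"
"ProgramFiles   : $env:ProgramFiles"
"ProgramW6432   : $env:ProgramW6432"

$image = Get-ServiceImagePath -Name $ServiceName
$exe   = ConvertTo-ExePath -ImagePath $image
"Service        : $ServiceName"
"ImagePath      : $image"
"Resolved exe   : $exe"

if ($exe) { Test-FileVisible -Path $exe } else { "Service key or ImagePath not found for $ServiceName" }
Test-FileVisible -Path $DefFile

# The same check the way the agent's own cmd.exe would run it. The quotes are
# what let DIR tolerate a space in "Program Files"; an unquoted path with a
# space is parsed as two arguments and reports File Not Found.
if ($exe) { cmd.exe /c "dir /b `"$exe`"" }
```

Run it from the same context the agent uses (for instance via the Automate command prompt with `powershell -ExecutionPolicy Bypass -File`), not only from an interactive admin shell, since the agent's account and bitness are what the Virus Scan check actually runs under. A "Found" result here with "Not Installed" in Automate points at the definition fields; "AccessDenied" points at exclusions or the running account; "NotFound" means the path is wrong for that process. One more thing to check rather than assume: a service name that embeds the version, as `CiscoAMP_7.0.5` appears to, would change on upgrade and silently break a definition keyed to it, so confirm the name with `Get-Service -Name 'CiscoAMP*'` before relying on it.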

Hello Steve,

I don't believe I did use quotes because there were no spaces in the path.

I also don't believe I closed out of the client and reopened it.  I do however always resend everything from the device's Inventory.

I've also tried leaving the AP Process with just an asterisk "*", something a consultant had recommended.

Still no luck so far.

On 11/12/2019 at 12:23 PM, SteelTech said:

I don't believe I did use quotes because there were no spaces in the path.

OK, I was assuming the .exe was in Program Files.  If you can't see the exe or definition files from the remote command line via dir then it's not going to detect, i.e. that's not the right path.

If you can't find someone else with it maybe ask Cisco?  When we used Symantec I did contact them when they changed engines and virus definition file paths, and even if they don't know Automate they can tell you where the file is.
