
Detect Machines with no Antivirus installed



How can I set up a Dynamic Group Template to identify machines that have no antivirus on them?

I want to use this Dynamic Group Template to identify those machines that are ready to get ESET Endpoint Security installed.  I want to exclude machines that have Symantec, Panda, Norton, Vipre, AVG, etc. installed (they need remediation steps before I have the ERA Agent install EES.)  

Thank you.  

Link to comment
Share on other sites

  • ESET Staff

Basically, you want to have a template that has ERA agent, and does not have any of the mentioned solutions, correct?

I would suggest the following:

- enable reporting of non-ESET apps in the ERA Agent policy

- create a report of all installed apps, containing app name, version, vendor, and whether it supports silent uninstall

- create either a nested template, where one will have just the mask and another one will use an "or" condition for the vendors of the competitive products, or one template per vendor, like here:

[Attached image: dg template 2.png]

Edited by MichalJ
Link to comment
Share on other sites

This seems like a good area to request a feature enhancement (ERA v6.6).  To detect if any antivirus is installed I can use:

Functionality/Protection problems-Feature NOT-EQUAL Antivirus

That will trigger TRUE if something is installed, including EES or Defender or another 3rd party app (e.g., Symantec). I can use

Computer-Managed Products Mask 

To detect if an ESET product is installed. None of these existing filters get us to what we want. We want to know if a 3rd party app is installed.

I think we need a dynamic group filter named Foreign Antivirus Installed.  It will trigger TRUE if  Symantec, Panda, Norton, Vipre, AVG, etc. are installed (anything other than Defender or Security Essentials.)

We could then use that dynamic group filter to create a dynamic group and then trigger the OPSWAT removal tool.  If the removal is successful the computer will drop out of the dynamic group and it will be ready to get ESET installed.

Does that sound like a reasonable feature enhancement request for ERA 6.6?

Thanks.

Link to comment
Share on other sites

  • Administrators
55 minutes ago, Dan Massameno said:

Computer-Managed Products Mask 

To detect if an ESET product is installed. None of these existing filters get us to what we want. We want to know if a 3rd party app is installed.

I think we need a dynamic group filter named Foreign Antivirus Installed.  It will trigger TRUE if  Symantec, Panda, Norton, Vipre, AVG, etc. are installed (anything other than Defender or Security Essentials.)

The second screenshot in MichalJ's last post shows the conditions of a dynamic group that contains computers with software from any of the mentioned vendors installed.

Link to comment
Share on other sites

I'm a VAR and I walk into a number of sites where the management of the IT systems is a little "haphazard," to be kind.  :-)

The method from MichalJ would work if all the machines in the organization had one particular 3rd party antivirus app installed. That assumption breaks down quickly when you find out that the machines out in the Shipping Department have Kaspersky installed. OK, well you might have been able to identify that if you ran a report on all apps installed across all machines and manually looked through a huge list and said "ah ha! Kaspersky" and added it to the filter.

Then EES fails to install on all the Human Resources machines because they had FRISK installed.  What!?  Who the heck is FRISK?  I would not have even recognized that from the huge list if I had looked through it.  (Link provided, just in case you think I'm making this up.)

All these 3rd party foreign antivirus software vendors would be identified by my proposed Dynamic Group Filter.  Then the ERA administrator could identify these machines and take the appropriate action.  Maybe he would just run the ERA OPSWAT removal tool.  Failing that maybe he would physically go to the machine and do manual remediation steps.  These are all valuable steps if we want the EES product installation to go smoothly.

Thoughts?

 

Link to comment
Share on other sites

  • ESET Staff

Hello,

Your idea would be nice, but it's quite tricky. Security products are not always correctly indicating themselves as "security products" (there is no flag that a product is Security / AV). What you basically expect is some sort of an ESET-maintained application catalog of 3rd party security products, which will then be compared with the list of apps reported by ERA Agent, and match a DG template.

So we could base the dynamic group template only on the names of the vendors / their respective products. But as vendors tend to change the names of their products, and even the vendor name is not always the same (even ESET has "vendor" in 3 forms, due to the support of older products as well), maintenance and validity of such a dynamic group template might be tricky.

We will track it as an improvement, but I can't promise that we will be able to come up with some valid solution (because as of now, considering the current framework of ERA, to determine how each of the apps is reported, we will need to install them, and create such a template manually).

 

Link to comment
Share on other sites

  • ESET Insiders

Hi

I would like that feature too; however, it has been stated that ESET is currently working on a feature which will bundle tasks. This way we can just bundle an available remover task together with an install task. I know this will make a remover run even if it is not needed, but it would work.

Link to comment
Share on other sites

Bundled tasks would be a useful feature.  Bundling the remover and the EES installer would be something I would do.

But it still would be nice to have a Dynamic Group Template to identify Foreign 3rd party antivirus.  Maybe the removal process didn't work.  In which case it would be nice to have a report or dynamic group to show the administrator what machines need manual remediation.

 

Link to comment
Share on other sites

MichalJ,

I totally see where you're coming from.  Requiring the ERA Agent to be knowledgeable of every Antivirus software on the planet would be impossible!  

May I suggest the following pseudo code that I suspect would catch 99% of the antivirus packages out there...

 

1. Does the OS report an antivirus app is installed?  If yes…

    1.a. Is it the built-in OS antivirus (e.g., Windows Defender, or Windows Security Essentials)?  If yes, return FALSE.

    1.b. Otherwise, return TRUE.  <<One would hope this would catch just about everything.  :-)

2. Does the list of installed applications on the machine match anything on the OPSWAT list?  If yes, return TRUE.  This is a finite list so it should be easy to check against.

3. Does the list of installed applications match anything known by ESET developers to not be an OS-recognized package and is not on the OPSWAT list?  If yes, return TRUE.

4. Otherwise, no known foreign antivirus software exists.  Return FALSE.

 

 

Link to comment
Share on other sites
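The four-step check from the post above, written out as an added example (not code from the thread, from ESET, or from OPSWAT), with vendor-name normalization to handle the name variants MichalJ mentions. The catalogues are constructed stand-ins built from vendor names mentioned in this thread; treating ESET as non-foreign and continuing to the inventory checks when only the built-in product is reported are assumptions beyond the pseudocode.

```python
import re

# Constructed sample catalogues (assumptions for illustration; not the real
# OPSWAT list and not an ESET-maintained catalogue).
BUILT_IN = {"windows defender", "security essentials"}
OWN_VENDOR = {"eset"}  # assumption: ESET products are never "foreign"
REMOVER_LIST = {"symantec", "panda", "norton", "vipre", "avg"}  # stand-in, step 2
EXTRA_KNOWN = {"kaspersky", "frisk"}                             # stand-in, step 3

_SUFFIXES = re.compile(
    r"\b(inc|corp|corporation|ltd|llc|spol|s r o|software|technologies|lab)\b")

def normalize(name):
    """Lower-case, drop punctuation and company suffixes so variants compare equal."""
    text = " ".join(re.sub(r"[^a-z0-9]+", " ", name.lower()).split())
    return " ".join(_SUFFIXES.sub(" ", text).split())

def _matches(name, catalogue):
    norm = normalize(name)
    return any(re.search(r"\b" + re.escape(e) + r"\b", norm) for e in catalogue)

def foreign_av_installed(os_reported_av, installed_apps):
    """os_reported_av: product names the OS reports as antivirus.
    installed_apps: (app name, vendor) pairs from the software inventory.
    Returns (is_foreign, reason) so a report can show why a machine matched."""
    # Step 1: anything OS-reported that is not built-in (1.a) is foreign (1.b).
    for product in os_reported_av:
        if not _matches(product, BUILT_IN | OWN_VENDOR):
            return True, "os-reported: " + product
    # Steps 2 and 3: fall back to the inventory for products the OS does not flag.
    for app, vendor in installed_apps:
        for label, catalogue in (("remover-list", REMOVER_LIST),
                                 ("extra-known", EXTRA_KNOWN)):
            if _matches(app, catalogue) or _matches(vendor, catalogue):
                return True, label + ": " + app
    # Step 4: nothing known was found.
    return False, "none"

if __name__ == "__main__":
    # Constructed inventory records for three hypothetical machines.
    fleet = {
        "shipping-01": (["Windows Defender", "Kaspersky Endpoint Security"], []),
        "hr-07": ([], [("F-PROT Antivirus", "FRISK Software International")]),
        "lab-02": (["Windows Defender"], [("7-Zip", "Igor Pavlov")]),
    }
    for host, (reported, apps) in fleet.items():
        print(host, foreign_av_installed(reported, apps))
```

The returned reason string distinguishes machines caught by the OS report from those caught only by inventory matching, which is the group that most likely needs manual remediation.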

This topic is now closed to further replies.