
Dynamic group creation



I'm trying to create a dynamic group of workstations that are 1) presently online, and 2) have the Agent installed, and 3) do not have Antivirus installed.

 

Unfortunately, I'm not finding the logic for this in the expression builder.

 

Can anyone offer any suggestions how to most effectively locate online systems that need AV installed?

 

Thank you.

Link to comment
Share on other sites

Well steps 2 and 3 are easy enough:

Installed software . Application Name == ESET Remote Administrator Agent

Installed software . Application Name =/= ESET Endpoint Antivirus (or whichever product you use)

 

I don't know if there is any way to test the online/offline status of computers. If a computer is offline, it reports fine without any errors. The 'Last Updated Time' shows when it last checked in with the server. Until the Agent talks to the Server, there's no way the Server will know if it's offline, virus sig db out of date, OS is up to date, etc.

 

What are you trying to accomplish through this dynamic group? Maybe there's an alternate method.

Link to comment
Share on other sites

Thanks, bbraunstein.

 

That's what I have, but it continues to pull all systems recently checked in.

 

My Rule is:

Installed software . Application name = (equal) ESET Remote Administrator Agent

Installed software . Application name ≠ (not equal) ESET Endpoint Antivirus

 

I also tried specifically 'ESET Endpoint Antivirus (6.1.2227.0)' since this is what's specified in the console, but still got all systems.

 

I've been rolling out ESET slowly using Rip and Replace. It's been a bit spotty, so I'm trying to keep an eye on things with more manual management. At this point I'm trying to capture the systems where it was only able to install the agent and not the rest of the product.

Link to comment
Share on other sites

You could always create a nested group, to test if it's the combination of software checks that's causing the problem. Have your first group checking just for the agent version, then a group inside it to check for the av version.

We use it to list computers that have the current agent but an outdated av.

Link to comment
Share on other sites

  • Administrators

It seems a new condition "does not contain" would be really useful, especially if one doesn't want to use nested groups :) We'll consider it as an improvement for ERA 6.3 that should be available later this year.

Link to comment
Share on other sites

...then a group inside it to check for the av version.

This seems to be the issue.  I can't seem to construct the logic for 'no av'.

 

To me, "Installed software . Application name ≠ (not equal) ESET Endpoint Antivirus" means the client has software installed that is *not* ESET. Which would be anything other than ESET, hence all systems are returned.

Link to comment
Share on other sites

I've done something similar using three nested groups to detect whether ESET Endpoint was not installed and Vipre (my old product) was also not installed. Took a while to work out how to get this to work using three separate dynamic group templates which are applied to nested dynamic groups (each one filtering out the machines that do not match the rule) and the 'Operation' option (setting to NAND so it's looking for queries that return FALSE).

 
My rules (nested) are:
 
Name: "Installed Software List Populated" - Operation: "AND" - Rule: "Installed software . Application vendor" contains "Microsoft"
 
Name: "No ESET Endpoint Security" - Operation: "NAND" - Rule: "Installed software . Application name" contains "ESET Endpoint Security"
 
Name: "No Vipre" - Operation: "NAND" - Rule: "Installed software . Application vendor" contains "ThreatTrack Security, Inc."
 
 
The first rule was added because sometimes newly added clients had not populated the software list (and as such rules checking if something is not installed would always return TRUE); there will always be something from Microsoft installed so this just confirms that the list has been populated.
 
Note that I'm not looking at whether the agent is on-line (the task triggered by the group will not run if it's not online so this is not a concern). I'm also not sure that it's worth checking if the Agent is installed because the software list will not be populated if the agent is not on the machine.
 
Hope this is of some use.
Link to comment
Share on other sites
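
A small Python model of the behaviour discussed in the posts above, added here as an example; it is not part of the original thread and is not ESET's code. It assumes a rule is true when at least one installed-software row satisfies it (the reading given earlier in the thread); the hostnames, inventories and function names are constructed for illustration.

```python
# Constructed inventories: hostname -> list of (application name, vendor) rows.
MS = ("Microsoft Visual C++ Redistributable", "Microsoft Corporation")
AGENT = ("ESET Remote Administrator Agent", "ESET, spol. s r.o.")
INVENTORY = {
    "ws-full": [MS, AGENT, ("ESET Endpoint Security", "ESET, spol. s r.o.")],
    "ws-agent-only": [MS, AGENT],
    "ws-vipre": [MS, AGENT, ("VIPRE Business Agent", "ThreatTrack Security, Inc.")],
    "ws-new": [],  # just enrolled, software list not reported yet
}
NAME, VENDOR = 0, 1


def any_row(rows, field, pred):
    """Assumed rule semantics: true when at least one row satisfies pred."""
    return any(pred(row[field]) for row in rows)


def naive_not_equal(rows, product):
    """'Application name != product': true if ANY other software is installed."""
    return any_row(rows, NAME, lambda value: value != product)


def nand_contains(rows, field, text):
    """NAND over 'contains': true only when NO row contains the text."""
    return not any_row(rows, field, lambda value: text in value)


def missing_av(rows):
    """The three nested groups from the post, evaluated in order."""
    populated = any_row(rows, VENDOR, lambda value: "Microsoft" in value)
    no_eset = nand_contains(rows, NAME, "ESET Endpoint Security")
    no_vipre = nand_contains(rows, VENDOR, "ThreatTrack Security, Inc.")
    return populated and no_eset and no_vipre


def members(rule):
    """Hostnames that would land in a group built from the given rule."""
    return sorted(host for host, rows in INVENTORY.items() if rule(rows))


if __name__ == "__main__":
    print("!= rule:     ", members(lambda r: naive_not_equal(r, "ESET Endpoint Security")))
    print("NAND only:   ", members(lambda r: nand_contains(r, NAME, "ESET Endpoint Security")))
    print("nested rules:", members(missing_av))
```

The "not equal" rule matches every machine with a populated list, the bare NAND rule wrongly includes the machine with an empty list, and only the nested form isolates the workstation that has the agent but no antivirus product.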

  • Administrators

The good news is that negation of conditions will be improved in ERA 6.3 which will be available later this year (v6.2 is just about to be released).

Link to comment
Share on other sites

 


 

Yes, very helpful.  Thank you.

Link to comment
Share on other sites
