By default, IAG is capable of detecting a wide range of software on the client side. What happens if the software I want to check is not in the list?
I had that constraint with one of my partners, Skyrecon.
Here is the methodology we used:
1) Ask the partner to create a VBS that performs the checks and displays the result at the end (wscript.echo "XXX")
2) Implement this script in IAG, replacing the wscript.echo calls with RESULTS
=> If you are not familiar with how to extend client-side analysis in IAG, check this post: click
Here is the script that we implemented. WARNING: this script is not supported and is supplied AS IS:
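To make steps 1 and 2 a single edit instead of a search-and-replace, the following skeleton is an added example (not Skyrecon's or Microsoft's code, and not from the original post). It routes every result through one Report routine that echoes when isdebug is True and writes to the IAG Results collection otherwise, so the developer's wscript.echo lines never need to be swapped by hand. The product name "ExampleAgent", the registry path, the value name and the process name are placeholders to adapt; the Results collection is assumed to be the one IAG makes available to detection scripts, as in the StormShield script below.

```vbscript
' Generic IAG client-side check skeleton (added example; placeholders, not a real product's settings).
Dim isdebug
isdebug = False   ' True: run with cscript on a workstation and echo; False: report to IAG via Results

Const HKEY_LOCAL_MACHINE = &H80000002

Dim strProduct, strKeyPath, strValueName, strProcess
strProduct   = "ExampleAgent"                          ' placeholder product name (assumption)
strKeyPath   = "SOFTWARE\ExampleVendor\ExampleAgent"   ' placeholder registry path (assumption)
strValueName = "Version"                               ' placeholder value name (assumption)
strProcess   = "exampleagent.exe"                      ' placeholder process name (assumption)

' Report one result: echo in debug mode, otherwise hand it to IAG (Results is provided by IAG).
Sub Report(strName, value)
    If isdebug Then
        WScript.Echo strName & " = " & value
    Else
        Results(strName) = value
    End If
End Sub

' Read a REG_SZ value from HKLM; returns "" when the key or value is missing.
' GetStringValue returns 0 on success and leaves the output parameter Null otherwise.
Function RegString(strPath, strName)
    Dim oReg, strValue, rc
    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    rc = oReg.GetStringValue(HKEY_LOCAL_MACHINE, strPath, strName, strValue)
    If rc = 0 And Not IsNull(strValue) Then
        RegString = strValue
    Else
        RegString = ""
    End If
End Function

' Count running processes with the given image name (WMI Win32_Process).
Function ProcessCount(strName)
    Dim objWMI, colProcs
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set colProcs = objWMI.ExecQuery("Select * from Win32_Process Where Name = '" & strName & "'")
    ProcessCount = colProcs.Count
End Function

Dim strVersion
strVersion = RegString(strKeyPath, strValueName)

' Same three results as the StormShield script: installed, version, running
Report strProduct & "_installed", (strVersion <> "")
Report strProduct & "_version", strVersion
Report strProduct & "_running", (ProcessCount(strProcess) > 0)
```

Run it first with cscript and isdebug=True on a workstation with and without the agent, then set isdebug=False and paste it into IAG; the only difference between the two runs is which branch of Report executes.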
'**********************************************
'** authors
'** Skyrecon :fbonneville@skyrecon.com
'** Microsoft :fesnouf@microsoft.com
'** V1.5 : SUPPLIED AS IS
'**********************************************

'Set this variable to True to run the VBS on a workstation (cscript); it will then use "wscript.echo"
'instead of the IAG Results collection
Dim isdebug
isdebug = False

'Vars for IAG
Dim StormShield_running
StormShield_running = False
Dim StormShield_installed
StormShield_installed = False
Dim StormShield_version
StormShield_version = False

If isdebug = True Then
    wscript.echo "IAG/StormShield detection script version 1.0"
End If

'Expected version and process names
strVersion = "4.802"
strProcess = "Srservice.exe"
strProcess2 = "Framework.exe"

'Check StormShield registry keys
'===============================
If isdebug = True Then
    wscript.echo "Check StormShield registry keys"
End If

Const HKEY_CLASSES_ROOT = &H80000000
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

'Retrieve StormShield Working Dir From the Registry
strKeyPath = "CLSID\{57E31333-9DE9-49ad-9B65-9DAE61FBFFE3}\Agent\Service\Process0"
strValueName = "WorkingDir"
oReg.GetStringValue HKEY_CLASSES_ROOT, strKeyPath, strValueName, strWrkDir

If isdebug = True Then
    wscript.echo "Working directory is " & strWrkDir
End If

'Retrieve the Version_id value; GetStringValue returns 0 on success and leaves strValue Null when the value is missing
strKeyPath = "CLSID\{57E31333-9DE9-49ad-9B65-9DAE61FBFFE3}"
strValueName = "Version_id"
rc = oReg.GetStringValue(HKEY_CLASSES_ROOT, strKeyPath, strValueName, strValue)

If rc = 0 And Not IsNull(strValue) Then
    If isdebug = True Then
        wscript.echo "Registry key exists (" & strValue & ") => StormShield_installed=True, Now check version " & strVersion
    End If
    StormShield_installed = True
Else
    If isdebug = True Then
        wscript.echo "Reg key is missing => StormShield_installed=False"
    End If
    StormShield_installed = False
End If

'Check StormShield Version
'=========================
'Reads the first line of <WorkingDir>\conf\version.sro; returns "" if the file is missing or empty,
'so a missing agent does not abort the script with a file error
Function ReadTextFileTest
    Const ForReading = 1
    Dim fso, f, strFile
    ReadTextFileTest = ""
    Set fso = CreateObject("Scripting.FileSystemObject")
    strFile = strWrkDir & "\conf\version.sro"
    If fso.FileExists(strFile) Then
        Set f = fso.OpenTextFile(strFile, ForReading)
        If Not f.AtEndOfStream Then
            ReadTextFileTest = Trim(f.ReadLine)
        End If
        f.Close
    End If
End Function

If StormShield_installed = True And ReadTextFileTest = strVersion Then
    If isdebug = True Then
        wscript.echo "Current version is correct (" & strVersion & ") => StormShield_version=True, Now check " & strProcess
    End If
    StormShield_version = True
Else
    If isdebug = True Then
        wscript.echo "Current version is not correct (expected " & strVersion & ") => StormShield_version=False"
    End If
    StormShield_version = False
End If

'Check If StormShield is running
'===============================
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcesses = objWMIService.ExecQuery("Select * from Win32_Process Where Name = '" & strProcess & "'")

If colProcesses.Count > 0 Then
    If isdebug = True Then
        wscript.echo strProcess & " is Running, Now check " & strProcess2
    End If
    Set colProcesses = objWMIService.ExecQuery("Select * from Win32_Process Where Name = '" & strProcess2 & "'")
    If colProcesses.Count > 0 Then
        If isdebug = True Then
            wscript.echo strProcess2 & " is Running => StormShield_running=True"
        End If
        StormShield_running = True
    Else
        If isdebug = True Then
            wscript.echo strProcess2 & " is not Running => StormShield_running=False"
        End If
        StormShield_running = False
    End If
Else
    If isdebug = True Then
        wscript.echo strProcess & " is not Running => StormShield_running=False"
    End If
    StormShield_running = False
End If

'Report the results: echo on a workstation, otherwise send them back to the IAG server
If isdebug = True Then
    wscript.echo "Installed = " & StormShield_installed
    wscript.echo "Running = " & StormShield_running
    wscript.echo "Currentversion = " & StormShield_version
Else
    Results("StormShield_installed") = StormShield_installed
    Results("StormShield_running") = StormShield_running
    Results("StormShield_version") = StormShield_version
End If

'<END OF THE SCRIPT>
As you can see at the end, the wscript.echo calls written by the script's developer (Skyrecon) are kept only for the debug mode (isdebug=True), and in the IAG mode the RESULTS function sends these variables/values back to the IAG server. Run the script with cscript and isdebug=True on a test workstation, with and without StormShield installed, before loading it into IAG, so that problems such as a missing registry key or version file show up on the console rather than inside IAG. Keep in mind that these checks rely on a registry value, a version file and two process names as reported by the client, so they confirm the presence of the agent, not its integrity.