glpi-project / glpi-agent

GLPI Agent
GNU General Public License v2.0

Failure to detect software as Antivirus. #565

Open danielbarciela opened 6 months ago

danielbarciela commented 6 months ago

It has been detected that the GLPI agent's software inventory does not correctly recognize the antivirus categorization for some assets. For instance, Cortex XDR™ Advanced Endpoint Protection does recognize it as an antivirus; however, Cortex XDR 8.1.2.47081 does not. Both have the same version and the same manufacturer.

g-bougard commented 6 months ago

Hi @danielbarciela

this means this AV is not supported by GLPI-Agent. If you want this support, can you provide what can be done on the system to recover its status? Version, database version, whether it is enabled or up-to-date, and so on. Also, on which operating system does this AV run?

danielbarciela commented 5 months ago

Hi @g-bougard,

The antivirus version is 8.1.2.47081. The antivirus is enabled and up to date. The antivirus is running on systems 'Microsoft Windows 10 Pro', 'Microsoft Windows 10 Enterprise', and 'Microsoft Windows 11 Pro'.

Thanks!

g-bougard commented 5 months ago

Hi @danielbarciela

Okay, thank you.

Can it be downloaded publicly and installed as a trial version? If yes, can you provide a link to the official download site?

danielbarciela commented 5 months ago

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.1/Cortex-XDR-Agent-Administrator-Guide/Install-the-Cortex-XDR-Agent-with-Installer-and-Content-Update-Package

g-bougard commented 5 months ago

Hello @danielbarciela

as far as I can see, there's no public release of the Cortex XDR agent. I only see that we can request a demo. But this is definitely not a process which matches my need to just find out how to inventory this AV agent. So I won't be able to test support for it by myself.

Anyway, in the doc link you pointed out, it seems we can use the cytool command, which seems to be installed in the C:\Program Files\Palo Alto Networks\Traps folder. Can you confirm this is the case?

Then, if yes, we can try to find the required information. First, can you report the output of glpi-inventory --partial=antivirus when run from an administrative console and from the agent installation folder? Just to check whether something is detected and only the details are missing.

So, if I read the documentation correctly, can you share the output of the following commands, run from an administrative console and from the C:\Program Files\Palo Alto Networks\Traps folder?

cytool info
cytool info query
cytool protect query service
cytool protect query file
cytool protect query pipe
cytool protect query registry
cytool protect query process

The last 5 may not be required if the XDR agent registers itself with Windows as an AV agent and Windows reports it is enabled. This is the purpose of the glpi-inventory output request. In that case, only the first 2 outputs may be required.

danielbarciela commented 3 months ago

Hello,

I apologize for the delay; I haven't been able to gather the requested information earlier.

Indeed, the 'cytool' command is installed in the path 'C:\Program Files\Palo Alto Networks\Traps'.

The output of glpi-inventory --partial=antivirus:

{
   "action": "inventory",
   "content": {
      "bios": {
         "bdate": "2020-11-12",
         "biosserial": "VMware-42 08 c4 ef 59 b8 92 0a-c7 21 65 8a 50 e3 bc f8",
         "bmanufacturer": "Phoenix Technologies LTD",
         "bversion": "6.00",
         "mmodel": "440BX Desktop Reference Platform",
         "smanufacturer": "VMware, Inc.",
         "smodel": "VMware Virtual Platform",
         "ssn": "VMware-42 08 c4 ef 59 b8 92 0a-c7 21 65 8a 50 e3 bc f8"
      },
      "hardware": {
         "chassis_type": "Other",
         "description": "Enterprise PC",
         "memory": 16383,
         "name": "enterprise-pc",
         "uuid": "EFC40842-B859-0A92-C721-658A50E3BCF8",
         "vmsystem": "VMware",
         "winlang": "1033",
         "winowner": "Windows User",
         "winprodid": "XXXXX-XXXXX-XXXXX-XXXXX",
         "winprodkey": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX",
         "workgroup": "entreprise.int"
      },
      "versionclient": "GLPI-Inventory_v1.4"
   },
   "deviceid": "enterprise-pc.enterprise.int-2024-03-12-11-43-38",
   "itemtype": "Computer",
   "partial": true
}

If I run the 'glpi-inventory' command, I obtain that Cortex is classified as software:

<SOFTWARES>
  <ARCH>x86_64</ARCH>
  <FROM>registry</FROM>
  <GUID>{D3FC186A-F2AA-4FA9-8E2D-C48F49ADAFA1}</GUID>
  <HELPLINK>http://www.paloaltonetworks.com</HELPLINK>
  <INSTALLDATE>25/02/2024</INSTALLDATE>
  <NAME>Cortex XDR 8.2.1.47908</NAME>
  <PUBLISHER>Palo Alto Networks, Inc.</PUBLISHER>
  <SYSTEM_CATEGORY>application</SYSTEM_CATEGORY>
  <UNINSTALL_STRING>MsiExec.exe /X{D3FC186A-F2AA-4FA9-8E2D-C48F49ADAFA1}</UNINSTALL_STRING>
  <VERSION>8.2.1.47908</VERSION>
</SOFTWARES>

danielbarciela commented 2 months ago

Is there any news on this topic? Do you know when it will be included in a new version?

g-bougard commented 2 months ago

Hi @danielbarciela

I'll try to update AV support to include this detection. But it seems it doesn't register itself as an AV on the system; that's still weird.

Anyway thank you for the output sharing.

I'll tell you if I need other information.

g-bougard commented 2 months ago

Hi @danielbarciela

can you share the output of the following commands, run from an administrative console where Cortex is installed?

wmic /namespace:\\root\SecurityCenter path AntiVirusProduct get /format:list
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /format:list
wmic /namespace:\\root\microsoft\windows\defender path MSFT_MpComputerStatus get /format:list

I need these outputs to verify how to include support for this AV.

g-bougard commented 1 month ago

Hi @danielbarciela

do you still require this AV integration? If yes, please share the last required output or I will finally close this issue.

keguira commented 1 month ago

> Hi @danielbarciela
>
> do you still require this AV integration? If yes, please share the last required output or I will finally close this issue.

We also use Cortex at my job. I'll share this info next week (as I'm on vacation).

keguira commented 1 month ago

Hello.

From different test servers:

Windows Server 2012 R2:

PS C:\Windows\system32> wmic /namespace:\\root\SecurityCenter path AntiVirusProduct get /format:list
ERROR:
Description = Invalid namespace
PS C:\Windows\system32> wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /format:list
ERROR:
Description = Invalid namespace
PS C:\Windows\system32> wmic /namespace:\\root\microsoft\windows\defender path MSFT_MpComputerStatus get /format:list
ERROR:
Description = Invalid namespace

On a Windows Server 2022:

PS C:\Windows\system32> wmic /namespace:\\root\SecurityCenter path AntiVirusProduct get /format:list
ERROR:
Description = Invalid namespace
PS C:\Windows\system32> wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /format:list
ERROR:
Description = Invalid namespace
PS C:\Windows\system32> wmic /namespace:\\root\microsoft\windows\defender path MSFT_MpComputerStatus get /format:list

AMEngineVersion=1.1.24050.5
AMProductVersion=4.18.24040.4
AMRunningMode=Normal
AMServiceEnabled=TRUE
AMServiceVersion=4.18.24040.4
AntispywareEnabled=TRUE
AntispywareSignatureAge=2
AntispywareSignatureLastUpdated=20240601094035.000000+000
AntispywareSignatureVersion=1.413.42.0
AntivirusEnabled=TRUE
AntivirusSignatureAge=2
AntivirusSignatureLastUpdated=20240601094035.000000+000
AntivirusSignatureVersion=1.413.42.0
BehaviorMonitorEnabled=TRUE
ComputerID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
ComputerState=0
DefenderSignaturesOutOfDate=FALSE
DeviceControlDefaultEnforcement=
DeviceControlPoliciesLastUpdated=16010101000000.000000+000
DeviceControlState=Disabled
FullScanAge=4294967295
FullScanEndTime=
FullScanOverdue=FALSE
FullScanRequired=FALSE
FullScanSignatureVersion=
FullScanStartTime=
InitializationProgress=ServiceStartedSuccessfully
IoavProtectionEnabled=TRUE
IsTamperProtected=FALSE
IsVirtualMachine=TRUE
LastFullScanSource=0
LastQuickScanSource=2
NISEnabled=TRUE
NISEngineVersion=1.1.24050.5
NISSignatureAge=2
NISSignatureLastUpdated=20240601094035.000000+000
NISSignatureVersion=1.413.42.0
OnAccessProtectionEnabled=TRUE
ProductStatus=524288
QuickScanAge=0
QuickScanEndTime=20240603021958.229000+000
QuickScanOverdue=FALSE
QuickScanSignatureVersion=1.413.42.0
QuickScanStartTime=20240603021927.319000+000
RealTimeProtectionEnabled=TRUE
RealTimeScanDirection=0
RebootRequired=FALSE
SmartAppControlExpiration=
SmartAppControlState=Off
TamperProtectionSource=Signatures
TDTCapable=N/A
TDTMode=N/A
TDTSiloType=N/A
TDTStatus=N/A
TDTTelemetry=N/A
TroubleShootingDailyMaxQuota=
TroubleShootingDailyQuotaLeft=
TroubleShootingEndTime=
TroubleShootingExpirationLeft=
TroubleShootingMode=
TroubleShootingModeSource=
TroubleShootingQuotaResetTime=
TroubleShootingStartTime=

Tried with PowerShell and the command prompt.

I'm trying to figure out why it's not working. When I find something, I'll post it here.

On my test computer with Windows 10 21H2:

PS C:\Users\jdoe> wmic /namespace:\\root\SecurityCenter path AntiVirusProduct get /format:list
No instances available.

PS C:\Users\jdoe> wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /format:list

displayName=Cortex XDR™ Advanced Endpoint Protection
instanceGuid={039B84C6-9093-15D8-05F9-71749802F984}
pathToSignedProductExe=%ProgramFiles%\Palo Alto Networks\Traps\cyserver.exe
pathToSignedReportingExe=C:\Program Files\Palo Alto Networks\Traps\cyserver.exe
productState=266240
timestamp=Mon, 03 Jun 2024 06:38:07 GMT

displayName=Cortex XDR™ Advanced Endpoint Protection
instanceGuid={6E23F8F6-B632-FB88-DD69-8B180C4DF186}
pathToSignedProductExe=%ProgramFiles%\Palo Alto Networks\Traps\cyserver.exe
pathToSignedReportingExe=C:\Program Files\Palo Alto Networks\Traps\cyserver.exe
productState=266240
timestamp=Mon, 15 May 2023 07:19:59 GMT

displayName=Windows Defender
instanceGuid={D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe=windowsdefender://
pathToSignedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
productState=393472
timestamp=Thu, 18 Apr 2024 07:05:22 GMT

displayName=Kaspersky Endpoint Security for Windows
instanceGuid={0AB30972-4BAC-7BEE-CBCA-B8F9E68797D8}
pathToSignedProductExe=C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\wmiav.exe
pathToSignedReportingExe=C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\x64\wmi64.exe
productState=270336
timestamp=Wed, 01 Sep 2021 09:33:06 GMT

PS C:\Users\jdoe> wmic /namespace:\\root\microsoft\windows\defender path MSFT_MpComputerStatus get /format:list

AMEngineVersion=0.0.0.0
AMProductVersion=4.18.2202.4
AMRunningMode=Not running
AMServiceEnabled=FALSE
AMServiceVersion=0.0.0.0
AntispywareEnabled=FALSE
AntispywareSignatureAge=4294967295
AntispywareSignatureLastUpdated=
AntispywareSignatureVersion=0.0.0.0
AntivirusEnabled=FALSE
AntivirusSignatureAge=4294967295
AntivirusSignatureLastUpdated=
AntivirusSignatureVersion=0.0.0.0
BehaviorMonitorEnabled=FALSE
ComputerID=58XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
ComputerState=0
DefenderSignaturesOutOfDate=FALSE
DeviceControlDefaultEnforcement=N/A
DeviceControlPoliciesLastUpdated=16010101000000.000000+000
DeviceControlState=N/A
FullScanAge=4294967295
FullScanEndTime=
FullScanOverdue=FALSE
FullScanRequired=FALSE
FullScanSignatureVersion=
FullScanStartTime=
IoavProtectionEnabled=FALSE
IsTamperProtected=FALSE
IsVirtualMachine=FALSE
LastFullScanSource=0
LastQuickScanSource=0
NISEnabled=FALSE
NISEngineVersion=0.0.0.0
NISSignatureAge=4294967295
NISSignatureLastUpdated=
NISSignatureVersion=0.0.0.0
OnAccessProtectionEnabled=FALSE
ProductStatus=1
QuickScanAge=4294967295
QuickScanEndTime=
QuickScanOverdue=FALSE
QuickScanSignatureVersion=
QuickScanStartTime=
RealTimeProtectionEnabled=FALSE
RealTimeScanDirection=0
RebootRequired=FALSE
TamperProtectionSource=Signatures
TDTMode=N/A
TDTStatus=N/A
TDTTelemetry=N/A

Also, wmic has been deprecated; that's why I tried multiple OSes.

g-bougard commented 1 month ago

Hi @keguira

first of all, as far as I know, anti-virus inventory as glpi-agent does it is not supported on Windows Server. I really don't know why, but this is a Microsoft decision.

Anyway, it seems MS Defender is really active on your Windows Server 2022.

On your Windows 10 test computer, can you also share the output of the following commands, run from an administrative console?

C:\Program Files\Palo Alto Networks\Traps\cytool info
C:\Program Files\Palo Alto Networks\Traps\cytool info query

danielbarciela commented 4 weeks ago

Hello again,

Sorry for the delay, I missed the notification. I have executed the commands and obtained the following results:

C:\Users\daniel>wmic /namespace:\\root\SecurityCenter path AntiVirusProduct get /format:list
ERROR:
Description = Invalid namespace
C:\Users\daniel>wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /format:list
ERROR:
Description = Invalid namespace
C:\Users\daniel>wmic /namespace:\\root\microsoft\windows\defender path MSFT_MpComputerStatus get /format:list

AMEngineVersion=1.1.19600.3
AMProductVersion=4.18.2104.5
AMRunningMode=Normal
AMServiceEnabled=TRUE
AMServiceVersion=4.18.2104.5
AntispywareEnabled=TRUE
AntispywareSignatureAge=610
AntispywareSignatureLastUpdated=20221004035225.000000+000
AntispywareSignatureVersion=1.375.1493.0
AntivirusEnabled=TRUE
AntivirusSignatureAge=610
AntivirusSignatureLastUpdated=20221004035225.000000+000
AntivirusSignatureVersion=1.375.1493.0
BehaviorMonitorEnabled=TRUE
ComputerID=F658988D-42DC-43B6-A2BC-6486D9F95A34
ComputerState=0
FullScanAge=4294967295
FullScanEndTime=
FullScanStartTime=
IoavProtectionEnabled=TRUE
IsTamperProtected=FALSE
IsVirtualMachine=TRUE
LastFullScanSource=0
LastQuickScanSource=2
NISEnabled=TRUE
NISEngineVersion=1.1.19600.3
NISSignatureAge=610
NISSignatureLastUpdated=20221004035225.000000+000
NISSignatureVersion=1.375.1493.0
OnAccessProtectionEnabled=TRUE
QuickScanAge=0
QuickScanEndTime=20240605000641.181000+000
QuickScanStartTime=20240605000036.171000+000
RealTimeProtectionEnabled=TRUE
RealTimeScanDirection=0
TamperProtectionSource=E3 transition

g-bougard commented 4 weeks ago

Hi @danielbarciela

you seem to be in a case where only MS Defender is reported as active. It's like Keguira's "Windows Server 2022" case. But you said earlier you are using 'Microsoft Windows 10 Pro', 'Microsoft Windows 10 Enterprise', and 'Microsoft Windows 11 Pro' systems.

Is Cortex really running at the same time as MS Defender?

danielbarciela commented 4 weeks ago

Hello @g-bougard

In this case, it is also a Windows Server 2022 Standard, like Keguira's. Yes, Cortex is active, and in GLPI the agent does not recognize any antivirus on this machine and categorizes Cortex as software, but not as a firewall.

g-bougard commented 4 weeks ago

As I already said to Keguira, Windows Server is actually not supported.

Maybe I can try to look for a runnable cytool command in that case.

g-bougard commented 3 weeks ago

As I already said to Keguira, Windows Server is actually not supported.

But indeed I see here an opportunity to implement an alternative, as we have a way to find out whether the service is active by checking the cytool protect query service output for the service policy. I'm not definitely sure about the command, but maybe you can make some tests looking at the documentation and tell me if this is correct.

So I just updated the AntiVirus Windows module with Cortex XDR support, and it should also work on Windows Server. Here is the patch: cortex.patch.txt

But you can directly try it by replacing the AntiVirus module with the one from this archive: AntiVirus.pm.zip. Can you test it, @danielbarciela & @keguira, and report the result to me on Windows 10 or 11 and on Windows Server?

Actually, with the discovered data I'm not able to set the license expiration date or to find out whether the antivirus database is up-to-date (here only for the Windows Server case). If you find a way to know these 2 data points, please tell me.

keguira commented 3 weeks ago

I tested the new file. Did an inventory before applying the patch and then redid it.

On a Windows 10 computer:

Antivirus section before patch: (screenshot)

Antivirus section after patch: (screenshot)

Will update with server when I can

g-bougard commented 2 weeks ago

Hi @keguira

do you mean you still had Cortex before the patch and nothing changed, or did you mix up the screenshots?

keguira commented 2 weeks ago

> Hi @keguira
>
> do you mean you still had Cortex before the patch and nothing changed, or did you mix up the screenshots?

Damned, yes: this computer had "Cortex XDR Advanced Endpoint Protection" as antivirus already and yes, no regression. I'm trying to find a computer that has Cortex installed but not appearing as antivirus with Win 10 or 11. As for servers, the patch doesn't change anything on my side, but as you already said: it will never appear.

g-bougard commented 2 weeks ago

Hi @keguira

as I explained, the patch is also an attempt to detect the AV on Windows Server. Can you confirm you tested it on Windows Server without success?

keguira commented 2 weeks ago

> Hi @keguira
>
> as I explained, the patch is also an attempt to detect the AV on Windows Server. Can you confirm you tested it on Windows Server without success?

Retried on two servers to avoid issues.

Conf:

Method: used servers (test environments) with an activated Cortex, detected as active in our system consoles. I relaunched a full inventory with an unpatched version of the agent, then a full inventory with the patch.

On Windows Server 2012 R2: Cortex XDR 8.2.2.49708 inventoried as software but no antivirus entry.
On Windows Server 2022 Standard: Cortex XDR 8.2.2.49708 inventoried as software but no antivirus entry.

Edit: In the logs, the only info related to antivirus is this:

[Wed Jun 19 09:22:16 2024][debug] Running GLPI::Agent::Task::Inventory::Win32::AntiVirus
[Wed Jun 19 09:22:16 2024][debug2] Win32::OLE ERROR: Invalid namespace
[Wed Jun 19 09:22:16 2024][debug2] Win32::OLE ERROR: Invalid namespace

I'm trying to understand the process in the patch to see if this is not a typo or a simple thing that makes it not work. If I find something, I'll keep you informed.

danielbarciela commented 2 weeks ago

Hi @g-bougard ,

Right now, I can't test it. I am waiting for some permissions on the installation folder. As soon as I have them, I will test it and inform you of the result.

g-bougard commented 1 week ago

Hi @keguira & @danielbarciela

I may have another way to find if an AV is running on a Windows Server: check if a dedicated service is running.

So can you share the output of the following command on a Windows Server OS where Cortex is running? I really only need the part reporting that a Cortex-related service is running.

wmic path Win32_Service get /format:list

Also, as I asked some time ago, do you have any clue how to find the licence expiration and how to know if the AV database is up-to-date?

danielbarciela commented 1 week ago

Hi @g-bougard ,

I have executed the command; the Cortex-related information it returns is as follows:

AcceptPause=FALSE
AcceptStop=FALSE
Caption=Cortex XDR
CheckPoint=0
CreationClassName=Win32_Service
DelayedAutoStart=FALSE
Description=Cortex XDR Service
DesktopInteract=FALSE
DisplayName=Cortex XDR
ErrorControl=Normal
ExitCode=0
InstallDate=
Name=cyserver
PathName="C:\Program Files\Palo Alto Networks\Traps\cyserver.exe"
ProcessId=2836
ServiceSpecificExitCode=0
ServiceType=Own Process
Started=TRUE
StartMode=Auto
StartName=LocalSystem
State=Running
Status=OK
SystemCreationClassName=Win32_ComputerSystem
SystemName=MYPC
TagId=0
WaitHint=0

AcceptPause=FALSE
AcceptStop=FALSE
Caption=Cortex XDR Health Helper
CheckPoint=0
CreationClassName=Win32_Service
DelayedAutoStart=FALSE
Description=
DesktopInteract=FALSE
DisplayName=Cortex XDR Health Helper
ErrorControl=Normal
ExitCode=0
InstallDate=
Name=xdrhealth
PathName="C:\Program Files\Palo Alto Networks\Cortex XDR Health Helper\xdrhealth.exe"
ProcessId=0
ServiceSpecificExitCode=0
ServiceType=Own Process
Started=FALSE
StartMode=Auto
StartName=LocalSystem
State=Stopped
Status=OK
SystemCreationClassName=Win32_ComputerSystem
SystemName=MYPC
TagId=0
WaitHint=0

The result is somewhat extensive; I have copied only the references to Cortex. Let me know if you need anything else.
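The detection logic pieced together across this thread, written out as an added example in Python (it is not glpi-agent code, which is Perl): parse the `/format:list` output of the three wmic queries keguira and danielbarciela posted above, decode `productState` from root\SecurityCenter2 on Windows 10, and, when that namespace is missing as on Windows Server, fall back to the Win32_Service record of `cyserver` just posted, while still reporting Defender from its own MSFT_MpComputerStatus class. The `productState` byte layout used in `decode_product_state` is an assumption taken from common documentation of that field, not something this page confirms, and the sample outputs are constructed from the ones in this thread, trimmed to the fields the logic needs.

```python
"""Added example, not glpi-agent code: reproduce the antivirus detection
logic discussed in this thread from the text output of the three wmic
queries, including the Win32_Service fallback used on Windows Server."""
import re

# wmic prints "ERROR:" (or "ERREUR :" on a French system) before the
# "Description = Invalid namespace" line seen on Windows Server.
ERROR_LINE = re.compile(r"^(ERROR|ERREUR)\s*:", re.MULTILINE)


def parse_wmic_list(text):
    """Parse `wmic ... get /format:list` output into a list of dict records.

    Records are separated by blank lines. Returns None when wmic reported an
    error (missing namespace) and [] when there were no instances.
    """
    if ERROR_LINE.search(text):
        return None
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
        elif not line and current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def decode_product_state(product_state):
    """Decode the SecurityCenter2 productState integer.

    Assumption (commonly documented layout, not confirmed on this page):
    as six hex digits AABBCC, BB == 10 or 11 means the product is enabled
    and CC == 00 means its definitions are up to date.
    """
    hexstate = f"{int(product_state):06x}"
    return {"enabled": hexstate[2:4] in ("10", "11"),
            "uptodate": hexstate[4:6] == "00"}


def detect_antivirus(securitycenter2_out, services_out, defender_out=""):
    """Return the antivirus products an inventory should report.

    1. root\\SecurityCenter2 AntiVirusProduct when the namespace exists
       (Windows 10/11), decoding productState.
    2. Otherwise (Windows Server) fall back to Win32_Service and report
       Cortex XDR if its 'cyserver' service exists, enabled if Running.
    3. Microsoft Defender from MSFT_MpComputerStatus when not already listed,
       so a server where Defender is active is not reported as unprotected.
    """
    found = {}
    products = parse_wmic_list(securitycenter2_out)
    if products is not None:
        for prod in products:
            name = prod.get("displayName")
            if not name or name in found:
                continue  # Cortex is listed twice on the Windows 10 host
            found[name] = {"name": name, "source": "SecurityCenter2",
                           **decode_product_state(prod.get("productState", "0"))}
    else:
        for svc in parse_wmic_list(services_out) or []:
            if svc.get("Name", "").lower() == "cyserver":
                found["Cortex XDR"] = {
                    "name": "Cortex XDR", "source": "Win32_Service",
                    "company": "Palo Alto Networks",
                    "enabled": svc.get("State") == "Running",
                    "uptodate": None,  # not derivable from the service record
                }
    status = (parse_wmic_list(defender_out) or [None])[0]
    if status and not any("Defender" in n for n in found):
        found["Windows Defender"] = {
            "name": "Windows Defender", "source": "MSFT_MpComputerStatus",
            "enabled": status.get("AntivirusEnabled") == "TRUE",
            "uptodate": (status["DefenderSignaturesOutOfDate"] == "FALSE"
                         if "DefenderSignaturesOutOfDate" in status else None),
        }
    return list(found.values())


# Constructed samples, trimmed from the outputs posted earlier in this thread.
WIN10_SECURITYCENTER2 = """\
displayName=Cortex XDR Advanced Endpoint Protection
instanceGuid={039B84C6-9093-15D8-05F9-71749802F984}
productState=266240

displayName=Cortex XDR Advanced Endpoint Protection
instanceGuid={6E23F8F6-B632-FB88-DD69-8B180C4DF186}
productState=266240

displayName=Windows Defender
productState=393472

displayName=Kaspersky Endpoint Security for Windows
productState=270336
"""
SERVER_SECURITYCENTER2 = "ERROR:\nDescription = Invalid namespace\n"
SERVER_SERVICES = """\
Caption=Cortex XDR
Name=cyserver
PathName="C:\\Program Files\\Palo Alto Networks\\Traps\\cyserver.exe"
State=Running

Caption=Cortex XDR Health Helper
Name=xdrhealth
State=Stopped
"""
SERVER_DEFENDER = "AMRunningMode=Normal\nAntivirusEnabled=TRUE\nDefenderSignaturesOutOfDate=FALSE\n"

if __name__ == "__main__":
    for host, args in (("Windows 10", (WIN10_SECURITYCENTER2, "", "")),
                       ("Windows Server 2022",
                        (SERVER_SECURITYCENTER2, SERVER_SERVICES, SERVER_DEFENDER))):
        for av in detect_antivirus(*args):
            print(host, av)
```

On the Windows 10 sample this yields Cortex enabled and up to date, Defender present but disabled (matching the `AMRunningMode=Not running` status above), and Kaspersky disabled; on the server sample it yields Cortex enabled via the `cyserver` service with `uptodate` left as None, which is exactly the gap g-bougard mentions about licence expiration and database freshness on Windows Server, plus Defender as active. Without the fallback, the server would be reported with Defender only.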

g-bougard commented 1 week ago

Hi @danielbarciela

thank you, this is enough.

I prepared an update (167b5c7). I pushed it to the develop branch because I modified 2 files. This way it will be integrated in the next nightly build.

So can I ask you to test with the next nightly build, or you can take the current development build from the Windows-Build-x64 archive artifact of this GH Actions job?

danielbarciela commented 1 week ago

Hi @g-bougard I have conducted tests with the latest update and it still does not recognize the Antivirus on Windows Server.

g-bougard commented 1 week ago

Hi @danielbarciela, thank you. Can you share the trace from the inventory log with debug=2 enabled where it checks the AV?

danielbarciela commented 3 days ago

Hello,

I have run it with debug=2 and I get the following; however, it does not appear as antivirus in GLPI. The log file was very extensive; if you need any more information, please let me know.

... more information ...

[Mon Jul 1 17:14:53 2024][debug] Running GLPI::Agent::Task::Inventory::Win32::AntiVirus
[Mon Jul 1 17:14:53 2024][debug2] Win32::OLE ERROR: Invalid namespace
[Mon Jul 1 17:14:53 2024][debug2] Win32::OLE ERROR: Invalid namespace
[Mon Jul 1 17:14:53 2024][debug2] Looking for Win32_Service class WMI objects
[Mon Jul 1 17:14:54 2024][debug2] Added Cortex XDR

... more information ...

[Mon Jul 1 17:15:08 2024][debug2] [http client] 6A96E491: sending message: { "action": "inventory", "content": { "accesslog": { "logdate": "2024-07-01 17:14:25" }, "antivirus": [ { "company": "Palo Alto Networks", "enabled": true, "name": "Cortex XDR" } ],

... more information ...

g-bougard commented 3 days ago

Hello @danielbarciela

that's weird: after I added your "antivirus" node to a test JSON and imported the JSON, the antivirus appears in my test instance: (screenshot)

So the format is still correct, even if I see the version is not detected. My understanding is that you have done something on the server that prevents this antivirus from being integrated in GLPI.

g-bougard commented 2 days ago

Okay, anyway, I just found an issue with my code. Can you replace the AntiVirus.pm module with this one? https://raw.githubusercontent.com/glpi-project/glpi-agent/f13cda5727fbaa0bc1171e97d4c9b9ec82f221b2/lib/GLPI/Agent/Task/Inventory/Win32/AntiVirus.pm

Or you can wait for the next nightly build, or use the Windows build from the Windows-Build-x64 artifacts archive of this GH Actions run: https://github.com/glpi-project/glpi-agent/actions/runs/9757898787

danielbarciela commented 2 days ago

Hi @g-bougard ,

I have tested with the changes and it still does not appear in GLPI. It does send it in the log, though. Could there be a problem with the formats?

g-bougard commented 2 days ago

As I said and showed, it appears in my GLPI 10.0.15 test instance. To me, something is blocking the inventory from being integrated in GLPI on your side. You should maybe check your php-errors.log. Can you confirm your GLPI version?

@keguira Is this better for you on Windows Server with the latest build?

danielbarciela commented 2 days ago

Hi @g-bougard ,

It is GLPI 10.0.10. There doesn't seem to be anything significant in the php-errors.log. However, I will try to load an XML file with that information in another development environment to check if it loads correctly there.

g-bougard commented 2 days ago

Hi @danielbarciela

10.0.16 will be released today. You should really think about upgrading your GLPI soon. 10.0.10 is too old.

Just in case, try to run the inventory with the full-inventory-postpone option set to 0.

danielbarciela commented 1 day ago

Hi @g-bougard ,

I think I have found the root of the problem. I have extracted the XML file locally, and with the past modifications, it does not extract the basic information such as the name, which appears contained in the <HARDWARE></HARDWARE> tag. I have some rules activated so that if the computer name is not found, it won't be inventoried.

I have tested it with the original version of the agent, and this works correctly, so it must be a small error in the past modifications. Could you check it?

g-bougard commented 1 day ago

Hi @danielbarciela

HARDWARE node support didn't change recently. As I said, with a fresh instance it just seems to work. As you're telling me you "have some rules activated", do you mean you changed rules? If yes, check whether you may have mixed something up.

If you think something is wrong in a given context, please share some data to clarify your point. I'm not in your head and I can't always guess what you mean.

danielbarciela commented 22 hours ago

I have already resolved it, your work is correct. I was using agent 1.4 with your modifications, but if I use agent 1.10, it works correctly. I didn't notice that small detail. Thank you very much!

g-bougard commented 20 hours ago

Hi @keguira & @danielbarciela

do you have any Cortex agent installed on Linux or macOS? Following the Cortex XDR documentation, I'm trying to also support this detection on these OSes.

keguira commented 18 hours ago

@g-bougard hello, I didn't have the time to try these the past couple of weeks, sorry. I'll try tomorrow or next week. And indeed, I have some Debian servers with Cortex. I'll also try to run a scan with 1.9 and the latest build to report the detection state to you.

g-bougard commented 18 hours ago

Hi @keguira

thank you for your feedback.

About the Linux server case, I'll publish Linux support and you'll be able to test the nightly build from tomorrow. It would be cool if you could test it before the next release, planned for next Tuesday.

For Linux, can you eventually share the output of the following commands?

As far as I understood from the official documentation, the cytool command's full path is /opt/traps/bin/cytool.