Combining results for an OSX Analysis

Ok, so we have an analysis for a product called FireEye, and we would like to use one analysis to query Windows and OSX devices for "version" and "state" information.

The following works for Windows:
All the things
if exists service "xagt" then (version of it, state of it) of service "xagt" as string else "Not installed"

The following works for Mac:
Fireeye Version
if (exists file "/Library/FireEye/xagt/xagt.app/Contents/Info.plist") then (string "CFBundleShortVersionString" of dictionary of file ("/Library/FireEye/xagt/xagt.app/Contents/Info.plist" as string)) else "Not installed"

Fireeye Running
exists names whose (it starts with "xagt") of processes as string

What we would like is to combine all of these questions into one tidy property in an analysis like the following:

if (windows of operating system and exists service "xagt") then (version of it, state of it) of service "xagt" as string else "Not installed" if (mac of operating system and exists file "/Library/FireEye/xagt/xagt.app/Contents/Info.plist") then ((string "CFBundleShortVersionString" of dictionary of file ("/Library/FireEye/xagt/xagt.app/Contents/Info.plist")), (exists names whose (it starts with "xagt" OR it starts with "FireEye") of processes as string)) else "Not Installed"

The first portion for Windows of course works beautifully, the next sections for OSX however fail miserably because, I assume, it’s not a real computer and deserves to be shamed into a non-functioning state for its pretension!

That, or it's because the If/Then/Else query perhaps does not like being combined with data queries against two different sources?

Or if anyone has an idea of how we could make this work I’d be most grateful!

Kind regards,
Shannon

There are all sorts of ways you could do this. I took a stab at one below. I think one issue you’re running into is that your Windows half is supposed to return a tuple consisting of (version, string) and your Mac half seems to be trying to return (string, boolean). Your types will have to match, so casting everything to a string will help on that front. It’s also the case that “Not Installed” is a singular string and your tuples won’t be, so that’s another mismatch.

The other thing is that there is a more efficient way to write this query (and probably an even more efficient way than I used…). Rather than checking if the file or service exists, you can use the | operator to report “Not Installed” if the service/value/what have you doesn’t exist.

Here are the examples broken down by OS:

Windows: If the service “xagt” exists, this gives (version of it, state of it) as one singular string:

Q: ((version of it, state of it) as string) of service "xagt" | "Not Installed"
A: Not Installed
T: 0.208 ms
I: singular string

Mac: This one is a little less pretty. It gives the value of the CFBundleShortVersion String if the file exists, otherwise it says “Not Installed.” It also reports true/false regarding whether there’s a process with “xagt” or “FireEye” in the name. The tuple gets cast as a singular string, then, for parity with the Windows version, it reports “Not Installed” if it’s not installed, otherwise it reports the version and the status.

Q: (if it contains "Not Installed" then "Not Installed" else it) of ((string "CFBundleShortVersionString" of dictionary of file "/Library/FireEye/xagt/xagt.app/Contents/Info.plist" | "Not Installed", (exists names whose (it starts with "xagt" OR it starts with "FireEye") of processes)) as string)
A: Not Installed
T: 451

Putting that all together and adding If/then/else to catch OSes, we get the below, which correctly reports “Not Installed” on all my test devices. You’ll have to test it on devices with the software to make sure I didn’t screw something up along the way.

if windows of operating system then (((version of it, state of it) as string) of service "xagt" | "Not Installed") else if mac of operating system then (if it contains "Not Installed" then "Not Installed" else it) of ((string "CFBundleShortVersionString" of dictionary of file "/Library/FireEye/xagt/xagt.app/Contents/Info.plist" | "Not Installed", (exists names whose (it starts with "xagt" OR it starts with "FireEye") of processes)) as string) else "Not Mac/PC"

That... was splendid, and works perfectly! Thank you ever so much!
