Installing AV client to an image - how to enable reporting via BigFix?

(imported topic written by mcgougm91)

So…

The company that I’m at has a requirement to install BigFix on their XP desktop image and they want the AV client installed and configured on the image as well…but not by enabling a policy in BigFix. Instead they want the image to be using the Computer Associates AV stand-alone install and magically have it link back to BigFix for logging / reporting when a virus is detected on a client.

We have the Computer Associates client and it installs just fine and the realtime and scheduled scans work perfectly. Unfortunately, BigFix is not aware of the scan results from the clients that are installed using this method. Because really we should be installing AV via a BigFix policy. But that is not what the customer wants. I don’t make the rules, I just try to follow them. =)

I’ve been through the action script in the BigFix task that installs the AV client and am trying to pick out the parts that are needed to link the stand-alone AV client back to BigFix. The BESLoggingService needs to be invoked and the services need to be restarted. Is there more that I need to do? I do know there are these registry keys as well, which aren’t created with the stand-alone install:

HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\LoggingService\Plugins\Locations
@=""
"CA_AV"="C:\Program Files\BigFix Enterprise\BES Client\BESClientLoggingService\lib\antivirus.dll"

and here is a key and set of values created after a scan has been run (this was created by a client that got AV installed via BigFix policy)

HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\AntiVirus
"InstallationDate"="Tue, 10 Mar 2009 08:48:48 -0700"
"FilesScanned"="0"
"VirusesFound"="0"
"VirusesFoundTotal"="0"
"InfectedFilesFound"="0"
"Path"="C:\Program Files\BigFix Enterprise\BES Client\BESClientLoggingService\AV"
"ErrorFiles"="0"
"ScanParameters"="-MEM -ENG Vet -MOD Secure -ACT Cure -SCA RF -MCA RI -ARC -SFI -ARF -SYS -EXE "
"LastSigUpdate"="Thu, 23 Apr 2009 12:22:03 -0700"
"ScanDirectories"=""
"FirstScan"="Tue, 03 Feb 2009 20:09:57 -0800"
"ScanCount"="8"
"LastScan"="Tue, 24 Mar 2009 12:00:54 -0700"
"RenamedFiles"="0"
"CuredFiles"="0"
"CuredFilesTotal"="0"
"MovedFiles"="0"
"DeletedFiles"="0"
"LastScanDuration"="00:09:29"
"AvgScanDuration"="00:09:29"
"SDKPath"="C:\Program Files\BigFix Enterprise\BES Client\BESClientLoggingService\lib"

HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\AntiVirus\Statistics

HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\AntiVirus\Statistics\OverallRunStats
"RTTotalVirusesBlocked"="49"

Any ideas about how I can script the Computer Associates AV install so that it simulates an install via BigFix policy? Thank you in advance for patiently reading through this post and not replying that I should hit the customer over the head with the “use the BigFix task” frying pan.

(imported comment written by jessewk)

Make sure your image version of CA is using InoOEM.dll version 7.1.501.0 and ino_fltr.sys version 5.0.6100.156.

Then you need to take the following steps, which I’ve adapted from the deploy Task (completely untested):

Create and run a batch file to remove the UI:

@echo off
del /F /Q /S "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Computer Associates" > NUL 2> NUL
rmdir /Q /S "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Computer Associates" > NUL 2> NUL

Import the following reg file. Note I’ve hard-coded an install time value; it would be better to generate this in script, but getting a MIME-formatted date in DOS is hard. I’ve done it before, so if you care let me know and I’ll dig up the code. I’ve also hard-coded the BES client install directory.

REGEDIT4
; Key names are bracketed and backslashes inside string values are doubled, as the .reg format requires.

[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\AntiVirus]
"InstallationDate"="Thu, 23 Apr 2009 19:37:48 -0700"
"FilesScanned"="0"
"VirusesFound"="0"
"VirusesFoundTotal"="0"
"InfectedFilesFound"="0"
"Path"="C:\\Program Files\\BigFix Enterprise\\BES Client\\BESClientLoggingService\\AV"
"ErrorFiles"="0"
"ScanParameters"="-ENG Vet"

[HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrustAntivirus\CurrentVersion\SystemSetting]
"RTAboutBox"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrustAntivirus\CurrentVersion\Realtime]
"dwFileFilterType"=dword:00000000
"dwPopUpMsgLimit"=dword:00000064
"Scan Engine"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrustAntivirus\CurrentVersion\InternalSettings]
"RPCThreadContext"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realtime Monitor"=""

; The lib folder sits directly under BESClientLoggingService, the same path the copy step below uses.
[HKEY_LOCAL_MACHINE\Software\BigFix\AntiVirus]
"SDKPath"="C:\\Program Files\\BigFix Enterprise\\BES Client\\BESClientLoggingService\\lib"
"CA_AV"="C:\\Program Files\\BigFix Enterprise\\BES Client\\BESClientLoggingService\\lib\\antivirus.dll"

Use the change service start mode utility in the BigFix AV site to disable the CA management services:

wait changeservicestartmode inorpc disabled
wait changeservicestartmode inotask disabled

Install the BigFix Logging Service from http://software.bigfix.com/download/LoggingService/BESClientLoggingServiceSetup-7.1.0.15.exe

BESClientLoggingServiceSetup.exe /s /v"/qn REBOOT=REALLYSUPPRESS"

Stop the logging service:

C:\Program Files\BigFix Enterprise\BES Client\BESClientLoggingService\BESClientLoggingService.exe -e

Download the logging service AV plugin from http://software.bigfix.com/download/LoggingService/lib/antivirus.dll

Download the AV SDK from http://software.bigfix.com/download/LoggingService/lib/eavrtsdk.dll

Copy them here:

C:\Program Files\BigFix Enterprise\BES Client\BESClientLoggingService\lib

Start the logging service

C:\Program Files\BigFix Enterprise\BES Client\BESClientLoggingService\BESClientLoggingService.exe -s

No idea if it will work, but it should be close.

(imported comment written by mcgougm91)

Thank you jessewk! I will post results after testing.

(imported comment written by mcgougm91)

Thanks again! Here is what worked:

Execute %SYS32%\msiexec.exe /i "%MAINDIR%\eTrust Antivirus.msi" /q (Wait)

Execute %SYS32%\msiexec.exe /i "%MAINDIR%\BES Logging Service.msi" /qn (Wait)

Edit 21 registry keys - the keys pointing to the two .dll files copied to the lib folder of the BES Logging Agent are the most important. (reg keys below)

Stop Service inorpc

Stop Service inort

Stop Service inotask

Execute %PROGRAM_FILES%\BigFix Enterprise\BES Client\BESClientLoggingService\BESClientLoggingService.exe -e

Install File eavrtsdk.dll to %PROGRAM_FILES%\BigFix Enterprise\BES Client\BESClientLoggingService\LIB\EAVRTSDK.DLL

Install File antivirus.dll to %PROGRAM_FILES%\BigFix Enterprise\BES Client\BESClientLoggingService\lib\antivirus.dll

Execute %PROGRAM_FILES%\BigFix Enterprise\BES Client\BESClientLoggingService\BESClientLoggingService.exe -S

Execute %SYS32%\sc.exe Config inorpc start= disabled (Wait)

Execute %SYS32%\sc.exe Config inotask start= disabled (Wait)

HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\AntiVirus
"InstallationDate"="Thu, 23 Apr 2009 00:24:11 +0100" ** I used the environment variable for this **
"FilesScanned"="1874"
"VirusesFound"="0"
"VirusesFoundTotal"="0"
"InfectedFilesFound"="0"
"Path"="C:\Program Files\BigFix Enterprise\BES Client\BESClientLoggingService\AV"
"ErrorFiles"="0"
"ScanParameters"="-MEM -ENG Vet -MOD Secure -ACT Cure -SCA RF -MCA RI -ARC -SFI -ARF -SYS -EXE "
"SDKPath"="C:\Program Files\BigFix Enterprise\BES Client\BESClientLoggingService\lib"
"CA_AV"="C:\Program Files\BigFix Enterprise\BES Client\BESClientLoggingService\lib\antivirus.dll"
"ScanDirectories"=""
"FirstScan"=
"ScanCount"=
"LastScan"=
"RenamedFiles"=
"CuredFiles"=
"CuredFilesTotal"=
"MovedFiles"=
"DeletedFiles"=
"LastScanDuration"=
"AvgScanDuration"=

HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\AntiVirus\Statistics

HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\AntiVirus\Statistics\OverallRunStats

HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\LoggingService\Plugins\Locations
@=""
"CA_AV"="C:\Program Files\BigFix Enterprise\BES Client\BESClientLoggingService\lib\antivirus.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrustAntivirus\CurrentVersion\Path
"HOME"="C:\Program Files\CA\eTrust Antivirus"
"Debug"="C:\Program Files\CA\eTrust Antivirus\DEBUG"
"Outgoing"="C:\Program Files\CA\eTrust Antivirus\OUTGOING"
"DBDir"="C:\Program Files\CA\eTrust Antivirus\DB"
"MovePath"="C:\Program Files\CA\eTrust Antivirus\Move"
"Help"="C:\Program Files\CA\eTrust Antivirus\Lang\English\Help"
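Added example (not code from this thread, nor from BigFix or CA): the two things the thread leaves to the reader are jessewk's point that the InstallationDate has to be produced in MIME date form rather than hard-coded, and the final post's note that the two keys pointing at the .dll files in the logging service lib folder are the ones that matter. The script below builds the REGEDIT4 file for the BigFix AntiVirus and Plugins\Locations keys with correctly escaped paths and a generated date, then parses it back and checks those two values. The install directory and key names are the ones shown in the thread; SAMPLE_TIME is a constructed timestamp; the check only validates the generated file, not the live registry of a machine.

```python
# Added example, not code from this thread or from BigFix/CA: builds the
# REGEDIT4 file for the BigFix AntiVirus / LoggingService keys listed above,
# generating InstallationDate in the same "Thu, 23 Apr 2009 19:37:48 -0700"
# (RFC 2822 / MIME) form the logging service writes, then parses the file
# back and checks the two values the thread calls the most important:
# SDKPath and the CA_AV plugin location. Install paths are the ones used
# on the page; the parser handles the REG_SZ and dword lines seen here.
import re
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

BES_CLIENT = r"C:\Program Files\BigFix Enterprise\BES Client"
LOGSVC_LIB = BES_CLIENT + r"\BESClientLoggingService\lib"
AV_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\AntiVirus"
PLUGIN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\LoggingService\Plugins\Locations"

# Constructed sample install time matching the date jessewk hard-coded (UTC-7).
SAMPLE_TIME = datetime(2009, 4, 23, 19, 37, 48, tzinfo=timezone(timedelta(hours=-7)))


def mime_date(when):
    """Format an aware datetime the way the logging service does, e.g. 'Thu, 23 Apr 2009 19:37:48 -0700'."""
    return format_datetime(when)


def reg_string(value):
    """Quote a REG_SZ value for a .reg file: backslashes and double quotes must be escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_reg(install_time):
    """Return REGEDIT4 text for the BigFix keys; values other than the date follow the thread."""
    av_values = {
        "InstallationDate": mime_date(install_time),
        "FilesScanned": "0",
        "VirusesFound": "0",
        "VirusesFoundTotal": "0",
        "InfectedFilesFound": "0",
        "Path": BES_CLIENT + r"\BESClientLoggingService\AV",
        "ErrorFiles": "0",
        "ScanParameters": "-ENG Vet",
        "SDKPath": LOGSVC_LIB,
        "CA_AV": LOGSVC_LIB + r"\antivirus.dll",
    }
    lines = ["REGEDIT4", "", "[" + AV_KEY + "]"]
    lines += ['"%s"=%s' % (name, reg_string(val)) for name, val in av_values.items()]
    lines += ["", "[" + PLUGIN_KEY + "]", '@=""',
              '"CA_AV"=' + reg_string(LOGSVC_LIB + r"\antivirus.dll"), ""]
    return "\r\n".join(lines)  # regedit expects CRLF line endings


# name=data, where name is @ (default value) or a quoted string with \" and \\ escapes
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text):
    """Parse REGEDIT4 text into {key: {name: data}}; REG_SZ data is unescaped, dword: left raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4" or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = _VALUE_RE.match(line)
        if match is None or current is None:
            raise ValueError("unparseable .reg line: " + raw)
        name = "@" if match.group(1) is None else match.group(1)
        data = match.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escaping
        keys[current][name] = data
    return keys


def check_plugin_wiring(keys):
    """Return the problems found with the SDKPath and CA_AV plugin values (empty list = OK)."""
    problems = []
    sdk = keys.get(AV_KEY, {}).get("SDKPath")
    if sdk is None or sdk.lower() != LOGSVC_LIB.lower():
        problems.append("SDKPath must point at the logging service lib folder")
    dll = keys.get(PLUGIN_KEY, {}).get("CA_AV")
    if dll is None:
        problems.append("CA_AV plugin location missing under Plugins\\Locations")
    elif dll.lower() != (LOGSVC_LIB + r"\antivirus.dll").lower():
        problems.append("CA_AV must point at antivirus.dll inside the lib folder")
    return problems


if __name__ == "__main__":
    reg_text = build_reg(SAMPLE_TIME)
    print(reg_text)
    print("problems:", check_plugin_wiring(parse_reg(reg_text)))
```

Running it prints the .reg text and an empty problem list; feeding the output of a `reg export` of HKLM\SOFTWARE\BigFix from an imaged machine into parse_reg and check_plugin_wiring gives a quick way to confirm the plugin wiring before the image is sealed. Passing datetime.now(timezone.utc).astimezone() as install_time stamps the file with the build time in the local zone, which is what jessewk suggested generating instead of hard-coding.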