Mixing relevance PC/Mac in same statement returns only PCs

I’m trying to get some mixed OS relevance and only get PCs. I know the Mac bit works when used independently, but if I add it to the PC bit I only get PCs…

For example:
((mac of operating system) AND (exists folder "/Library/FireEye/xagt")) works and returns several Macs

but if I add a clause for the PC

((mac of operating system) AND (exists folder "/Library/FireEye/xagt")) OR ((windows of operating system) AND (exists running service "xagt"))
it returns only the PCs; the Macs found above are no longer found

I tried another way using processes on the mac instead of folder existence:
((it starts with "mac" AND exists process "xagt") OR (it starts with "win" AND exists running service "xagt")) of (name of it as lowercase) of operating system

Same, I only get PCs, but if I truncate it to just use the Mac portion, it works…

Am I missing something? Can’t you have Mac+PC relevance in the same statement? I’ve seen it done before in analysis using similar syntax…

I have always put the windows things first, as that seems to be more successful.

I was going to say that I write my Analysis code using IF/THEN/ELSE statements to avoid this, but when I tested this on my Windows and Mac desktops, it fails to return the correct result on the Mac.

IF ((windows of operating system) AND (exists running service "BESClient")) THEN ("Win w/Service") ELSE (IF ((mac of operating system) AND (exists folder "/Library/FireEye/xagt")) THEN ("Mac w/Folder") ELSE (NOTHING))

Windows Results:

A: Win w/Service

Mac Results:

E: The operator "running service" is not defined.

Whereas if I write it this way …

IF (Windows of Operating System) THEN (Exists Running Service "BESClient") ELSE (IF (Mac of Operating System) THEN (Exists Folder "/Library/FireEye/xagt") ELSE (NOTHING))

It responds as expected.

The Windows client doesn’t error out because it understands what a FOLDER is while the Mac client has no idea what a Running Service is.

To my way of thinking, the Mac Relevance Engine should never even try to evaluate RUNNING SERVICE since the first element is FALSE and it’s an AND operator, therefore it CANNOT be evaluated as TRUE no matter what the second element is.

But then, I’m not one of the Developers, and I’m sure they have a reason it errors out the way it does.


The answer generally is that syntax errors don’t bubble up through if/then/else statements.

Q: if (Windows of Operating System) then (true) else (Complete Garbage)
A: True
T: 0.151 ms
I: singular boolean

Q: complete garbage
E: The operator "complete garbage" is not defined.

Q: (complete garbage) or true
E: The operator "complete garbage" is not defined.

Q: true or (complete garbage)
E: The operator "complete garbage" is not defined.

As @TimRice pointed out, the Mac agent doesn’t know what a running service is, so it errors; the error isn’t caught by the relevance engine in the if/then/else and it bubbles up.

For this reason, whenever we fork and use OS-Specific inspectors we need to wrap them in an if/then/else or all of the inspectors must be present on all of your target platforms to not return an error.

In the last case, it doesn’t matter that it is impossible for us to reach (complete garbage), it’s a syntax error and so we do not evaluate.
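The behaviour discussed in the posts above, as an added example that is not part of any post in this thread and is not BigFix code: a simplified Python model in which an agent rejects any inspector it does not know unless that inspector sits in an if/then/else branch that is never taken. The agents, the tuple-based expression format and every function name here are assumptions made for illustration.

```python
# Simplified model of the behaviour shown in this thread (an assumption for
# illustration, not BigFix code): an agent rejects any inspector it does not
# know, except inside an if/then/else branch that is never taken.
class UndefinedOperator(Exception):
    pass

# Constructed agents: inspector name -> value returned on that machine.
WINDOWS = {"windows of operating system": True, "mac of operating system": False,
           "running service": True, "folder": False}
MAC = {"windows of operating system": False, "mac of operating system": True,
       "folder": True}  # no "running service" inspector on this agent

def check(expr, agent):
    """Parse step: fail on unknown inspectors, without entering if-branches."""
    kind = expr[0]
    if kind == "insp" and expr[1] not in agent:
        raise UndefinedOperator(f'The operator "{expr[1]}" is not defined.')
    if kind in ("and", "or"):
        check(expr[1], agent)
        check(expr[2], agent)
    if kind == "if":
        check(expr[1], agent)  # only the condition is parsed up front

def evaluate(expr, agent):
    check(expr, agent)
    kind = expr[0]
    if kind == "lit":
        return expr[1]
    if kind == "insp":
        return agent[expr[1]]
    if kind == "and":
        return evaluate(expr[1], agent) and evaluate(expr[2], agent)
    if kind == "or":
        return evaluate(expr[1], agent) or evaluate(expr[2], agent)
    # "if": only the branch actually taken is parsed and evaluated
    return evaluate(expr[2] if evaluate(expr[1], agent) else expr[3], agent)

def run(expr, agent):
    """Return the result, or the error text the agent would report."""
    try:
        return evaluate(expr, agent)
    except UndefinedOperator as err:
        return f"E: {err}"

def insp(name):
    return ("insp", name)

WIN_PART = ("and", insp("windows of operating system"), insp("running service"))
MAC_PART = ("and", insp("mac of operating system"), insp("folder"))
FLAT = ("or", MAC_PART, WIN_PART)  # shape of the statement in the question
FORKED = ("if", insp("windows of operating system"), insp("running service"),
          ("if", insp("mac of operating system"), insp("folder"), ("lit", False)))
```

In this model `run(FLAT, MAC)` reports the undefined-operator error while `run(FORKED, MAC)` returns `True`, matching the two Mac results reported in the thread.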

Agree on all replies thus far. This is also the reason for testing a property’s existence; “proxy agents” were added in some version of BigFix, and to ensure something is not relevant on proxies one would use

if exists property "in proxy agent context" then not in proxy agent context else true

The idea being, if the client is of a version that knows what a ‘proxy agent’ is, then it might be one; but if the client does not know what “in proxy agent context” is, then it couldn’t possibly be a proxy agent, so ‘true’.

This is also the reason for the construct of

exists true whose (if true then (expression that may have an error) else false)

But I’ve trouble still with the deeper meaning.
