Odd response to a Linux Retrieved Property relevance clause

The value returned is …

RPM child process error (from: PARENT type: ProtocolError file: c/ChildWorkerManager.cpp line: 284 debugInfo: (type: execError file: c/ChildWorkerManager.cpp line: 338 debugInfo: Permission denied))

The Relevance for the Retrieved Property is …

IF (Windows of Operating System) THEN (if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry) then ((if (exists value "SAVCE" of it AND exists file "rtvscan.exe" of (value "SAVCE" of it as folder)) then (version of file "rtvscan.exe" of (value "SAVCE" of it as folder) as string) else (if (exists value "SAVCE" of it AND exists file "rtvstart.exe" of (value "SAVCE" of it as folder)) then (version of file "rtvstart.exe" of (value "SAVCE" of it as folder) as string) else "Not Installed")) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps" of registry) else "Not Installed") ELSE (IF (Mac of Operating System) THEN IF (exists application whose (name of it as string as lowercase contains "symantec endpoint protection")) THEN (string "CFBundleShortVersionString" of dictionary of file ((pathname of application whose (name of it as string as lowercase contains "symantec endpoint protection")) & "/Contents/info.plist") as string) ELSE ("Not Installed") ELSE (IF (Exists Operating System Whose (name of it as string as lowercase contains "red hat" OR name of it as string as lowercase contains "centos")) THEN (IF (exists name whose (it as string as lowercase starts with "savap-") of packages of rpm) THEN (Version of package whose (name of it as string as lowercase starts with "savap-") of rpm) ELSE (nothing)) ELSE (nothing)))

The system returning the error is a Linux Red Hat Enterprise Server 6.5 (2.6.32-431.11.2.el6.x86_64) system running the 9.0.876.0 BES Client.

Since the system is a Red Hat server, the Relevance returning the Error Message is …

IF (exists name whose (it as string as lowercase starts with "savap-") of packages of rpm) THEN (Version of package whose (name of it as string as lowercase starts with "savap-") of rpm) ELSE (nothing)

Most other systems are successfully returning the version of the Symantec Anti Virus client installed. Can someone point me in the direction to correct this error on this machine? I get the same error message attempting to retrieve the version of the Splunk Forwarder installed on the same system. Clearly the issue is on the system and NOT with the BES Client; I just need to know where to start looking on the system in order to fix the issue.

Hi Tim, I am working on an analysis to detect Symantec also. Here is what I am using for relevance:

if name of operating system contains "Linux" and name of operating system does not contain "Ubuntu" then (if exists (package "sav" of rpm as string) then (version of package "sav" of rpm as string) else "Not Installed") else if name of operating system contains "Ubuntu" then (if exists (package "sav" of debianpackage as string) then (version of package "sav" of debianpackage as string) else "Not Installed") else "N/A"

Not sure what version of Symantec you’re working with, but this seems to get anything from 1.0.13-16 to 12.1.7061-6600 in my deployment for SEP.

For some reason it just returns <error> instead of “Not Installed” or “N/A” if there is no sav .rpm file, though.

Additionally here is what I have for

Symantec Service Status:

if (exists process "smcd" AND exists process "symcfgd" AND exists process "rtvscand") then "Running" else "Not Running"

and Virus Definition Version:

if (exists file "/opt/Symantec/virusdefs/definfo.dat") then (following texts of firsts "CurDefs=" of lines whose (it starts with "CurDefs=") of file "/opt/Symantec/virusdefs/definfo.dat") else "No Definitions"

Looks a lot like an unhappy RPM database, or BigFix agent’s connection to said RPM database. I wonder if bouncing the BigFix agent on that box clears your issue?
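
For triaging this kind of property value across many endpoints, the nested error string quoted in the question can be unwrapped down to its innermost frame and grouped by root cause. This is an added example, not part of the original thread and not BigFix code; the frame layout is inferred from the single string quoted above, and `unwrap`, `group_by_root_cause`, the host names and the non-error values are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the first value is the error string quoted in the question;
# the host names and the other two values are made up for illustration.
RESULTS = {
    "rhel65-a": "RPM child process error (from: PARENT type: ProtocolError "
                "file: c/ChildWorkerManager.cpp line: 284 debugInfo: (type: execError "
                "file: c/ChildWorkerManager.cpp line: 338 debugInfo: Permission denied))",
    "rhel65-b": "1.0.14-9",
    "win-c": "Not Installed",
}

# One "(... type: X file: F line: N debugInfo: REST)" frame; this layout is an
# assumption based on the single string on this page.
FRAME = re.compile(
    r"\((?:from: (?P<origin>\S+) )?type: (?P<type>\S+) file: (?P<file>\S+) "
    r"line: (?P<line>\d+) debugInfo: (?P<rest>.*)\)\s*$", re.S)

def unwrap(value):
    """Return (summary, frames, root_cause); frames is [] for non-error values."""
    head, sep, tail = value.partition(" (")
    rest = "(" + tail if sep else ""
    frames = []
    while (m := FRAME.match(rest)):
        frames.append({"origin": m["origin"], "type": m["type"],
                       "file": m["file"], "line": int(m["line"])})
        rest = m["rest"]          # descend into the nested debugInfo
    if not frames:
        return value.strip(), [], None
    return head.strip(), frames, rest.strip()

def group_by_root_cause(results):
    """Map (innermost error type, root cause) -> sorted hosts reporting it."""
    groups = defaultdict(list)
    for host, value in results.items():
        _, frames, cause = unwrap(value)
        if frames:
            groups[(frames[-1]["type"], cause)].append(host)
    return {key: sorted(hosts) for key, hosts in groups.items()}

if __name__ == "__main__":
    for key, hosts in group_by_root_cause(RESULTS).items():
        print(key, hosts)
```

Grouping on the innermost frame separates hosts whose inner frame is `execError` with `Permission denied` from hosts whose property fails for a different reason.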