Trend Micro definitions version

I would have thought this would be obvious given the integration of BigFix with Trend Micro, but I’m not finding any information to help. Does anyone have an Analysis or Relevance to show the current definitions versions for Trend Micro ServerProtect? I haven’t been able to locate the registry key or file that contains the definitions versions information.


FYI, I found my answer in the “Trend Micro ServerProtect Information” analysis of the “Client Manager for Endpoint Protection” site, which checks

    if (exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilter" whose (exists value "CurrentPatternName" of it) of registry)
    then (following text of last "." of (value "CurrentPatternName" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilter" of registry as string))
    else if (exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmXPFlt" whose (exists value "CurrentPatternName" of it) of registry)
    then (following text of last "." of (value "CurrentPatternName" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmXPFlt" of registry as string))
    else "N/A"

Also, the fixlet “UPDATE: Outdated Trend Micro ServerProtect Virus Pattern File Detected (x64)” of the same site checks the modification time of the definitions file itself. That fixlet gets updated when Trend Micro releases new definitions; I was able to adapt its relevance for the check I wanted, that the signatures are more than 30 days old:

    exists service "SpntSvc" or exists running application "SpntSvc.exe" whose ((version of it = "5.56" AND version of it >= "5.56.0.2002") OR (version of it > "5.56"))
    AND
    now - maximum of (
        if (exists keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ServerProtect\CurrentVersion" of (x64 registries; x32 registries))
        then ((maximum of modification times of files whose (name of it starts with "lpt$vpn") of it) of folders (values "HomeDirectory" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ServerProtect\CurrentVersion" of (x64 registries; x32 registries) as string))
        else "1 Jan 1970 00:01:00 -0000" as time
    ) > 30 * day

This should be equivalent:

    exists service "SpntSvc" or exists running application "SpntSvc.exe" whose ((version of it = "5.56" AND version of it >= "5.56.0.2002") OR (version of it > "5.56"))
    AND exists (now - it) whose (it > 30 * day) of maxima of modification times of files whose (name of it starts with "lpt$vpn") of folders ((it as string) of values "HomeDirectory" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ServerProtect\CurrentVersion" of (x64 registries; x32 registries))

Also, while I don’t know much about the format of the files themselves, it would be nice to validate their contents if they have a date or version number somewhere rather than just relying on the modification time of the file.

I would recommend creating an analysis for the product similar to:

http://bigfix.me/analysis/details/2994621
http://bigfix.me/analysis/details/2994634

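The two checks in this thread (the version suffix taken from CurrentPatternName, and the "newest lpt$vpn file older than 30 days" test) can be reproduced outside BigFix, for example to validate what an analysis reports on a given host. The following Python is an added example written for this thread; it is not the forum's, BigFix's or Trend Micro's own code. It takes the registry value names and the lpt$vpn file prefix from the relevance above, and everything else (the sample value "lpt$vpn.773", the temporary folder standing in for HomeDirectory) is constructed. One deliberate difference: when a HomeDirectory contains no lpt$vpn file at all, this code falls back to the 1970 epoch and reports the install as stale, whereas the relevance in the thread only falls back to the epoch when the registry key is missing.

```python
"""Constructed example: reproduce the thread's ServerProtect definition checks."""
import os
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path

# File-name prefix of the pattern files, as used in the thread's relevance.
PATTERN_PREFIX = "lpt$vpn"
# Same fallback the relevance uses when nothing can be read: "1 Jan 1970 00:01:00".
EPOCH_FALLBACK = datetime(1970, 1, 1, 0, 1, tzinfo=timezone.utc)


def read_current_pattern_name():
    """Read CurrentPatternName from the TmFilter or TmXPFlt service key.
    Windows only; returns None elsewhere or when neither key has the value."""
    try:
        import winreg
    except ImportError:
        return None
    for svc in ("TmFilter", "TmXPFlt"):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                rf"SYSTEM\CurrentControlSet\Services\{svc}") as key:
                return winreg.QueryValueEx(key, "CurrentPatternName")[0]
        except OSError:
            continue
    return None


def pattern_version(current_pattern_name):
    """Mirror `following text of last "." of (value "CurrentPatternName" ...)`.
    Returns "N/A" when the value is missing or has no '.' to split on."""
    if not current_pattern_name or "." not in current_pattern_name:
        return "N/A"
    return current_pattern_name.rsplit(".", 1)[-1]


def newest_pattern_time(home_dirs):
    """Newest modification time over all lpt$vpn* files in the HomeDirectory folders.
    Falls back to the epoch when no folder or file exists, so an install with no
    pattern file reads as maximally out of date instead of being skipped."""
    newest = EPOCH_FALLBACK
    for home in home_dirs:
        folder = Path(home)
        if not folder.is_dir():
            continue
        for entry in folder.iterdir():
            # Case-sensitive prefix match, like `name of it starts with "lpt$vpn"`.
            if entry.is_file() and entry.name.startswith(PATTERN_PREFIX):
                mtime = datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc)
                newest = max(newest, mtime)
    return newest


def definitions_stale(home_dirs, max_age=timedelta(days=30), now=None):
    """True when the newest pattern file is older than max_age (the thread's 30 days)."""
    now = now or datetime.now(timezone.utc)
    return now - newest_pattern_time(home_dirs) > max_age


def build_sample(folder, ages_days):
    """Constructed fixture: one lpt$vpn.<n> file per entry, with its mtime set
    that many days in the past."""
    base = time.time()
    for n, age in enumerate(ages_days, start=770):
        path = Path(folder, f"{PATTERN_PREFIX}.{n}")
        path.write_bytes(b"\x00")
        stamp = base - age * 86400
        os.utime(path, (stamp, stamp))


def check_sample(ages_days, max_age_days=30):
    """Run definitions_stale against a temporary folder holding constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, ages_days)
        return definitions_stale([tmp], timedelta(days=max_age_days))


if __name__ == "__main__":
    # Constructed sample value; on a real host use read_current_pattern_name().
    print("pattern version:", pattern_version(read_current_pattern_name() or "lpt$vpn.773"))
    print("files 45 and 2 days old -> stale:", check_sample([45, 2]))
    print("files 45 and 31 days old -> stale:", check_sample([45, 31]))
    print("no pattern files -> stale:", check_sample([]))
```

`check_sample` exists only to exercise the logic against constructed files; on a real ServerProtect host you would pass the HomeDirectory value(s) read from the CurrentVersion key to `definitions_stale` instead.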

Agreed, I don’t much like using the modification date either. The files are in a compressed format, so it’s not much good to look at the content. The filenames have a sequential number in them, but knowing my definitions are at ‘version 773’ is less than helpful.

I am tracking that version number separately, but I wanted to give our helpdesk a date. And I don’t want to update a fixlet to warn for outdated definitions for each daily update.
