Writing an Analysis Help

I am attempting to run an analysis to display the version of the Carbon Black Cloud Sensor.
I’ve copied some of the other analyses that I have done, but for some reason this will not display the version of the exe.

Relevance "Version of CB"
versions of regapps "c:\program files\confer\RepMgr.exe"

Relevance Service Is Running
((name of it = "Win2016") OR (name of it = "Win2019") OR (name of it = "Win2022")) of operating system AND (exist service "CbDefense")

@roberteastman, we don’t have CB, so I can’t directly help with that, but I’ll share an idea to deal with something similar. Please see below:

// Not sure if your app is actually a regapp. To identify that, you can run the following relevance:
Q: names of regapps whose (name of it as string as lowercase contains "power" as lowercase)
A: POWERPNT.EXE
A: powershell.exe
T: 90.791 ms

// Once you confirm that it is a regapp, you can use relevance like this:
Q: version of regapp "powershell.exe"
A: 10.0.22621.3085
T: 9.750 ms

// If there is no regapp but you’re still interested in the version of an .exe file:
Q: version of file "C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe"
A: 11.0.1.104
T: 4.095 ms

// If your app is running as a service and contains a version, you can grab that as well:
Q: version of service "besclient"
A: 11.0.1.104
T: 2.148 ms

// Now, if you want to improve your relevance, you can try something like this:
// Relevance: "Version of CB"
Q: if exists regapp whose (name of it as string as lowercase contains "RepMgr.exe" as lowercase) then version of regapp "RepMgr.exe" as string else "No Regapp"
A: 10.0.22621.3085
T: 485.548 ms

// Relevance: Service is Running
Q: if not windows of operating system then "N/A" else if exists service "CbDefense" then state of service "CbDefense" else "None"
A: None
T: 480.257 ms

Assuming you are Windows only OS you can parse the version for the service name. I don’t believe Cb Cloud registers as a regapp as it isn’t one the users would typically try to run via the Run command on explorer, which is what a regapp really is.

Q: version of service "CbDefense" as string
A: 4.0.1.1428
I: singular string

Depending on the size of your estate, an approach you could use is an analysis that is only relevant when the CbDefense service exists, then create properties in that analysis for inspections such as the version, the service state, sensor ID, etc. That way you are only creating a workload on devices that have the service.

Analysis applicability
Q: exists service "CbDefense"
A: True
I: singular boolean

CbCVersion
Q: version of service "CbDefense" as string
A: 4.0.1.1428
I: singular string

CbCState
Q: state of service "CbDefense"
A: Running
I: singular string

CbCID
Q: (following text of first "=" of variables whose (it contains ".RegistrationId") of it | "") of file "cfg.ini" of (if (version of service "CbDefense" >= "3.7") then (folder (pathname of csidl folder 35 & "\CarbonBlack\DataFiles")) else (parent folder of file (concatenation "" of substrings between "%22" of image path of service "CbDefense")))
A: 1234-123456789
I: singular string

If you have a Windows/Nix mix of OS, this approach is still possible; you just need a slightly different way of pulling the data depending on the OS.


Perhaps you could change your Version relevance to:

versions of files "C:\program files\confer\RepMgr.exe"

Wow32 redirection may play a part too. Try

versions of native files "C:\program files\confer\RepMgr.exe"
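Pulling the suggestions in this thread together, here is an added example of a single property relevance (not from any of the posts above) that prefers the version stamped on the service, falls back to the 64-bit view of the sensor binary so WOW64 redirection cannot hide it, and reports "Not Installed" otherwise. The service name CbDefense and the path C:\Program Files\Confer\RepMgr.exe are taken from the question; the result strings and the fallback order are assumptions.

```relevance
// Property: Carbon Black Cloud sensor version (added example, not from the thread)
// 1. non-Windows endpoints return "N/A" so the property never errors there
// 2. prefer the version of the service binary; works even if the sensor is not a regapp
// 3. if the service is gone but the file remains, read it via "native file" to bypass WOW64 redirection
// 4. otherwise the sensor is not installed
if not windows of operating system then "N/A"
else if exists service "CbDefense" then (version of service "CbDefense" as string | "Installed - Version Unavailable")
else if exists native file "C:\Program Files\Confer\RepMgr.exe" then (version of native file "C:\Program Files\Confer\RepMgr.exe" as string | "File Present - Version Unavailable")
else "Not Installed"
```

Every branch yields a string, so the if/else chain type-checks, and each version lookup is wrapped in `| "..."` so a binary with no version resource produces a readable value instead of a property error. Paired with the `exists service "CbDefense"` applicability relevance from the earlier post, only endpoints that actually have the sensor evaluate the file branch.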

Thanks for all of your suggestions. I am trying to keep it simple, since it is just a report that management wants in order to verify what has the service running and its version. I will have to add Linux in the mix once I verify that the Windows servers are reporting back with their version. When Broadcom purchased VMware & Carbon Black they took away a management dashboard, which is what they originally used to verify that CB was running and the version.

We have an entire analysis built around our security tools, listing versions and status.

Challenges were when the file itself does not have a version number but you can find it in the registry.

I wrote a couple of these but other team members wrote some as well, the analysis has 12 tools it checks.

Here are a couple…

IF (exists service whose (service name of it as string as lowercase = "csfalconservice")) THEN (state of it & " - " & (version of it as string | "Version Unavailable")) of service whose (service name of it as string as lowercase = "csfalconservice") ELSE "Not Installed"
(if exists services whose (service name of it as string as lowercase starts with "ir_agent") then concatenation " || " of (state of it & " - "& (unique value of ((values "DisplayVersion" of keys whose (value "DisplayName" of it as string contains "Rapid7") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (if x64 of operating system then (x32 registry; x64 registry) else registry)) as string) | "Version Unavailable")) of services whose (service name of it as string as lowercase starts with "ir_agent") else "Not Installed")

This one was a lot of fun. No service, just a process. The version comes from the name of a folder and we added if the tool is configured or not.

IF (exists Process whose ( name of it as string as lowercase = "AMAExtHealthMonitor.exe" as lowercase)) THEN "Running - " & (if exists (names of folders of folders "C:\Packages\Plugins\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent\") Then(name of folders of folders "C:\Packages\Plugins\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent\" | "Version Unavailable") else "Version Unavailable") & " - " & (if exists file ("C:\WindowsAzure\Resources\AMADataStore." & computer name & "\mcs\mcsconfig.latest.xml") or exists file "C:\Resources\Directory\AMADataStore\mcs\mcsconfig.latest.xml" then "configured" else "Not Configured") ELSE "Not Installed"

Example of the results.

[screenshot of the analysis results]
