8 Replies Latest reply on Dec 17, 2013 1:41 PM by rmetzger

    csscan.exe" -Versions | find "DAT version"

    cyrker

      Hello,

      When I run these 2 commands inside a batch, the commands never finish ...
      If I run them manually, I don't have any problem.

      -------------------------------------------------------------------------------- --------------
      "C:\Program Files (x86)\Common Files\McAfee\SystemCore\csscan.exe" -Versions   | find "DAT version"
      "C:\Program Files (x86)\Common Files\McAfee\SystemCore\csscan.exe" -Versions   | find "Engine"
      -------------------------------------------------------------------------------- --------------

      With PROCESS EXPLORER (x64), I make a DUMP file (82.9 Mb !)

      and I push it inside the WINDBG.EXE tool.

      and I have this message :

      -------------------------------------------------------------------------------- ----------------------

      Microsoft (R) Windows Debugger Version 6.3.9600.16384 X86
      Copyright (c) Microsoft Corporation. All rights reserved.


      Loading Dump File [C:\TEMP\plugins\cmd_winmcafee.dmp]
      User Mini Dump File with Full Memory: Only application data is available

      Symbol search path is: *** Invalid ***
      ****************************************************************************
      * Symbol loading may be unreliable without a symbol search path.           *
      * Use .symfix to have the debugger choose a symbol path.                   *
      * After setting your symbol path, use .reload to refresh symbol locations. *
      ****************************************************************************
      Executable search path is:
      Windows 7 Version 7601 (Service Pack 1) MP (2 procs) Free x64
      Product: Server, suite: Enterprise TerminalServer SingleUserTS
      Machine Name:
      Debug session time: Mon Dec 16 14:12:08.000 2013 (UTC + 1:00)
      System Uptime: 4 days 10:54:25.967
      Process Uptime: 0 days 0:01:46.000
      .........................................................
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -

      ************* Symbol Loading Error Summary **************
      Module name            Error
      ntdll                  The system cannot find the file specified

      You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
      You should also verify that your symbol search path (.sympath) is correct.
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for wow64cpu.dll -
      wow64cpu!TurboDispatchJumpAddressEnd+0x6c0:
      00000000`749d2e09 c3              ret

      -------------------------------------------------------------------------------- ----------------------


      THE SCRIPT IS HERE :

      -------------------------------------------------------------------------------- ----------------------

      :: McAfee Anti Virus ENGINE VERSION and DAT VERSION
      ::
      C:\temp\emptyrecycle.exe
      ::
      c:
      cd \
      DIR /S /B csscan.exe > C:\temp\temp\DIRCSCANEXE.txt
      C:\sysadmin\invagent\autoupdate\sleep.exe 2
      FOR /F "tokens=*" %%a IN (C:\temp\temp\DIRCSCANEXE.txt) Do (
      "%%a" -Versions | find "DAT version" > C:\temp\TEMP\MCVERDAT1.txt
      "%%a" -Versions | find "Engine" > C:\temp\TEMP\MCVERENG1.txt
      )
      ::
      C:\sysadmin\invagent\autoupdate\sleep.exe 3
      ::
      FOR /F "tokens=*" %%a IN (C:\temp\TEMP\MCVERDAT1.txt) DO (
      FOR /F "tokens=*" %%c IN (C:\temp\TEMP\MCVERENG1.txt) DO (
        ECHO "%%a";"%%c" > C:\temp\TEMP\WINMCAFEE.out
      )
      )

      -------------------------------------------------------------------------------- ----------------------

       

      Message was edited by: cyrker on 12/17/13 2:56:02 AM CST

       

      Message was edited by: cyrker on 12/17/13 2:58:39 AM CST
        • 1. Re: csscan.exe" -Versions | find "DAT version"
          pato

          My feeling tells me that Access Protection is blocking your script. Can you check the logfiles of McAfee if you have some blocked actions?

          • 2. Re: csscan.exe" -Versions | find "DAT version"
            cyrker

            Hello,

            I check the log actually just after the running of the script ...

            I come back after analysis ...

            Regards,

            • 3. Re: csscan.exe" -Versions | find "DAT version"
              cyrker

              Hello,

              Yes, it's right !
              The log shows me which files are blocked by Access Protection (McAfee).

              (sorry, I can't show you the exact message...)

               

              In fact, all the scripts stored inside a folder named "Temp" are blocked !


              Well, it's necessary for me to allow the blocked files to be run.
              How can I do it, without a graphical interface, but with the command line?
              Regards,

               

              Message was edited by: cyrker on 12/17/13 8:13:02 AM CST
              • 4. Re: csscan.exe" -Versions | find "DAT version"
                pato

                Move your scripts to a different folder which is not inside the Temp folder. It might work then, depending on your security policy.

                • 5. Re: csscan.exe" -Versions | find "DAT version"
                  rmetzger

                  Hi cyrker,

                  cyrker wrote:

                   

                  In fact, all the scripts stored inside a folder named "Temp" are blocked !


                  Well, it's necessary for me to allow the blocked files to be run.
                  How can I do it, without a graphical interface, but with the command line?

                  As pato stated, move the folder to another location outside of Temp.

                  Alternatively, create a sub-directory under Temp and create an Exclusion for this new sub-directory. (Avoid creating an exclusion for %TEMP% or %TMP% as this would truly compromise security.)

                  Your script is incomplete as to its intent (at least from what I can see). If you simply need to get McAfee version information, consider this code which eliminates the need of running csscan.exe:

                  [code]
                      for /F "usebackq skip=4 tokens=1-2*" %%G in (`Reg QUERY "HKLM\SOFTWARE\McAfee\AVEngine" /v "EngineVersion32Major" 2^>NUL`) do set /a EngineVersion32Major = %%~I
                      for /F "usebackq skip=4 tokens=1-2*" %%G in (`Reg QUERY "HKLM\SOFTWARE\McAfee\AVEngine" /v "EngineVersion32Minor" 2^>NUL`) do set /a EngineVersion32Minor = %%~I
                      for /F "usebackq skip=4 tokens=1-2*" %%G in (`Reg QUERY "HKLM\SOFTWARE\McAfee\AVEngine" /v "AVDatDate" 2^>NUL`)    do set AVDatDate=%%~I
                      for /F "usebackq skip=4 tokens=1-2*" %%G in (`Reg QUERY "HKLM\SOFTWARE\McAfee\AVEngine" /v "AVDatVersion" 2^>NUL`) do set /a AVDatVersion = %%~I
                  [/code]

                  This code simply queries the system's registry for McAfee related version information as installed on that system.

                   

                  Hope this is helpful.

                  Ron Metzger

                  • 6. Re: csscan.exe" -Versions | find "DAT version"
                    cyrker

                    Hello,

                    Considering that a policy is done to block the scripts located inside a folder "Temp";
                    I update my scripts, using the value "Tempo" (and not "Temp").

                    I have again the same message inside the log of McAfee :

                     

                    The rule blocks these files :

                    "C:\Windows\SysWOW64\cscript.exe c:\Tempo\RESULTSCHTASK.txt"

                     

                    Then, it seems that "Temp" or "Tempo" is the same thing for McAfee Access Protection.
                    I try with a fully different folder, like "TXT"

                     

                    Regards,

                     

                    Message was edited by: cyrker on 12/17/13 10:56:14 AM CST
                    • 7. Re: csscan.exe" -Versions | find "DAT version"
                      cyrker

                      Hello "METZGER",

                       

                      Yes, the real goal is to obtain the versions of ENGINE and DAT for the McAfee software installed.
                      But, I need to be sure that the results are formatted inside a file, to be re-used by another software dedicated to build inventories.
                      If I want to use your proposal, I need to spend time (days) to verify this kind of script on many types of Windows :
                      XP (fat32, ntfs)

                      XP 64bit

                      2003

                      2003 R2
                      2003 customized by our company

                      2003 64bit
                      2008

                      2008 customized by our company

                      2008 R2
                      2012

                      ...

                      I don't have enough time for this kind of tests ...

                      ...
                      My script works on most systems (85%), but I discover that some rule 'block scripts stored on "Temp" folder' is used ...
                      Then, many choices :
                      1 + change the rule (disable)
                      2 + improve the script with small changes (considering short delays)
                      3 + do nothing, wait for the next months ...
                      ..

                      I try point 2 ....
                      ...

                      Well, the point 1 could be a good thing too ...
                      How can I do it by command lines ?

                      ...

                      Regards,

                      • 8. Re: csscan.exe" -Versions | find "DAT version"
                        rmetzger

                        cyrker wrote:

                         

                        Yes, the real goal is to obtain the versions of ENGINE and DAT for the McAfee software installed.

                        But, I need to be sure that the results are formatted inside a file, to be re-used by another software dedicated to build inventories.
                        If I want to use your proposal, I need to spend time (days) to verify this kind of script on many types of Windows :
                        XP (fat32, ntfs)

                        XP 64bit

                        2003

                        2003 R2
                        2003 customized by our company

                        2003 64bit
                        2008

                        2008 customized by our company

                        2008 R2
                        2012

                        ...

                        I don't have enough time for this kind of tests ...

                        ...
                        My script works on most systems (85%), but I discover that some rule 'block scripts stored on "Temp" folder' is used ...
                        Then, many choices :
                        1 + change the rule (disable)
                        2 + improve the script with small changes (considering short delays)
                        3 + do nothing, wait for the next months ...
                        ..

                        I try point 2 ....
                        ...

                        Well, the point 1 could be a good thing too ...
                        How can I do it by command lines ?

                        ...

                        Regards,

                        I appreciate your testing concerns.

                         

                        I have used my scripts on all OS' up to but not including Windows Server 2012 or 2012R2. My batch file uses only Reg.exe from either System32 or SysWOW64 (from whichever cmd.exe is active) and seems to work correctly from Win XP up. This includes Windows 8 (which is extremely close to Server 2012).

                         

                        The output of Reg.exe is consistent from Win XP and up. The Set Environment Variables set within my batch code:

                            EngineVersion32Major

                            EngineVersion32Minor

                            AVDatDate

                            AVDatVersion

                        could be redirected to your txt file in a form consistent with  and "formatted inside a file, to be re-used by another software."

                         

                        [code]
                            for /F "usebackq skip=4 tokens=1-2*" %%G in (`Reg QUERY "HKLM\SOFTWARE\McAfee\AVEngine" /v "EngineVersion32Major" 2^>NUL`) do set /a EngineVersion32Major = %%~I
                            for /F "usebackq skip=4 tokens=1-2*" %%G in (`Reg QUERY "HKLM\SOFTWARE\McAfee\AVEngine" /v "EngineVersion32Minor" 2^>NUL`) do set /a EngineVersion32Minor = %%~I
                            for /F "usebackq skip=4 tokens=1-2*" %%G in (`Reg QUERY "HKLM\SOFTWARE\McAfee\AVEngine" /v "AVDatDate" 2^>NUL`)    do set AVDatDate=%%~I
                            for /F "usebackq skip=4 tokens=1-2*" %%G in (`Reg QUERY "HKLM\SOFTWARE\McAfee\AVEngine" /v "AVDatVersion" 2^>NUL`) do set /a AVDatVersion = %%~I

                            echo McAfee EngineVersion=%EngineVersion32Major%.%EngineVersion32Minor%     >C:\temp\TEMP\WINMCAFEE.out
                            echo McAfee AVDatVersion=%AVDatVersion%     >>C:\temp\TEMP\WINMCAFEE.out
                            echo McAfee AVDatDate=%AVDatDate%     >>C:\temp\TEMP\WINMCAFEE.out
                        [/code]

                         

                        (I simply used the same file you used on a previous example. Use whatever output file you deem appropriate.) Use the environment variables to format the output file as needed.

                         

                        In my humble opinion, testing the OS provided and standard use of Reg.exe is far less difficult than testing and running csscan.exe from non-standard locations, %temp% or otherwise.

                         

                        "2003 customized by our company"

                        "2008 customized by our company"

                        Has your company removed Reg.exe? If so, then that is a problem. Not sure why they would do so, but . . .


                        "1 + change the rule (disable)"

                        "Well, the point 1 could be a good thing too ..."

                        Not if you are fighting the very security software you need to include in your image. Work with it rather than figuring ways around it.

                         

                        "My script works on most systems (85%)"

                        "2 + improve the script with small changes (considering short delays)"

                        85% is not acceptable to me. If the cause of the last 15% is related to working around issues, then I would probably consider a different strategy, independent of the use of proprietary CsScan.exe. Executing any batch or executable from within a %Temp% folder is always a risky strategy. (However, sending text files or data to %temp% is acceptable.)

                         

                        Adding directory exclusions and changing rules should be the last resort when all other strategies have failed, not the first 'short delays' method.

                         

                        Good luck,

                        Ron Metzger

                         

                        Message was edited by: rmetzger on 12/17/13 2:14:49 PM EST

                         

                        Message was edited by: rmetzger on 12/17/13 2:41:14 PM EST
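
The registry-only approach from replies 5 and 8, as an added example that is not code from any poster in this thread: it selects the value line by name instead of skipping a fixed number of header lines, converts only REG_DWORD data, and writes the result outside any Temp folder. Assumptions: the key and value names are the ones quoted in the thread, `C:\Inventory` is a hypothetical output folder, the Wow6432Node fallback assumes a 32-bit product on 64-bit Windows, and the `McAfee=NOT_FOUND` line is a constructed marker.

```batch
@echo off
setlocal EnableExtensions
rem Added example: read McAfee engine/DAT versions from the registry only,
rem so nothing is executed from a Temp folder.
rem OUTDIR is a hypothetical inventory folder outside Temp; adjust as needed.
set "OUTDIR=C:\Inventory"
set "OUTFILE=%OUTDIR%\WINMCAFEE.out"
if not exist "%OUTDIR%\" mkdir "%OUTDIR%"

rem Look in the native view first, then under Wow6432Node (assumption: a
rem 32-bit product on 64-bit Windows has its keys redirected there).
set "KEY="
for %%K in ("HKLM\SOFTWARE\McAfee\AVEngine" "HKLM\SOFTWARE\Wow6432Node\McAfee\AVEngine") do (
    if not defined KEY (
        reg query %%K /v AVDatVersion >NUL 2>&1 && set "KEY=%%~K"
    )
)
if not defined KEY (
    rem Constructed marker so the inventory tool sees an explicit result.
    >"%OUTFILE%" echo McAfee=NOT_FOUND
    exit /b 1
)

call :ReadValue EngineVersion32Major EngMajor
call :ReadValue EngineVersion32Minor EngMinor
call :ReadValue AVDatVersion DatVer
call :ReadValue AVDatDate DatDate

rem Redirection is placed first so no trailing blanks end up in the file.
>"%OUTFILE%"  echo McAfee EngineVersion=%EngMajor%.%EngMinor%
>>"%OUTFILE%" echo McAfee AVDatVersion=%DatVer%
>>"%OUTFILE%" echo McAfee AVDatDate=%DatDate%
exit /b 0

:ReadValue
rem %1 = registry value name, %2 = environment variable that receives the data.
rem findstr keeps only the line carrying the value name, so the number of
rem header lines printed by reg.exe does not matter.
set "%2="
for /F "tokens=1,2*" %%G in ('reg query "%KEY%" /v %1 2^>NUL ^| findstr /I /C:"%1"') do (
    rem REG_DWORD data is printed as 0x...; set /a converts it to decimal.
    if /I "%%H"=="REG_DWORD" (set /a "%2=%%I") else (set "%2=%%I")
)
exit /b 0
```

The script returns exit code 1 when neither key exists, which lets the calling inventory job tell "not installed" apart from an empty result.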