AV - Conflicting Programs or Services 1.0.0

About This File

A challenge when managing endpoints is identifying which computers still have legacy AV products present once you have your preferred AV installed. This monitor will match program and service inventories to known AV products and alert when multiple solutions are found. Once you import the monitor you will need to make some adjustments to the first line in the "Additional Condition" section.

SET @PreferredAVList='ProductName1,ProductName2'; Set this to a list of AV products that you deploy and that are expected to work together. The names will need to match the AV names assigned in the monitor. Hit "Build and View Query" to see sample results and identify your preferred AV product names. If you don't set this, the monitor will just alert for every agent that has multiple products installed.
SET @ReportPreferredAV=False; Setting this to True will include preferred products in the alert message of the "Conflicting" applications. Since the alert is basically saying "These are what you should remove", you may not want preferred products mentioned.
SET @RequirePreferredAVInstalled=False; Setting this to True will only alert on an endpoint where a preferred AV product was found in addition to a non-preferred product. Setting it to False will alert even when only multiple non-preferred products are found.

The monitor will import as a global monitor that targets all agents. You will want to select some groups to target instead, such as groups for computers under a service plan or groups for computers that should have a managed AV product deployed. This way you won't alert on agents that are not expected to have your preferred AV product installed.

If you need to add a new product, copy the format of existing products matched by program or service name.

Tweaks

If you want to alert when only 1 product is found but it is not a preferred product:

Change

HAVING COUNT(DISTINCT IF(FIND_IN_SET(innerdt.AVName,@PreferredAVList),'Preferred',innerdt.AVName))>1

To

HAVING COUNT(DISTINCT IF(FIND_IN_SET(innerdt.AVName,@PreferredAVList),NULL,innerdt.AVName))>=1
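
The two conditions above, run side by side on constructed data (an added example, not part of the monitor file). The temporary table stands in for the monitor's inner query aliased innerdt; the ComputerID column, the LegacyAV and OtherAV names and all sample rows are assumptions made for the demonstration.

```sql
-- Constructed stand-in for the monitor's inner result set:
-- one row per (agent, AV product matched from programs or services).
-- ComputerID and the non-preferred product names are assumed for this demo.
CREATE TEMPORARY TABLE innerdt (ComputerID INT, AVName VARCHAR(50));
INSERT INTO innerdt VALUES
  (1, 'ProductName1'),                       -- preferred product only
  (2, 'ProductName1'), (2, 'ProductName2'),  -- two preferred products together
  (3, 'ProductName1'), (3, 'LegacyAV'),      -- preferred plus a leftover product
  (4, 'LegacyAV'),                           -- a single non-preferred product
  (5, 'LegacyAV'),     (5, 'OtherAV');       -- two non-preferred products

SET @PreferredAVList='ProductName1,ProductName2';

-- Original condition. Every name found in @PreferredAVList is collapsed into
-- the single value 'Preferred', so any number of preferred products counts
-- once. An agent matches only when more than one distinct value remains.
SELECT innerdt.ComputerID,
       GROUP_CONCAT(DISTINCT innerdt.AVName ORDER BY innerdt.AVName SEPARATOR ', ') AS ProductsFound
FROM innerdt
GROUP BY innerdt.ComputerID
HAVING COUNT(DISTINCT IF(FIND_IN_SET(innerdt.AVName,@PreferredAVList),'Preferred',innerdt.AVName))>1;

-- Tweaked condition. Preferred names become NULL, and COUNT(DISTINCT ...)
-- skips NULLs, so only non-preferred products are counted. A single
-- non-preferred product is then enough to match, with or without a
-- preferred product beside it.
SELECT innerdt.ComputerID,
       GROUP_CONCAT(DISTINCT innerdt.AVName ORDER BY innerdt.AVName SEPARATOR ', ') AS ProductsFound
FROM innerdt
GROUP BY innerdt.ComputerID
HAVING COUNT(DISTINCT IF(FIND_IN_SET(innerdt.AVName,@PreferredAVList),NULL,innerdt.AVName))>=1;

DROP TEMPORARY TABLE innerdt;
```

FIND_IN_SET compares whole list elements exactly, so a stray space after a comma in @PreferredAVList or a name that differs from the AVName assigned in the monitor makes a preferred product count as non-preferred.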

Help Out

Help identify unknown AV products by sharing the Product name and Software and Service names that indicate the product is installed. I can update the file periodically with new product definitions.

For Instance:

ESET - Application Names are like 'ESET Endpoint%' or 'ESET File%' or 'NOD32%'. Services have the Name 'ekrn' or 'ekrnEpfw'.

 


User Feedback

Recommended Comments

I realized I didn't have a definition for ThreatLocker. I'll add this here if anyone wants to update their monitor to include it. ThreatLocker can only be detected by installed services, so this one line needs to be added into the services group:

SELECT 'ThreatLocker' AS AVName, ServiceId FROM services WHERE (`Name`='ThreatLockerService' OR `Name`='HealthTLService' OR `Name`='ThreatLockerDriver') UNION

 


In our environment, 'EPSecurityService' belongs to Bitdefender, not SolarWindsMSP.

So this

SELECT 'SolarWindsMSP' AS AVName, ServiceId FROM services WHERE (`Name`='ManagedAntivirus' OR `Name`='EPSecurityService') UNION

Changed to this

SELECT 'SolarWindsMSP' AS AVName, ServiceId FROM services WHERE (`Name`='ManagedAntivirus') UNION

And this got added

SELECT 'Bitdefender' AS AVName, ServiceId FROM services WHERE (`Name` ='EPSecurityService') UNION

 
