Solved

Powershell or batch script to know Antivirus version

Posted on 2014-09-14
Last Modified: 2016-02-25
We are due to roll out Sophos on 1000+ computers in our network. Some of the computers already have the newer version. What we are trying to achieve is to select a group of computers and roll out on them first, but we need to know what version of Sophos is running on those computers, so I think the best approach would be to run a script (export it in CSV) on those computers remotely and find out which version of the particular software they are running. I need help to write that script and export it, or a PowerShell command which will achieve this purpose.
Question by:Leo
20 Comments
 
LVL 40

Expert Comment

by:footech
ID: 40322274
This is a duplicate of http://www.experts-exchange.com/Software/Anti-Virus/Q_28515108.html 
If you're not getting helpful information in a previous question (and you've responded to all experts' questions, and allowed enough time for them to respond), you can request attention.  If you want to re-ask the question, you should delete the previous question.
0
 
LVL 11

Expert Comment

by:Maclean
ID: 40322288
Just for clarity, would it not be easier to connect to the Sophos Enterprise Console, and under all computers, check Anti-Virus details to establish current versions?

I have done a few Sophos rollouts in the past. One of them was to an environment which already had Sophos deployed on a failed management server which had not been backed up by the client's local IT who built it, creating a bit of an issue.
I simply built a new DB & Console rather than following Sophos's recommendations, which were rather laborious.

I simply created a deployment script which overwrote the old config, and updated the update manager to point to the new console, which then in turn would upgrade the AV where applicable at start-up of the machine.

You can create a test deployment OU to assign this to, and then from the console, post reboot of a test machine, check that the systems reported in and policies applied successfully.

I realize this is not what you asked for, but thought perhaps it might provide an alternate approach that could help. With this method, the previous version would become irrelevant. What matters is that the new machines check in, and update accordingly.

@ECHO OFF
 REM --- Deploy to Windows 2000/XP/2003/Vista/Windows7/2008/2008-R2
 \\ServerFQDN\SophosUpdate\CIDs\S000\SAVSCFXP\setup.exe -updp "\\ServerFQDN\SophosUpdate\CIDs\S000\SAVSCFXP" -user domain\SophosUpdateMgr -pwd ******** -mng yes
 REM --- End of the script
 :_End
0
 
LVL 8

Author Comment

by:Leo
ID: 40322431
@footech, will delete the duplicate, but that script doesn't work for me....
0
 
LVL 40

Expert Comment

by:footech
ID: 40322453
Never said it did.
0
 
LVL 8

Author Comment

by:Leo
ID: 40322463
@Maclean, thanks for your suggestion, but that won't work in our environment.
@footech: can you please guide me to write a PowerShell script which can generate a list of computers from inside a security group in an OU...... I have pasted below what I am working on.... I don't know how to pass a parameter to list computers inside a security group....
Get-ADComputer -Filter * -SearchBase "OU=Corporate,OU=Groups,OU=Computers,OU=Domain,DC=domain,DC=lan" -Property Name, lastLogonDate |
    where lastLogonDate -ge (Get-Date).AddDays(-90) |
    select Name,lastLogonDate,DistinguishedName,Enabled |
    sort lastLogonDate |
    Export-Csv C:\TEMP\ActiveComputers-Last90Days.csv -noTypeInformation

So there are a few security groups from which I want to pull up a list of computers, one by one, so if I want to define a security group inside Corporate, let's say IT, how should I define it?
0
 
LVL 40

Expert Comment

by:footech
ID: 40322735
Why won't Maclean's suggestion work?  Depending on the problem, there may be a simple solution.

RE: computers in security group - this sounds like a completely separate question, but here's some guidance.  I find that if you ask the question the "right" way, the code to solve it becomes easier to discover.  So try to find different ways of asking the question.  For example, "What computer accounts are members of this security group?" vs. "What members of this security group are computer accounts?"


Here's a modified version of what was posted in http:Q_28517020.html that may work.
import-module activedirectory

$Computers = Get-ADComputer -Filter * -SearchBase "OU=Computers,DC=company,DC=lan" -properties SamAccountName |
 Select -ExpandProperty name
  
foreach ($Computer in $Computers) {
    if ( Test-Connection -ComputerName $Computer -Count 1 -ErrorAction SilentlyContinue -Quiet ){
        $Export = "C:\Scripts\Software_Inventory\CSV\$Computer.csv"
        Write-Host "$Computer is pingable"
        $RegBase = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$Computer)
        $RegUninstall = $RegBase.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall')
        $RegUninstall.GetSubKeyNames() | 
        ForEach-Object {
            $DisplayName = ($RegBase.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$_")).GetValue('DisplayName')
            $DisplayVersion = ($RegBase.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$_")).GetValue('DisplayVersion')
            if ($DisplayName) {
                New-Object -TypeName PSCustomObject -Property @{
                                ComputerName = $Computer
                                ProgramName = $DisplayName
                                Version = $DisplayVersion
                                }
            }
        } | Sort-Object "ProgramName" | Export-Csv $Export -nti -delimiter ";"
    }
}


0
 
LVL 8

Author Comment

by:Leo
ID: 40322769
I have been asked to create a report; doing that will also help with any future projects... and for some older versions of Sophos, if they are affected, there is a separate procedure to clean them up... so we need to release Sophos in a controlled environment... we also have Linux... Ubuntu... and Mac...
0
 
LVL 8

Author Comment

by:Leo
ID: 40324480
@footech, thanks for the script. Correct me if I am wrong: on line 6 of the code, i.e. foreach ($Computer in $Computers) {
I don't have to change anything? I have only changed the SearchBase path and the export path to C:\Temp\$Computer.csv

I am getting the errors pasted below:

Exception calling "OpenRemoteBaseKey" with "2" argument(s): "Attempted to
perform an unauthorized operation."
At line:5 char:9
+         $RegBase =
[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.W ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : UnauthorizedAccessException

OFFICE is pingable
0
 
LVL 40

Expert Comment

by:footech
ID: 40324685
Right, you shouldn't have to change anything there.  Are you running in an account that has administrator privileges on the remote system?
0
 
LVL 8

Author Comment

by:Leo
ID: 40324705
I am running it from my system in PowerShell with admin privileges.
I changed SearchBase to my domain details, and changed the path in $Export to where I want to see the generated output file, i.e. from:

 $Export = "C:\Scripts\Software_Inventory\CSV\$Computer.csv"

to

C:\Temp\$Computer.csv
0
 
LVL 40

Expert Comment

by:footech
ID: 40325794
That doesn't exactly answer my question.  Just because you are running with admin privileges on the local machine doesn't mean you have admin privileges on the remote machine.  The command you need to get to run without error is:
[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,remotecomputername)


0
 
LVL 8

Author Comment

by:Leo
ID: 40329432
I have admin privileges on the remote computer; I am getting an error when I tried the PowerShell command.
At line:1 char:95
+ ... ::LocalMachine,test123
+                    ~
Missing expression after ','.
At line:1 char:95
+ ... ::LocalMachine,test123
+                    ~~~~~~~~~
Unexpected token 'test123' in expression or statement.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingExpressionAfterToken
0
 
LVL 40

Expert Comment

by:footech
ID: 40329686
Sorry, my example had one flaw, the computer name has to be a string (i.e. surrounded by quotes).  Just to be clear, the quotes don't have to be there when you're using a variable which contains a string, so the complete code above works.
[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,"remotecomputername")


It's probably worth mentioning that if you were looking for a complete inventory you would also have to query the HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall key as well on a 64-bit system.  Not certain where Sophos is mentioned, so you may need to query just one or the other.
0
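An added example, not part of the original thread or any poster's code: one PowerShell script that combines the two points raised above, picking out the computer accounts in a security group and then checking both the native and the Wow6432Node Uninstall keys for Sophos, with every machine written to a single CSV. The group name `IT` comes from the question; `$OutFile`, the `New-Row` helper and the `*Sophos*` name filter are assumptions.

```powershell
# Added example. $GroupName, $OutFile, New-Row and the '*Sophos*' filter are assumptions.
Import-Module ActiveDirectory
$GroupName = 'IT'                           # security group named in the question
$OutFile   = 'C:\Temp\SophosVersions.csv'   # hypothetical report path
$UninstallPaths = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 32-bit programs on 64-bit Windows
)
function New-Row ($Computer, $Status, $Program, $Version) {
    [pscustomobject]@{ ComputerName = $Computer; Status = $Status; ProgramName = $Program; Version = $Version }
}

# "What members of this security group are computer accounts?"
$Computers = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    Select-Object -ExpandProperty Name

$Report = foreach ($Computer in $Computers) {
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet -ErrorAction SilentlyContinue)) {
        New-Row $Computer 'Offline'
        continue
    }
    $RegBase = $null
    try {
        $RegBase = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        $Rows = foreach ($Path in $UninstallPaths) {
            $Key = $RegBase.OpenSubKey($Path)
            if (-not $Key) { continue }     # Wow6432Node does not exist on 32-bit Windows
            foreach ($SubName in $Key.GetSubKeyNames()) {
                $Sub  = $Key.OpenSubKey($SubName)
                $Name = $Sub.GetValue('DisplayName')
                if ($Name -like '*Sophos*') { New-Row $Computer 'OK' $Name ($Sub.GetValue('DisplayVersion')) }
                $Sub.Close()
            }
            $Key.Close()
        }
        # Emit the matches, or one row recording that nothing matched in either key.
        if ($Rows) { $Rows } else { New-Row $Computer 'Sophos not found' }
    }
    catch {
        # Access denied, Remote Registry service stopped, firewall block, and so on.
        New-Row $Computer "Error: $($_.Exception.Message)"
    }
    finally {
        if ($RegBase) { $RegBase.Close() }
    }
}
$Report | Export-Csv -Path $OutFile -NoTypeInformation
```

Reading a remote registry this way needs the Remote Registry service running on the target and an account with administrative rights there; machines that fail either condition appear as an Error row instead of stopping the run.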
 
LVL 8

Author Comment

by:Leo
ID: 40358525
Apologies for the late reply, I have been offsite.....
Most of the machines onsite are 64-bit.
I have run the query; it runs, but doesn't list anything....
PS C:\windows\system32>

[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,"test123")

Name                           Property                                                                                                            
----                           --------
0
 
LVL 40

Expert Comment

by:footech
ID: 40358625
That's fine.  For that command that's all you get.
I've tested the code I posted and it works fine.  If you just want to test on one or two machines, create a file named "computers.txt", put a couple names in there (one each line, with no blank lines), then substitute the following for lines 3 and 4.
$computers = @(Get-Content computers.txt)


0
 
LVL 8

Author Comment

by:Leo
ID: 40381238
Making the changes as you suggested only shows computers which are pingable in computers.txt
0
 
LVL 8

Author Comment

by:Leo
ID: 40381241
I am going to request to close off this question if you don't mind. I appreciate your help, but I haven't found any resolution.
0
 
LVL 40

Expert Comment

by:footech
ID: 40381498
It's up to you.  All the information has been given and the code has been tested.  So now you're just left with figuring out what's sticking in your environment.
0
 
LVL 8

Accepted Solution

by:
Leo earned 0 total points
ID: 40414758
This is the VB script which works, and produces results once it's attached to group policy, no matter which environment it is.

Option Explicit

Const HKLM = &H80000002 'HKEY_LOCAL_MACHINE
      
Dim objMessage : Set objMessage = CreateObject("CDO.Message")       
Dim objNetwork : Set objNetwork = CreateObject("WScript.Network")
Dim strComputer
Dim Architecture
Dim objReg
Dim strKey
Dim arrSubkeys
Dim strSubkey
Dim intRet1
Dim strDisplayName
Dim intVersionMajor
Dim intVersionMinor
Dim strProgramDisplayName
Dim intProgramVersionMajor
Dim intProgramVersionMinor


strComputer = objNetwork.ComputerName

Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

strKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\"

objReg.EnumKey HKLM, strKey, arrSubkeys

'WScript.Echo "Installed Applications" & VbCrLf
For Each strSubkey In arrSubkeys
      intRet1 = objReg.GetStringValue(HKLM, strKey & strSubkey, "DisplayName", strDisplayName)
      If intRet1 <> 0 Then
            objReg.GetStringValue HKLM, strKey & strSubkey, "QuietDisplayName", strDisplayName
      End If
      objReg.GetDWORDValue HKLM, strKey & strSubkey, "VersionMajor", intVersionMajor
      objReg.GetDWORDValue HKLM, strKey & strSubkey, "VersionMinor", intVersionMinor

      On Error Resume  Next
      'WScript.Echo strDisplayName
      On Error Goto 0
      If InStr(1, strDisplayName, "sophos", 1) Then
            strProgramDisplayName = strDisplayName
            intProgramVersionMajor = intVersionMajor
            intProgramVersionMinor = intVersionMinor
      End If
Next

If strProgramDisplayName <> "" Then
      WScript.Echo VbCrLf & "Display Name: " & strProgramDisplayName
      WScript.Echo "Version: " & intProgramVersionMajor & "." & intProgramVersionMinor
                  
      objMessage.Subject = "Sophos installed"
      objMessage.TextBody = objNetwork.Username & " " & strComputer & VbCrLf & "Display Name: " & strProgramDisplayName & VbCrLf & "Version: " & intProgramVersionMajor & "." & intProgramVersionMinor
Else
      objMessage.Subject = "Sophos not installed"
      objMessage.TextBody = objNetwork.Username & " " & strComputer
End If

objMessage.From = strComputer & "@EmailServer"
objMessage.To = "test1@EmailServer"

objMessage.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objMessage.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtp.EmailServer"
objMessage.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objMessage.Configuration.Fields.Update

objMessage.Send
0
 
LVL 8

Author Closing Comment

by:Leo
ID: 40421149
Found answer, tested it and it's working.
0
