How do I query my F-Secure installation for information
Hi there.
I am writing my own little utility that queries the local F-Secure installation for real time config information. The utility is meant to be run by users so they can see some system info and if necessary reset their UID by the click of a button.
I query the Windows registry to get the F-Secure install path, product name (i.e. "F-Secure Client Security") and the UID, and I use polutil.exe to get some other information. My problem is that I have no idea what OIDs to query.
This is what I have so far:
Version: POLUTIL.EXE G 1.3.6.1.4.1.2213.27.2.1
PMS address: POLUTIL.EXE G 1.3.6.1.4.1.2213.11.1.14.4.2.1 (not sure about this OID)
And I am looking for these
Last connection to PMS: POLUTIL.EXE G ?.?.?.?.?.?.?.?
Real-Time Scanner enabled/disabled: POLUTIL.EXE G ?.?.?.?.?.?.?.?.?.?
Firewall enabled/disabled: POLUTIL.EXE G ?.?.?.?.?.?.?.?.?.?
Can anyone help me with the missing OIDs?
Are there any other ways to query for this information other than using the polutil? The polutil uses a second or two to finish every query on slow computers, and when querying several OIDs then... you get the picture...
Thanks in advance for any help!
Comments
-
Hi,
"Restuid" becomes obsolete starting with 9.1x because it is replaced with a GUID that is fixed.
For the missing values: in PM activate "comments in policy", distribute or export a policy, and read the BPF with Notepad.
Could you please explain a bit more about the intention of your program, as I think all this can perfectly be shown from either the PM or WebReporting.
HTH
0 -
Here's what I'm trying to do...
I'm a sysadmin and security manager at a 20000+ student business school. We are located at six different locations in Norway, and the smaller locations have no dedicated IT staff. They rely on a few trusted students that dump centrally made PC images (Ghost) onto computer lab computers more or less regularly to fix problems and distribute new software. We all know what needs to be done before saving a new image for the last time before cloning, but somehow the guys creating images forget to reset the UID and then ship the image across the country. The result is that one week later, I have 50 PCs with the same computer name and identical UID. The same happens (but less frequently) to employee computers. One other problem is that they use installation packages created for the student computer labs on employee students and vice versa.
To err is human, to repeat the error frequently must be very human, it seems.
With very different policies and with different PMSes, we would like to make it easy for the users themselves to find their computer name and UID (the two most important ones), and then supply them with a button that says "Reset UID". At least we can reduce the number of computers with the same name and UID, and we can identify the computers that are managed by the wrong PMS.
My plan was to create a small utility that will display some computer and F-Secure information (username, computer name, UID, what management server F-Secure is using etc) and supply our users with the mentioned "Reset UID button". As I'm just beginning to look into AutoIT (http://www.autoitscript.com/site/autoit/) this seemed like a fun first project. I get to read from the registry, run command line programs and collect the output and maybe even spawn upgrades (running MSIs) from the simple user interface.
I know that FSCS >= 9.10 uses a guaranteed unique ID (I found my MAC address inside the UID), but our legacy of older F-Secure installations on older computer images makes it almost impossible to just ditch FSCS <=9.01 and upgrade all computers to FSCS 9.11. An upgrade won't reset the UID anyway, so I need to either do a fresh install on every image, or reset the UID after upgrading the existing images.
Oh, mostly I do it for fun, but with a serious thought behind it!
Here is what I have so far (a tabbed window that displays info and lets the user reset his/her UID):
0 -
Hello Popeye,
There are some settings you can easily get with polutil, some of them require some sort of an interpretation;
Last connection to policy manager server (Returns unix time in seconds):
1.3.6.1.4.1.2213.11.2.14.8
Real-time scanning (0 is disabled, 1 is enabled):
1.3.6.1.4.1.2213.12.1.111.2.10
Firewall (returns active firewall level as defined in Policy Manager Console):
1.3.6.1.4.1.2213.25.1.30.30
Note that the firewall might still be disabled from systray icon (if it's allowed for users).
0 -
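The three OIDs from the reply above, queried and interpreted in one pass, as an added example that is not part of the original thread and is not F-Secure's own code. It assumes `polutil.exe G <oid>` prints only the value on stdout (the thread does not show the output format); the helper names and the `stale_days` threshold are hypothetical. The queries run in parallel because each polutil call can take a second or two.

```python
import subprocess
import time
from concurrent.futures import ThreadPoolExecutor

# OIDs and their meanings as given in the reply above.
OIDS = {
    "last_pms_contact": "1.3.6.1.4.1.2213.11.2.14.8",       # Unix time, seconds
    "realtime_scanning": "1.3.6.1.4.1.2213.12.1.111.2.10",  # 0 disabled, 1 enabled
    "firewall_level": "1.3.6.1.4.1.2213.25.1.30.30",        # active firewall level
}

def polutil_get(oid, exe="polutil.exe"):
    """Run 'polutil.exe G <oid>'. Assumption: the value is the trimmed stdout."""
    done = subprocess.run([exe, "G", oid], capture_output=True, text=True, timeout=30)
    return done.stdout.strip()

def query_all(get=polutil_get):
    """Query every OID in parallel so a slow machine waits for one call, not three."""
    def safe(oid):
        try:
            return get(oid)
        except (OSError, subprocess.SubprocessError):
            return ""  # polutil missing, failed or timed out
    with ThreadPoolExecutor(max_workers=len(OIDS)) as pool:
        return dict(zip(OIDS, pool.map(safe, OIDS.values())))

def interpret(raw, now=None, stale_days=7):
    """Turn raw polutil values into a status dict (stale_days is a hypothetical threshold)."""
    now = time.time() if now is None else now
    # The level is what policy defines; a user may still have switched the
    # firewall off from the systray icon, so this is not proof it is running.
    status = {"firewall_level": raw.get("firewall_level") or "unknown"}
    rts = raw.get("realtime_scanning", "")
    status["realtime_scanning"] = {"0": "disabled", "1": "enabled"}.get(rts, "unknown")
    try:
        last = int(raw.get("last_pms_contact", ""))
        status["last_pms_contact"] = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(last))
        status["pms_contact_stale"] = (now - last) > stale_days * 86400
    except ValueError:
        status["last_pms_contact"] = "unknown"
        status["pms_contact_stale"] = True  # no valid timestamp: needs attention
    return status

if __name__ == "__main__":
    for key, value in interpret(query_all()).items():
        print(f"{key}: {value}")
```

A host that reports a stale or unknown last contact is a candidate for the "managed by the wrong PMS" case discussed in this thread.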
@Popeye wrote:
With very different policies and with different PMSes, we would like to make it easy for the users themselves to find their computer name and UID (the two most important ones), and then supply them with a button that says "Reset UID". At least we can reduce the number of computers with the same name and UID, and we can identify the computers that are managed by the wrong PMS.
My plan was to create a small utility that will display some computer and F-Secure information (username, computer name, UID, what management server F-Secure is using etc) and supply our users with the mentioned "Reset UID button". As I'm just beginning to look into AutoIT (http://www.autoitscript.com/site/autoit/) this seemed like a fun first project. I get to read from the registry, run command line programs and collect the output and maybe even spawn upgrades (running MSIs) from the simple user interface.
I know that FSCS >= 9.10 uses a guaranteed unique ID (I found my MAC address inside the UID), but our legacy of older F-Secure installations on older computer images makes it almost impossible to just ditch FSCS <=9.01 and upgrade all computers to FSCS 9.11. An upgrade won't reset the UID anyway, so I need to either do a fresh install on every image, or reset the UID after upgrading the existing images.
Hi, very interesting setup!
Some thoughts for you:
Finding PMS: define a DNS entry in each network, e.g. FSPMS.network-1.no, pointing to the local PMS in Network1. Then export an installation pack that points to "FSPMS" or "FSMPS:hostport" (do not use the full DNS name); the machine will automatically expand FSPMS to FSPMS.<localdomain>. The host will register to the local PMS.
ResetUID and Version 9.x: Support can provide you with a special hotfix that will allow you to use GUIDs even with 9.01. If you still have older version 8 clients you MUST upgrade them before 31. Dec.2011 anyway!!!! There is also a trick to force generation of a GUID even if your clients still use the UID (due to upgrade); support will have that too!
HTH!
1 -
@MJ-perComp wrote:
Some thoughts for you:
Finding PMS: define a DNS entry in each network, e.g. FSPMS.network-1.no, pointing to the local PMS in Network1. Then export an installation pack that points to "FSPMS" or "FSMPS:hostport" (do not use the full DNS name); the machine will automatically expand FSPMS to FSPMS.<localdomain>. The host will register to the local PMS.
ResetUID and Version 9.x: Support can provide you with a special hotfix that will allow you to use GUIDs even with 9.01. If you still have older version 8 clients you MUST upgrade them before 31. Dec.2011 anyway!!!! There is also a trick to force generation of a GUID even if your clients still use the UID (due to upgrade); support will have that too!
HTH!
I think I see what you are suggesting regarding the PMSes. My servers have easy to remember names that would work with your idea (antivirus.mydomain.no and antivirus.student.mydomain.no), but would it not be a problem that the employee and student PMSes have different certificates? The clients would only connect to the PMS that created the installation package (either MSI, JAR or policy push) because of the certs, or am I mistaking something...?
Anyway, my utility would be querying the individual F-Secure installation to see what PMS that specific host is connected to and administered by. There are at least two OIDs that return the correct server address, but I do not know if both can be used or if one of the addresses is something else. I couldn't find the "comments in policy" option you mentioned earlier, so I kept with one of the two OIDs (picked at random) and hope it will work OK.
I have to talk to our support partner to see if I can get my hands on those GUID tools you mentioned. Thanks for the tip!
We are currently upgrading all FSCS installations to FSCS 9.11 (upgraded 500 of approx. 1500 last week), but as the old UID is kept through an upgrade, my problem will not go away until all computers have had a UID reset or until all computers get a new image with FSCS 9.11 and the new GUID. I just know that even if I have told everybody about the FSCS 8.xx EOL, we are bound to have some older disk images with FSCS 8.xx online in 2012. Someone will forget to throw out the old boot CDs or just install the first MSI that he/she can find, no matter what version it is. And then someone cleverly powers up his/her old PC just to have a PC doing something not very important (to business, anyway) like Folding@home or similar.
Thanks again for your assistance. You provide excellent tips and give me something to work with every time.
Regards,
Popeye70 / Thomas
(Popeye because of the sailing, not the spinach)