KB41009 - How to use the ESAP diagnostic output to check if the client matches the requirements in the ESAP List Of Supported Products guide

Last Modified Date: 6/14/2018 10:56 AM
Synopsis
This article describes how to cross-reference the ESAP diagnostic output with the ESAP List Of Supported Products guide.
Problem or Goal
The ESAP diagnostic tool uses the same SDKs as Host Checker to generate a report that lists the installed antivirus products and the features that are available for Host Checker policies to test. This article highlights which entries in the diagnostic output correspond to the various detection methods, so that administrators can run the diagnostic tool and check what is being reported. A typical use is when a new version of an antivirus product is released and the administrator wants to verify whether the current Host Checker policies still apply, or whether a support case needs to be opened to request that the failing detection methods be added in a later ESAP release.
Cause
Solution
KB28146 - [Host Checker] Endpoint Security Assessment Plug-in (ESAP) Diagnostic Tool for PCS 7.2 / PPS 4.2 and above on Windows Platform and KB29633 - Endpoint Security Assessment Plug-in (ESAP) Diagnostic Tool for PCS 7.2 / PPS 4.2 and above on Mac OS Platform describe how to download and run the ESAP diagnostic tool.

The List Of Products Supported and Release Notes documents for each ESAP release are available in the ESAP section of our Techpubs pages.

An administrator should download the Release Notes and List Of Products Supported for the ESAP version currently in use, matching the SDK version enabled on the PCS/PPS (see KB40318 - Impact / Changes between V3 and V4 OPSWAT SDK for more information about the two versions). These documents can then be cross-referenced with the ESAP diagnostic output to confirm whether the detection methods are reported correctly or whether the endpoint is missing required privileges.

Here is an example using ESAP 3.1.2 with the V4 SDK:

 

V4 SDK


In the ESAP 3.1.2 List Of Products Supported for the OPSWAT V4 SDK, the Introduction explains how to read a product entry:

Each supported product is listed with its limitations, if any, in tabular form.

• Method: This column lists all methods supported for the product.
  • Evaluation
  • Remediation

• Functionality: This column lists the different functionalities supported for the product.
  • Virus Definition Check
  • Detection
  • Real Time Protection
  • Download Latest Virus Definitions

Note that there are no requirements for the methods with V4.
  • Check V4 product entry


Check what is listed for the antivirus product and version. This example uses CylancePROTECT version 2.0.1430.18, which is listed as:

CylancePROTECT ( 2.x ) :

Product Specific Limitations   Method        Functionality
(none)                         Evaluation    Detection
                               Evaluation    Virus Definition Check
                               Evaluation    Last Scan Time
                               Remediation   AntiVirus Scan

 
Compared with V3, the V4 entry adds a Remediation method (AntiVirus Scan) that can start a virus scan on the endpoint.
  • Generate V4 diagnosis file

Run the ESAP diagnostic tool on an endpoint. For V4 it creates a text file named WaDiagnoseResults_1502457259.txt, where the number is the Unix epoch timestamp of when the diagnosis executable was run (https://www.epochconverter.com/ can be used to convert it to a human-readable form).
  • Analyze the V4 diagnosis file

As there are no requirements to check for V4, skip straight to the antivirus product section. Open the file in a text editor and either search for the product name or go to the "security_center" section, which lists the installed security products, and check that the expected antivirus product is present:
 
"security_center" : [
    {
        "name" : "CylancePROTECT",
        "interface" : "AntiVirusProduct",
        "namespace" : "SecurityCenter2",
        "guid" : "{B0D0XXF4-7F0B-0434-B825-1213D78DAK01}"
    }
],



The next section, "detected_products", lists the installed programs. Skip through to the antivirus product of interest; for the Cylance product the stanza starts as follows. Note that each method's name ("method_name") comes at the end of its stanza, after the "result" object.
 
{
    "signature" : 2563,
    "sig_name" : "CylancePROTECT",
    "methods" : [
        {
            "result" : {
                "main" : "C:\\Program Files\\Cylance\\Desktop\\",
                "directories" : [
                    "C:\\Program Files\\Cylance\\Desktop\\"
                ],
                "method" : 104,
                "code" : 0,
                "timing" : 0,
                "timestamp" : "1502457262",
                "signature" : 2563
            },
            "method_name" : "GetInstallationDirectories"


 
 
The method names of interest in this section, by the functionality they report, are:

Functionality             Key (method_name)
Product Name              GetComponents
Product Version           GetComponents
Detection                 GetRealTimeProtectionState
Virus Definition Check    GetDefinitionState
Last Scan Time            GetLastScanTime

Here is an example of the method sections that carry the keys from the table above. Note that the timestamps are also in Unix epoch format and need to be converted to a human-readable form:
 
        {
            "result" : {
                "signature" : 2563,
                "components" : [
                    {
                        "path" : "C:\\Program Files\\Cylance\\Desktop\\CylanceUI.exe",
                        "version" : "2.0.1430.18",
                        "description" : "Cylance Protect"
                    }
                ],
                "method" : 105,
                "code" : 0,
                "timing" : 0,
                "timestamp" : "1502457262"
            },
            "method_name" : "GetComponents"
        },

        {
            "result" : {
                "enabled" : true,
                "code" : 0,
                "details" : {
                    "antivirus" : true,
                    "antispyware" : true
                },
                "signature" : 2563,
                "method" : 1000,
                "timing" : 0,
                "timestamp" : "1502457262"
            },
            "method_name" : "GetRealTimeProtectionState"
        },

        {
            "result" : {
                "is_recent" : true,
                "definitions" : [
                    {
                        "last_update" : "1502424000",
                        "type" : "antimalware",
                        "version" : "2017.08.11",
                        "name" : "Cylance PROTECT",
                        "source_time" : "1502424000",
                        "engine_version" : ""
                    }
                ],
                "timing" : 16,
                "method" : 1001,
                "code" : 0,
                "timestamp" : "1502457262",
                "signature" : 2563
            },
            "method_name" : "GetDefinitionState"
        },

        {
            "result" : {
                "scan_type" : "default",
                "scan_time" : "1502126829",
                "method" : 1004,
                "code" : 0,
                "timing" : 0,
                "timestamp" : "1502457265",
                "signature" : 2563
            },
            "method_name" : "GetLastScanTime"
        }
    ]
},
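The cross-reference described in this section can be automated. The following Python script is an added example for this article; it is not part of the ESAP diagnostic tool or of any Pulse Secure product. It parses a V4 diagnosis file, confirms the product appears in "security_center", looks up the method_name for each functionality from the table above, reports any key that is missing or returned a non-zero "code", and converts the epoch timestamps to UTC. The JSON embedded in the script is a constructed, trimmed sample built from the values shown above so that it runs offline; the function names and the FUNCTIONALITY_KEYS mapping are this example's own.

```python
"""Cross-check a V4 ESAP diagnosis file (WaDiagnoseResults_<epoch>.txt) against the
method names expected for a product from the List Of Products Supported guide.
Example code added to this KB article; not part of the ESAP diagnostic tool."""
import json
import sys
from datetime import datetime, timezone

# Functionality -> method_name, taken from the table in this article.
FUNCTIONALITY_KEYS = {
    "Product Name": "GetComponents",
    "Product Version": "GetComponents",
    "Detection": "GetRealTimeProtectionState",
    "Virus Definition Check": "GetDefinitionState",
    "Last Scan Time": "GetLastScanTime",
}

# Constructed sample: a trimmed copy of the structure and values shown in the article,
# so the script runs offline. Pass a real WaDiagnoseResults file path as argv[1] instead.
SAMPLE_REPORT = r'''{
  "security_center": [
    {"name": "CylancePROTECT", "interface": "AntiVirusProduct",
     "namespace": "SecurityCenter2", "guid": "{B0D0XXF4-7F0B-0434-B825-1213D78DAK01}"}
  ],
  "detected_products": [
    {"signature": 2563, "sig_name": "CylancePROTECT", "methods": [
      {"result": {"main": "C:\\Program Files\\Cylance\\Desktop\\", "method": 104, "code": 0,
                  "timestamp": "1502457262", "signature": 2563},
       "method_name": "GetInstallationDirectories"},
      {"result": {"components": [{"path": "C:\\Program Files\\Cylance\\Desktop\\CylanceUI.exe",
                                  "version": "2.0.1430.18", "description": "Cylance Protect"}],
                  "method": 105, "code": 0, "timestamp": "1502457262", "signature": 2563},
       "method_name": "GetComponents"},
      {"result": {"enabled": true, "details": {"antivirus": true, "antispyware": true},
                  "method": 1000, "code": 0, "timestamp": "1502457262", "signature": 2563},
       "method_name": "GetRealTimeProtectionState"},
      {"result": {"is_recent": true, "definitions": [{"last_update": "1502424000",
                  "type": "antimalware", "version": "2017.08.11", "name": "Cylance PROTECT"}],
                  "method": 1001, "code": 0, "timestamp": "1502457262", "signature": 2563},
       "method_name": "GetDefinitionState"},
      {"result": {"scan_type": "default", "scan_time": "1502126829", "method": 1004, "code": 0,
                  "timestamp": "1502457265", "signature": 2563},
       "method_name": "GetLastScanTime"}
    ]}
  ]
}'''


def load_report(text):
    """Parse the diagnosis file; the V4 output is plain JSON."""
    return json.loads(text)


def epoch_to_utc(ts):
    """Convert the Unix epoch strings used throughout the file to a readable UTC time."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def in_security_center(report, product_name):
    """True if Windows Security Center reports the product (the first thing to check)."""
    return any(e.get("name") == product_name for e in report.get("security_center", []))


def product_methods(report, sig_name):
    """Return {method_name: result} for the detected product with the given sig_name."""
    for prod in report.get("detected_products", []):
        if prod.get("sig_name") == sig_name:
            return {m["method_name"]: m["result"] for m in prod.get("methods", [])}
    return {}


def check_product(report, sig_name, expected=FUNCTIONALITY_KEYS):
    """Per-functionality verdict: 'ok', 'error <code>' (method ran but failed) or 'missing'.
    A 'missing' or 'error' entry is what to quote in a support case for the guide entry."""
    methods = product_methods(report, sig_name)
    verdict = {}
    for functionality, key in expected.items():
        result = methods.get(key)
        if result is None:
            verdict[functionality] = "missing"
        elif result.get("code", 0) != 0:
            verdict[functionality] = "error %s" % result["code"]
        else:
            verdict[functionality] = "ok"
    return verdict


def summarize(report, sig_name):
    """Pull out the values an administrator compares with the product guide and policy."""
    methods = product_methods(report, sig_name)
    comps = methods.get("GetComponents", {}).get("components", [])
    defs = methods.get("GetDefinitionState", {}).get("definitions", [])
    scan = methods.get("GetLastScanTime")
    return {
        "in_security_center": in_security_center(report, sig_name),
        "version": comps[0]["version"] if comps else None,
        "real_time_protection": methods.get("GetRealTimeProtectionState", {}).get("enabled"),
        "definitions_recent": methods.get("GetDefinitionState", {}).get("is_recent"),
        "definition_last_update": epoch_to_utc(defs[0]["last_update"]) if defs else None,
        "last_scan": epoch_to_utc(scan["scan_time"]) if scan else None,
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    report = load_report(text)
    product = sys.argv[2] if len(sys.argv) > 2 else "CylancePROTECT"
    for functionality, status in check_product(report, product).items():
        print("%-24s %s" % (functionality, status))
    for key, value in summarize(report, product).items():
        print("%-24s %s" % (key, value))
```

Run it as `python check_esap.py WaDiagnoseResults_1502457259.txt CylancePROTECT` against a real file (with no arguments it uses the embedded sample). The "code" field is checked per method because a method can be present in the output yet have failed on the endpoint, for example when the tool was run without the privileges the SDK needs; that case should be reported as an error, not as a missing capability in the product guide.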


 
Created By: Matthew Spiers