KB28146 - [Host Checker] Endpoint Security Assessment Plug-in (ESAP) Diagnostic Tool for PCS 7.2 / PPS 4.2 and above on Windows Platform and KB29633 - Endpoint Security Assessment Plug-in (ESAP) Diagnostic Tool for PCS 7.2 / PPS 4.2 and above on Mac OS Platform cover how to download and use the ESAP diagnostic tool.
The List Of Products Supported and Release Notes documents for each ESAP release are available in the ESAP section of our Techpubs pages.
An administrator should download the Release Notes and List Of Products Supported for the ESAP version currently in use, choosing the document set that matches the version of the OPSWAT SDK (V3 or V4) enabled on the PCS/PPS; see KB40318 - Impact / Changes between V3 and V4 OPSWAT SDK for more information about the two versions. These documents can then be cross-referenced with the ESAP diagnostic output to confirm whether the product is being detected by the expected methods or whether the endpoint is missing required privileges.
Here are examples using ESAP 3.1.2 for the V4 SDK:
V4 SDK
In the ESAP 3.1.2 List Of Products Supported for OPSWAT V4 SDK the Introduction contains the following information on how to read the product entry:
Each supported product is listed, with any limitations, in tabular form.
• Method: This column lists all the methods supported for the product.
• Functionality: This column lists the different functionalities supported for the product:
- Virus Definition Check
- Detection
- Real Time Protection
- Download Latest Virus Definitions
Note that there are no requirements for the methods with V4.
Check what is listed for the antivirus product and version. This example uses CylancePROTECT version 2.0.1430.18, which is listed as:
CylancePROTECT ( 2.x ):

| Product Specific Limitations | Method | Functionality |
|---|---|---|
| | Evaluation | Detection |
| | Evaluation | Virus Definition Check |
| | Evaluation | Last Scan Time |
| | Remediation | AntiVirus Scan |

So, compared to V3, V4 adds a remediation option to start an antivirus scan.
Generate V4 diagnosis file
Run the ESAP diagnostic tool on the endpoint. For V4 it creates a text file named WaDiagnoseResults_1502457259.txt
(the number is the Unix epoch timestamp of when the diagnosis executable was run; https://www.epochconverter.com/ can be used to convert it to a human-readable form).
Analyze the V4 diagnosis file
As there are no requirements to check for V4, we can skip straight to the antivirus product section. Open the file in a text editor and either search for the product name or go to the following section, which lists the installed security products, and check that the expected antivirus product is listed in the security center:
  "security_center" : [
    {
      "name" : "CylancePROTECT",
      "interface" : "AntiVirusProduct",
      "namespace" : "SecurityCenter2",
      "guid" : "{B0D0XXF4-7F0B-0434-B825-1213D78DAK01}"
    }
  ],
The next section, "detected_products", lists the installed programs. Skip through to the antivirus product of interest; for the Cylance product it starts with the following stanza. Note that the method name ("method_name") comes at the end of each method stanza, after its "result" block:
    {
      "signature" : 2563,
      "sig_name" : "CylancePROTECT",
      "methods" : [
        {
          "result" : {
            "main" : "C:\\Program Files\\Cylance\\Desktop\\",
            "directories" : [
              "C:\\Program Files\\Cylance\\Desktop\\"
            ],
            "method" : 104,
            "code" : 0,
            "timing" : 0,
            "timestamp" : "1502457262",
            "signature" : 2563
          },
          "method_name" : "GetInstallationDirectories"
The method names we are interested in for this section are:

| Functionality | Keys |
|---|---|
| Product Name | GetComponents |
| Product Version | GetComponents |
| Detection | GetRealTimeProtectionState |
| Virus Definition Check | GetDefinitionState |
| Last Scan Time | GetLastScanTime |

Here is an example of the different method sections for the keys above. Note that the timestamps are also in Unix epoch format and need to be converted to human-readable form:
        {
          "result" : {
            "signature" : 2563,
            "components" : [
              {
                "path" : "C:\\Program Files\\Cylance\\Desktop\\CylanceUI.exe",
                "version" : "2.0.1430.18",
                "description" : "Cylance Protect"
              }
            ],
            "method" : 105,
            "code" : 0,
            "timing" : 0,
            "timestamp" : "1502457262"
          },
          "method_name" : "GetComponents"
        },
        {
          "result" : {
            "enabled" : true,
            "code" : 0,
            "details" : {
              "antivirus" : true,
              "antispyware" : true
            },
            "signature" : 2563,
            "method" : 1000,
            "timing" : 0,
            "timestamp" : "1502457262"
          },
          "method_name" : "GetRealTimeProtectionState"
        },
        {
          "result" : {
            "is_recent" : true,
            "definitions" : [
              {
                "last_update" : "1502424000",
                "type" : "antimalware",
                "version" : "2017.08.11",
                "name" : "Cylance PROTECT",
                "source_time" : "1502424000",
                "engine_version" : ""
              }
            ],
            "timing" : 16,
            "method" : 1001,
            "code" : 0,
            "timestamp" : "1502457262",
            "signature" : 2563
          },
          "method_name" : "GetDefinitionState"
        },
        {
          "result" : {
            "scan_type" : "default",
            "scan_time" : "1502126829",
            "method" : 1004,
            "code" : 0,
            "timing" : 0,
            "timestamp" : "1502457265",
            "signature" : 2563
          },
          "method_name" : "GetLastScanTime"
        }
      ]
    },
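The cross-check walked through above can be automated. The following Python example is added here and is not part of the KB or of the ESAP tool: it assumes the WaDiagnoseResults file parses as JSON, uses a constructed sample built from the stanzas shown above, and its names (SAMPLE, KEYS, summarize, epoch_to_utc) are its own. It confirms the product appears in security_center and detected_products, checks that each expected method stanza is present with code 0, converts the epoch timestamps, and lists anything that needs following up (real-time protection off, definitions not recent, a method missing or failed).

```python
import json
from datetime import datetime, timezone

# Constructed sample mirroring the WaDiagnoseResults stanzas shown above (values from the page).
SAMPLE = json.loads("""{
 "security_center": [{"name": "CylancePROTECT", "interface": "AntiVirusProduct"}],
 "detected_products": [{"signature": 2563, "sig_name": "CylancePROTECT", "methods": [
  {"result": {"components": [{"version": "2.0.1430.18"}], "code": 0}, "method_name": "GetComponents"},
  {"result": {"enabled": true, "code": 0}, "method_name": "GetRealTimeProtectionState"},
  {"result": {"is_recent": true, "definitions": [{"last_update": "1502424000"}], "code": 0},
   "method_name": "GetDefinitionState"},
  {"result": {"scan_time": "1502126829", "code": 0}, "method_name": "GetLastScanTime"}]}]}""")

KEYS = ("GetComponents", "GetRealTimeProtectionState", "GetDefinitionState", "GetLastScanTime")
def epoch_to_utc(value):
    """Convert an epoch string such as "1502457262" to a human-readable UTC time."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def summarize(diag, product):
    """Extract the functionality checks for one product; 'problems' lists anything to follow up."""
    entry = next((p for p in diag.get("detected_products", []) if p.get("sig_name") == product), None)
    summary = {"in_security_center": any(p.get("name") == product for p in diag.get("security_center", [])),
               "detected": entry is not None, "version": None, "real_time_protection": None,
               "definitions_recent": None, "definitions_updated": None, "last_scan": None, "problems": []}
    if entry is None:
        summary["problems"].append("product not in detected_products")
        return summary
    results = {m["method_name"]: m["result"] for m in entry["methods"]}
    for key in KEYS:  # every expected method must be present and have returned code 0
        r = results.get(key)
        if r is None:
            summary["problems"].append(f"{key} missing (method not run or not supported)")
        elif r.get("code", 0) != 0:
            summary["problems"].append(f"{key} returned code {r['code']}")
    comps = results.get("GetComponents", {}).get("components")
    summary["version"] = comps[0].get("version") if comps else None
    rtp = results.get("GetRealTimeProtectionState", {})
    summary["real_time_protection"] = rtp.get("enabled")
    if rtp.get("enabled") is False:
        summary["problems"].append("real-time protection disabled")
    defs = results.get("GetDefinitionState", {})
    summary["definitions_recent"] = defs.get("is_recent")
    if defs.get("definitions"):  # epoch strings are converted before being reported
        summary["definitions_updated"] = epoch_to_utc(defs["definitions"][0]["last_update"])
    if defs.get("is_recent") is False:
        summary["problems"].append("virus definitions not recent")
    scan = results.get("GetLastScanTime", {})
    summary["last_scan"] = epoch_to_utc(scan["scan_time"]) if scan.get("scan_time") else None
    return summary
```

To run it against a real diagnosis file, replace SAMPLE with json.load(open(path)) and call summarize with the product's sig_name.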