[Feature Request] MacOS support to collect Antivirus information

[tiangao88]

Your idea

Are there any plan to support collecting antivirus information on MacOS?
Is it technically possible?

So far the antivirus information is collected as software and available in GLPI but we found no way to requalify it as antivirus.
Thanks!

[g-bougard]

Hi @tiangao88

there's actually no plan to add such support. And indeed, you're the first person I see interested with that feature on MacOSX ;-)

This is surely technically possible. To start such an feature, we probably need a list of the major AV provider on MacOSX and we need to know if they at last provide a free or evaluation version so we can try them in a dedicated VM.

Do you know if system_profiler command gives any installed AV information ?

[tiangao88]

Hi,

Sorry for being such a noob but I couldn't find in the man pages how to run the system_profiler command with glpi-inventory or glpi-agent. Can you give me instructions?

glpi-inventory --partial antivirus returns no information about antivirus

glpi-inventory --partial software returns this regarding the antivirus we use
{
"install_date": "2023-02-21",
"name": "Microsoft Defender",
"system_category": "Applications",
"version": "101.97.94"
}

Here is the information about Microsoft Defender for Endpoint on Mac
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac?view=o365-worldwide

I am afraid it requires a subscription for use but probably does not block the installation.

On more noob question: it seems we don't need plugins on GLPI server side to receive the inventory from GPLI Agent so what is the plugin for?
https://plugins.glpi-project.org/#/plugin/glpiinventory

[tiangao88]

Hi @g-bougard

So I figured system_profile was an OS command and indeed I see traces of Microsoft Defender in the output

      Microsoft Defender:
      Version: 101.98.30
      Obtained from: Identified Developer
      Last Modified: 30/03/2023 18:12
      Kind: Universal
      Signed by: Developer ID Application: Microsoft Corporation (UBF8T346G9), Developer ID Certification Authority, Apple Root CA
      Location: /Applications/Microsoft Defender.app

There are also traces of all updates

      Microsoft Defender:
      Version: 101.96.85
      Source: 3rd Party
      Install Date: 23/01/2023 20:02

    Microsoft Defender:
      Version: 101.97.94
      Source: 3rd Party
      Install Date: 21/02/2023 14:56

    Microsoft Defender:
      Version: 101.98.30
      Source: 3rd Party
      Install Date: 30/03/2023 18:12

There is no specific section on Antivirus in the output though.

I have also installed GLPI Inventory Plugin to try to collect file information from the Mac but it does not work so well.

Is there any chance you put detecting antivirus on Mac on the roadmap for GLPI Agent?

Thanks.

[g-bougard]

Hi @tiangao88
do you have this information in the installed software section ?
Here this only show the AV is installed but we don't know if it's enabled. Also it would be nice to know if it's using the latest virus signature database.
Just checking the online I can see we may have a simple way to catch the required information.
So from a root terminal can you check if you have an output for this command: mdatp health
If yes, can you share it ?

[tiangao88]

Hi @g-bougard ,

Indeed the information about Microsoft Defender is in the Applications: section.
Here is the output of mdatp health

healthy                                     : true
health_issues                               : []
licensed                                    : true
engine_version                              : "1.1.20100.6"
app_version                                 : "101.98.30"
org_id                                      : "***anonymized***"
log_level                                   : "info"
machine_guid                                : "***anonymized***"
release_ring                                : "Production"
product_expiration                          : Sep 06, 2023 at 07:12:28 AM
cloud_enabled                               : true
cloud_automatic_sample_submission_consent   : "safe"
cloud_diagnostic_enabled                    : true
passive_mode_enabled                        : false
real_time_protection_enabled                : true
real_time_protection_available              : true
real_time_protection_subsystem              : "endpoint_security_extension"
network_events_subsystem                    : "network_filter_extension"
device_control_enforcement_level            : "audit"
tamper_protection                           : "block"
automatic_definition_update_enabled         : true
definitions_updated                         : May 02, 2023 at 06:26:13 PM
definitions_updated_minutes_ago             : 127
definitions_version                         : "1.387.2964.0"
definitions_status                          : "up_to_date"
edr_early_preview_enabled                   : "disabled"
edr_device_tags                             : []
edr_group_ids                               : ""
edr_configuration_version                   : "20.199999.main.2023.04.25.09-***anonymized***"
edr_machine_id                              : "***anonymized***"
conflicting_applications                    : []
network_protection_status                   : "stopped"
network_protection_enforcement_level        : "disabled"
data_loss_prevention_status                 : "disabled"
full_disk_access_enabled                    : true

[g-bougard]

Can you confirm where you put the AntiVirus.pm perl module ?
Anyway, you should probably enable debug = 2 in configuration, restart the service, force an inventory and check the log /var/log/glpi-agent.log to see if the module has been enabled and if it has run it.
In GLPI, you can download the json and check if it contains the antivirus entry.

[g-bougard]

Hi @tiangao88
indeed, you probably forgot to also fix L.17 with:

    return canRun('/usr/local/bin/mdatp');

[tiangao88]

So I fixed line 17 the file /Applications/GLPI-Agent/agent/GLPI/Agent/Task/Inventory/MacOS/AntiVirus.pm and added debug = 2 in the agent configuration

In /var/log/glpi-agent.log I found the following

"antivirus": [
         {
            "base_version": "1.389.207.0",
            "company": "Microsoft",
            "enabled": true,
            "expiration": "2023-09-06",
            "name": "Microsoft Defender",
            "uptodate": true,
            "version": "101.98.30"
         }
      ],

And in GLPI tadaaaa !

So the problem was indeed that full path /usr/local/bin/mdatp should be used everywhere in AntiVirus.pm

I will test the nightly version after you have confirmed this module is included.

[g-bougard]

Great !
I confirm you the latest nightly includes the same fix.
So you still can try it and confirm this works as expected.

[tiangao88]

hi @g-bougard

I confirm that with the nightly build of May 5th I can see antivirus information updating in GLPI Server.

We will wait for GLPI-Agent 1.5 to make a full deploy on all our Macs.
Thank you for adding this module!

[mrb-x]

Hello @g-bougard,
I wanted inventoried SentinelOne EPP on macOS.
I found this discussion, so I created (SentinelOne.pm.zip) (a mimic version of Cortex.pm from GLPI-Agent 1.10).
For now the agent report the Version and a Value of signature in base_version and state of Protection.
I'm not sure about the reliability of the datas sources for now :-)

Thanks

[g-bougard]

Hello @mrb-x

good job, can I ask you to better make a PR so you'll be the referenced as the code author ? I only see one point which is not optimized: you're calling 2 times the same command with "status" option where you can get the output of one launch and analyze it 2 times. You can try to change lines 55 to 77 with this shorter code:

    # Support file case for unittests if basefile is provided
    if (empty($params{basefile})) {
        $params{command} = "\"$command\" status";
    } else {
        $params{file} = $params{basefile}."-status";
    }
    my @status_lines = getAllLines(%params);
    my ($staticSignatures) = grep { /^\s.*staticSignatures:/i } @status_lines;
    $antivirus->{BASE_VERSION} = $1
        if $staticSignatures && $staticSignatures =~ /^\s.*staticSignatures:\s.*(\([0-9]+\))/i
    $antivirus->{ENABLED} = 1 if grep { /^\s.*Protection.*enabled$/i } @status_lines;

In the PR comment, I would also like to see the outputs of the command for the 2 cases with option version & status so I can add tests after the merge. If you don't know how to or don't want to make a PR. Can you provide these outputs here ?

In the outputs, did you see any relevant useful datas ? The format is described here: https://github.com/glpi-project/inventory_format/blob/2b46a1ee491fefcec668acede800cef5fb276618/inventory.schema.json#L60
The other relevant fields could be: UPTODATE, BASE_CREATION & EXPIRATION
Anyway, can you eventually provide a link to an official and public SentinelOne EPP documentation ?