Installing Cylance Package

jonathanla
New Contributor III

I'm having some difficulty figuring out how to use Casper to install Cylance on every Mac in our organization. I've tried to create a shell script that will run it (not through Casper yet) but when I try on a test Mac it fails.

I have the Cylance.pkg and a cylance_install_token file in the same folder as the script. I copied the verbiage from a larger script that someone in our InfoSec team had created a while ago to install this and other security software, and it works there. Maybe I missed something?

If I can get this script to actually install it then I can go to the next step and figure out how to use Casper to push it out.

#!/bin/sh

# Cylance AV Client Install
echo "Installing Cylance AV Agent for Mac. ";
echo "Cylance AV Agent Start: " `date` " " >> $LOG;
installer -pkg CylancePROTECT.pkg -target LocalSystem
echo "Cylance AV Agent Stop: " `date` " " >> $LOG;
echo "Completed Cylance AV Agent for Mac Installation. ";

The output I get from Terminal is

BUR-JMENDEL4-i:~ jmendel$ /Users/jmendel/Desktop/Cylance Installer/Cylance.sh
Installing Cylance AV Agent for Mac.

/Users/jmendel/Desktop/Cylance Installer/Cylance.sh: line 5: $LOG: ambiguous redirect
installer: Error the package path specified was invalid: 'CylancePROTECT.pkg'.
/Users/jmendel/Desktop/Cylance Installer/Cylance.sh: line 7: $LOG: ambiguous redirect
Completed Cylance AV Agent for Mac Installation.

BUR-JMENDEL4-i:~ jmendel$

1 ACCEPTED SOLUTION

Chris_Hafner
Valued Contributor II

@jonathanla Try this

• Open /private/tmp (On a computer with composer)
• Create a folder called "Cylance" (Just a suggestion on name)
• Drag the cylancePROTECT.pkg into this new folder.
• Create a shell script as suggested (example below) and call it something like "install_cylance_with_token.sh"

#!/bin/sh

# Write the token file next to the package, then run the installer.
echo PLACE_TOKEN_HERE > /private/tmp/Cylance/cyagent_install_token
sudo installer -pkg /private/tmp/Cylance/CylancePROTECT.pkg -target /

exit 0

• Copy the script into that new directory (/private/tmp/Cylance)
• Open Composer
• Drag the entire "Cylance" directory into Composer (the "Cylance" folder that you created in /private/tmp/)
• Check permissions on everything in that composer list.
• Package what you have in composer as a .pkg or a .dmg as you prefer. I see no benefit to having this packaged as a .dmg so...
• Upload this new package to Casper Admin with whatever notes and settings you prefer. In all likelihood, this will need to be installed after boot, but I'm not positive.
• Create a policy as described above, using the "execute command" field in "Files and Processes" as described. In the case of my example, that would be:

/private/tmp/Cylance/install_cylance_with_token.sh

This is what I've done this morning to check. It's working well for me.

P.S. I did consider simply trying to edit the source of the installer as there seems to be a script in the package where we could stick the token, but this process seems simpler.
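A hardened variant of the install-with-token script from the accepted solution, added here as an example and not part of the original thread. It assumes the same staging folder (/private/tmp/Cylance) and package name; the token comes from the CYLANCE_TOKEN environment variable instead of being hard-coded, the token file is created root-only and deleted once the installer returns, and the INSTALLER variable exists only so a test can stub out /usr/sbin/installer.

```shell
#!/bin/sh
# Added example, not the thread's own script: the accepted solution's
# install_cylance_with_token.sh with the token handled more carefully.
# Assumptions: package staged in /private/tmp/Cylance as in the thread;
# token supplied via $CYLANCE_TOKEN instead of hard-coded; $INSTALLER is
# only there so a test can substitute a stub for /usr/sbin/installer.
set -u

STAGE_DIR="${STAGE_DIR:-/private/tmp/Cylance}"
PKG="${PKG:-$STAGE_DIR/CylancePROTECT.pkg}"
TOKEN_FILE="${TOKEN_FILE:-$STAGE_DIR/cyagent_install_token}"
INSTALLER="${INSTALLER:-/usr/sbin/installer}"
LOG="${LOG:-/var/log/cylance_install.log}"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"
}

# Write the token readable by root only. The thread's one-liner leaves it
# at the default umask (0644) and never removes it (a later post's listing
# of /tmp/Cylance still shows the token file after the install).
write_token() {
    token="$1"
    [ -n "$token" ] || { echo "refusing to write an empty token" >&2; return 2; }
    ( umask 077 && printf '%s\n' "$token" > "$TOKEN_FILE" ) || return 1
    chmod 600 "$TOKEN_FILE"
}

# Returns the installer's exit status; the token file is removed either way.
install_agent() {
    [ -f "$PKG" ] || { echo "package not found: $PKG" >&2; return 4; }
    write_token "${1:-}" || return $?
    log "Cylance install start: $PKG"
    if "$INSTALLER" -pkg "$PKG" -target /; then rc=0; else rc=$?; fi
    rm -f "$TOKEN_FILE"
    log "Cylance install stop: installer exit $rc"
    return "$rc"
}

# Run only when invoked as a script with --run. A Jamf policy already runs
# as root, so no sudo is needed inside the script.
case "${1:-}" in
    --run)
        [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 3; }
        install_agent "${CYLANCE_TOKEN:-}"
        ;;
esac
```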



Chris_Hafner
Valued Contributor II

@franton I laughed way too much at that comment. It must be a Monday. Hope to see you at JNUC this time, hopefully not self-funded.

franton
Valued Contributor III

@Chris_Hafner No conferences for me this year. Maybe a JAMF Roadshow in Munich, assuming I get time off. I'm saving for a personal training pass so I can do JSS 10 certs when they come out.

Chris_Hafner
Valued Contributor II

That's a good idea! I'm waiting for 10 before budgeting for my CCE. Anyways, back to Cylance:

Today is our transition and our JSS policy is running along at full bore. It's taking mear moments to uninstall Sophos and install Cylance. The Cylance dashboard is picking up everything beautifully! That said, my uninstall process is NOT doing anything to disassociate our device records from the Sophos console. Too bad, though. It would have been nice to pass that info along to all of you. I figured that I wouldn't bother as we're moving away from Sophos. That said, here's to you Sophos, you've treated us well.

P.S. 5-6 years into using the Casper suite, I am still amazed at how powerful this suite is. I continually think about how much work this would have been 15 years ago!

Chris_Hafner
Valued Contributor II

P.S. After initial deployment, Cylance has already quarantined some genio and trovi processes that Sophos didn't pick up across the fleet. It found a few other things too, but mostly windows crud on the personal Windows VM's around here. All 13 instances are labeled PUP as they should, and we're happily quarantined.

gachowski
Valued Contributor III

@Chris_Hafner Thanks for they update and keep them coming : ) I am thinking about looking in to Cylance.

C

Chris_Hafner
Valued Contributor II

@gachowski There is plenty of controversy surrounding some of their comparisons. Particularly between Cylance and Sophos. Yet, we've done our own POC and I find that it catches the Mac adware better than most. I was pretty skeptical at first, and there are certainly "gotchas" that other's mention in other threads (Particularly how it works offline... i.e. by not connecting to their servers for certain checks). The good news is, I'll have a whole high school full of students downloading 'stuff' in September. I guess I'll really see how it goes then!

Chris_Hafner
Valued Contributor II

Update: Reboot issue after installing Cylance during imaging.

OK, So I haven't gotten to the bottom of this yet, though I figured that I'd post it here and then follow up with what I discover. In any event, my Cylance install package (described above) works well, on units that have already been deployed. However, it is preventing newly imaged machines to hang at the "spinning wheel" during reboot or shutdown. Being forcibly shut down and restarted seems to alleviate any ongoing issues. The package is being installed after reboot along with a number of Adobe packages and the like.

Again, I'll post up what I find. If anyone else ahs experienced this I would love to know!

s_oconnor
New Contributor III

@Chris_Hafner We are currently moving from Sophos to Cylance as well. Right in time to move to Sierra too.

Question - Did you write in an uninstall script for Sophos to go with the install of Cylance? If so, would you mind sharing?

Being on Sierra, Sophos no longer wishes to play nice and we have had a heck of a time getting it to want to uninstall. Had to do a hands on terminal uninstall. Sigh

Much Thanks :)

Chris_Hafner
Valued Contributor II

@sabrina.oconnor I really just call the Sophos uninstaller after quitting the SophosUIServer

Include these lines in a script and they will accomplish the task. I'm sure there are better ways to do it, but this worked for me.

# Quit the Sophos UI server and the remaining Sophos processes.
killall "SophosUIServer"

# Uninstall the Sophos Cloud instance (9.3 specifically).
# The path contains a space, so it has to be quoted.
"/Library/Application Support/Sophos/saas/Installer.app/Contents/MacOS/tools/InstallationDeployer" --remove

s_oconnor
New Contributor III

@Chris_Hafner

Thanks for that. I was drawing a blank on the InstallationDeployer name. We run enterprise, so had to do a bit of a rework but made it much easier.

I did mean to ask if anyone solved the issue of receiving the error regarding the installer saying it failed. Yet a few lines prior it says it installed. I've tested on numerous computers (all OS X Sierra) and can confirm Cylance is working.

A complete uninstall and reinstall puts out the same message in the logs.

Chris_Hafner
Valued Contributor II

Interesting. I don't see those failures in my installs. That said, I am running the Cylance installer as a .pkg with the installer script running as part of the postflight. That might mask any errors...

s_oconnor
New Contributor III

@jonathanla

In one of your posts/comments you mentioned that you "cleared the logs" which specific logs did you clear to remove the error?

@Chris_Hafner

I noticed that if I drop the pkg onto a machine via Casper Remote no issue, if I then try to initiate the script via Casper Remote is when I get the error (again it does install Cylance).

Removed Cylance from the test machine, dropped the pkg back onto the test machine and this time on the test machine as Root, manually typed in the script via Terminal. No errors. Everything installed and is happy.

Removed Cylance again....dropped the pkg back onto the test machine (again) but this time on my main Mac ssh into the test machine via Terminal and manually typed in the script. The error popped up (Cylance does install). Ok, so it's not playing nice when having to ssh. All other packages/scripts we have been using are working.

Any ideas? Hopefully that was all clear :)

danshaw
Contributor II

Just wanted to chime in that I was getting the same error as @sabrina.oconnor above. I had done things a bit differently also.

Result of command:
installer: Package name is CylancePROTECT
installer: Upgrading at base path /
installer: The upgrade failed (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.)

Instead of having a script that generated the key file, I just created the key file and included it in the folder. I then ran as a post process in Casper after install:

installer -pkg /private/tmp/Cylance/CylancePROTECT.pkg -target /

Looking at the install.log in /var/log you will see a bunch of errors with the .postinstall script that the Cylance Installer runs. If you drag the original Cylance installer into Composer you can see that postinstall script in the scripts folder.

installer[69957]: install:didFailWithError:Error Domain=PKInstallErrorDomain Code=112 "An error occurred while running scripts from the package “CylancePROTECT.pkg”." UserInfo=0x7fb3b0458d20 {NSFilePath=./postinstall, NSURL=file://localhost/private/tmp/Cylance/CylancePROTECT.pkg#CylancePROTECT.pkg, PKInstallPackageIdentifier=com.cylance.agent, NSLocalizedDescription=An error occurred while running scripts from the package “CylancePROTECT.pkg”.}
Oct 17 12:08:04 MBP13.local installd[69941]: PackageKit: Removing client PKInstallDaemonClient pid=69957, uid=0 (/usr/sbin/installer)
Oct 17 12:08:04 MBP13.local installd[69941]: PackageKit: Running idle tasks
Oct 17 12:08:04 MBP13.local installd[69941]: PackageKit: Done with sandbox removals
Oct 17 12:08:05 MBP13.local installer[69957]: Install failed: The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.

Everything installed just fine this way, but I wanted to remove that error. So in the end I went back to following the steps that @Chris_Hafner outlined above. But I still have that error show up doing it that way also.

What is strange is that I do not get the error when I run a "sudo jamf policy" on the computer. It installs just fine.

installer: Package name is CylancePROTECT
installer: Upgrading at base path /
installer: The upgrade was successful.

Maybe I'll just live with the error if we can't figure this out. So far it looks good.
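A small triage helper, added as an example and not part of the thread, for the kind of install.log entries quoted above: it reduces each PKInstallErrorDomain failure for a given package identifier to "code=N script=path", which is more useful in a policy log than the generic "The upgrade failed". The sample log is constructed from the lines in the post; the log format is assumed to match them.

```shell
#!/bin/sh
# Added example, not from the thread: summarise package-script failures
# for one package identifier from /var/log/install.log.

# Print "code=<N> script=<path>" for every didFailWithError line that
# belongs to the package identifier in $1, reading the log file in $2.
install_failures() {
    pkg_id="$1"
    logfile="$2"
    grep 'didFailWithError' "$logfile" \
      | grep "PKInstallPackageIdentifier=$pkg_id" \
      | sed -n 's/.*Code=\([0-9]*\).*NSFilePath=\([^,}]*\).*/code=\1 script=\2/p'
}

# Constructed sample, copied from the install.log lines quoted in the thread.
sample_log() {
    cat <<'EOF'
installer[69957]: install:didFailWithError:Error Domain=PKInstallErrorDomain Code=112 "An error occurred while running scripts from the package “CylancePROTECT.pkg”." UserInfo=0x7fb3b0458d20 {NSFilePath=./postinstall, NSURL=file://localhost/private/tmp/Cylance/CylancePROTECT.pkg#CylancePROTECT.pkg, PKInstallPackageIdentifier=com.cylance.agent, NSLocalizedDescription=An error occurred while running scripts from the package “CylancePROTECT.pkg”.}
Oct 17 12:08:04 MBP13.local installd[69941]: PackageKit: Running idle tasks
Oct 17 12:08:05 MBP13.local installer[69957]: Install failed: The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.
EOF
}

# With --live, read the real log; the identifier defaults to the one in the thread.
case "${1:-}" in
    --live) install_failures "${2:-com.cylance.agent}" /var/log/install.log ;;
esac
```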

Chris_Hafner
Valued Contributor II

Watching the issues that you folks are having, I'm starting to suspect that there's a bit of 'funkiness' going on in the "execute command" portion of the process. Try building the install command into the actual .pkg as a postinstall script. Here's how it looks on my production .pkg


danshaw
Contributor II

Hey @Chris_Hafner - I tried your suggestion on a test machine before I head out the door for the day and it worked great. No errors this time. I will test a little more and let you know if I run into any issues, but thanks for the suggestion!

znilsson
Contributor II

Just wanted to add to this thread, I took @Chris_Hafner 's advice above, including adding the post install script in composer, and I got Cylance to install and run perfectly, first try. Thanks to everybody involved, you saved me endless amounts of annoyance. :)

mssaffan
New Contributor II

Hey @Chris_Hafner . I'm having the same problem as you, where machines imaged with cylance do not completely shut down on first shut down.

Have you been able to investigate this further?

Thanks!

Chris_Hafner
Valued Contributor II

@mikesols Yes, indeed! Using the latest installer (1.2.1400.524) has resolved this issue for us. There is still a small period in which the unit will not shut down, immediately after imaging but those times are now very short. Only a min or two. I haven't run logs on it yet so I'm assuming that the initial configuration (online) is causing that. What are you noticing?

mssaffan
New Contributor II

@Chris_Hafner Thanks! We are actually using an out of date installer as you said. I'll put the new one in to the image and see how that goes.

We were noticing word for word the exact same thing you were. I've been installing 1.2.1380.1541 on El Capitan.

kjohnston
New Contributor

@Chris_Hafner I would just like to chime in that I have tried following the steps on this post (specifically what you have done) and have not been able to get it to install.

Here is what I have done:

Created the Cylance folder in private/temp
copied it to composer
added the postinstall script
created a pkg

I tried running the .pkg on my machine and it "appears" to install because it says it completed successfully, but nothing happens. It is actually not installed.
I then took that same .pkg and put it into Casper and same thing (i had some hope that maybe the execute part would work)

All I did was add my token to the file and made sure the path was correct.

I am not sure why it fails. When i look in the tmp folder i see that it created the folder Cylance along with the .sh and the cylancePROTECT.pkg, but it does not seem to do anything.

Is there a good way to troubleshoot this?

If i run the CylancePROTECT.pkg file it will ask me for the token, and everything works fine (obviously).

Thanks,

Kevin

Chris_Hafner
Valued Contributor II

Picking through what you've typed the first question I have is, are you putting the script that contains your token in the folder with Cylance (in /tmp). The script should contain at least the following with your token in the place indicated.

#!/bin/sh

# Write the token file next to the package, then run the installer.
echo PLACE_TOKEN_HERE > /private/tmp/Cylance/cyagent_install_token
sudo installer -pkg /private/tmp/Cylance/CylancePROTECT.pkg -target /

exit 0

If you've done this and it's still not working check permissions in Composer.

kjohnston
New Contributor

Hi @Chris_Hafner Yes my script looks like that.

So in the Cylance folder I created under /private/tmp/Cylance I have

CylancePROTECT.pkg
install_cylance_with_token.sh

In Composer I have the following permissions set:

Private folder - owner root (0) (R,W,X) Group - Wheel (0) (R,X) Everyone - R,X (mode 755)
tmp folder - owner root(0) (R,W,X) Group - Wheel (0) (R,W,X) Everyone - R,X (Mode: 775)
Cylance folder - owner root (0) (R,W,X) Group - Wheel (0) (R,X) Everyone - R,X (mode 755)
CylancePROTECT.pkg - owner root (0) (R,W,X) Group - Wheel (0) (R) Everyone - R (mode 744)
install_cylance_with_token.sh - owner root (0) (R,W) Group - Wheel (0) (R) Everyone - R (mode 644)

I should note that I have not really used Composer before... but maybe it is the permissions on the .sh that could be the issue?

B-35405
Contributor

@Chris_Hafner Thanks so much for the help with this. I was able to get the token installed at the same time as the package now. In the past, I had to enter the token in after Cylance was pushed. Now, it's done in one step. Thanks so much.

P.S. I had no issues with your steps. I think the check permissions part might throw some peeps off.

kjohnston
New Contributor

@B-35405 So what are your permissions set as?

kjohnston
New Contributor

@B-35405 @Chris_Hafner Are you guys able to help me out with the permissions used then? I still cannot get this to work properly.

thanks

Chris_Hafner
Valued Contributor II

Ahhh, sorry. I've been spacey on vacation. It's the first one I've had in 11 years! That said, can you run this manually? i.e. load the .pkg and install script into the tmp directory of a test machine and then run the script manually? That will tell us if we have anything funky with Composer/permissions.

kjohnston
New Contributor

hi @Chris_Hafner

I am a Windows guy, so please bear with me...

I created a Cylance folder under /private/tmp
When i do a Command+i, my user account does not have permissions (system= RW, wheel=RO, everyone=RO)

I have the 2 files in this folder: CylancePROTECT.pkg and my script install_cylance_with_token.sh

If i launch terminal and run /private/tmp/Cylance/install_cylance_with_token.sh i get a permission denied error (which seems to make sense)
I am a full admin on this machine as well.

I do have RW access to both of the files, just not the folder they are both in. I would have assumed if I created the folder I should have permissions to the folder.

So, thinking I was doing something wrong, I deleted that Cylance folder, created a new one, and now I had RW permissions on the folder.
Copied the files into that folder again and ran /private/tmp/Cylance/install_cylance_with_token.sh in Terminal, and got Permission Denied again.

I know this is me doing something wrong, i just do not have enough Mac knowledge yet to figure it out :)

Kevin

Chris_Hafner
Valued Contributor II

Are you running the command with "sudo"?

If not, try

sudo /private/tmp/Cylance/install_cylance_with_token.sh

From terminal.

Also, did you use the "sudo" as part of the command in the postinstall script within Composer?

kjohnston
New Contributor

@Chris_Hafner I did not run the command on my test machine manually using sudo.
When i do that it asks for the password...

After i enter the password i see:

installer: Package name is CylancePROTECT
installer: Installing at base path /
installer: The install was successful.

After the install inside the tmp/Cylance folder i see:

cygnet_install_token
CylancePROTECT.pkg
install_cylance_with_token.sh

It is installed now and appears to be working

The post install script does have sudo... it is a basic copy of what you had.

Kevin

Chris_Hafner
Valued Contributor II

Sorry to take so long responding. I've figured out how to work 100+ hours a week now-a-days! So, it sounds like your policy is still not working (via policy or self-service). The "cygnet_install_token" is a security token for other purposes correct? Could you screen shot your composer setup with the post install script (Remove your token first!). Assuming that there's not a permissions issue on the units you're testing this on, there's likely something very simple in the way.

kjohnston
New Contributor

@Chris_Hafner No need to apologize, you are helping me and you're busy.... I don't want to know how you cram 100+ hours in a week.... I just keep telling myself it is not possible :P

The cygnet_install_token is only for the Cylance install, as your script has this: echo PLACE_TOKEN_HERE > /private/tmp/Cylance/cyagent_install_token
I assume that is when it gets generated, but it is not used for anything else that i know of.

My postinstall does not have my token in it only the script that i have called install_cylance_with_token.sh

#!/bin/sh

# Write the token file next to the package, then run the installer.
echo my token here > /private/tmp/Cylance/cyagent_install_token
sudo installer -pkg /private/tmp/Cylance/CylancePROTECT.pkg -target /

exit 0


All of the permissions set on the files in Composer are described in an above post:
So in the Cylance folder I created under /private/tmp/Cylance I have

CylancePROTECT.pkg
install_cylance_with_token.sh

In Composer I have the following permissions set:

Private folder - owner root (0) (R,W,X) Group - Wheel (0) (R,X) Everyone - R,X (mode 755)
tmp folder - owner root(0) (R,W,X) Group - Wheel (0) (R,W,X) Everyone - R,X (Mode: 775)
Cylance folder - owner root (0) (R,W,X) Group - Wheel (0) (R,X) Everyone - R,X (mode 755)
CylancePROTECT.pkg - owner root (0) (R,W,X) Group - Wheel (0) (R) Everyone - R (mode 744)
install_cylance_with_token.sh - owner root (0) (R,W) Group - Wheel (0) (R) Everyone - R (mode 644)

I should note that I have not really used Composer before... but maybe it is the permissions on the .sh that could be the issue?

Chris_Hafner
Valued Contributor II

Wow, I'm not sure why I didn't notice this before, but your "install_cylance_with_token.sh" script doesn't seem to have execute permission. When dealing with the /private/tmp directory I find it easier to give everything in that folder the same permissions as the /tmp directory itself. Using Composer this is VERY easy to do. In your Composer window, highlight your "Cylance" source, then select the /tmp/ directory. Then select the "gear" icon next to the permissions check boxes in the lower right-hand side of the window. Try selecting "Apply Permissions to Applications and All Enclosed Items".

Compile that as a .pkg and give it a shot!

P.S. Generally, you want to be very careful when applying permissions... However, if you choose the proper parent folder (in this case /private/tmp/) and simply apply permissions within that directory you're not likely to go wrong.

kjohnston
New Contributor

@Chris_Hafner Hi Chris,

Thanks for the information. So i made the change for permissions as you suggested.

The package for some reason would not work. So I deleted everything I had created and started over again. And now it is working properly.

Thank you very much for all your help on this. Much appreciated!

Kevin

Chris_Hafner
Valued Contributor II

Great to hear!

Chris_Hafner
Valued Contributor II

Having just answered this question outside of JAMFNation, here's how I uninstall Cylance.

# Stop the Cylance service
launchctl unload /Library/LaunchDaemons/com.cylance.agent_service.plist

# Uninstall CylancePROTECT (the path contains spaces, so quote it)
"/Applications/Cylance/Uninstall CylancePROTECT.app/Contents/MacOS/Uninstall CylancePROTECT" --noui

rosskivowitz
New Contributor

@Chris_Hafner I tried running your Stop and Uninstall commands but to no avail. We have a scenario/issue with Cylance where we need to uninstall Cylance from a few dozen computers and then re-install it with a new token. I have the installer compiled and it works perfectly, but I'm running into an issue trying to compile an uninstaller due to the uninstall token that's required.

Any thoughts?

Chris_Hafner
Valued Contributor II

@rosskivowitz What's the issue you're running into, specifically? Oh, and why are you compiling an uninstaller? In theory, you should already have an uninstaller built into the client. This is what is called into play with the previously mentioned command:

# Uninstall CylancePROTECT (the path contains spaces, so quote it)
"/Applications/Cylance/Uninstall CylancePROTECT.app/Contents/MacOS/Uninstall CylancePROTECT" --noui

rosskivowitz
New Contributor

@Chris_Hafner There's an option in Cylance to require an uninstall password. Due to the nature of our business, we have this enabled for all of our end users. So the command you just provided will yield an error because Cylance is expecting them/us to enter in that password. The command you provided is for a silent uninstall, which I'm not sure will work when the uninstall password is required.

We've been working on an unrelated issue (the one that caused this issue) with Cylance and they informed us that the best way to resolve this is actually to write a script/create a pkg that just pushes out the installation token, which is what I'm working on now. Thanks for your help and quick response but I think I've got it covered since chatting with Cylance.


Chris_Hafner
Valued Contributor II

I'm glad to hear it. I've also got to laugh a bit as it took me way TOO long to get back to this thread. What have you learned from Cylance?

rosskivowitz
New Contributor

@Chris_Hafner Well, we're still having tons of issues with them but it's more in regards to our PC deployment, not Mac. I was able to get everything working on the Mac side except for hiding the UI up in the status bar. Any chance you are aware of an easy way to integrate that into the policy? I like the workflow you laid out so modifying the .pkg would be difficult and I've yet to find a script that would modify the info.plist file to disable the UI for Cylance.

Anyone have any solutions on this?