Script help

jarednichols
Honored Contributor

Hi-

What's the best way to have a machine report its DAT anti-virus level? We use McAfee VirusScan 8.6.1, which stores its dats in /usr/local/vscanx/dats. All I really need is an "ls" on that folder as the folders contained within "dats" are the dat levels, e.g. "5443" for the most recent. The resource kit has a nice script, but it's for Virex. VirusScan doesn't have the uvscan command that the script references (or at least not that I'm aware of).

Anyway...

At my old job I used Apple Remote Desktop and could just display the results of an LS command on my admin workstation. How do I get something similar with Casper?

I was thinking that I'd have a script do an LS on /usr/local/vscanx/dats and pipe that to a file that used a query to networksetup to name it the name of the computer. Then, I'd copy it to my CasperShare. Wrong way about it?

Thanks!!!

j
--
Jared Nichols
ISD Infrastructure and Operations - Desktop Engineering
MIT Lincoln Laboratory
244 Wood St.
Lexington, MA 02420-9108
(781) 981-5500

31 REPLIES

ernstcs
Contributor III

This sounds similar to some of the maintenance reporting we do.

To have everything a bit more central I might suggest a script that touches a website with that data for that computer and places it in a database. Then you can create a webpage to view the results of those machines. It's like making your own centralized virus management console. I'm too lazy to do that so I'd rather purchase a product that comes with it. =)

Pass the machine name (or whatever other data you want it to have there), and the result of your command.

I assume this is something you'd do on a regular basis. The perl example below is, and you can get the computername from the JAMF Binary, too. But we clean out profiles nightly, and this script is called when that process is done.

#Post Remote Log
# Convert the preferences plist to XML so it can be read as text
`/usr/bin/plutil -convert xml1 /Library/Preferences/SystemConfiguration/preferences.plist`;
$xml = `/bin/cat /Library/Preferences/SystemConfiguration/preferences.plist`;
# Cut down to the <string> value that follows the ComputerName key
$xml = substr($xml, (index $xml, '<key>ComputerName</key>'), -1);
$xml = substr($xml, (index $xml, '<string>') + 8, -1);
$computerName = substr($xml, 0, index($xml, '</string>'));
# Report the computer name to the logging page
`/usr/bin/curl "www.server.com/log.asp?compName=$computerName"`;

Hopefully I'm not off the mark on what you're looking for.

Craig E

nick
Contributor

Hi Jared,

It appears that VirusScan does not include the uvscan command anymore, but this information is now available in a plist located in /Library/Preferences/com.Mcafee.VirusScan.plist.

The virus DAT version can be scanned by running:

/usr/bin/defaults read /Library/Preferences/com.Mcafee.VirusScan Update_DATVersion

The script in the Resource Kit can be modified a bit to provide similar reporting as the Virex script by using this command in place of the uvscan command. Once modified, this script can be run via policy or a Casper Remote action to report the definitions to the JSS.

Hope this helps. Just a reminder to folks - if there are other questions related to items provided in the resource kit, or if you have ideas for future features of the Resource Kit, feel free to drop a line on the Resource Kit mailing list. We have created that list in an effort to separate traffic and ensure that the lists are specialized by product.

Thanks!

Nick Amundsen
JAMF Software
Resource Kit Team

ernstcs
Contributor III

For sure...don't write an entire new system like I suggested...how absurd...

http://www.jamfsoftware.com/jamf_nation/resourcekit.php

Craig E

jarednichols
Honored Contributor

Hi all-

I took the suggestion of scanning the plist and just backed out the scope a bit. I'll let the script speak for itself. Feel free to modify for your own use:
(attached as well)

#!/bin/sh

################################################################################################
##### Filename: vsinfo.sh #####
##### Author: Jared F. Nichols #####
##### Purpose: Report VirusScan information to central server in the form of a text file. #####
##### #####
##### This script requires the installation of the Jamf binary, though the 'mount' command #####
##### could be used for share mounting and networksetup for hostname. #####
################################################################################################

## Set a variable to call the file. In this case, the name that Jamf has for the computer.
## Use sed to remove the XML tags.

filename=$(jamf getComputerName | sed -e 's/<computer_name>//' -e 's/<\/computer_name>//')

## Use the Jamf binary to mount our file share. In our case, a guest write-only share on our JSS
jamf mount -server LLOSX1 -share DATlogs -type afp

## Now that we have a name we're giving the file and a place to put it, read our info from the
## McAfee plist file directly to the file share, overwriting anything already there.

defaults read /Library/Preferences/com.Mcafee.VirusScan > "/Volumes/DATlogs/$filename"

## Unmount our share forcibly. Forcibly because the file we need has been written and we
## don't want to throw any errors to the user.
umount -f /Volumes/DATlogs

exit 0
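
Added example, not part of Jared's post or the Resource Kit: one way to keep the per-host report file name to a single safe path component when the computer name contains spaces, slashes or dots. The function names and the `unknown-host` fallback are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): safe file naming for a per-host report.
# Function names and the "unknown-host" fallback are assumptions.

# Reduce whatever `jamf getComputerName` printed to one safe path component.
safe_report_name() {
    name=$(printf '%s\n' "$1" |
        sed -e 's/<computer_name>//' -e 's/<\/computer_name>//' |
        tr -d '\n' |
        tr -c 'A-Za-z0-9._-' '_')      # spaces, slashes etc. become "_"
    case "$name" in
        ''|.|..) name="unknown-host" ;;   # never an empty or dot-only name
    esac
    printf '%s\n' "$name"
}

# Write stdin to $1/<safe name of $2>; fail if the share is not mounted.
write_report() {
    dir=$1
    [ -d "$dir" ] || { echo "report dir $dir missing" >&2; return 1; }
    target="$dir/$(safe_report_name "$2")"
    cat > "$target" || return 1
    printf '%s\n' "$target"            # print where the report went
}

# On a managed Mac the call would look like this (commands from the thread):
#   defaults read /Library/Preferences/com.Mcafee.VirusScan Update_DATVersion |
#       write_report /Volumes/DATlogs "$(jamf getComputerName)"
```

Because `write_report` checks that the directory exists first, a failed mount produces an error instead of a stray file under /Volumes.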

Not applicable

Hi,
An alternative would be to use the reporting and policy enforcement tools from NAI called ePolicy. This is a separate install that allows an ePolicy server to get info on VirusScan versions, engines, DATs, scan settings and control it all for PC and Mac from one server. We use it university wide for all faculty, staff and students in our residences. Works great but it is not free like a shell script run by Casper.

Bruce

jarednichols
Honored Contributor

Hi Bruce-

This is what we've been doing from ePolicy, but sometimes things don't work as advertised. McAfee's documentation is historically weak as well. Fortunately, a good number of the macs that connect to ePO are managed with Casper, so I can use this secondary solution as a backup.

Thanks
j

Not applicable

Simple question. I want to start alerting entourage users of some migration plans. So I decided to alert users who were still using it. To find that I thought I could use this quick script. Unfortunately it doesn't work correctly since it returns 2 process numbers every time. However if I run these 2 commands from the command line, it doesn't return anything. What am I missing?

#!/bin/sh

entourageCheck=$(ps -ax |grep -i "entourage" |grep -v "grep" |awk '{print $1}')
echo "$entourageCheck"

exit 0

daworley
Contributor II

Put a space after each pipe symbol.

talkingmoose
Moderator

On 9/22/11 6:09 PM, "Aaron" <a.robinson.lists at gmail.com> wrote:

> Simple question. I want to start alerting entourage users of some migration plans. So I decided to alert users who were still using it. To find that I thought I could use this quick script.

Wouldn't it be easier to alert users where their machines have Entourage installed? Your script will only work if they have Entourage running.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

rockpapergoat
Contributor III

the spaces don't matter there.

like william just mentioned, this will only return anything if entourage is running.

wouldn't it be better to trigger your upgrades on login or startup or similar, when entourage isn't running?

nessts
Valued Contributor II

Best one yet. :)
--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services

Not applicable
entourageCheck=$(ps -ef | awk '/\/Entourage.app\//{print $2}')

It works from both the command line and within the script.

Thanks!

On Sep 23, 2011, at 12:04 PM, Ness, Todd wrote:

Not applicable

This is not exactly what you're looking for, but still helpful. I worked on a little script to check to see if an application is running, then execute a manual trigger to execute another policy. I use this script in the 1st policy that runs on machines that are missing the update (smart group) via an every30 trigger. Then if the app(s) is not running, it will run a second policy that alerts the user, run the install, recon, then notify the user when complete. I use this in conjunction with login based policy that does the exact same thing as the manually triggered policy. This gets the deployment done a lot faster as a lot of users don't login fresh every day (of course they could leave the app running all the time too). This example is for iWork, but could be used for any app. 3 policies is kind of crazy, but once you set the first one up, you can use that indefinitely for future updates, you just need to change the smart group parameters. And the login policy is the same as the manual one, just copied and change the trigger.

#!/bin/sh

#Fill in the apps here, if you need to add additional apps (or reduce) just duplicate one of the if statements and add to end before the jamf trigger. The trigger must be manually set in another policy to actually run the installer.
app1="Pages"
app2="Keynote"
app3="Numbers"
trigger="iwork"

if ps -A -c | grep "$app1"; then
    exit 1
fi
if ps -A -c | grep "$app2"; then
    exit 1
fi
if ps -A -c | grep "$app3"; then
    exit 1
fi

jamf policy -trigger "$trigger"

Brendon Cunningham
Senior Technical Analyst
Desktop Engineering

508-390-5620
brendon_cunningham at tjx.com

jarednichols
Honored Contributor

<dumbquestion>

How about you just email them?

</dumbquestion>
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

Not applicable

<SLAP IN FACE>
That is not the technical way of doing things!
</SLAP>

No user interaction, please! ;)

//P
On 23 Sep 2011 at 14:13, Nichols, Jared - 1170 - MITLL wrote:

jarednichols
Honored Contributor

Heh. Truthfully, a migration like this we'd handle "out of band" from Casper with targeted email. But, that's just us.

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

Not applicable
> wouldn't it be better to trigger your upgrades on login or startup or similar, when entourage isn't running?

Thanks all for all the suggestions. Other than the spaces after the pipe (which I will try) I haven't seen any suggestions that relate to the script question. Here's some context so that you can see why I'd like to alert only when entourage is running...

Office 2011 has been installed. Migration instructions have been provided and the 30 day grace period before removing 2008 has almost expired (We didn't remove the office 2008 to give people some grace time to get used to the new version).

Some people refuse to give up on entourage, so this will be my nag-alert to those who refuse to migrate their e-mail and continue to use entourage.

Now, I'm still interested in why the script returns 2 processes every time when run from the script vs nothing returned when the same commands are run from a shell prompt. I should be able to figure it out, but thought someone here would have some ideas.

sean
Valued Contributor

What did you call your script? Does it have entourage in the name of the script per chance?

A running script is a process and will show when you do a 'ps'.

If you remove the awk, you will see what responses you are getting.

Sean

stevewood
Honored Contributor II

The second 'grep' statement is killing your output. From the man page:

-v, --invert-match Invert the sense of matching, to select non-matching lines.

Instead of using the -v switch, or for that matter a second 'grep', try
using a single 'grep' like this:

grep -im 1 "entourage"

That will return the first instance of "entourage", ignoring case. String
it together with your 'awk' statement and you get:

ps -ax | grep -im 1 "entourage" | awk { print $1 }

That should return the PID of the first instance of "entourage".

HTH

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475

stevewood
Honored Contributor II

I missed the ticks on the awk statement:

ps -ax | grep -im 1 "entourage" | awk '{ print $1 }'

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475

Not applicable

Yup, I just figured it out as well. After removing the awk statement, I was getting this...
12483 ?? 0:04.91 /Volumes/WD640/test/Desktop/Microsoft Office 2008/Microsoft Entourage.app/Contents/MacOS/Microsoft Entourage -psn_0_3785628
12794 ttys000 0:00.00 /bin/sh ./entourageAlert.sh
12795 ttys000 0:00.00 /bin/sh ./entourageAlert.sh

So I removed that from the results and now get the expected results.

entourageCheck=$(ps -ax | grep -i "entourage" | grep -v "grep" | grep -v "/bin/sh ./entourageAlert" | awk '{print $1}')

Not sure that I understand why, but that's ok I guess.

Walter
New Contributor II

The initial "grep -i entourage" does a case-insensitive search. Change that to "grep Entourage" and you will only get the capitalized instance. The "-i" option is for case-insensitive. Unix is a case sensitive operating system compared to Windows which historically is not.

entourageCheck=$(ps -ax | grep Entourage | grep -v grep | awk '{ print $1 }')

or to be more specific on the instance you want to find, look for Entourage.app as follows:

entourageCheck=$(ps -ax | grep Entourage.app | grep -v grep | awk '{ print $1 }')

Walter
--
Walter Rowe, 301-975-2885
Supervisor, System Hosting Services
Enterprise Systems Division
NIST, US Dept of Commerce

sean
Valued Contributor

Steve,

I disagree with your comment on the 2nd grep. It is doing exactly what he wants it to do.

When you ps with a pipe to a grep, the grep command will also show in the process list:

ps -ef | grep Finder
501 515 509 0 1:46.76 ?? 6:42.22 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
501 15502 6169 0 0:00.00 ttys043 0:00.00 grep Finder

To tidy up and remove the unwanted grep line, use an inverse match

ps -ef | grep Finder | grep -v grep
501 515 509 0 1:46.76 ?? 6:42.22 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder

Sean

stevewood
Honored Contributor II

You're right. I caught that as I was re-reading through Aaron's latest
response. I wasn't taking into account that he was searching for "grep" in
the second 'grep' statement. Reading too fast, or the coffee hasn't kicked
in yet. ;-)

Thanks for clearing that up.

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475

nessts
Valued Contributor II

How about this:
ps -ef | awk '/Entourage.app/{print $1}'

Save yourself some pipes.
--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services

Not applicable

I like it - always multiple ways to skin the cat. I'll test and will incorporate it if it works as expected.

Walter
New Contributor II

Silly me. Why didn't I think of that! Best method of all. No grep required.
--
Walter Rowe, 301-975-2885
Supervisor, System Hosting Services
Enterprise Systems Division
NIST, US Dept of Commerce

Not applicable

After some little changes it does shorten it down, although I still had to grep out the awk statement itself as it always finds itself.

entourageCheck=$(ps -ef | grep -v awk | awk '/Entourage.app/{print $2}')

vs

entourageCheck=$(ps -ax | grep -i "entourage" | grep -v "grep" | grep -v "/bin/sh ./entourageAlert" | awk '{print $1}')

Both seem to work fine. Thanks for the help all. Now to go and annoy some procrastinators.

if [ "$entourageCheck" != "" ]; then
    # Annoy people
    :
fi
exit 0

sean
Valued Contributor

You haven't mentioned how you are launching your script, but launchd may be a good overall option for what you are actually trying to achieve.

If the app launches post a message on screen.

Sean

Not applicable

Essentially what I am doing except I'm using a JSS script policy, the "every 15" trigger and "once a day" for now. Later next week, I'll remove the "once a day" limit which should motivate people even more.

-Aaron

Walter
New Contributor II

entourageCheck=$(ps -ef | awk '/\/Entourage.app\//{print $2}')

This will only find "/Entourage.app/" which doesn't match the "awk" command. I just tested this against Terminal.app (my terminal window).

wrowe:~ walter$ ps -ef | awk '/Terminal.app/ { print $0 }'
502 16047 249 0 2:45PM ?? 0:01.43 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal -psn_0_352342
502 16229 16050 0 2:47PM ttys000 0:00.00 awk /Terminal.app/ { print $0 }

wrowe:~ walter$ ps -ef | awk '/\/Terminal.app\// { print $0 }'
502 16047 249 0 2:45PM ?? 0:01.82 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal -psn_0_352342

wrowe:~ walter$ ps -ef | awk '/\/Terminal.app\// { print $1 }'
502

wrowe:~ walter$

--
Walter Rowe, 301-975-2885
Supervisor, System Hosting Services
Enterprise Systems Division
NIST, US Dept of Commerce
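
Added example, not written by anyone in the thread: the self-match problem discussed above, reproduced on the three `ps -ax` lines Aaron posted plus one constructed line, next to a filter that only accepts executables inside the app bundle. The function names and the fourth sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The first three SAMPLE_PS lines are
# the `ps -ax` output quoted in the thread; the fourth line is constructed.
SAMPLE_PS='12483 ?? 0:04.91 /Volumes/WD640/test/Desktop/Microsoft Office 2008/Microsoft Entourage.app/Contents/MacOS/Microsoft Entourage -psn_0_3785628
12794 ttys000 0:00.00 /bin/sh ./entourageAlert.sh
12795 ttys000 0:00.00 /bin/sh ./entourageAlert.sh
12800 ttys001 0:00.01 vi /Users/test/Documents/Entourage migration notes.txt'

# Naive match from the thread: any line mentioning "entourage", minus grep.
# Reads "PID TTY TIME COMMAND" lines on stdin.
naive_pids() {
    grep -i "entourage" | grep -v "grep" | awk '{print $1}'
}

# Bundle-anchored match: the command must be an absolute path that runs an
# executable from <bundle>/Contents/MacOS/. The script's own name, editors
# with a matching file open, and this awk process itself all fail that test.
bundle_pids() {
    # $1 = bundle name, e.g. "Entourage.app"; stdin as for naive_pids
    awk -v app="$1" '
        {
            cmd = $0
            # drop the PID, TTY and TIME columns, keep the full command
            sub(/^[ \t]*[0-9]+[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", cmd)
            if (substr(cmd, 1, 1) == "/" && index(cmd, app "/Contents/MacOS/") > 0)
                print $1
        }'
}

# Live use on a Mac would be:  ps -ax | bundle_pids Entourage.app
```

On the sample, `naive_pids` reports four PIDs and `bundle_pids Entourage.app` reports only 12483.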