Symantec DLP Agent installation detection

brianmcbride99
Contributor II

I am looking for a solution for a smart computer group that will display the number of machines with the Symantec DLP agent installed.

From what I can tell this runs under the 'edpa' process, but I am not finding any inventory data for Symantec DLP or edpa.

I thought about maybe using the Application Bundle ID from the info.plist that is supposed to live in /Library/Manufacturer/Endpoint Agent/Resources/ but the info.plist file does not exist.

I realize I could do "packages installed by Casper" to pull a list for a SCG but this won't be accurate if the end user uninstalls the agent down the road.

Any suggestions?

4 REPLIES

smpotter
New Contributor III

The way I handled this was to create an EA with the following script, which gives me the installed version if found. Then you can create a Smart Group based off the EA.

#!/bin/bash

if [ -f "/Library/Manufacturer/Endpoint Agent/CUI.app/Contents/Info.plist" ]; then
    dlVersion=$( /usr/bin/defaults read "/Library/Manufacturer/Endpoint Agent/CUI.app/Contents/Info.plist" CFBundleVersion )
else
    dlVersion="Not Installed"
fi

echo "<result>$dlVersion</result>"

brianmcbride99
Contributor II

Thanks @smpotter I will give this a go.

jhalvorson
Valued Contributor

With version 15.8mp1, the CUI isn't an app; now it's an executable within the Symantec.app. The older Extension Attribute wasn't working properly to detect and report. I've updated the EA to the following:

#!/bin/zsh

##############################################################################
# A script to collect the version of Symantec DLP currently installed.
# Depending on the version installed, the method to detect version number has changed with
# the release of 15.8mp1

RESULT="Not Installed"

if [[ -f "/Library/Manufacturer/Endpoint Agent/CUI.app/Contents/Info.plist" ]]; then
    RESULT=$( defaults read "/Library/Manufacturer/Endpoint Agent/CUI.app/Contents/Info.plist" CFBundleVersion )
elif [[ -f "/Library/Manufacturer/Endpoint Agent/Symantec.app/Contents/Info.plist" ]]; then
    RESULT=$( defaults read "/Library/Manufacturer/Endpoint Agent/Symantec.app/Contents/Info.plist" CFBundleVersion )
fi

echo "<result>$RESULT</result>"

This version of the EA script is correctly reporting version 15.0.0101.01002 through 15.8.00100.01075 on our Macs.

markdmatthews
New Contributor III

Could also just look for the process...

#!/bin/bash

# check for process
PROCESS=$( pgrep edpa )

# see if process is running
if [[ -z "$PROCESS" ]]; then
    RESULT="False"
else
    RESULT="True"
fi

# report results
echo "<result>${RESULT}</result>"
echo "<result>${RESULT}</result>"
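
The plist checks and the process check from the replies above can be combined into one Extension Attribute, so that an agent that is installed but stopped, or running from a bundle layout the script does not know, shows up separately from "Not Installed". This is an added example, not code from any of the posters; the paths and the `edpa` process name come from the thread, while the function names and result wording are assumptions of this example.

```shell
#!/bin/bash
# Added example: result strings and function names are illustrative assumptions.

AGENT_ROOT="/Library/Manufacturer/Endpoint Agent"   # path from the thread
AGENT_PROCESS="edpa"                                # process name from the thread

# Print CFBundleVersion from the first known bundle under $1.
# Returns 1 when neither bundle's Info.plist exists.
dlp_version() (
    for bundle in "CUI.app" "Symantec.app"; do
        plist="$1/$bundle/Contents/Info.plist"
        if [ -f "$plist" ]; then
            # A plist that exists but cannot be read is reported, not hidden.
            defaults read "$plist" CFBundleVersion 2>/dev/null || echo "Unknown version"
            return 0
        fi
    done
    return 1
)

# Print one status line for agent root $1 and process name $2.
dlp_status() (
    root="${1:-$AGENT_ROOT}"
    proc="${2:-$AGENT_PROCESS}"
    # -x matches the exact process name rather than any name containing it.
    if pgrep -x "$proc" >/dev/null 2>&1; then running=1; else running=0; fi
    if version=$(dlp_version "$root"); then
        if [ "$running" -eq 1 ]; then
            echo "$version (running)"
        else
            echo "$version (installed, not running)"
        fi
    elif [ "$running" -eq 1 ]; then
        # Process found but no known bundle: the layout may have changed again.
        echo "Running, version unknown"
    else
        echo "Not Installed"
    fi
)

echo "<result>$(dlp_status)</result>"
```

A Smart Group can then match on "not running" or "version unknown" to surface Macs where the agent has been stopped or where the script needs a new bundle path.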