
Query for other IT tools

Description: Query for other IT tools

What The Data Shows: Whether your endpoints have any conflicting security tools installed that may cause interoperability issues.

SQL: Please see the comments section.

Hello team

Wondering if anyone has used A&R to query whether their endpoints have any conflicting security tools installed that may cause interoperability issues?

For example, how would you craft a query to ask your endpoints what machines have vendor A installed (thinking about AVs, for example)? Is this something we can potentially do?

Frequent Contributor

osquery has a windows_security_products schema you can query to list the installed security products on Windows (those registered in the Windows Security Center).

Should be as simple as:

SELECT * FROM windows_security_products;
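As an added example (not part of the reply above, and not Carbon Black's own content), the same table can be combined with two other osquery tables that A&R exposes, programs (the Windows uninstall registry entries) and services, so that a product that is installed but not registered with Security Center still shows up. 'Vendor A' and 'Expected Product' are placeholder names for the vendor you are looking for and the product you already run; replace them with real product or publisher strings. Run each statement as its own query.

```sql
-- Added example, not from the original thread. 'Vendor A' and
-- 'Expected Product' are placeholders for real product/publisher names.

-- 1. Antivirus products registered with Windows Security Center, excluding
--    the one you expect. A second product in state 'On' is the
--    interoperability case the original post is asking about.
SELECT type, name, state, state_timestamp, signatures_up_to_date
FROM windows_security_products
WHERE type = 'Antivirus'
  AND name NOT LIKE '%Expected Product%';

-- 2. Installed applications by publisher or name, from the uninstall keys.
--    Catches products that are installed but not registered with
--    Security Center (or registered under a different display name).
SELECT name, version, publisher, install_location, install_date
FROM programs
WHERE publisher LIKE '%Vendor A%'
   OR name LIKE '%Vendor A%';

-- 3. Services belonging to that vendor, with their state and binary path.
--    A running, auto-start service is a stronger signal than a leftover
--    uninstall entry.
SELECT name, display_name, status, start_type, path
FROM services
WHERE (display_name LIKE '%Vendor A%' OR path LIKE '%Vendor A%')
  AND status = 'RUNNING';
```

Query 1 answers "is another AV engine active", queries 2 and 3 answer "is vendor A present at all", which is usually what you want before deciding whether an endpoint needs remediation: a stale uninstall entry with no running service is a different ticket from a live second engine.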

New Contributor II

Thanks @YoanSchinck, that's very helpful.


I also tried to do a simple file search (assuming that we know the exact filename). I am going to put "file#1" and "file#2" for privacy reasons, but this is easily adaptable:

SELECT * FROM file WHERE filename = "file#1.exe" and "file#2.exe"

It returned several "error" and "unsupported" messages.

Do you know if generic files are supported?


Frequent Contributor

From experience, the first query won't work.


It's too broad. osquery will tell you to be more specific. If you actually ran that query, you would be asking osquery to return the millions of files that are on the system. So you need to be more specific by using at least one other parameter, such as path. For instance:

SELECT * FROM file WHERE path LIKE "C:\ProgramData\%%" AND filename = "security.exe";

For the second query, I think the syntax is wrong. You're using the wrong operator: it shouldn't be AND but OR. Otherwise, you're basically asking osquery to return an entry that has two filename properties. And you also can't query the filename directly; you need to use another attribute.

For instance, this works:

SELECT * FROM file WHERE path LIKE "C:\Temp\%%" AND (filename = "file1.exe" OR filename = "file2.exe");

What's important to remember here is to use the path property when you query the file table, and also to use OR if you want to query multiple values for a property.
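An added example, not from the reply above, that builds on the same point: every query against the file table carries a path constraint, multiple filenames go in an IN list rather than an OR chain, and the two wildcard forms differ in cost. In osquery's file table, a single % in a LIKE on path matches one directory level, while %% descends recursively, so a recursive pattern rooted at C:\ProgramData walks the whole tree. The directory and file names below are placeholders.

```sql
-- Added example, not from the original thread. Directory and file names
-- are placeholders; substitute the vendor's real install path and binaries.

-- One directory level: '%' does not descend into subdirectories, so this
-- is cheap and returns quickly.
SELECT path, filename, size, mtime
FROM file
WHERE path LIKE 'C:\Program Files\Vendor A\%'
  AND filename IN ('agent.exe', 'service.exe');

-- Recursive: '%%' descends into subdirectories. Keep the roots narrow
-- (the vendor's own folders, not all of Program Files or ProgramData);
-- a recursive walk of a large tree is what makes a query slow or time out.
SELECT path, filename, size, mtime
FROM file
WHERE (path LIKE 'C:\Program Files\Vendor A\%%'
    OR path LIKE 'C:\Program Files (x86)\Vendor A\%%')
  AND filename IN ('agent.exe', 'service.exe');

-- Filename alone is weak evidence (anything can be named agent.exe).
-- Join the hash table on path to get a SHA-256 you can compare against the
-- vendor's published hashes. The hash table needs the same path constraint,
-- which the join supplies.
SELECT f.path, f.size, f.mtime, h.sha256
FROM file AS f
JOIN hash AS h ON h.path = f.path
WHERE f.path LIKE 'C:\Program Files\Vendor A\%%'
  AND f.filename IN ('agent.exe', 'service.exe');
```

The third query is the one to keep for an inventory: a hash tells you which build of the competing agent is on the box, which matters when the interoperability issue is version-specific.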


New Contributor II

Thanks a lot @YoanSchinck, that's incredibly helpful. I just tried the query and it returns much better results. Really appreciate your help!

Contributor II

This is very useful, thank you.
