logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

query for other IT tools

Status: Approved Submitted by on ‎08-11-2021 01:15 AM

Description: Query for other IT tools

What The Data Shows: Whether your endpoints have any conflicting security tools installed that may cause interoperability issues.

SQL: Please see comments section.

Hello team

Wondering if anyone has used A&R to query whether their endpoints have any conflicting security tools installed that may cause interoperability issues?

For example, how would you craft a query to ask your endpoints what machines have vendor A installed (thinking about AVs, for example)? Is this something we can potentially do?

Comment
6 Comments
YoanSchinck
Frequent Contributor
‎08-11-2021 07:05 AM
‎08-11-2021 07:05 AM

osquery has a windows_security_products schema you can query, to query the installed security products on Windows (those registered in the Windows Security Center).

Should be as simple as:

SELECT * FROM windows_security_products;

https://osquery.io/schema/4.9.0/#windows_security_products

vbianconi
New Contributor II
‎08-11-2021 07:49 AM
‎08-11-2021 07:49 AM

thanks @YoanSchinck , that's very helpful. 

 

I also tried to do a simple file search (assuming that we know the exact filename) . I am going to put "file #1" and "file#2" for privacy reasons, but this can be easily adaptable

SELECT * FROM file;
SELECT * FROM file WHERE filename = "file#1.exe" and "file#2.exe"

It returned me several "error" and "unsupported" messages. 

Do you know if generic files are supported?

 

YoanSchinck
Frequent Contributor
‎08-11-2021 08:21 AM
‎08-11-2021 08:21 AM

Per experience, the first query won't work.

SELECT * FROM file;

It's too board. osquery will tell you to be more specific. If you actually ran that query, you would be asking osquery to return you the million of files that are on the system. So you need to be more specific by using at least one other parameter, such as path. For instance:

SELECT * FROM file WHERE path LIKE "C:\ProgramData\%%" AND filename = "security.exe";

For the second query, I think the syntax is wrong. You're using the wrong operator, it shouldn't be AND but OR. Otherwise, you're basically asking osquery to return you an entry that has 2 filename property. And you also can't query directly the filename directly, you need to use another attribute.

For instance, this works:

SELECT * FROM file WHERE path LIKE "C:\Temp\%%" AND (filename = "file1.exe" OR filename = "file2.exe");

What's important to remember here is to use the path property when you query the file table, and also to use OR if you want to query multiple values for a property.

 

vbianconi
New Contributor II
‎08-11-2021 10:27 AM
‎08-11-2021 10:27 AM

thanks a lot @YoanSchinck  that's incredibly helpful. I just tried the query and it returns much better results. Really appreciate your help!

jetskibaby
Contributor II
‎08-11-2021 10:40 AM
‎08-11-2021 10:40 AM

This is very useful, thank you.

jnelson
Carbon Black Employee
‎08-20-2021 02:32 PM
‎08-20-2021 02:32 PM
Status changed to: Approved
 
logo