fix: Add Cortex XDR antivirus support

glpi-project · Jun 24, 2024 · 167b5c7 · 167b5c7
1 parent 71a2afd
commit 167b5c7
Show file tree

Hide file tree

Showing 3 changed files with 95 additions and 0 deletions.
diff --git a/Changes b/Changes
@@ -7,6 +7,9 @@ core:
 
 inventory:
 * fix #680: Enhanced disk storage serialnumber support on Windows (one more case)
+* fix #565: Add support for Cortex XDR Antivirus on windows.
+  This is also an attempt to start antivirus support on Windows Server based on
+  service detection.
 
 esx:
 * fix #691: Fix perl error while checking esx configuration template

diff --git a/lib/GLPI/Agent/Task/Inventory/Win32/AntiVirus.pm b/lib/GLPI/Agent/Task/Inventory/Win32/AntiVirus.pm
@@ -22,6 +22,7 @@ sub doInventory {
     my $inventory = $params{inventory};
     my $logger    = $params{logger};
     my $seen;
+    my $found_enabled = 0;
 
     # Doesn't works on Win2003 Server
     # On Win7, we need to use SecurityCenter2
@@ -56,6 +57,7 @@ sub doInventory {
                 if (defined($enabled) && defined($uptodate)) {
                     $antivirus->{ENABLED}  =  $enabled =~ /^1.$/ ? 1 : 0;
                     $antivirus->{UPTODATE} = $uptodate =~ /^00$/ ? 1 : 0;
+                    $found_enabled++ if $antivirus->{ENABLED};
                 }
             } else {
                 $logger->debug("Found $antivirus->{NAME}")
@@ -84,6 +86,7 @@ sub doInventory {
                     $antivirus->{BASE_VERSION} = $defender->{AntivirusSignatureVersion}
                         if $defender->{AntivirusSignatureVersion};
                 }
+                $found_enabled++ if $antivirus->{ENABLED};
                 $antivirus->{COMPANY} = "Microsoft Corporation";
                 # Finally try registry for base version
                 if (!$antivirus->{BASE_VERSION}) {
@@ -133,6 +136,8 @@ sub doInventory {
                 _setNortonInfos($antivirus);
             } elsif ($antivirus->{NAME} =~ /Trend Micro Security Agent/i) {
                 _setTrendMicroSecurityAgentInfos($antivirus);
+            } elsif ($antivirus->{NAME} =~ /Cortex XDR/i) {
+                _setCortexInfos($antivirus, $logger, "C:\\Program Files\\Palo Alto Networks\\Traps\\cytool.exe");
             }
 
             $inventory->addEntry(
@@ -144,6 +149,43 @@ sub doInventory {
                 if $logger;
         }
     }
+
+    # Try to add AV support on Windows server where no active AV is detected via WMI
+    unless ($found_enabled) {
+
+        # AV must be set as a service
+        my $services = getServices(logger  => $logger);
+
+        foreach my $support ({
+            # Cortex XDR support
+            name    => "Cortex XDR",
+            service => "cyserver",
+            command => "C:\\Program Files\\Palo Alto Networks\\Traps\\cytool.exe",
+            func    => \&_setCortexInfos,
+        }) {
+            my $antivirus;
+            my $service = $services->{$support->{service}}
+                or next;
+
+            $antivirus->{NAME} = $service->{NAME} || $support->{name};
+            $antivirus->{ENABLED} = $service->{STATUS} =~ /running/i ? 1 : 0;
+
+            if (my $cmd = $support->{command}) {
+                &{$support->{func}}($antivirus, $logger, $cmd) if canRun($cmd);
+            }
+
+            # avoid duplicates
+            next if $seen->{$antivirus->{NAME}}->{$antivirus->{VERSION}||'_undef_'}++;
+
+            $inventory->addEntry(
+                section => 'ANTIVIRUS',
+                entry   => $antivirus
+            );
+
+            $logger->debug2("Added $antivirus->{NAME}".($antivirus->{VERSION}? " v$antivirus->{VERSION}":""))
+                if $logger;
+        }
+    }
 }
 
 sub _getAntivirusUninstall {
@@ -480,6 +522,30 @@ sub _setTrendMicroSecurityAgentInfos {
     }
 }
 
+sub _setCortexInfos {
+    my ($antivirus, $logger, $command) = @_;
+
+    $antivirus = {
+        NAME    => "Cortex XDRT Advanced Endpoint Protection",
+    } unless $antivirus;
+
+    $antivirus->{COMPANY} = "Palo Alto Networks";
+
+    my $version = getFirstMatch(
+        command => "$command info",
+        pattern => /^Cortex XDR .* ([0-9.]+)$/,
+        logger  => $logger
+    );
+    $antivirus->{VERSION} = $version if $version;
+
+    my $base_version = getFirstMatch(
+        command => "$command info query",
+        pattern => /^Content Version:\s+(\S+)$/i,
+        logger  => $logger
+    );
+    $antivirus->{BASE_VERSION} = $base_version if $base_version;
+}
+
 sub _getSoftwareRegistryKeys {
     my ($base, $values, $callback) = @_;
 

diff --git a/lib/GLPI/Agent/Tools/Win32.pm b/lib/GLPI/Agent/Tools/Win32.pm
@@ -72,6 +72,7 @@ our @EXPORT = qw(
     getFormatedWMIDateTime
     loadUserHive
     cleanupPrivileges
+    getServices
 );
 
 my $_is64bits = undef;
@@ -698,6 +699,31 @@ sub getInterfaces {
     return @interfaces;
 }
 
+sub getServices {
+    my (%params) = @_;
+
+    my $services = {};
+
+    foreach my $object (getWMIObjects(
+        class      => 'Win32_Service',
+        properties => [ qw/
+            Name DisplayName Description State
+            /
+        ],
+        %params
+    )) {
+        next unless $object->{Name} && $object->{DisplayName};
+
+        $services->{$object->{Name}} = {
+            NAME        => $object->{DisplayName},
+            DESCRIPTION => $object->{Description} // "",
+            STATUS      => $object->{State}       // "n/a",
+        };
+    }
+
+    return $services;
+}
+
 sub FileTimeToSystemTime {
     # Inspired by Win32::FileTime module
     my $time = shift;