
How to find Agents that have the driver loaded or not, and with the IPS policy pending flag?


Article ID: 163547


Products

Data Center Security Server Advanced

Issue/Introduction

All Windows agents are always listed as prevention enabled, even if you selected "disable IPS" when you ran the installer.

The prevention disable state only stops the IPS driver from loading at system boot; it does not change the feature state recorded on the IPS side of the agent's Agent.ini.

Because of this, an agent that does not have the driver loaded can still show a policy pending state in the console if an IPS policy has ever been assigned to it. If the agent has never been in a group with an IPS policy applied, and has never had an IPS policy applied to it directly, it will not reach this state and you would not expect to see the policy pending flag.

To help sort this out, the two queries below show more detail than the console does, so you can separate the systems that are genuinely in a policy pending state (and need to be tracked down) from those that are in a false policy pending state because prevention was disabled on them by preventing the driver from loading at boot.

Resolution

The query below returns ALL non-affected agents (IPS not supported, or the IPS feature disabled, with the prevention policy flag pending; this is by design):

SELECT Hostname, CaptionName, IPAddress, *
  FROM ASSET
 WHERE AgentState LIKE '%e%'
   AND PolicyStatus LIKE '%P%';

The query below returns ALL affected agents (IPS supported and the IPS feature enabled, but the prevention policy flag pending):

SELECT Hostname, CaptionName, IPAddress, *
  FROM ASSET
 WHERE AgentState LIKE '%E%'
   AND PolicyStatus LIKE '%P%';

Here is some additional information on the ASSET table fields used above:

AgentState field in Asset table:

  • 'e' – Prevention feature is not active (i.e., the IPS driver is not loaded)
  • 'E' – Prevention feature is active (i.e., the IPS driver is loaded)
  • 'r' – Reboot has not been done
  • 'R' – Reboot has been done
  • 'p' – Prevention disabled (using prevention policy)
  • 'P' – Prevention enabled (using prevention policy)

PolicyStatus field in Asset table (the column the queries above filter on):

  • policyStatus = P      -->  "prevention policy pending"
  • policyStatus = D      -->  "detection policy pending"
  • policyStatus = E      -->  "prevention policy error"
  • policyStatus = e      -->  "detection policy error"
  • policyStatus = blank  -->  "all good"
  • policyStatus = NULL   -->  "n/a, must be a management server"
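The block below is an added example and is not part of the original article; it serves both the two Resolution queries and the field legend above. It assumes the Data Center Security management database runs on Microsoft SQL Server with its default case-insensitive collation. Under that collation LIKE '%e%' also matches 'E' and LIKE '%P%' also matches 'p', so the two queries as written return the same rows; the COLLATE clause forces the case-sensitive comparison the legend depends on. The collation name Latin1_General_CS_AS and the assumption that AgentState is a string made up of the single-character flags listed above are assumptions; substitute any case-sensitive (_CS_) collation your server offers.

```sql
-- Added example, not from the original article. Assumes SQL Server, whose
-- default collation is case-insensitive (so the plain queries above cannot
-- tell 'E' from 'e'), and that AgentState holds the single-character flags
-- from the legend. Latin1_General_CS_AS is an assumed collation name.

-- Affected agents only: IPS driver loaded ('E') and prevention policy
-- pending ('P'), matched case-sensitively. Change '%E%' to '%e%' to list the
-- non-affected agents (driver not loaded, flag pending by design) instead.
SELECT Hostname, CaptionName, IPAddress, AgentState, PolicyStatus
  FROM ASSET
 WHERE AgentState   COLLATE Latin1_General_CS_AS LIKE '%E%'
   AND PolicyStatus COLLATE Latin1_General_CS_AS LIKE '%P%';

-- Decoded view of every agent: the flag letters translated with the legend,
-- case-sensitively, so genuinely pending and false-pending hosts can be told
-- apart in one result set. Rows with PolicyStatus NULL (management servers)
-- are excluded.
SELECT Hostname,
       IPAddress,
       AgentState,
       PolicyStatus,
       CASE WHEN AgentState COLLATE Latin1_General_CS_AS LIKE '%E%' THEN 'loaded'
            WHEN AgentState COLLATE Latin1_General_CS_AS LIKE '%e%' THEN 'not loaded'
            ELSE 'unknown' END                                   AS IpsDriver,
       CASE WHEN AgentState COLLATE Latin1_General_CS_AS LIKE '%R%' THEN 'done'
            WHEN AgentState COLLATE Latin1_General_CS_AS LIKE '%r%' THEN 'not done'
            ELSE 'unknown' END                                   AS Reboot,
       CASE WHEN AgentState COLLATE Latin1_General_CS_AS LIKE '%P%' THEN 'enabled'
            WHEN AgentState COLLATE Latin1_General_CS_AS LIKE '%p%' THEN 'disabled'
            ELSE 'unknown' END                                   AS PreventionByPolicy,
       CASE WHEN PolicyStatus COLLATE Latin1_General_CS_AS = 'P' THEN 'prevention policy pending'
            WHEN PolicyStatus COLLATE Latin1_General_CS_AS = 'D' THEN 'detection policy pending'
            WHEN PolicyStatus COLLATE Latin1_General_CS_AS = 'E' THEN 'prevention policy error'
            WHEN PolicyStatus COLLATE Latin1_General_CS_AS = 'e' THEN 'detection policy error'
            WHEN PolicyStatus = '' THEN 'all good'
            ELSE 'unknown' END                                   AS PolicyMeaning,
       -- 'yes'   : driver loaded and prevention policy pending -> track down
       -- 'false' : driver never loads, flag pending by design  -> ignore
       CASE WHEN AgentState   COLLATE Latin1_General_CS_AS LIKE '%E%'
             AND PolicyStatus COLLATE Latin1_General_CS_AS LIKE '%P%' THEN 'yes'
            WHEN AgentState   COLLATE Latin1_General_CS_AS LIKE '%e%'
             AND PolicyStatus COLLATE Latin1_General_CS_AS LIKE '%P%' THEN 'false'
            ELSE 'no' END                                        AS NeedsAttention
  FROM ASSET
 WHERE PolicyStatus IS NOT NULL
 ORDER BY NeedsAttention DESC, Hostname;
```

Run the first query to get the short list of hosts that actually need attention; the second is the one to export when you want to show, per host, why a policy pending flag in the console is or is not real. If your AgentState values contain other letters than those in the legend, the 'unknown' branches will surface them rather than silently dropping the row.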