Introduction to Inventory Solution (Windows) in Notification Server 7.0 – Detailed File Inventory and Blacklisting
Blacklisting is a feature of Inventory Solution that resides in the Application Management Component (formerly known as Application Management Solution). Now fully integrated into Inventory Solution, this feature allows an administrator to block software that is banned from use on company-owned or company-operated assets. Using the Blacklisting feature, discovered software can easily be marked as blacklisted, which prevents users from launching it.
Introduction
Once Inventory has captured Software from a system, three steps are required before a piece of Discovered Software can be blacklisted. The first is for the Detailed File Inventory Task to run. The second is for another Software or Full Inventory to run out in the environment. The third is to use the Software Catalog to mark a discovered application as Blacklisted. The first two steps are an ongoing, automated process, though if you want current information you may have to initiate them manually. The last step is easy for any recognized software in the Software Catalog.
*Please note that the Blacklist feature is not available until post Beta III of Inventory Solution 7.0*
Detailed File Inventory
Why use a Detailed File Inventory Task? In Inventory Solution 6.1, all details, including header information, were sent for all files audited on a client PC. This meant a lot of information was sent up to the server from each and every target system Inventory ran on. As a result, many of the file details were duplicated many times over within the Altiris database. In 7.0, only the basic file details are sent up for every computer. The detailed information is then collected as needed, on a limited, once-per-file basis.
Detailed File Inventory Task
What is the Details File Inventory Task? Contrary to what you may assume, this Task is a Server-side Task that runs on the Notification Server against the Symantec CMDB. The basic file details that were sent by all computers are compiled, and an algorithm is used to determine what files are out there and which machines have most, if not all, of these files. For example, if two systems out in the environment between them have all the files reported by every computer, those two systems are selected to be the ones to send in detailed file inventory. In other words, it finds the smallest number of systems that collectively will send all detailed file inventory.
Note that this Task is considered a background or server-side recurring process. Each time the task runs, the algorithm is used again to determine which systems should be flagged to send this information in. Note that it is recommended to run a Full Inventory before scheduling and running this Task.
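The selection described above is a set-cover problem. The following sketch is an added example, not Symantec's code or its actual algorithm: it uses a greedy approximation over constructed inventory data, identifies files by name only, uses hypothetical computer names, and also shows the effect of a selected system being unavailable.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data: basic file inventory per computer (hypothetical names).
BASIC_INVENTORY: Dict[str, Set[str]] = {
    "WS-001": {"winword.exe", "excel.exe", "putty.exe"},
    "WS-002": {"winword.exe", "excel.exe"},
    "LT-017": {"putty.exe", "nmap.exe", "utorrent.exe"},
    "WS-044": {"nmap.exe", "excel.exe"},
    "WS-090": {"utorrent.exe"},
}


def select_detail_reporters(
    inventory: Dict[str, Set[str]], unavailable: frozenset = frozenset()
) -> Tuple[List[str], Set[str]]:
    """Greedy set cover: pick few computers whose files cover every known file.

    Returns (computers in pick order, files that no available computer holds).
    """
    # Every file any computer reported, including computers now unavailable.
    all_files: Set[str] = set().union(*inventory.values())
    candidates = {c: f for c, f in inventory.items() if c not in unavailable}
    uncovered = set(all_files)
    selected: List[str] = []
    while uncovered:
        # Most still-uncovered files wins; sorting makes tie-breaks deterministic.
        best = max(
            sorted(candidates),
            key=lambda c: len(candidates[c] & uncovered),
            default=None,
        )
        if best is None or not candidates[best] & uncovered:
            break  # remaining files exist only on unavailable computers
        selected.append(best)
        uncovered -= candidates.pop(best)
    return selected, uncovered


if __name__ == "__main__":
    print(select_detail_reporters(BASIC_INVENTORY))
    # Same inventory, but the laptop is off the network.
    print(select_detail_reporters(BASIC_INVENTORY, frozenset({"LT-017"})))
```

With the laptop available, two systems cover every file; with it excluded, three are needed, which is why each run of the task can flag a different set of systems.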
Use the following steps to view and run the Detailed File Inventory Task:
- In the Symantec Management Console, browse to Manage > Jobs and Tasks > browse in the left-pane tree through System Jobs and Tasks > Discovery and Inventory > Inventory > Details File Inventory Task Type (see the following screenshot)
- Click New Schedule to bring up the scheduler, which includes the option to run the task 'Now'. By default it's scheduled to run on Tuesdays at 12:30 AM. It's scheduled at this time so that it follows the Full Inventory, which is scheduled to run at 6:00 PM Monday.
- Done!
Once the task has run, the machines selected by the algorithm will send in the File Details the next time the Full Inventory Task is scheduled to be completed.
Details File Inventory Purging
As a last point of reference, by default the Detailed File Inventory Task details are purged on a monthly basis (meaning data from any Task run over a month ago will be purged). There isn't a UI element that allows you to change this, but if you do need to adjust it, you can do so by editing the stored procedure sp_Inv_GetDetailedFileInvClientTasksForPurge. The default schedule is listed therein.
Despite the above warning, this may be necessary should the systems selected for providing the Full File Details be removed from the network. For example, if a laptop that often travels is selected, it may be some time before this data is provided up to the Notification Server.
Rerun Inventory Task
If you were to make no adjustments to how Inventory Solution is configured out of the box, it takes over a week to get the detailed file inventory. The sequence requires Software Inventory to run, which out of the box is part of the Full Inventory scheduled for Monday at 6:00 PM. The next day at 12:30 AM, the Detailed File Inventory Task runs on the Notification Server and determines which systems are to capture and send in the full details on the files captured by the Software Audit. When the Full Inventory Task runs again the following Monday, the full details will come in.
If you need to speed the process up, after the initial Full Inventory has been sent in, run the Details File Inventory Task. Once complete, follow these steps to expedite the process:
- In the Symantec Management Console, browse to Manage > Jobs and Tasks > browse in the left-pane tree through System Jobs and Tasks > Discovery and Inventory > Inventory > and select Collect Full Inventory Task (this may be different if you've made your own or chosen a different Inventory for the default).
- Click on the 'New Schedule' button.
- Provide a schedule or choose 'Now' to expedite the running of this Inventory, as shown in the following screenshot:
- This will take time to complete depending on what Task Servers and what workstations are available. If the systems that were chosen as the targets for the details file inventory are online and available, the information should return in the time it takes for the task to run, perhaps 15 to 45 minutes.
Blacklisting
First, the full file details should be captured before using the blacklist feature so that we properly have all the file details when moving the EXE to the blacklisted applications list.
Now that Application Metering is part of Inventory Solution, the Blacklist feature is available through Inventory. This feature will deny the execution of chosen EXEs (through the Software Catalog) that have been added to the Blacklist. Within a Software Release, which may have more than one EXE, each EXE can be selectively allowed (default) or blacklisted.
Blacklist Feature
How does this feature work? After an executable has been added to the Blacklist, the Altiris Agent, via the Application Metering Agent, will disallow any execution of that software on managed systems. When users try to execute the EXE via a shortcut or direct execution, the Application Metering Agent will step in and disallow the execution, so users are unable to run the software.
To add an executable to the Blacklist, follow these instructions:
- Within the Symantec Management Console browse from Manage > Software > browse down through Software > and click on Software Catalog.
- The list of all available Software Components will load in the right-hand pane. This list is huge and unwieldy, but items can be found by using the search feature in the upper right-hand of the right-hand pane.
- Right-click the desired software component (one that is an EXE, usually of the Type Software Release) to bring up the action menu, go to Actions, and click Blacklist Application, as shown in the below screenshot:
- If the action is successful, you will receive a message dialog indicating: "The following software has been successfully marked as blacklisted."
- If the action is unsuccessful, usually because the selected Software Release is not associated with an EXE, you will receive a message dialog indicating: "The following software cannot be blacklisted because it is not associated with any executable files".
- To review the list of Blacklisted Applications, continue with the steps. Otherwise the process is done!
NOTE: The new Application Metering policy will be sent to the managed systems the next time they request their client configuration policies.
- In the Symantec Management Console browse through Manage > select Policies > browse through Software > Application Metering > Blacklisted Applications.
- You can use this location to edit any entry. For example, if you wanted to remove an application from the list to allow users to use the EXE, this would be the location to do it.
The blacklist feature enables administrators to control what software can be run within the environment. Being able to programmatically enforce software usage rules can take the headache out of trying to monitor that type of disallowed activity.
Conclusion
Combining Inventory Solution and Application Metering functionality provides a more complete, versatile picture for Application Management. Since both products plug into the Software Management Framework, this completes the picture and allows all the required components to work seamlessly together.



