
Logging EXE Files Using Inventory Solution Software Audit

Joel Smith's picture

By default, Software Inventory does not capture all EXEs on a system. There are a variety of reasons for this, and understanding the why and how will help you revise the scan to capture the EXE files you want.

The questions addressed in this article are:

  1. Why are only certain EXE files captured during a software audit?
  2. What excludes an EXE from being reported if present?
  3. How do I capture most executable files on client systems? I'm not capturing a lot of the EXE files I want to with Inventory Solution. How can I capture virtually all EXE files?

Introduction

The following categories will answer the above questions:

  • File Exclusions and Inclusions
  • Unknown EXEs
  • Package and File scan modes
  • Sample Configuration

Most changes will be made using the Altiris AuditPlus Editor found at \Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\ named AeXAPEdit.exe. Simply launch the executable to bring up the audit editor console.

File Exclusions and Inclusions

The default audit scan only looks for EXEs that have valid header information. This includes most production software; however, many EXEs do not conform to a standard product executable, or conform to an older technology not typically used for mainstream applications. The following list shows executable types that are NOT captured by default:

  • DOS
  • WIN16
  • VXD
  • OS/2
  • WIN32
  • Invalid -- including all data files

Note that these items are check-boxes under the Include Unknown tab.


To include files of a type listed under the tab, simply check the corresponding box next to the type. We do not report these by default since generally the types of software found here are not part of current software deployments. But since this is a generality and may not be true for all, these can be captured by checking the appropriate option.

Be aware of the impact of each option checked, especially the 'Invalid -- including all data files' option. We will report more data with each box checked, which can enlarge the database and cause reporting to be painfully slow.

Unknown EXEs

The 'Invalid -- including all data files' option is for any file that does not contain valid executable type header information. Check this option if you want to capture any file that is not a valid EXE, whether named .exe or any other type. Viruses and other covert software types generally conform to this type.

As a side note, this option also allows other file types to be captured. The File Masks tab can be modified to include other extensions, such as DLL, MSI, INI, or any other file type you may wish to capture. While filling out the File Masks tab will include a search for that file type, without the 'Invalid -- including all data files' option checked none of them will be included in the reported Inventory.
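
To make the header categories above concrete, here is an added example (not part of the original article and not Altiris code) that sorts file contents into the Include Unknown categories by reading the executable header, and lists files named .exe that carry no executable header at all. The mapping of signatures to categories follows the public MZ/NE/LE/LX/PE layouts and is an assumption about what the tab's labels mean; the function names and sample files are constructed for illustration.

```python
import struct

def classify_header(data: bytes) -> str:
    """Return the Include Unknown category this content would fall under.
    Assumption: mapping follows the public MZ/NE/LE/LX/PE layouts; the page
    does not document how AeXAuditPls.exe decides internally."""
    if data[:2] != b"MZ":
        return "Invalid"                  # no executable header at all
    if len(data) < 0x40:
        return "DOS"                      # truncated MZ header, nothing follows
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    sig = data[e_lfanew:e_lfanew + 4]     # empty if the offset is past the end
    if sig == b"PE\0\0":
        return "WIN32"
    if sig[:2] == b"NE":
        # Target-OS byte is 0x36 bytes into the NE header: 1 = OS/2, 2 = Windows.
        target = data[e_lfanew + 0x36:e_lfanew + 0x37]
        return "OS/2" if target == b"\x01" else "WIN16"
    # LE = linear executable (VxD drivers), LX = OS/2 2.x; anything else is plain MZ.
    return {b"LE": "VXD", b"LX": "OS/2"}.get(sig[:2], "DOS")

def misnamed_executables(files: dict) -> list:
    """Names ending in .exe whose content has no executable header."""
    return sorted(n for n, d in files.items()
                  if n.lower().endswith(".exe") and classify_header(d) == "Invalid")

def _mz(ext: bytes) -> bytes:
    """Constructed sample: 64-byte MZ header with e_lfanew pointing at `ext`."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + ext

# Constructed sample inputs, not files from any real system.
SAMPLES = {
    "app.exe":    _mz(b"PE\0\0" + bytes(20)),
    "old16.exe":  _mz(b"NE" + bytes(0x34) + b"\x02"),
    "pm.exe":     _mz(b"NE" + bytes(0x34) + b"\x01"),
    "driver.386": _mz(b"LE" + bytes(4)),
    "tool.exe":   b"MZ" + bytes(0x3E),
    "update.exe": b"\x8f\x02 opaque data, no MZ magic",
    "notes.ini":  b"[settings]\nmode=file\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} {classify_header(blob)}")
    print("misnamed:", misnamed_executables(SAMPLES))
```

A file such as the constructed update.exe is the kind that only appears in inventory when the 'Invalid -- including all data files' box is checked, which is why that option matters when auditing for disguised files.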

Package and File Scan Modes

Unless you've installed Inventory Solution 6.1 SP2 fresh, the scan mode utilized by the Software Audit is Package Mode. This means that if a group of EXEs make up a product, we will only report one of the EXEs to represent that the 'product' is installed. This will potentially exclude many EXEs that you may want to run reports against directly. Changing the mode is relatively simple, and is controlled by the command line that executes the Software Audit scan. The command line should include the /file parameter to force the scan into File Mode. In File Mode we will capture and report every EXE that matches the other criteria described in this article.

Sample Command Line:

AeXAuditPls.exe /file /hidden /output xml

The following section will include steps of where this command-line can be edited.

Sample Configuration

The attached files and provided details are a common configuration to capture virtually all executable files on client systems. Please note the following before implementing:

  • Implementing these files and items will significantly increase the size of the auditpls.nsi file (and subsequently the NSE posted to the Notification Server). This can affect both Server performance when Inventory is scheduled to run and subsequently be sent to the Notification Server, and can affect the sheer size of the database.
  • The sizes of both the Cmn_SW_Common and Inv_AeX_SW_Audit_Software_spt tables will increase significantly.
  • If your Inventory database has not been Normalized, the table in question is Inv_AeX_SW_Audit_Software alone, thus the problem is 25% greater.
  • Reports based off of Audit data will take considerably more time to run as they are based off these larger tables that inherently will take longer to query.

The following files are attached to this article. Note that these files were taken from an Inventory Solution 6.1 SP2 (build 1075) install.

  • auditpls.ini
  • AeXInvSolnAdm2.ini

The above files have been created using the following process. For fast implementation, replace your existing files of the same names with the attached files at the location: \Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\Inventory Solution\. This process is provided so that any version of Inventory Solution can be configured to capture most executable files.

Note: If you do copy the files posted here you should rename the existing ones to .backup in case something unexpected should occur and you need to revert back to the previous versions of the files.
  1. On the Notification Server, browse to install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86.
  2. Locate and execute the file AeXAPEdit.exe (this is a stand-alone edit utility that edits a specific Software Audit INI file. While the INI file can be directly edited, the utility makes it much easier).
  3. Click File > Open, and browse to the file auditpls.ini located at \Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\Inventory Solution\.
  4. Click the Include Unknown tab.
  5. Check all the options DOS, WIN16, VXD, OS/2, WIN32, and 'Invalid - including all data files'.
  6. Click the Directory tab. Note the directories that are excluded under the exclude section. If files exist in these directories that you wish to capture, remove them from the exclusion list. For the attached auditpls.ini file, no changes were made to this tab.
  7. Click on the Exclusion Filters tab. Files matching the provided criteria will not be captured in the scan. Make any adjustments necessary based off of your need. The attached auditpls.ini file had no changes made to this tab.
  8. Click on the File Masks tab. Add any other extension type you wish to capture (for example, .MSI). No additions were made to the attached file on this tab, leaving only .EXE as the captured file extension; however, you can add other extensions and specific file names as shown here:
  9. Click File and then Save.
  10. On the Notification Server, browse to \Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\Inventory Solution\ and open the file AeXInvSolnadm2.ini in Notepad.
  11. The listing below shows the modified line for AeXAuditpls.exe that changes the Audit scan from Package to File mode. Edit the line to include the /file switch:
    aexauditpls.exe /hidden /file /output xml
    aexmachinv.exe /norbin
    aexcustinv.exe /in .\AVDefinition.xml /out AVDefinition.nsi
    aexsnplus.exe /ChkModel /output xml
    aexnsinvcollector.exe /hidden /nsctransport /v default /useguid
    
    
  12. Save the file once you've adjusted the command line parameters.
  13. The Distribution Point for the Inventory Package must be updated. This occurs regularly every 10 minutes by default, but if you want to expedite the changes, open the Inventory Agent Package located in the Altiris Console at the Resources tab, under Resources > Defaults > Packages. Bring up Resource Manager for the package and click the button Update Distribution Point.

Note the following issues/circumstances that may still cause a file to be missed when collected into the database:

  • Currently, we cannot capture more than one instance of the same file in multiple locations. The cause is that File Path is not a key column, which means if we have captured a file multiple times the first row for that file to insert into the database will be the only inclusion of that file. Subsequent instances of the file will be discarded since a row already exists containing the exact details that are key items.
  • Exclusion Filters may exclude a file you wish to capture. In these cases you can use the Overrides to change the Header attribute that is causing the exclusion to something not excluded.
  • Overrides can be used to manipulate any of the file header information we capture from a file. The criteria are on the left side. The more information and fields provided here, the more focused or specific the 'match' criteria become. For example, if you only provide the filename on the left, any file we capture with that filename, regardless of the differences in the other data, will have its values replaced with whatever you have specified on the right. In reverse the same is true: only files matching ALL the criteria on the left will have the single value you've overridden on the right replaced. See this screenshot for an example:
License: AJSL
Support: User-contributed tools on the Juice are not supported by Altiris Technical Support. If you have questions about a tool, please communicate directly with the author by visiting their profile page and clicking the 'contact' tab.
pkalyanrao's picture

getting uninstalled software in inventory

Hi Friend,

Using Inventory I need to know only installed software. In my environment I am getting uninstalled applications also, and it is also showing every .EXE file (which is downloaded software but not installed). How can I get only installed software?