Monitoring for new Software install or uninstalls

pmitpaul Member Posts: 13
edited December 2023 in Scripts

I tried out the preset 'Software Installed/Uninstalled' settings for the threshold, but it seems they still suffer from the false alerts described here: https://www.reddit.com/r/atera/comments/uw171s/atera_again_misleading/ .

I agree that those presets are not useful with all the false alerts, so I am trying to script it.

I mostly used the script generator to create this, so I'm looking for any suggestions or concerns with doing something like this:

#Set variables for file paths
$currentSoftware = "c:\pcadmin\currentsoftware.txt"
$previousSoftware = "c:\pcadmin\previoussoftware.txt"
$softwareChanges = "c:\pcadmin\softwarechanges.txt"

#Generate list of installed software and save to currentsoftware.txt
Get-Package * | Out-File $currentSoftware

#Check if previoussoftware.txt exists
if (!(Test-Path $previousSoftware)) {
    # If it doesn't exist, create it with the text "NONE"
    "NONE" | Out-File $previousSoftware
}

#Check if softwarechanges.txt exists
if (!(Test-Path $softwareChanges)) {
    # If it doesn't exist, create it with the text ""
    "" | Out-File $softwareChanges
}

#Compare currentsoftware.txt with previoussoftware.txt and append changes to softwarechanges.txt
Compare-Object -ReferenceObject (Get-Content $previousSoftware) -DifferenceObject (Get-Content $currentSoftware) | Add-Content $softwareChanges

#Remove previoussoftware.txt (Rename-Item fails if the target already exists)
Remove-Item $previousSoftware

#Rename currentsoftware.txt to previoussoftware.txt so it becomes the baseline for the next run
Rename-Item $currentSoftware $previousSoftware

#Output contents of softwarechanges.txt
Get-Content $softwareChanges

This will output a list of currently installed software, then compare that list to the previously generated list and append it to a text file.

The threshold then checks to see if that text file is blank, and if not alerts with the programs added or removed.

I then created a second script to clear the softwarechanges.txt file which will clear the alert after some time.

#Set the path to the file
$filePath = "c:\PCadmin\softwarechanges.txt"
#Set the content to be replaced
$content = ""
#Replace the contents of the file with the new content
Set-Content -Path $filePath -Value $content

One concern I had is if this will impact performance with how often the thresholds are checked.

I thought about breaking the script into two parts: the first part scans the software under an automation profile every hour and generates the text file, and the second part just checks the text file contents under the threshold profile.


Edited code to fix a few things.
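As an added example (not the poster's script, and not Atera's own code), here is the same snapshot-and-compare idea done on the registry Uninstall keys, which also catch installs that never write an event log entry. The C:\pcadmin paths, the CLIXML baseline file name and the "record a baseline silently on first run" behaviour are assumptions, not something the post specifies.

```powershell
# Added example (not the poster's script): inventory diff read from the registry
# Uninstall keys. C:\pcadmin paths are assumptions carried over from the post.
$stateDir   = 'C:\pcadmin'
$baseline   = Join-Path $stateDir 'previoussoftware.xml'
$changesLog = Join-Path $stateDir 'softwarechanges.txt'

# 64-bit, 32-bit (WOW6432Node) and per-user uninstall hives
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Key     = $_.PSChildName   # product code or app id: stable identity
                Name    = $_.DisplayName
                Version = [string]$_.DisplayVersion
            }
        } | Sort-Object Key -Unique
}

New-Item -ItemType Directory -Path $stateDir -Force | Out-Null
$current = @(Get-InstalledSoftware)
$old     = if (Test-Path $baseline) { @(Import-Clixml $baseline) } else { @() }

# First run only records the baseline instead of reporting every package as new.
# Comparing on Key + Version makes an upgrade show up as a REMOVED/ADDED pair.
$diff = if ($old.Count -eq 0) { @() } else {
    Compare-Object -ReferenceObject $old -DifferenceObject $current -Property Key, Version -PassThru
}

$lines = foreach ($d in $diff) {
    $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
    '{0} {1} {2} {3}' -f (Get-Date -Format s), $tag, $d.Name, $d.Version
}
if ($lines) { $lines | Add-Content -Path $changesLog }

# This snapshot becomes the baseline for the next run.
$current | Export-Clixml -Path $baseline

# Threshold check stays the same as in the post: a non-empty file means a pending alert.
if (Test-Path $changesLog) { Get-Content $changesLog }
```

The poster's second script (emptying softwarechanges.txt) clears the alert unchanged; only the snapshot format differs.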


Comments

  • frank.pietersma Member Posts: 78 ✭✭✭

    Hey, that's strange. In the Reddit post you linked from 1 year ago, @nina said the following.

    Nina_from_Atera · 1 yr. ago · Social & Community Lead

    I spoke with our Product Team and I understand that the issue was fixed
    and will be set into production and released in the near future. Keep
    your eyes peeled!

    After a year of waiting we may expect this to be fixed; I hope @nina will respond to this.
    Maybe we have missed something.

  • pmitpaul Member Posts: 13

    I am not expecting it to be fixed and suggested in chat today that they remove it entirely. IMO, a new person who is trialing the software and enables that is going to be highly disappointed with the amount of spam they receive from the false alerts.

    The script I posted seems to be working well but I'm sure it can be improved or a better solution implemented. I'm still testing it a bit before rolling it out but did share to the library pending approval.

    It does suffer from an issue that all threshold alerts seem to have: if an alert is generated, it will not update the alert with the updated values. So if software is installed and an alert is generated but not cleared or resolved, and more software is installed/removed after that, it will not show those new items.

    It would be nice if threshold alerts would show the current values rather than the value of when the alert was triggered. Atera is already running the checks consistently to see if the alert is cleared, so they already have those values.

  • frank.pietersma Member Posts: 78 ✭✭✭

    The script is nice, but how much nicer it would be if we could just set it in the threshold and really get the installs and uninstalls as an alert. IMO this should be part of standard monitoring.

  • email Member Posts: 51 ✭✭
    edited August 2023

    Why are messages having to be approved? @nina It won't let me post an answer.

    Had a big post but it won't allow it to be posted.

    Been trying to post for days - it keeps on saying it needs to be approved… no idea why.

    Yes @pmitpaul it's incredible that this issue is so long standing.

    So much so I created a completely new email/alert system to fix it and it's awesome!

    The ULTIMATE Software Installation/Removal Alert system
    Look in - summer-contest-win-a-nintendo-switch-meta-quest-vr-glasses-and-more#latest
    Read about it above - if others want the scripts I'll release them.

    You can fix it yourself right now by making a new custom threshold item. This would work the way you are wanting it to. They already have the tools built in to fix it! So it's crazy the problem still exists.

    Atera is slowly getting better which is good.

    MsiInstaller&11707,Application/MsiInstaller&1033 and MsiInstaller&11724,MsiInstaller&1034

  • email Member Posts: 51 ✭✭

    Why the hell can't I post here. I'll @franciscoreboredo @pmitpaul msg you guys privately - it's blocking me every time I post here.

  • sarah+success Administrator Posts: 70 admin

    Hi @DP, we can see your posts. It's possible that something is being flagged as spam.

  • email Member Posts: 51 ✭✭

    Hi @Sarah_from_Atera - I was prompted with "your message will appear after it's approved by the mod". Small sentences work, but not full posts.

  • email Member Posts: 51 ✭✭

    Yes @pmitpaul it's incredible that this issue is so long standing.

    So much so I created a completely new email/alert system to fix it and it's awesome!

    The ULTIMATE Software Installation/Removal Alert system
    https://community.atera.com/discussion/74/summer-contest-win-a-nintendo-switch-meta-quest-vr-glasses-and-more#latest

    Read about it above - if others want the scripts I'll release them.

    You can fix it yourself right now by making a new custom threshold item. This would work the way you are wanting it to. They already have the tools built in to fix it! So it's crazy the problem still exists.

  • bahlquist Member Posts: 17 ✭✭

    lol…looks like your posts have been approved @DP 😂😂😂

  • pmitpaul Member Posts: 13
    edited August 2023

    Looks like they fixed your posting issues :)

    BTW, I agree your fix is way better and a much better solution. (They need to fix their solution to do what you are doing under the hood; it seems like a simple change that should have been done a while ago.)

    I wish I would have read the note where it says you can use the & operator.

  • gdarino Member Posts: 4

    @DP Would appreciate if you would share the script.

  • frank.pietersma Member Posts: 78 ✭✭✭
    edited August 2023

    Here are all the events you need to monitor to get alerted for all the installs and uninstalls on computers and servers. It works for successful and failed installs:

    Event ID 11707 - Software Installed Successfully
    Create information alert for Application/11707 event source

    Event ID 11708 - Software Installation Failed
    Create information alert for Application/11708 event source

    Event ID 11724 - Software Removed Successfully
    Create information alert for Application/11724 event source

    Event ID 11725 - Software Removal Failed
    Create information alert for Application/11725 event source

    Event ID 11707/1033 - Software Installed Successfully
    Create information alert for Application/MsiInstaller&11707,MsiInstaller&1033 event source

    Event ID 11724/1034 - Software Removed Successfully
    Create information alert for Application/MsiInstaller&11724,MsiInstaller&1034 event source
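As an added example (not from this thread and not an Atera feature), the same source-qualified event list expressed as a PowerShell query: filtering on ProviderName is what keeps other sources that reuse IDs such as 1033 or 11707 from matching. The 24-hour look-back window and the function name are assumptions.

```powershell
# Added example, not from the thread: MsiInstaller install/removal events,
# matched on provider + ID exactly like the "MsiInstaller&<id>" alerts above.
$meaning = @{
    11707 = 'Installed';               11708 = 'Install failed'
    11724 = 'Removed';                 11725 = 'Removal failed'
    1033  = 'Installed (MSI summary)'; 1034  = 'Removed (MSI summary)'
}

function Get-MsiInstallEvents {
    param([int]$Hours = 24)   # assumed look-back window
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'      # the source filter that removes the noise
        Id           = @($meaning.Keys)
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Action = $meaning[$_.Id]
                Detail = ($_.Message -split "`r?`n")[0]   # first line names the product
            }
        }
}

$events = @(Get-MsiInstallEvents -Hours 24)
$events | Sort-Object Time | Format-Table -AutoSize
# Non-zero exit when anything matched, so a script-based check can alert on it.
exit ([int]($events.Count -gt 0))
```

As dyoder notes later in the thread, installers that do not use Windows Installer never produce these events, so this complements rather than replaces an inventory diff.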

  • kim Member Posts: 113 ✭✭✭

    Hi Frank!!!

    The script looks great! Could you also submit it to the Shared Script Library (https://app.atera.com/new/admin/scripts)? I know there are a lot of us that could use it and sometimes Atera runs promotions or giveaways for popular scripts that are used (or cloned). This would be an easy one to submit. Thank you for sharing it with us!!!

    Sincerely,

    Kim

  • nina Administrator Posts: 428 admin

    I've opened a ticket to track this issue and see what we can do to make it work accordingly.

    I encourage everyone on this thread to open a ticket so that we can resolve this matter as quickly as possible. Thank you!

  • pmitpaul Member Posts: 13

    Frank has the best solution here, and it should be what Atera is doing behind the scenes when you set up their default configuration, IMO.

  • dyoder Member Posts: 52 ✭✭✭

    The problem originally was because Atera's thresholds didn't let you specify an event source, only an event ID. The problem is that multiple event sources can share the same event ID - this is what led to false positives.

    The problem now is that the events regarding installed/uninstalled software will be generated every time an application is updated, installed, or removed. So it's not generating false positives, but it is very noisy.

    I think the best solution to this is to monitor the list of installed software like @pmitpaul originally suggested. This is the only way to get the most complete record of software on an endpoint (not all installers will write to the event log).

  • nina Administrator Posts: 428 admin

    Hi! To anyone that does not yet have an open ticket, please open a ticket with our Support Team, support@atera.com, so that we can troubleshoot this issue! Thank you.

  • nina Administrator Posts: 428 admin

    Regarding the "false alerts" inquiry: they are due to Microsoft putting two actions under the same event, and Atera cannot filter them as it recognizes the event alone. This functionality is included in Microsoft's definition of event 1033, and, since it is a preset threshold item in Atera, it cannot be filtered or modified apart from the event.

    Also, there is an option to create a custom threshold with the category Event by Source and choose Source Folder: Application. This will provide more accurate data on what concerns the action "software installed" logged by the Windows events 11707 and 1033.

    Hope this helps!

  • pmitpaul Member Posts: 13

    This response is very similar to the one I received in email, and is very confusing for us users as it doesn't make sense.

    You say that with the built in Atera software monitoring checks, they can't be edited to filter out the 'false alert' events (the ones about policy exclusions that have nothing to do with installs). This is true for us as we can't edit the default settings as we are end users (expected), but surely this is not the case for Atera developers.

    The fact that end users CAN set up an alternative solution and filter appropriately as a separate check (as frank mentioned) shows that Atera's codebase has this capability, so why doesn't Atera fix their built-in check rather than leaving a feature that is not working as expected, and most likely disappointing for any new user who is trying out the software and enables it?

    The following alerts are not appropriate to be receiving when you are trying to monitor software installations.

    These policies are being excluded since they are only defined with override-only
    attribute. Policy Names=(Security-SPP-Reserved-EnableNotificationMode) App
    Id=55c92734-d682-4d71-983e-d6ecxxxxxxxx Sku Id=4de7cb65-cdf1-4de9-8ae8-xxxxxxxx
    [Machine Name: XXX]

    And

    Duplicate definition of policy found. Policy name=AAD-BlockAADWorkplaceJoin-
    Default Priority=100 [Machine Name: XXX]

  • email Member Posts: 51 ✭✭

    @pmitpaul @nina

    As we are saying Nina, this filter fixes it. Why not set this to the default? Everyone starting to use Atera is left scratching their head why this feature doesn't work. A real opportunity is being missed here.

    I'll be posting my script soon, just have to check a few things; it will alert via email only on filtered events. But users that are just beginning with Atera have to do a LOT of research to fix it out of the box. You'll be losing a lot of users simply based on this.

  • nina Administrator Posts: 428 admin

    Thank you! I have shared this with our Product Team. Much appreciated!

  • nina Administrator Posts: 428 admin
    edited September 2023

    Hi Guys -

    Have you seen this KB article? Is this helpful?

    Nina

  • pmitpaul Member Posts: 13

    It is useful... that is how frank set up the checks to get something that works, and it is what is suggested as the current workaround.

    But it feels like you don't understand what we are saying. Atera's built-in checks for the software installs are doing this same thing but not filtering properly.

    The solution is for Atera to fix the built-in check, not for Atera to ask customers to use a separate workaround and leave the broken built-in checks active.

  • yasminproduct16 Internal Posts: 16

    Hey guys, thank you for bringing this to our attention. The team is working on a fix to the preset; it should be deployed soon.

  • nina Administrator Posts: 428 admin