CA Client Automation


Software Detection

  • 1.  Software Detection

    Posted Mar 08, 2018 09:24 AM

    Hi

    We have an ITCM 12.5 environment with around 6000 agents.

    The heuristic and signature software detection are active on all computers.

    We're trying to understand a weird behavior when we're looking in the detected software:

    even if all the computers have been installed the same way, with the same package,

    on 4000 computers we'll find something like:

       Adobe Shockwave Player 12.3

       Adobe Shockwave - CU

       Adobe Shockwave Player 12.3.1.201

    but on the other 2000 we only find:

       Adobe Shockwave - CU

       Adobe Shockwave Player 12.3

    This is only one example but we have many software that show similar behavior when detected.

    Is there an easy explanation or a way to uniformize the detection?

    Thanks

    Remy



  • 2.  Re: Software Detection

    Posted Mar 08, 2018 09:47 AM

    The first thing you should do is, on the computers with apparent missing items, force a full collect. Perhaps some inventory went missing at some point (a scalability server crashed and was rebuilt perhaps).

     

    Next, since you said you have both signature and heuristic scans running, it would be helpful to know which scan found the software items in your examples below.

     

    Next, grab the ‘amapp.dat’ and ‘amsoft.xml’ files from a ‘good’ example and the same files from a ‘bad’ example. These files are in ‘C:\Program Files (x86)\CA\DSM\Agent\units\00000001\uam\BAK’ assuming you used the default locations to install the agent, and the computers are 64-bit. These files are actually quite easy to read and show what inventory is actually being collected by the Agent. The .dat file is the heuristic scan data, and the xml is the signature scan. Validate that the inventory in the files matches what is shown in the console.

     

    Last, find a couple of computers you can actually look at, and validate the inventory collected against what is actually shown in the ‘Add and Remove Programs’  or ‘uninstall a program’ control panel app.

     

    It’s possible, especially for software like the examples you provided (shockwave) that in some cases the users allowed auto-update and some users did not. Programs like shockwave, flash, etc. will attempt to update themselves to the latest version.

     

    Steve McCormick, ITIL

    CA Technologies

    Principal Services Consultant

    Stephen.McCormick@ca.com




  • 3.  Re: Software Detection

    Posted Mar 08, 2018 10:56 AM

    In both amapp.dat files I find:

    Adobe Shockwave - CU|Ver=1.0.0|Pub=MERN 1 (Atr)|Method=msi|GUID={D5DA5009-A293-4A6D-AEAD-00945D6DB4BF}
    Adobe Shockwave Player 12.3|Ver=12.3.1.201|Pub=Adobe Systems, Inc|Method=msi|GUID={175D1C2E-CEF4-4909-901D-52AF3CD8ECD2}|Path=C:\windows\SysWOW64\Adobe\

    but I can't seem to find where the line "Adobe Shockwave Player 12.3.1.201" comes from.

    It seems to be this command that is detected: "C:\Windows\SysWOW64\Adobe\Shockwave 12\SwInit.exe"

    When we go in the detail of the discovered software, it's indicated "CA Provided."

    Is it possible that when sealing a package the SW Definition might be in cause...

    Where are those definitions kept in mdb?



  • 4.  Re: Software Detection
    Best Answer

    Broadcom Employee
    Posted Mar 08, 2018 04:40 PM

    Hi Remy,

     

    It seems the missing signature "Adobe Shockwave Player 12.3.1.201" is a CA Provided signature which should be detected with Signature Scan.

    This signature was created in November 2017 and here is its definition:

     

    <technology id ="117C636F-9298-49E9-B40D-52BCE7939D09" descr= "Adobe Shockwave Player 12.3.1.201" swtype ="3">
    <group type="and">
    <package name="Adobe Shockwave Player 12.3" version="12.3.1.201" />
    <file name="SwInit.exe" minversion="12.3.1.201" maxversion="12.3.1.201" path="*" />
    </group>
    </technology>

     

    Maybe the version of the file W00*.XML located under C:\Program Files (x86)\CA\DSM\Agent\units\00000001 on machines with the problem is old.

    This file is downloaded from the Scalability Server from directory C:\Program Files (x86)\CA\DSM\ServerDB\SECTOR\SSFW

    Maybe the Scalability Server does not have the latest version of the file W00*.ZML?

    In this case the problem could be in the transfer of this file from DOMAIN to Scalability Server.

    This transfer is done by the Engine when the SS Collect job is executed.

    Do you see any errors during execution of the SS Collect job?

     

    Thanks.

    Regards,

    Jean-Yves

     



  • 5.  Re: Software Detection

    Posted Mar 08, 2018 04:58 PM

    Thanks Jean-Yves,

     

    I've been on a webex with a client all day, just got back to this. You are absolutely correct. Looks like there is a breakdown in the signatures file for some computers. Perhaps the versions are out of sync.

     

    To verify, first make sure the W00*.XML file on 'good' computers and 'bad' computers has the same number. If they are on the same Domain the number should be the same.

    Next, open the XML file (in notepad or your editor of choice, not in IE which is the default for XML files) from a BAD machine, and search for 'Adobe Shockwave Player 12.3.1.201'. If it is not found, you have missing signatures and may need to delete the XML file from all 'bad' machines to ensure it gets re-created.

    Before doing that, try to determine if the bad systems are all on one or more scalability servers since the problem may exist on the SS. If the problem is at the SS we can regenerate the sectors on the affected servers.

    If the SS' are OK, you can create an AM job to delete the file on the computers. Set the job to run once only on all 'bad' machines and you will get all the signatures rebuilt.

     

    Steve McCormick

    CA Services Principal Consultant
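The check described in posts 4 and 5, as an added example that is not part of the original thread or of CA's tooling: it parses amapp.dat records in the format quoted in post 3 and looks up a signature by its description in a signature file. The `<signatures>` root element, the function names, and the reading of the `and` group (the package name and version must appear in the heuristic inventory) are assumptions; the `<file>` condition is not evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two amapp.dat lines quoted in post 3.
AMAPP_SAMPLE = r"""Adobe Shockwave - CU|Ver=1.0.0|Pub=MERN 1 (Atr)|Method=msi|GUID={D5DA5009-A293-4A6D-AEAD-00945D6DB4BF}
Adobe Shockwave Player 12.3|Ver=12.3.1.201|Pub=Adobe Systems, Inc|Method=msi|GUID={175D1C2E-CEF4-4909-901D-52AF3CD8ECD2}|Path=C:\windows\SysWOW64\Adobe\
"""

# Constructed sample: the definition from post 4 inside a hypothetical root element.
SIG_GOOD = """<signatures>
<technology id ="117C636F-9298-49E9-B40D-52BCE7939D09" descr= "Adobe Shockwave Player 12.3.1.201" swtype ="3">
<group type="and">
<package name="Adobe Shockwave Player 12.3" version="12.3.1.201" />
<file name="SwInit.exe" minversion="12.3.1.201" maxversion="12.3.1.201" path="*" />
</group>
</technology>
</signatures>"""
SIG_STALE = "<signatures></signatures>"  # constructed: file that predates the definition


def parse_amapp(text):
    """Return {product name: {field: value}} from pipe-delimited heuristic records."""
    products = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, *fields = line.split("|")
        products[name.strip()] = dict(f.split("=", 1) for f in fields if "=" in f)
    return products


def diagnose(sig_xml, amapp_text, descr):
    """Classify why a signature entry is or is not expected for one machine."""
    tech = next((t for t in ET.fromstring(sig_xml).iter("technology")
                 if t.get("descr") == descr), None)
    if tech is None:
        return "signature-not-in-file"  # stale or incomplete signature file
    installed = parse_amapp(amapp_text)
    for pkg in tech.iter("package"):
        if installed.get(pkg.get("name"), {}).get("Ver") != pkg.get("version"):
            return "package-precondition-not-met"
    return "signature-defined-and-package-present"
```

Running `diagnose` over the files collected from a 'good' and a 'bad' machine separates a stale signature file from a genuine difference in what is installed.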



  • 6.  Re: Software Detection

    Posted Mar 09, 2018 08:52 AM

    Ok

    I looked on a bad and a good computer in C:\Program Files (x86)\CA\DSM\Agent\units\00000001, and I'm kind of flabbergasted...

     

    Bad Computer:

     

    Good computer:

     

    So I looked on another bad and good computer and there's no xml ...

     

    So I've broadened my search to all directories in C:\Program Files (x86)\CA\DSM and still no xml...



  • 7.  Re: Software Detection

    Broadcom Employee
    Posted Mar 09, 2018 09:07 AM

    I suggest you open a support issue and someone in your region will pick it up and work with you.

     

    Richard Lechner

    Principal Engineering Services Architect

     

    CA Technologies

    Mobile: +1 703 655 7161 | Richard.Lechner@ca.com

     




  • 8.  Re: Software Detection

    Posted Apr 25, 2018 09:24 AM

    Hi 

    The problem has only gotten worse with time...

     

    On the SS the ZML is up to date:

     

     

     

     

    Now if we look in the installed Package :

    Vs the discovered software:

     

    ...

    It worked on March 27 but it doesn't work on April 24...

    I think the problem seems to be between SS and Agent ... since I don't have any W0*.XML on my computers...

     

    In WinOffLine in Scalability Summary I see no signature files and one pretty old from the MDB:

     

    Maybe the problem comes from there???

     

     

     

     

    P.S.

    I'm unable to open case at the moment and we're working hard to get everything in order ASAP...



  • 9.  Re: Software Detection

    Posted Apr 25, 2018 05:10 PM

    In the WinOffline "Scalability Server Summary",  the "Signature File Date" column comes from inventory reported by the AM agent on the SS.  To be clear, WinOffline doesn't actually open/map a share to the SS and directly check the signature file timestamp.  The AM agent, by default, actually inventories the signature file details and reports as part of the normal agent inventory.  WinOffline just looks for this in the database and reflects this info in the scalability server summary.

     

    The fact that the Signature File Data is "Null" means WinOffline did not find it in the AM agent inventory for that SS.  Since your other screenshot indicates the SS has a signature file, this likely means the AM agent inventory on the SS is corrupt, out of sync with the manager, or there is some problem with the collect task, with keeping up with incoming volume.  Or perhaps somewhere along the way you deleted the ServerDB folder, and this inventory was lost when the agent reported it.

     

    That being said-- are the collect tasks for these scalability servers functional and completing?  I ask because WinOffline shows there are 2000+ agents registered to each, which is too many.  In general, you want to have about 1000 agents maximum per scalability server.  It's when this amount is exceeded we start having communication issues that manifest in various types of unexpected results or product functionality.



  • 10.  Re: Software Detection

    Posted Apr 27, 2018 08:35 AM

    I have no error on the default task,  it just doesn't seem to do anything, is there a way to trace what's going on...