[SOLVED] Trend Micro Apex One Security Agent update 6 package (build 11564)

olaplanche
Messages: 178
Registration: January 26, 2017 - 11:11

February 3, 2022 - 8:56 AM

:!: Updated 08/03/2023 :!: New version of the package, now using the MSI package created with the ClientPackager (source)

:!: The MSI file is generated using the Apex One server's ClientPackager :!:

The package code:

```python
# -*- coding: utf-8 -*-
from setuphelpers import *

r"""
Usable WAPT package functions: install(), uninstall(), session_setup(), audit(), update_package()

"""

# Declaring global variables - Warnings: 1) WAPT context is only available in package functions; 2) Global variables are not persistent between calls
bin_name = "TrendMicroSecurityAgent.msi"
properties = {
    'MyServer': '"myserver:8080|4343"',
    # Raw string so that the backslash is kept literally
    'MyDomain': r'"Workgroup\Subdomain"',
}

def install():
    # Initializing variables
    package_version = control.get_software_version()

    # Installing the package
    for to_update in installed_softwares('Trend Micro Apex One Security Agent'):
        if Version(to_update["version"]) < Version(package_version) or force:
            print(r"Upgrading: %s (%s)" % (bin_name, package_version))
            run(r'msiexec /fov "%s"' % bin_name)  # If Agent already installed, upgrade.
    else:
        # for/else: this branch runs whenever the loop ends without a break, so
        # install_msi_if_needed() is always called; it skips msiexec when the
        # MSI is already installed.
        install_msi_if_needed(bin_name, properties=properties)  # If Agent not installed, install.
```

For the uninstallation to work, simply disable the uninstallation password from the server console.
Last edited by olaplanche on March 8, 2023 - 10:44, edited 7 times.
- Installed WAPT version: 2.6.0.16795 Enterprise
- Server OS: Linux / Debian Bookworm
- Administration/package creation machine OS: Windows 10
dcardon
WAPT Expert
Messages: 1929
Registration: June 18, 2014 - 09:58
Location: Saint Sébastien sur Loire

February 3, 2022 - 10:38

Thank you for sharing :-)
Denis Cardon - Tranquil IT
gly
Messages: 24
Registration: May 30, 2019 - 11:45

February 3, 2022 - 11:02 AM

Thanks so much! One question though: how do you handle the fact that the Trend Micro agents update themselves automatically, and then when you update your WAPT package, it tries to update on the workstations as well?
I've tested it, and the problem is that the WAPT packages report errors because they're already up to date.
olaplanche
Messages: 178
Registration: January 26, 2017 - 11:11

February 3, 2022 - 11:19

I do not update the agent program via the Apex One server (configurable in the server, agent management, privileges and other settings).
When a new version of the agent program is released, a new MSI package must be generated using the server's ClientPackager, and the WAPT package must be updated ;)

EDIT: If the agent updates itself and you update your package later, deploying the new package will detect that the same version is already installed and will not reinstall it, with no error in the WAPT console:
installing wapt-trend-micro-apex-one-security-agent
MSI TrendMicroSecurityAgent.msi already installed. Skipping msiexec
gly
Messages: 24
Registration: May 30, 2019 - 11:45

February 3, 2022 - 3:22 PM

EDIT: If the agent updates itself, and you update your package later, upon deploying the new package it will detect that the same version is already installed and will not reinstall it without error in the WAPT console
Are you sure about that? I remember making mistakes myself
gly
Messages: 24
Registration: May 30, 2019 - 11:45

February 3, 2022 - 4:15 PM

Indeed, it doesn't reinstall if it's already installed.

However, I can't find your setting regarding the registry keys. Is it because the password needs to be disabled during uninstallation? Or is it a difference in console version? I'm on build 10064.

Thanks.
olaplanche
Messages: 178
Registration: January 26, 2017 - 11:11

February 4, 2022 - 9:09 AM

Hello,

No, it's not necessary to disable the password during uninstallation in the server console.
I'm on an older build (9167), and haven't had time to update it yet...

The option is located in this menu:

Picture

EDIT: Link to the official documentation: https://docs.trendmicro.com/en-us/enter ... l_002.aspx
olaplanche
Messages: 178
Registration: January 26, 2017 - 11:11

May 24, 2022 - 1:25 PM

OK, I updated the server to build 10101 and the agent's self-protection options have indeed disappeared.
This is a deliberate choice by Trend Micro... source
Security Agent self-protection


Self-protection settings are automatically enabled and not configurable. Previous dependencies for the self-protection features have been removed to allow all Security Agents to be protected at all times.
Back to square one :(
olaplanche
Messages: 178
Registration: January 26, 2017 - 11:11

June 1, 2022 - 09:34

Firstly, for the installation and update of the agent to work when an uninstallation password is configured, you must not use the MSI package (installation OK, update fails, the agent protection password is requested...).

An installation executable package must be created from the server that will work for installation and updates without requiring a password:
Picture

The adapted wapt package code:

```python
# -*- coding: utf-8 -*-
from setuphelpers import *

uninstallkey = ['{1841AFE1-4BA7-44D4-8700-6ACF860A8ED1}']

def install():
    # Initializing variables
    package_version = control.get_software_version()

    # Checking the installed version for error handling
    installed = installed_softwares('Trend Micro Apex One Security Agent')
    outdated = any(Version(soft["version"]) < Version(package_version) for soft in installed)
    # Run the installer when the agent is missing, older than the package, or when forced
    if not installed or outdated or force:
        print('installing %s' % control.package)
        install_exe_if_needed('TrendMicroSecurityAgent.exe')
    else:
        print('%s already installed' % control.package)
    # Remove the product code from the uninstallkey list
    uninstallkey.remove('{1841AFE1-4BA7-44D4-8700-6ACF860A8ED1}')
```

For uninstallation, I suggest two solutions that I have tested:

Solution 1:

Disabling the uninstall password from the server console will set the "Allow Uninstall" registry key to 1 on the agents. Uninstallation is possible with the following code:

```python
def uninstall():
    print('uninstalling %s' % control.package)
    run(r'"msiexec.exe" /x {1841AFE1-4BA7-44D4-8700-6ACF860A8ED1} /qn')
```

Solution 2:

Uninstallation is possible with the following code without disabling the password in the admin console (the password will be in plain text in the package):

```python
def uninstall():
    print('uninstalling %s' % control.package)
    run(r'"%s\Trend Micro\Security Agent\pccntmon.exe" -m <uninstall_password>' % programfiles32)
```

source

Some leads that did not pan out:

Creating the executable package from the packager client relies on the ofcscan.ini configuration file on the server; editing this file allows you to find the agent's self-protection options:
[INI_CLIENT_SECTION]
SP_EnableFileProtection = 1
SP_EnableRegistryKeyProtection = 1
SP_EnableProcessProtection = 1
Unfortunately, setting them to 0 doesn't seem to work...

However, in the registry of the following agent, the keys for the self-protection options are indeed found:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS
By setting the "SP_EnableRegistryKeyProtection" key to 0, registry protection is indeed disabled, so the "Allow Uninstall" key can be modified again from within a WAPT package without disabling the agent's password. The problem is that it's not possible to modify the "SP_EnableRegistryKeyProtection" key while the agent is running... You first have to close the agent, which then prompts for the password... in short, I don't see how to fully automate the uninstallation within a WAPT package.
olaplanche
Messages: 178
Registration: January 26, 2017 - 11:11

March 8, 2023 - 10:43

Good morning,

New version of the package on the front page.

I'm adding here the code for a package I needed to migrate an agent from one server to another during a migration (source).

```python
# -*- coding: utf-8 -*-
from setuphelpers import *

r"""
Usable WAPT package functions: install(), uninstall(), session_setup(), audit(), update_package()

"""

# Declaring global variables - Warnings: 1) WAPT context is only available in package functions; 2) Global variables are not persistent between calls
server_name = "myserver.contoso.local"
client_port = "25840"
agent_password = "uninstall_password"

def install():
    # Initializing variables

    # Installing the package
    print("Moving Apex One Security Agent to server : %s" % server_name)
    run(r'"IpXfer\IpXfer_x64.exe" -s %s -p 8080 -sp 4343 -c %s -e "IpXfer\OfcNTCer.dat" -pwd %s' % (server_name, client_port, agent_password))
```

Locked
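
The plain-text password mentioned for Solution 2, and the `agent_password` variable in the migration package, can be caught before a package is signed and uploaded. The following is an added example, not code from the thread or from WAPT: a hypothetical `find_plaintext_secrets` helper that parses the text of a `setup.py` with Python's `ast` module and reports password literals. The sample package text and its password are constructed.

```python
import ast
import re

# Switches seen in the thread that take the agent password as an argument:
# "pccntmon.exe -m <password>" and "IpXfer ... -pwd <password>".
SECRET_SWITCH = re.compile(r'(?:pccntmon\.exe"?\s+-m|-pwd)\s+(\S+)', re.IGNORECASE)
SECRET_NAME = re.compile(r'passw(or)?d|pwd|secret', re.IGNORECASE)

def find_plaintext_secrets(source):
    """Return sorted (line, reason) findings for the text of a setup.py."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            value = node.value
            # Rule 1: a password-like name bound to a non-empty string literal.
            if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
                for target in node.targets:
                    if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                        findings.add((node.lineno, "string literal assigned to " + target.id))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Rule 2: a command string with a literal value after the switch.
            # A %s or {} placeholder there is left to rule 1 (the variable).
            match = SECRET_SWITCH.search(node.value)
            if match and not match.group(1).startswith(("%", "{")):
                findings.add((node.lineno, "password literal after a command-line switch"))
    return sorted(findings)

# Constructed sample modelled on the packages in this thread (not a real password).
SAMPLE_SETUP = r'''from setuphelpers import *
server_name = "myserver.contoso.local"
agent_password = "Example-Pw-123"

def install():
    run(r'"IpXfer\IpXfer_x64.exe" -s %s -pwd %s' % (server_name, agent_password))

def uninstall():
    run(r'"%s\Trend Micro\Security Agent\pccntmon.exe" -m Example-Pw-123' % programfiles32)
'''

if __name__ == "__main__":
    for line, reason in find_plaintext_secrets(SAMPLE_SETUP):
        print("setup.py:%d: %s" % (line, reason))
```

The source is only parsed, never imported, so the check runs on a machine without `setuphelpers` installed.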