
ChristophTUVSUD asked a question.
Why does Microsoft 365 Defender not recognize that the Snow Inventory Agent for Windows has been updated?
I updated the Snow Inventory Agent for Windows to Version 7.0.0 shortly after the version was released. I use the "Agent Updates" feature in Snow Inventory to automate the update. However, when I check the Microsoft 365 Defender Portal, I still get the message that I need to update all agents to fix vulnerabilities like CVE-2024-1149, although the Release Notes of Version 7.0.0 state that this vulnerability has been fixed.
Any idea what to do? It seems that the version and install date are not updated in the Windows Control Panel under "Programs and Features", maybe this makes MS Defender believe that no update has been installed.
Hi,
Probably because all 3rd party monitoring tools look at the version which is located in the registry or the device control panel.
With an agent update that information does not update. The agent update only updates the snowagent.exe file in %:\Program Files\Snow Software\Inventory\Agent
So if you would also like to monitor agent versions with 3rd party tools, then you'll need to re-deploy the agent on all devices.
Two suggestions:
1) Double check that the previous version is actually completely uninstalled. I've seen different variants (either registry values remain - as Vladimir suggests above, or actually a whole older Snow agent is still installed). If that is the case, reach out to your hosting/deployment team (so they can tweak their deployment tool).
2) Try to find out how Windows Defender works - what is triggering it? And can you suppress the alert from Windows Defender? I have seen similar behaviour from Rapid7, where in the end we just ignored it.
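A way to check both points raised in the two replies above on a single server, added here as an example that is not part of the thread and not Snow or Microsoft code: it compares the version stamped into snowagent.exe with the DisplayVersion in the standard Windows uninstall keys and reports leftover entries. The drive letter `C:` and the `*Snow Inventory*` DisplayName pattern are assumptions; adjust them to your installation.

```powershell
param(
    # Assumption: drive C:. The thread gives the folder but not the drive letter.
    [string]$AgentExe = 'C:\Program Files\Snow Software\Inventory\Agent\snowagent.exe',
    # Assumption: the uninstall entry's DisplayName contains this text.
    [string]$NamePattern = '*Snow Inventory*'
)

# Standard per-machine uninstall keys (64-bit and 32-bit views) behind "Programs and Features".
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

if (-not (Test-Path -LiteralPath $AgentExe)) {
    Write-Warning "Agent binary not found at $AgentExe"
    return
}

# Version stamped into the binary itself, reduced to major.minor.build.
$info = (Get-Item -LiteralPath $AgentExe).VersionInfo
$fileVersion = [version]::new($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart)

$entries = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern })

if ($entries.Count -eq 0) { Write-Warning "No uninstall entry matches $NamePattern" }
if ($entries.Count -gt 1) { Write-Warning 'More than one uninstall entry: an older agent may still be registered' }

foreach ($entry in $entries) {
    $parsed = $null
    $status = 'UnparsableDisplayVersion'
    if ([version]::TryParse([string]$entry.DisplayVersion, [ref]$parsed)) {
        # Pad a two-part DisplayVersion so it compares cleanly with the file version.
        $registered = [version]::new($parsed.Major, $parsed.Minor, [Math]::Max(0, $parsed.Build))
        if ($registered -eq $fileVersion) { $status = 'Match' }
        elseif ($registered -lt $fileVersion) { $status = 'RegistryStale' }
        else { $status = 'RegistryNewerThanFile' }
    }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        DisplayName    = $entry.DisplayName
        DisplayVersion = $entry.DisplayVersion
        InstallDate    = $entry.InstallDate
        FileVersion    = $fileVersion.ToString()
        Status         = $status
    }
}
```

A `RegistryStale` row means the binary is newer than what "Programs and Features" advertises, which is the situation described in the question; the output can be kept as evidence when raising the finding with the vulnerability management team.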
Thanks for the suggestions.
After some tests I finally decided to update Snow Inventory Agent using a scripted task in our monitoring system "System Center Operations Manager" (SCOM). This meant a lot of extra work because using this method the configuration files were not preserved (we have individual settings on some of our Oracle DB servers).
I am not sure who is to "blame": Snow, because the version number is not updated when updating the agent using the update mechanism built into the "Snow Inventory Server Admin Console". Or Microsoft, whose Defender seems to rely on version numbers instead of inspecting files when searching for vulnerabilities.
There was a discussion a while ago in regard to "not updating the information in Add / Remove programs".
The explanation was that for some technical reasons, this can't be done through Snow's agent update mechanism, but that they will modify the agent update anyway.
Does not help for the moment though.
Besides that, I'd recommend using a proper software deployment tool 😊
Agreed - a proper deployment tool (for example Ansible) would have been much easier. Some servers (e.g. Oracle db/mw servers, or DMZ, or domain controllers, or ...) have exceptions - and those can be handled through Ansible scripting.
Thanks to axell and Jonas for the explanation and mentioning a proper deployment tool. Our company focuses on Microsoft tools, i.e. SCCM for updates / patch management, but it is good to learn about other and probably better tools.
SCCM in fact IS a software deployment tool, while SCOM is not.
When it comes to agent configuration, you could have opened a case with Snow Support to get the most current agent including your configuration.
As an alternative, creating a software deployment in SCCM, also including your configuration and, if needed, additional PS1 files, will work as well.
Things are always a bit more complicated at my company, so we cannot automate everything. For example, I am not allowed to use my preferred Java Runtime Engine (JRE) on all Oracle servers, and there are reasons why I do not put the path to the JRE in the PATH environment variable. So the path to the JRE must be stored in the Config file, but the path depends on which JRE is being used and whether it has already been updated to the latest version or not.
I did open a case to get the most current agent, and I was able to deploy it more or less automatically on 1.000+ servers. Only the few Oracle machines needed to be updated automatically.
SCCM is operated by a different team, who were under time pressure due to holidays and an out-of-band Microsoft patch, so I decided to use a SCOM task instead.
The Snow Inventory Server deployment tool doesn't have the capability to modify registry values / Control Panel application names. The Snow console will show that the update was successful, but other tools will capture the old data from the endpoints.
Snow should provide a solution for seamless agent upgrades.
They are working on it, as they mentioned lately.
The entire update mechanism is to be changed.