This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Unauthorized software install

cfrench over 2 years ago

We recently had an audit and one of the recommendations was to monitor the network for unauthorized software install. We have several Solarwinds products and I'm hoping one of these will fit the bill.

We have:

SAM

NPM

SEM

UDT

If there is anyone that would have a suggestion. The only document I could find on THWACK was an old document for the SEM when it was still called LEM and this document specified it could only monitor for software that was installed with windows installer and made registry changes. Items like PUTTY would not be picked up by the monitoring..

Top Replies

0 marlief22 over 2 years ago

Hi there,

With the modules you have, you should be able to take the advantage of the SAM Asset Inventory monitoring: https://documentation.solarwinds.com/en/success_center/sam/content/sam-asset-inventory-sw1159.htm

This is essentially mirroring what is listed in the 'Programs and Features' section of a Windows Server so a good way to monitor installed programs. I would then personally create a report that lists all the asset inventory software, and you can then filter out any of the 'Authorized Software' from the report.

There's an existing report called 'Software Inventory Report' that is a good starting point, but I would probably do a query on the Orion.AssetInventory.Software table myself - it depends on your level of SWQL knowledge.

Server Configuration Monitor (SCM) would also be a good addition to your line up, as you can better compare asset inventories over time, rather than simply the 'current' status of the installed software:

If this helps answer your question please mark my answer as confirmed to help other users, thank you!

Marlie Fancourt | SolarWinds Pre-Sales Manager

Prosperon Networks | SolarWinds Partner since 2006
Cancel
Vote Up +1 Vote Down

Cancel
0 cfrench over 2 years ago in reply to marlief22

would this be a manual process? I am looking for an alert at the time of install.
Cancel
Vote Up 0 Vote Down

Cancel
0 jm_sysadmin over 2 years ago in reply to cfrench

Then maybe SEM can watch the logs for install events.
Cancel
Vote Up 0 Vote Down

Cancel
0 cfrench over 2 years ago in reply to jm_sysadmin

That was where I started. But, it will only notify you of software installed with windows installer and if registry changes are made. If someone was to install PUTTy this would not alert.
Cancel
Vote Up 0 Vote Down

Cancel
0 marlief22 over 2 years ago in reply to cfrench

It would be a manual process to set-up the alerts originally but, after that, the alerts would fire automatically whenever a new piece of software is installed. This is the same as how it works with the rules in SEM.

SCM actually includes an out of the box alert for when the baseline changes, so you'd only need to create a baseline set of software and the alert will just give you a heads up when it changes:

documentation.solarwinds.com/.../scm-define-a-baseline.htm
Cancel
Vote Up +1 Vote Down

Cancel