Duplicated entries in "Computer - Antiviruses" #17598

Closed
MarcSamD opened this issue Jul 26, 2024 · 17 comments

@MarcSamD
Contributor

Code of Conduct

  • I agree to follow this project's Code of Conduct

Is there an existing issue for this?

  • I have searched the existing issues

Version

10.0.16

Bug description

Computer antiviruses page is displaying outdated entries (old antivirus version).

For example:
[image]

Despite this, running the command glpi-inventory --partial antivirus --debug --debug only returns the latest antivirus version (see log below), and only the latest antivirus version is displayed in "Software".

Relevant log output

[debug] Running GLPI::Agent::Task::Inventory::Win32::AntiVirus
[debug] Found Sentinel Agent (state=0x41000)
[debug2] Added Sentinel Agent v23.4.223
[debug] Found Windows Defender (state=0x61100)
[debug2] Added Windows Defender v4.18.24060.7
[debug] Running GLPI::Agent::Task::Inventory::Win32::Chassis
{
   "action": "inventory",
   "content": {
      "antivirus": [
         {
            "company": "SentinelOne, Inc.",
            "enabled": true,
            "guid": "{id-id-id-id}",
            "name": "Sentinel Agent",
            "uptodate": true,
            "version": "23.4.223"
         },
         {
            "base_version": "1.415.326.0",
            "company": "Microsoft Corporation",
            "enabled": true,
            "guid": "{id-id-id-id}",
            "name": "Windows Defender",
            "uptodate": true,
            "version": "4.18.24060.7"
         }
      ],
      "bios": {
         redacted
      },
      "hardware": {
         redacted
      },
      "versionclient": "GLPI-Inventory_v1.10"
   },
   "deviceid": "computername-2024-07-26-11-40-18",
   "itemtype": "Computer",
   "partial": true
}
[info] Inventory dumped on standard output

Page URL

No response

Steps To reproduce

No response

Your GLPI setup information

GLPI Agent 1.10

Anything else?

No response

@trasher
Contributor

trasher commented Jul 29, 2024

Issue probably comes from "partial" stuff. Could you confirm all is OK with a "full" inventory?

@MarcSamD
Contributor Author

MarcSamD commented Jul 29, 2024

No, the "partial" inventory is only for debugging. But this issue exists for all our computers with the daily standard (full) inventory.

Edit: And I also confirm that a full inventory (glpi-inventory --debug --debug) is not reporting the old versions of the antiviruses at all (neither in antivirus nor in software), so it must be an issue on the server side (not removing/updating the old antivirus versions).

@trasher
Contributor

trasher commented Jul 29, 2024

I do not reproduce (also, this case is tested in the GLPI test suite). I've tested on the current 10./bugfixes branch, but the test has been present for a while.

First import of a computer with 2 AV:
[image]

One removed; new import:
[image]

The only problem comes when there is no "antivirus" node at all in the inventory file; but that's not what you're complaining about.
As said, partial may not be handled properly and can cause other issues.

Finally, as far as I remember, there was a change on the agent that now enables "partial" by default (no idea which version).

@MarcSamD
Contributor Author

I still don't understand why you think that the "partial" inventory is causing this issue, knowing that the partial inventory is also only reporting the latest version. I don't see in the agent logs any traces of old antivirus versions being reported.

@g-bougard Maybe you have a better way to help me troubleshoot whether it is an issue caused by the agent?

@g-bougard
Member

Hi @MarcSamD

@trasher is speaking about this recent glpi-agent new feature: glpi-project/glpi-agent#592

By default, glpi-agent 1.10 won't always send a full inventory: it starts with one full and after that it will send 14 partial ones, then one full, etc. The number can be configured and you can also disable the feature.

@MarcSamD
Contributor Author

MarcSamD commented Jul 31, 2024

Thank you for the explanation.
Indeed, I confirm that my computer is using partial inventory (full-inventory-postpone at 14 in the registry).
The number of antiviruses is back to normal this morning, the old versions have been deleted, so I cannot confirm that forcing a full inventory will solve this issue. But I will try to monitor when a new antivirus version is installed to run the test.

However, I can confirm that until April 11, the updates of the antiviruses were simultaneous:

2783949 2024-04-11 15:10 inventory Antivirus Add an item: Antivirus (Windows Defender (3234))
2783948 2024-04-11 15:10 inventory Antivirus Delete an item: Antivirus (Windows Defender (3152))

But since May 20th, I always first have a "Add an item: Antivirus" followed 7~9 days later by a "Delete an item: Antivirus".
I cannot remember when exactly I started to migrate to GLPI-Agent 1.9 and 1.10 but indeed it seems to coincide.

@g-bougard Does it make sense with your new partial inventory logic? I still find it surprising, since if there is a new antivirus version, then the digest for this category (whether it is antivirus or software) should be different and then the agent should send the result of this category. How come only the "add" could be sent without the "delete" being done?

@g-bougard
Member

Hi @MarcSamD

to make a try you can simulate a submission very easily. Just open an administrative console, go into the glpi-agent installation folder and run the following:

  1. First a full inventory with:
glpi-agent --logger=stderr --force --full

Check the result in GLPI.

  2. Then next without the --full option, this should submit a partial as the output should show you:
glpi-agent --logger=stderr --force

And check what happened in GLPI

  3. Then you can force again a full as in point 1

@trasher
Contributor

trasher commented Jul 31, 2024

I guess that test won't really help, since there will be no change between both runs.

Anyways, problem is partial inventory probably does not remove old antiviruses; while full inventory does. We're back to my first comment.

@trasher trasher added bug and removed Need feedback labels Jul 31, 2024
@g-bougard
Member

@MarcSamD

as pointed out by @trasher, between tests you'll have to make the AV inventory change. For example, if you can disable/enable an AV.

@MarcSamD
Contributor Author

MarcSamD commented Aug 9, 2024

@g-bougard I did another full run of tests but I can only confirm what @trasher said:

> Anyways, problem is partial inventory probably does not remove old antiviruses; while full inventory does. We're back to my first comment.

Maybe this ticket should be moved to GLPI-Agent, test results below:

2024-08-08 09:29 : auto inventory => no changes.
2024-08-09 09:47 : auto inventory => Add new antivirus Windows Defender 4.18.24070.5 in addition to the existing Windows Defender 4.18.24060.7. Meanwhile also successfully update some software version and add/delete Network card component.
2024-08-09 14:31 : manual partial inventory => add/delete software items and add/delete Soundcard component. No Change on antivirus.
2024-08-09 14:40 : manual partial inventory => no changes.
2024-08-09 14:43 : manual full inventory => Delete the old antivirus version. Add/delete software items and add/delete Network card component. Update Alternate username.
2024-08-09 14:48 : manual full inventory => no changes.
2024-08-09 14:52 : manual partial inventory => Update Alternate username.
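
The behaviour these test runs point to, modelled as an added example that is not part of the original thread and is not GLPI's or GLPI Agent's code. It contrasts an add-only import with a reconciliation that treats the antivirus category as authoritative whenever its node is present or the inventory is full; the function names, the rule itself and the sample payloads are assumptions, built from the product names and versions quoted above.

```python
from collections import Counter

def reported_antivirus(payload):
    """(name, version) pairs from the agent JSON's content.antivirus list."""
    return {(av["name"], av["version"])
            for av in payload.get("content", {}).get("antivirus", [])}

def add_only_import(stored, payload):
    """Symptom seen in the thread: new rows are added, old rows are kept."""
    return set(stored) | reported_antivirus(payload)

def reconcile(stored, payload):
    """Assumed rule: the antivirus category is authoritative when its node is
    present, or when the inventory is full; otherwise it is left untouched.
    Returns (new_stored, added, removed)."""
    stored = set(stored)
    has_node = "antivirus" in payload.get("content", {})
    if payload.get("partial", False) and not has_node:
        return stored, set(), set()
    reported = reported_antivirus(payload)
    return reported, reported - stored, stored - reported

def duplicated_products(stored):
    """Product names present with more than one version (stale-entry signal)."""
    counts = Counter(name for name, _ in stored)
    return sorted(name for name, n in counts.items() if n > 1)

# Constructed sample data, using the product names and versions quoted above.
STORED = {("Sentinel Agent", "23.4.223"), ("Windows Defender", "4.18.24060.7")}
PARTIAL_WITH_AV = {
    "action": "inventory", "itemtype": "Computer", "partial": True,
    "content": {"antivirus": [
        {"name": "Sentinel Agent", "version": "23.4.223"},
        {"name": "Windows Defender", "version": "4.18.24070.5"},
    ]},
}
PARTIAL_WITHOUT_AV = {"action": "inventory", "partial": True,
                      "content": {"hardware": {}}}
FULL_WITHOUT_AV = {"action": "inventory", "content": {"hardware": {}}}

if __name__ == "__main__":
    print(duplicated_products(add_only_import(STORED, PARTIAL_WITH_AV)))
    print(reconcile(STORED, PARTIAL_WITH_AV))
```

Running `duplicated_products` over the stored rows of every computer gives a quick list of machines whose antivirus page still shows a superseded version.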

@trasher trasher added this to the 10.0.17 milestone Aug 9, 2024
@trasher
Contributor

trasher commented Aug 9, 2024

> Maybe this ticket should be moved to GLPI-Agent, test results below:

No, it's a GLPI inventory issue; will be fixed.

trasher added a commit to trasher/glpi that referenced this issue Aug 9, 2024
Ensure no antivirus from full inventory removes all known antiviruses

closes glpi-project#17598
@trasher
Contributor

trasher commented Aug 9, 2024

Please test #17665 (ignore tests files when applying patch).

@MarcSamD
Contributor Author

It seems that it didn't work.

  1. Edit src/Inventory/Asset/Antivirus.php and src/Inventory/Inventory.php
  2. systemctl restart apache2
  3. Force Inventory via GLPI Agent on a computer that has duplicated antiviruses
  4. One software version is updated but no changes for the antiviruses

@trasher
Contributor

trasher commented Aug 12, 2024

Please provide inventory file.

@MarcSamD
Contributor Author

  1. Do you mean glpi-inventory --json > inventory.json or glpi-agent --logger=stderr --force or else ?
  2. Can you provide a private way of sharing the file to you (email or other) ?

@trasher
Contributor

trasher commented Aug 12, 2024

I'm a bit surprised that does not work, you also may have made a mistake editing source files; please double check.

1- no idea. What I need is the partial inventory file you used, to reproduce the failure on my side. All tests I made were OK, and the newly added tests validate that it works - it's still possible you have a "specific" case.
2- there is no private way using community support. You can clean files of any sensitive data before sending them.

@MarcSamD
Contributor Author

I already provided the partial inventory in my initial post and it is not going to help, knowing there are only the new antivirus versions in it but not the old versions (that are just not removed).

Anyway, maybe I'm on a specific case indeed as no one else seems concerned by this issue.
So please feel free to close this issue; since I have no need for partial inventory, I will just disable this new feature.
