Using NinjaOne to check your managed endpoint devices for Coro Agent

This guide describes how to configure NinjaOne Remote Monitoring and Management (RMM) to check your managed endpoint devices for the presence of the Coro Agent. The automation configured through this process can test endpoint devices and return details of:

  • Whether the Coro Agent is installed on a device
  • Whether the Coro Agent is running
  • Whether the Coro Agent is up-to-date, and the last update time

Prerequisites

Before you begin this guide, make sure you have:

  • An active Coro subscription
  • Endpoint devices running Coro Agent version 2.5.60.1 (3.1) or later
  • Coro's NinjaOne RMM PowerShell script, copied to your clipboard or saved to a file on your local workstation:
    # Setting the environment
    $env:NINJARMMCLI = "C:\ProgramData\NinjaRMMAgent\ninjarmm-cli.exe"

    # Setting variables
    $softwareName = "*Coro"

    # Look for Coro in the 32-bit and 64-bit uninstall registry keys
    $uninstallPath32 = "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
    $registryResult32 = Get-ItemProperty -Path $uninstallPath32 -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like $softwareName }

    $uninstallPath64 = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*"
    $registryResult64 = Get-ItemProperty -Path $uninstallPath64 -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like $softwareName }

    # Extract the product code (GUID) from the 64-bit uninstall string, if present
    $valueReg64 = $registryResult64.UninstallString
    $match = [regex]::Match($valueReg64, '\{[^}]+\}')
    if ($match.Success) {
        $uninstallStringReg64 = $match.Value
    }

    # Look for Coro through the package provider
    try {
        $packageResult = Get-Package -ErrorAction Stop | Where-Object { $_.Name -like $softwareName }
    } catch {
        $packageResult = $null
    }

    # Look for Coro through WMI.
    # Note: querying Win32_Product makes Windows Installer run a consistency
    # check on every installed MSI package, so this step can be slow.
    try {
        $wmiResult = Get-WmiObject -Class Win32_Product -ErrorAction Stop | Where-Object { $_.Name -like $softwareName }
        if ($null -ne $wmiResult) {
            $wmiIdentifyingNumber = $wmiResult.IdentifyingNumber
            $wmiValue = $true
        }
    } catch {
        $wmiResult = $null
    }

    # Check if Coro is installed
    function Check-Installed {
        $installed = $false

        if ($registryResult32 -or $registryResult64 -or $packageResult -or $wmiResult) {
            $installed = $true
        } elseif (Test-Path "C:\Program Files\Coro Cyber Security Ltd\Coro\user\Coro.exe") {
            $installed = $true
        }

        # Out-Null keeps any CLI output out of the function's return value
        if ($installed) {
            & $env:NINJARMMCLI set coroInstalled 1 | Out-Null
        } else {
            & $env:NINJARMMCLI set coroInstalled 0 | Out-Null
        }

        return $installed
    }

    $installed = Check-Installed

    # Check if Coro is running
    $logFile = "C:\ProgramData\CoroAgent1SRV\p\status\antivirus.json"
    $coroRunning = 0

    if ($installed -and (Test-Path $logFile)) {
        # -Raw reads the file as one string so that -match populates $Matches
        $json = Get-Content $logFile -Raw
        if (($json -match '"running"\s*:\s*(true|false)') -and ($Matches[1] -eq "true")) {
            $coroRunning = 1
        }
    }

    # Always write a value so the field never keeps a stale result
    & $env:NINJARMMCLI set coroRunning $coroRunning

    # Check update status
    $logFileNew = "C:\ProgramData\CoroAgent1SRV\p\status\antivirus.json"
    $coroUpToDate = 0

    if ($installed -and (Test-Path $logFileNew)) {
        $fileContent = Get-Content $logFileNew -Raw
        if (($fileContent -match '"upToDate"\s*:\s*(true|false)') -and ($Matches[1] -eq "true")) {
            $coroUpToDate = 1
        }
    }

    & $env:NINJARMMCLI set coroUpToDate $coroUpToDate

    # Check last update time
    $filePath = "C:\ProgramData\CoroAgent1SRV\p\status\malware_db_update_time.log"

    if ($installed -and (Test-Path $filePath)) {
        # The file holds a Unix timestamp in seconds
        $timestamp = Get-Content $filePath | Select-Object -First 1
        $date = [DateTimeOffset]::FromUnixTimeSeconds([long]$timestamp)
        $formattedDate = $date.ToString("dd/MM/yyyy")
        & $env:NINJARMMCLI set lastUpdateTime $formattedDate
    } elseif (-not $installed) {
        & $env:NINJARMMCLI set lastUpdateTime "N/A"
    } else {
        # Quoted so the message is passed to the CLI as a single value
        & $env:NINJARMMCLI set lastUpdateTime "Will be shown once virus definition files update"
    }

    # Check Coro version number
    if ($installed) {
        $registryPath = "HKLM:\SOFTWARE\Coro Cyber Security Ltd\Coro"
        $valueName = "Version"
        $value = Get-ItemProperty -Path $registryPath -Name $valueName -ErrorAction SilentlyContinue | Select-Object -ExpandProperty $valueName

        # Fall back to N/A if the version value cannot be read
        if (-not $value) { $value = "N/A" }

        & $env:NINJARMMCLI set coroVersionNumber $value
    } else {
        & $env:NINJARMMCLI set coroVersionNumber "N/A"
    }
  • An active NinjaOne RMM subscription and access to the console
  • Your NinjaOne environment is populated with enrolled Windows-based endpoint devices

Setting up an automation in NinjaOne

Coro provides a PowerShell script through which NinjaOne can interrogate endpoint devices for the presence of the Coro Agent. This script references and populates variables matching the names of Global custom fields that you must add through the NinjaOne console.

The procedure described in this section covers adding Global Custom Fields and then adding the automation within which the script resides.

Adding Global Custom Fields

The following table lists fields required by the Coro Agent PowerShell script. For each entry, add a matching Global Custom Field using the procedure defined below.

Important

As you add these fields, it is essential to make sure the label and name match precisely those specified. Make sure you also add the correct field type as shown.

Label               | Name              | Type     | Purpose
--------------------|-------------------|----------|--------------------------------------------------------
Coro installed      | coroInstalled     | Checkbox | Identifies if the Coro Agent is installed on a device.
Coro running        | coroRunning       | Checkbox | Identifies if the Coro Agent is running on a device.
Coro up to date     | coroUpToDate      | Checkbox | Identifies if the Coro Agent is up to date.
Coro version number | coroVersionNumber | Text     | Displays the installed Coro Agent version number.
Last update time    | lastUpdateTime    | Text     | Declares when the Coro Agent was last updated.

Perform the following steps:

  1. Log into the NinjaOne console.
  2. From the navigation pane, select Administration:

    Administration option in the navigation bar

  3. Select Devices > Global Custom Fields:

    Selecting Devices > Global Custom Fields

  4. Select Add > Field:

    Selecting Add Field

    The Create Field dialog appears:

    Create Field dialog

  5. Enter the Label for your required field. For example, "Coro installed".

    NinjaOne auto-populates the Name field. For example, "coroInstalled" appears automatically.

  6. For Select Field Type, choose the corresponding type from the drop-down list. For example, select "Checkbox".

    Your Create Field dialog should match the following example:

    Create Field dialog with example values

  7. Select Create.

    A settings dialog appears:

    Global Custom Field settings dialog

  8. Enter the following details:
    • Technician: Select Editable.
    • Automations: Select Read/Write.
    • API: Select Read/Write.
    • Definition Scope: Select Device, Location, and Organization.
    • Label: Pre-populated from the previous step.
    • Description: (Optional) Enter a short description.
    • Tooltip Text: (Optional) Enter a tooltip for the field.
    • Footer Text: (Optional) Enter help text to appear in the footer.
    • Required: Not required.
  9. Select Save to save your changes.
  10. Repeat these steps to add each of the remaining fields.

Note

Global custom fields apply automatically to all endpoint devices in NinjaOne. If you wish for fields to apply only to certain devices, create new fields instead in Role custom fields and assign them to the required individual devices.

Adding the automation

Follow this procedure to add a NinjaOne automation which, when run against one or more of your enrolled endpoint devices, returns the Coro Agent installation status in the global custom fields for the device.

To add the automation:

  1. Log into the NinjaOne console.
  2. From the navigation pane, select Administration:

    Administration option in the navigation bar

  3. Select Library > Automation:

    Selecting Automation from the menu

  4. Select Add > New script:

    Selecting Add New script

    The Create Script dialog appears:

    Creating a new automation script

  5. Paste the Coro PowerShell script provided earlier into the left editor pane of the Create Script dialog. Alternatively, drag and drop the saved script file into the editor pane to automatically load and populate the script contents.
  6. Enter the following details in the right pane:
    • Name: Enter a name for this automation. For example, "Detect_Coro".
    • Description: (Optional) Enter a suitable short description, if required. This automation is designed to run a Windows PowerShell script to identify if the Coro Agent is present on an endpoint device. The results are placed in the global custom fields defined earlier.
    • Categories: Select one or more categories that meet your organization's requirements.
    • Language: Select PowerShell.
    • Operating System: Select Windows.
    • Architecture: Select 64-bit.
    • Script Variables: Leave as default.
    • Parameters: Leave as default.
  7. Select Save to save your changes.

This completes the configuration process.

Running the automation against your endpoint devices

Note

Make sure you have one or more Windows-based endpoint devices enrolled in NinjaOne before running the automation.

To check an endpoint device, perform the following steps:

  1. Log into the NinjaOne console.
  2. From the navigation pane, select Devices:

    Devices option in the navigation bar

  3. From the Devices page, select the checkbox adjacent to each device against which you want to run the automation script (or select all devices through the checkbox at the top of the list):

    Select devices

  4. Select Run > Run Automation > Script:

    Run an automation script against a device

  5. From the Automation Library dialog, select your previously created Detect_Coro automation:

    Select automation script dialog

    A dialog appears enabling you to confirm how to run the script:

    Run script dialog

  6. Leave all options as their default values, then select Run to start the automation. Select Yes to confirm.
  7. To check the progress of the automation, select a device, then select Activities > All:

    Viewing activities for a device

  8. In the activities log, locate the applicable Start Requested entry:

    Device activities log

  9. When the script has completed, an activity entry is added marked as Completed, with a SUCCESS result indicator.
  10. After a short wait, the results of the automation are presented in the Custom Fields tab:

    Custom fields populated
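
The following PowerShell is an added example, not part of Coro's script or NinjaOne's tooling. Run on an endpoint after the automation completes, it reads the five custom fields back and flags inconsistent or stale values. It assumes that "ninjarmm-cli get <field>" prints the stored value and that checkbox fields read back as 1 or 0; the function name, the seven-day threshold and the fallback sample values are constructed for illustration.

```powershell
# Added example: read back the Coro custom fields and flag problems.
function Test-CoroFieldState {
    param(
        [hashtable]$Fields,
        [int]$MaxAgeDays = 7,            # assumed threshold, not a Coro value
        [datetime]$Now = (Get-Date)
    )
    $findings = @()
    # Assumption: checkbox fields read back as 1/0 (true/false also accepted).
    $isSet = { param($v) "$v".Trim() -in '1', 'true' }

    if (-not (& $isSet $Fields.coroInstalled)) {
        return ,@('Coro Agent is not installed')
    }
    if (-not (& $isSet $Fields.coroRunning))  { $findings += 'Agent installed but not running' }
    if (-not (& $isSet $Fields.coroUpToDate)) { $findings += 'Agent is not up to date' }

    # The script stores lastUpdateTime as dd/MM/yyyy. Parse with that exact
    # format so 03/04/2025 is read as 3 April regardless of console locale.
    $parsed = [datetime]::MinValue
    $ok = [datetime]::TryParseExact("$($Fields.lastUpdateTime)", 'dd/MM/yyyy',
        [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
    if (-not $ok) {
        $findings += "No update date recorded ('$($Fields.lastUpdateTime)')"
    } elseif (($Now - $parsed).TotalDays -gt $MaxAgeDays) {
        $findings += "Last update $($parsed.ToString('yyyy-MM-dd')) is older than $MaxAgeDays days"
    }
    return ,$findings
}

$cli   = 'C:\ProgramData\NinjaRMMAgent\ninjarmm-cli.exe'
$names = 'coroInstalled', 'coroRunning', 'coroUpToDate', 'coroVersionNumber', 'lastUpdateTime'
$fields = @{}
if (Test-Path $cli) {
    foreach ($n in $names) { $fields[$n] = "$(& $cli get $n)".Trim() }
} else {
    # Constructed sample values, used when run off an endpoint
    $fields = @{ coroInstalled = '1'; coroRunning = '1'; coroUpToDate = '0'
                 coroVersionNumber = '0.0.0.0'; lastUpdateTime = '03/04/2025' }
}
$problems = @(Test-CoroFieldState -Fields $fields)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { "WARN: $_" }
} else {
    "OK: Coro $($fields.coroVersionNumber) installed, running and current"
}
```

A "No update date recorded" finding on a freshly installed device corresponds to the script's "Will be shown once virus definition files update" placeholder rather than to a fault.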