Under Review
7 months ago

Live Discover Query to see the versions of any software installed on macOS

Hello Sophos Team,

I wanted a live discovery query that would retrieve the version of any software installed on macOS machines in my environment, as well as the hostname / IP of the machines.

The purpose of this query is to verify and patch all programs to the latest version and make sure there are no vulnerabilities affecting them.

Then, a result like Name, IP, version of the consulted software.

I appreciate the help you can give me.

JAIRO VALERIO ALFARO
  • 7 months ago in reply to RaviSoni

    Hi RaviSoni,
    Thank you very much for the quick answer.

    Really thank you very much for the help, this is excellent was what I was looking for.

    Thanks

  • 7 months ago in reply to RaviSoni

    You can search for any program with this query.

  • 7 months ago in reply to JAIRO VALERIO ALFARO

    Yes, this is correct. A better way is usage of wildcard '%'  to match the program name would be much easier in this case. You can put a condition for name, bundle_executable or bundle_name as well.

    For example,

    WHERE
    name LIKE '%Chrome%'
OR bundle_executable LIKE '%Chrome%'
OR bundle_name LIKE '%Chrome%'

    Here is the complete query ready to use.

    /* DEFINE VARIABLE IN CENTRAL */
-- VARIABLE    programName    STRING

SELECT 
   name,
   path,
   bundle_executable,
   bundle_identifier,
   bundle_name,
   bundle_short_version,
   bundle_version,
   display_name
FROM
   apps
WHERE 
   name LIKE '%$$programName$$%'
OR bundle_executable LIKE '%$$programName$$%'
OR bundle_name LIKE '%$$programName$$%'

  • 7 months ago in reply to RaviSoni

    Hi RaviSoni,


    Thank you very much for the quick answer.

    Query and if I wanted to validate the specific version of some software, how could the query be structured?

    I tried it this way with the Google Chrome example:

    SELECT
            name,
            path,
            bundle_executable,
            bundle_short_version
    FROM
           apps
    WHERE
           bundle_executable LIKE 'Google Chrome'

    I don't know if it's the right way to do it.

    Thanks.

  • 7 months ago

    Hi Jairo,

    You can run the below query and get the desired details of the installed app in macOS.

    SELECT 
   name,
   path,
   bundle_executable,
   bundle_identifier,
   bundle_name,
   bundle_short_version,
   bundle_version,
   display_name
FROM
   apps



    To get the machine IP details.

    SELECT
   friendly_name,
   interface,
   address,
   mask,
   broadcast,
   point_to_point,
   type
FROM 
    interface_addresses
WHERE 
    address LIKE '%.%.%.%' 
AND address <> '127.0.0.1'

Unfiltered HTML