Finding installations of Apache Log4j (or other) files on computers with FlexNet Manager Suite

ChrisG
Community Manager Community Manager
Community Manager
18 37 9,559

All of us who work in the world of IT have been madly scrambling this week to assess where we stand in relation to the recently disclosed CVE-2021-44228 vulnerability in Apache Log4j 2 (widely referred to as Log4Shell). One key question everybody is asking is: how can we detect and identify systems that are potentially vulnerable?

There are many tactics being followed to help answer this question. I’d like to share some suggestions for one tactic that organizations who are using FlexNet Manager Suite On Premises with inventory gathered by the FlexNet inventory agent might consider. This involves:

  1. Configuring agents to gather details of files with specific names that are of interest.
  2. Extracting/reporting on gathered details.

I hope these suggestions are useful. What tactics are you using to identify where you might be exposed to Log4Shell? Post ideas in the comments below.

Configuring agents to gather details of files with a specified name

The FlexNet inventory agent’s IncludeFile preference can be configured to specify names of files whose details should be included when gathering inventory. For example, setting this preference to the value log4j-core-*.jar will include details of files found on the filesystem that match the specified pattern.

Some possible approaches to configure the value of the IncludeFile preference are:

  1. Arrange to set the value in the HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ManageSoft Corp\ManageSoft\Tracker\CurrentVersion\IncludeFile registry entry on each computer running a Windows operating system.

  2. Arrange to set the value in the /var/opt/managesoft/etc/mgsconfig.ini configuration file on each computer running a UNIX-like operating system. For example, the following shell commands will do this:
    cat >/tmp/tempconfig.ini <<EOF
    [ManageSoft\Tracker\CurrentVersion]
    IncludeFile=log4j-core-*.jar
    EOF
    
    /opt/managesoft/bin/mgsconfig -i /tmp/tempconfig.ini
    
    rm /tmp/tempconfig.ini​
  3. Set the value through agent policy settings. There is no UI to configure this directly, but it can be done with direct manipulation of some details in the compliance database with a SQL script like the following:
    -- The value of @TargetName should be set to one 'Target__windows',
    -- 'Target__osx' or 'Target__unix' to set policy settings for computers
    -- running the identified type of operating system.
    --
    -- To target multiple types of operating systems, change the value and
    -- re-run this script multiple times.
    
    DECLARE @TargetName NVARCHAR(100)
    SET @TargetName = 'Target__windows' -- or 'Target__osx' or 'Target__unix'
    
    -- Ensure the built-in target exists
    EXEC dbo.BeaconTargetPutByNameInternal
        @Name = @TargetName,
        @Internal = 1,
        @Description = NULL,
        @Visible = 0
    
    -- Get the ID of the target to have settings applied
    DECLARE @btid INT
    
    SELECT @btid = BeaconTargetID
    FROM dbo.BeaconTarget
    WHERE Name = @TargetName
    
    -- Add setting to agent policy for computers covered by the above target
    EXEC dbo.BeaconTargetPropertyValuePutByKeyNameBeaconTargetID
        @KeyName = 'CTrackerIncludeFile',
        @BeaconTargetID = @btid,
        @Value = 'log4j-core-*.jar'
    
    -- Force beacons to update to get latest settings containing the above changes
    EXEC dbo.BeaconPolicyUpdateRevision​
  4. If the ndtrack inventory gathering process is invoked directly, specify a value for the preference on the command line. For example:
    ndtrack -t Machine -o IncludeFile=log4j-core-*.jar​

Agent settings to scan for file details must be enabled for the IncludeFile preference to be effective. These settings are commonly configured through the Included file evidence configuration settings on the Discovery & Inventory > Settings page in the FlexNet Manager Suite web UI.

Once agent preferences are configured appropriately, details of files will appear in inventory .ndi files similarly to the following:

 

<Content MD5="NO_MD5" Size="5427604">
     <Instance Path="C:\Path\log4j-core-2.16.0.jar" DateTime="20211212T233542"/>
</Content>

 

Reporting on gathered details

Once inventory gathered by agents has been uploaded and imported, appropriately crafted SQL queries can be run against the inventory database to extract and report on details.

For example, the following query will retrieve a list of computer names along with details of files that have been found on them:

SELECT ComputerName = c.ComputerCN
    , FileName = sfn.Name, sp.Path, sf.Size, Timestamp = sf.DateTime
    , InventoryDate = ir.SWDate
FROM dbo.SoftwareFileName sfn
    JOIN dbo.SoftwareFile sf ON sf.SoftwareFileNameID = sfn.SoftwareFileNameID
    JOIN dbo.SoftwareFilePath sp ON sp.SoftwareFilePathID = sf.SoftwareFilePathID
    JOIN dbo.Computer c ON c.ComputerID = sf.ComputerID
    JOIN dbo.InventoryReport ir ON ir.ComputerID = sf.ComputerID
WHERE sfn.Name LIKE 'log4j-core-%.jar'

Limitations of relying on file details for security assessments

While knowing which computers files are found on can be useful to gain insight into possible exposure to a vulnerability like Log4Shell, it is far from bulletproof:

  • Having a file with a particular name installed does not guarantee that a system is exposed or vulnerable.
  • Conversely, failing to find a file with a particular name installed does not guarantee that a system is not exposed or vulnerable.

A tactic of looking for files with particular names like this should be just one of many tactics that an organization uses.

Possible extensions

Ideas for possible additional extensions to the above approach which you might consider are:

  • Import additional file details as file evidence into Flexnet Manager Suite

    By default, FlexNet Manager Suite’s inventory import procedures only import details of files that end with one of the following extensions: .sys, sys2, wtag, dtag, ptag, .sig, .exe, and .lax

    Advanced FlexNet Manager Suite administrators could explore modifying the inventory import procedures to import details of files with additional extensions of interest.
  • Reporting interface

    Rather than extracting data from the inventory database with a direct query, consider using reporting tools that can provide this data through an appropriate user interface.

Other links

If you’re interested in this topic, here are some other links that may be useful:

Acknowledgements

Thanks to the following Flexera Community users for sharing questions, ideas and discussion that have helped to inspire this post: @Frank07@bmaudlin@adrian_ritz1@dennis_reinhardt@akuntze@WStephans@caipingcba@raghuvaran_ram@Resnofendri 

 

37 Comments
mkieselbach
Level 2

Very nice summary! Is there any reason for the specification of "log4j-core-%.jar" instead of "log4j%.jar" or was that just an example?

Because I scanned just for the jar extention and the results, after filtering on both options differ both in the quantity of files and in the number of devices on which something was found. Looking at the CVE article I think "-core" was just used as an example.

caipingcba
Level 3

"log4j-core-%.jar" is just an example. I used 'log4j*.jar' with solution 1 and it worked and collected all log4*.jar files. 

caipingcba
Level 3

I have a question about roll back. 

What is the roll back procedure for point 3. Set the value through agent policy settings?  

caipingcba
Level 3

I assume the rollback step is just to remove new rows in DB table dbo.BeaconTargetPropertyValue 

mkieselbach
Level 2

@caipingcba 
Even tho not available in the WebUI you can configure "custom parameters" withing the database. This information is then published in the BeaconConfig.xml. With the configuration update the agents then retrieve this information.

In the case of the example a a registry key (windows) will be written as 

"CTrackerIncludeFile"  with the Value "log4j-core-*.jar" 

This will lead to the same result as all the other options. It just has little manual effort, since the agents update themself with the new config.

This also works for UX based agents. The information is just stored in the config file, since there is no registry.

ChrisG
Community Manager Community Manager
Community Manager

@mkieselbach - the techniques described here can certainly be applied to different filename patterns. I chose log4j-core-*.jar as the example as that will match common filenames that contain the CVE-2021-44228 vulnerability. You will find many more files match the more general pattern log4j*.jar, but most of them are not going to be related to the vulnerability.

FWIW, some information about the specific JAR file impacted by the vulnerability appears on the page at https://logging.apache.org/log4j/2.x/security.html which states:

"Note that only the log4j-core JAR file is impacted by this vulnerability."

With all of that said, and to elaborate on an important comment made in this post: the vulnerability may exist in files with different names, including files that have no obvious relationship to log4j. For example, the log4j-core JAR file could easily be embedded in a file named HappyDays.war, which a simple scan of the filesystem for files named log4j-core-*.jar won't find.

ChrisG
Community Manager Community Manager
Community Manager

@caipingcba - to rollback changes that were made to the agent policy settings using the SQL script described in this post:

  1. Either delete unwanted rows from the dbo.BeaconTargetPropertyValue view, or update their values to '' (empty string). For example (picking the delete approach):
    DELETE FROM dbo.BeaconTargetPropertyValue
    WHERE KeyName = 'CTrackerIncludeFile'​
  2. Execute the following stored procedure to notify the system that there is a change that should be propagated to agents:
    EXEC dbo.BeaconPolicyUpdateRevision​
raghuvaran_ram
Level 6

@ChrisG  I followed step 3 and the only changes I made in the query was the target name (created target name under discovery and inventory rules and selected the servers) when executed our DB showed successful results as 3 rows were affected. I waited for the full reconciliation and one day for the agents to collect the new inventory  and then ran the query you mentioned under this topic "Reporting on gathered details"

when I executed that query it did not provide any output. please help me to understand what I'm doing wrong.

 

I want to scan all my servers to find the files and path anything in this name  'log4j-core-%.jar'

 

also when I exected this command in the compliance DB

selects FROM dbo.BeaconTargetPropertyValue
WHERE KeyName = 'CTrackerIncludeFile'​

 

it showed 3 results as I created 3 targets each for Windows, Linux & Unix.

ChrisG
Community Manager Community Manager
Community Manager

@raghuvaran_ram - there are a lot of moving parts between the start and end of the process you've described here, so it is hard to guess what may have been missed. Here are some ideas of places to look to see if you can spot where things may have broken down.

Select a problematic client computer for troubleshooting. A good starting point on that computer is then to check the ndtrack component's log file to ensure it shows file details being gathered as part of inventory.  This file is at C:\Windows\Temp\ManageSoft\tracker.log on Windows, or /var/opt/managesoft/log/tracker.log UNIX-like operating systems.

Key messages to look for in the log file are:

  1. Log message identifying which directories the agent is configured to gather file details from:
    [15/12/2021 2:37:31 PM (G, 0)] {19208} File tracking looking for files in directories 'C:\'​
  2. Log message identifying file names the agent is to configured to gather details about:
    [15/12/2021 2:37:31 PM (G, 0)] {19208} File tracking looking for files with names 'log4j-core-*.jar'​
  3. Log messages showing the generated inventory NDI file being successfully uploaded:
    [15/12/2021 2:38:42 (G, 0)] {19208} Uploading file 'system on ws101 at 20211215T143720 (Full).ndi.gz' to 'https://beacon.acme.corp/ManageSoftRL/Inventories'
    [15/12/2021 2:38:42 (G, 0)] {19208} File 'system on ws101 at 20211215T143720 (Full).ndi.gz' removed from upload directory​

If you don't find all of these messages in the file it suggests that the agent's preference settings were not set appropriately to gather the data you're looking for at the time inventory was last gathered. For example, maybe policy has not been applied since the settings were updated on the server, or maybe the policy settings to enable gathering of file details were not configured as you expected.

Some other files to check on the client computer are:

  • Look in the ndlaunch agent log to check a policy update operation has been successfully completed. This will normally happen once a day. This log file is at C:\Windows\Temp\ManageSoft\installation.log on Windows, or /var/opt/managesoft/log/installation.log UNIX-like operating systems. The log file will contain a URL of showing the "client settings" package that has been applied as part of policy - you could use this URL in a browser to download a copy of that package .ndc file yourself and check that it contains the IncludeFile setting you have configured.

  • A copy of the most recently generated NDI inventory file will be stored under C:\ProgramData\ManageSoft Corp\ManageSoft\Tracker\Inventories  on Windows or /var/opt/managesoft/tracker/inventories on UNIX-like operating systems. Search in there for "<Content>" elements like described in this post to see if file details have been included.

Note that the approach described in this article does not depend on the reconciliation process having run. Data will be returned by the final "SELECT" SQL query executed against the inventory database as soon as inventory NDI files are uploaded and imported into the inventory database.

chirag_sharma2
Level 7

Thanks for shring the details @ChrisG, We are using FNMS Cloud not on premises so is it still a concern because we are capturing invnetory through Inventory agent? 

ChrisG
Community Manager Community Manager
Community Manager

@chirag_sharma2 - while it would be possible to configure the IncludeFile inventory agent preference on your client computers so they include the corresponding file details in inventory, there is no way for Flexera One ITAM (previously known as FlexNet Manager Suite Cloud) to make use of that data in a way that you would be able to access. So unfortunately the approach described here won't be helpful for you.

adrian_ritz1
Level 9

Update on step 4, if you decide to go with the step 4, this is valid till next inventory generation by the agent.

Basically what's happening is:

Let's say at 14:00 you generate the inventory and include all jar files, the .ndi is uploaded, and every thing is fine.

At 16:00 the agent is generating normal inventory, and the data get uploaded, without .jar files, the original data with .jar files get overwritten and the data are gone, so you need to take into consideration the time when the inventory is generated and when they are uploaded.  

raghuvaran_ram
Level 6

@ChrisG  thanks for your response earlier today.

I have followed all the steps you shared and did not find any evidence which means the changes I made in the DB doesn't reach the beacon at all.

In my previous target, I had multiple devices so I have created a new target with one VM and tried executing step 3 but still no luck.

in the affected machine when I manually created a registry entry under tracking >Current version as included file the agent collects the .jar files and I'm able to vire the details in DB, I want to have this validated in 1000+ servers so I cannot do it manually and wanted to do it from the DB as per your suggestion. 

After running step 3 how do I confirm that the targets I set reach the beacon?  as per my understanding from the beacon, this is been sent to agents when they check for the updated policy next time, in this case I doubt the changes we make and force in the DB is not reaching the beacons. Please advise on what is the next step I need to follow.

ChrisG
Community Manager Community Manager
Community Manager

@raghuvaran_ram - I think the target and associated policy settings can be seen on the beacon once they have arrived there in the file C:\ProgramData\Flexera Software\Beacon\BeaconPolicy.xml. I expect you'll find a policy "revision" number somewhere within the file. That can be compared against the latest revision number as shown in the dbo.BeaconPolicy view in the compliance database to check if there is any discrepancy:

SELECT RevisionNumber, LastChangedOn FROM dbo.BeaconPolicy

Look in the C:\ProgramData\Flexera Software\Compliance\Logging\BeaconEngine\BeaconEngine.log file on the beacon for logging related to updating the policy information cached on the beacon.

adrian_ritz1
Level 9

If you want to create a WebUI report, you can create something like this:

 

Use FNMSCompliance -- use the FNMP Compliance database name
GO

IF OBJECT_ID ('dbo.ar_Log4j_Report', 'P') IS NOT NULL
DROP PROCEDURE dbo.ar_Log4j_Report -- drop Stored Procedure if it exists
GO
CREATE PROCEDURE dbo.ar_Log4j_Report AS

SELECT ComputerName = c.ComputerCN
, FileName = sfn.Name, sp.Path, sf.Size, Timestamp = sf.DateTime
, InventoryDate = ir.SWDate
FROM fnmsinventory.dbo.SoftwareFileName sfn
JOIN fnmsinventory.dbo.SoftwareFile sf ON sf.SoftwareFileNameID = sfn.SoftwareFileNameID
JOIN fnmsinventory.dbo.SoftwareFilePath sp ON sp.SoftwareFilePathID = sf.SoftwareFilePathID
JOIN fnmsinventory.dbo.Computer c ON c.ComputerID = sf.ComputerID
JOIN fnmsinventory.dbo.InventoryReport ir ON ir.ComputerID = sf.ComputerID
WHERE sfn.Name LIKE '%.jar'

GO

DECLARE @ViewName nvarchar(64), @tenant int
SET @ViewName = 'Log4j report' -- Unique Name you want to display for object
SET @tenant = 1 -- Tenant for which this view applies

EXEC ComplianceCustomViewRegister
@TenantID = 1,
@ComplianceSavedSearchSystemID = NULL,
@SearchName = @ViewName,
@SearchNameResourceName = NULL,
@Description = 'This view shows all *.jar files found into environment ',
@DescriptionResourceName = NULL,
@SearchGridLayout = NULL,
@SearchXML = NULL,
@SearchSQL = 'EXEC dbo.ar_Log4j_Report',
@SearchSQLConnection = 'Live',
@SearchMapping = NULL,
@ComplianceSearchType = 'Custom',
@ComplianceSearchFolderSystemID = -17,
@CanDelete = 1,
@CanChangeMasterObject = 0

 

ChrisG
Community Manager Community Manager
Community Manager

Awesome - thanks for putting that together and sharing @adrian_ritz1. What a champion!

raghuvaran_ram
Level 6

@ChrisG  all these BeaconPolicy.xml & BeaconEngine.log & the DB shows the same version of the policy, but even when I clearly targeted one beacon by deleting the files in the registry managesoft>download settings> leaving bootstrap server 1, it downloads all the details of all the beacons but not updating the tracking >Current version with the entry file includes.

I'm spending more time in sorting this out, please can you assist

ChrisG
Community Manager Community Manager
Community Manager

@raghuvaran_ram do you see of the desired IncludeFile preference value appearing in the BeaconPolicy.xml file? If the value doesn't appear there it suggests the changes in the compliance database to configure this value haven't worked. If the value does appear there then it suggests when the agent downloads its policy the IP address or hostname details the agent provides in the policy down URL may not be getting matched up to the configuration specified in the target.

raghuvaran_ram
Level 6

@ChrisG  I can see the IncludeFile mentioned in all our beacons "beaconpolicy.xml file, so the agent should reach any one of the beacons to download the policy, I also validated the log files in the agent VM by manually triggering the command mgspolicy and the log shows the latest timestamp and exited successfully. However, the IncludeFile entry is not created in the registry

ChrisG
Community Manager Community Manager
Community Manager

@raghuvaran_ram - so that sounds like the beacon may be failing to associate the client computer with the target configuration details that you have set up. Some troubleshooting steps to check that would be to look in the installation.log file on the client computer and consider the following points.

Look in the .log file to find the URL that the agent is using to download its policy (.npl) file. Relevant logging showing the URL will look something like:

[Fri 23 Jul 2021 12:36:29 PM PDT (N, 0)] {3616} Downloading "https://beacon.acme.corp/ManageSoftDL/Policies/Merged/acme.corp_domain/Machine/ws101.npl?machinename=ws101&ipaddress=10.16.202.145" to "/var/tmp/NDL965608012.npl"

The values specified for the "machinename" and "ipaddress" parameters in this URL are what the beacon will use to try to match the device to the target you have configured. If they don't match the target configuration, settings configured for the target won't be applied on the client computer.

Also look in the log for the URL that the agent is using to download the "Device Configuration.osd" package. Relevant logging will look similar to:

[Fri 23 Jul 2021 12:36:36 PM PDT (N, 0)] {3616} Downloading "https://beacon.acme.corp/ManageSoftDL/ClientConfiguration/Device Configuration 59D7EE562EF059341FA252AC88547EEC/Device Configuration.osd" to "/var/tmp/NDL546291850.osd"

Take the URL you find there, change the ".osd" at the end to ".ndc", and use your browser to download that file. If it is all matching up, you should see the IncludeFile preference value appearing within the downloaded .ndc file.

raghuvaran_ram
Level 6

@ChrisG 

1. The target IP in the .npl matches with the target I set in the UI

2. I have validated the beacon URL displayed in the .npl. beacon policy is showing the updated version and the IncludeFile parameters.

3. when manually downloaded the .ndc file I do not see the IncludeFile parameters

I have already raised a case for this #02521354, I would be of great help if you ask someone from support to fix this over a call. 

AnttiMustonen
Level 5

Hi, after appyling the log4j file scan some agents seem to stuck: 

{6524} Scanning directory 'C:\' for files

...Then not proceeding at all, next scehduled scan results in the same outcome and the .ndi files are not generated.

I also applied "ExcludeExtension" registry setting to prevent "exe" file scanning afterwards.

However, on another setup the scanning works fine.

It's weekend so it's hard to reach server admins so I cannot estimate why this is happening? Perhaps a security/anti-virus agent blocking the scans? There have not been any notifications of high CPU or disk usage though from monitoring.

For log4j search folders cannot feasibly be narrowed down as they could be practically anywhere.

BR, Antti

ChrisG
Community Manager Community Manager
Community Manager

@AnttiMustonen - not seeing any further logging appearing after that "Scanning directory 'C:\' for files" message sounds like the scanning process (ndtrack.exe) has terminated for some reason. That would be unusual and unexpected, but not impossible. Check in the Application event log for any indication of an error recorded there around or shortly after the timestamps appearing in the logging.

If the ndtrack.exe process is crashing, you will likely need some assistance from Flexera Support to troubleshoot and investigate why that is happening.

AnttiMustonen
Level 5

Hi, @ChrisG I just managed to get access to one server and checked the Application log. ndtrack.exe version 20.0.0.1 and mgscmn.dll version 20.0.0.1 reported application error at start of the scan. Policy download & installation process was not affected however and rolling back/disabling the scan settings was successful.

EDIT: found this, probably is related:

Solved: Re: NDI file not updating - Community (flexera.com)

EDIT2: DLL and NDTRACK.exe seem to match to 2019 R2 version. So there is no disparency.

Will make a ticket, thanks!

BR, Antti

AnttiMustonen
Level 5

Hi, I apparently found the reason for the mgscmn.dll crash.

"IncludeFile" registry key in 2019 R2 agent registry cannot include double wildcard: *log4j*
In 2021 R1 agent this works, but 2019 R2 agent causes mgscmn.dll/ndtrack.exe to fail.

BR, Antti

nrousseau1
Level 7 Flexeran
Level 7 Flexeran

Hello,

Performing some testing related to log4J... but also the recognition of products like JBOSS or TIBCO products that have .jar files, I realized the FileEvidences.xml reader in C:\ProgramData\Flexera Software\Compliance\ImportProcedures\Inventory\Reader\ManageSoft has a hard coded filtering on imported file extensions, that does not include JAR files.

To avoid the high volume of additional file evidences, you may use the IncludeFile parameter that Chris shared... then, to have the inventoried JAR files imported into the ImportedFileEvidences and FileEvidence tables, you need to create a custom inventory reader step, that will extend the Windows files collected from the Inventory Manager tables to ".jar" files.

There are 3 instances where this happens (For FNMS 2021R1: step 145, 181 and 220).

You need to create a FileEvidence.xml in C:\ProgramData\Flexera Software\Compliance\ImportProcedures\CustomInventory\Reader\ManageSoft that will contain only the 3 modified sections (please comment your modifications to help the consultant in charge of the next FNMS upgrade). Don't forget to place the reader.config file.

As you can see in screenshot below, the jar file evidences will appear in the evidence tab of your devices... and you will be able to use them for recognition.

For instance:

...
WHERE RIGHT(RTRIM(sfn.Name), 4) IN ('.exe', '.sys', 'sys2', 'wtag', 'ptag', '.lax', 'dtag', '.sig')

to

...
WHERE RIGHT(RTRIM(sfn.Name), 4) IN ('.exe', '.sys', 'sys2', 'wtag', 'ptag', '.lax', 'dtag', '.sig', '.jar').

 

Hope it helps,

Nicolas

Jar Files In Evidence.png

raghuvaran_ram
Level 6

@adrian_ritz1  thanks for the query, Can you also please help to include the affected version as a separate column.

@ChrisA  Many of the file evidence shows only "log4j.jar"  what version should that be considered

 

ChrisG
Community Manager Community Manager
Community Manager

@raghuvaran_ram - I'm not familiar with all the different file names that log4j uses, but information about the specific JAR file impacted by the CVE-2021-44228 vulnerability appears on the page at https://logging.apache.org/log4j/2.x/security.html which may be helpful to you. This page states:

"Note that only the log4j-core JAR file is impacted by this vulnerability."

And just to be clear (I know I'm repeating myself, but I don't think this can be said enough! 😀😞 while finding files of particular names may be one useful tactic for identifying potential exposure to CVE-2021-44228, it by no means a foolproof method for finding all potential exposures.

raghuvaran_ram
Level 6

@ChrisG  thanks for your quick response, what is your thought on the file evidence with only this naming conversion "log4j-core"  without any specific versions mentioned in the file name should this be considered as the base version.

ChrisG
Community Manager Community Manager
Community Manager

@raghuvaran_ram - I'm not sure what a "log4j-core" file that doesn't include a version number in the filename might correspond to. You might consider contacting the developer/publisher of the software that includes the file that you've found to see if they can provide any insight.

gsc_mysam_sggl
Level 3

Hi,

If we choose includefileevidence for a specific path in the inventory settings will it not scan any other folder in that server and generate a report with evidences found only in the specified path? Which eventually lead to unlink the Applications which were part of that inventory device previously? If yes, is there a way to target a specific path along with the complete server scan thinking that folder is not being scanned as expected?

Regards,

Srikanth Mallampati 

ChrisG
Community Manager Community Manager
Community Manager

@gsc_mysam_sggl - when you configure paths to be scanned, only directories under those paths will be scanned. The agent won't scan for files in directories that you don't specify. You can specify specific (deep) or general (shallow) paths to be scanned, depending on your need - so if you have a specific path you want to ensure is scanned, simply add it to the list of paths.

gsc_mysam_sggl
Level 3

@ChrisG , thanks for the clarification. May I know how does Flexera pick the evidence from the specific path mentioned in includefileevidence section of Inventory settings when the scan complete system doesnt pick the evidence from that path? The second option in the includefileevidence module is to collect file evidence from all folders right, in that case it should collect evidence from the specified path too right? I have seen scenarios when the third option ,collect file evidence from specified folder is selected and provided with a specific path, it has collected some evidence which we did not get when opted for second option. How is this possible? And also, is there a possibility to target only few devices instead of the entire farm which is reporting over FNMS Agent? Where can we change the setting to enable the agent to scan for more extension than the existing scan for some extensions? last and final question is, if we need to change the configuration of FNMS Agent on all the servers how can we modify it?

Thanks in Advance,

Srikanth Mallampati

flexeranoob
Level 7

Do we have the hotfix for Log4j vulnerability for FNMS/FNMEA?

ChrisG
Community Manager Community Manager
Community Manager

@flexeranoob - check out the following page for the current status of Log4j vulnerability potential exposures, along with links to articles that discuss fixes and mitigation strategies where appropriate: Flexera’s response to Apache Log4j vulnerabilities CVE-2021-4104, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44228.

ymhadjou
Level 4

Hello,

I want to customize this in order to detect log4j and spring for the same OS. Is it possible to do that ?

EXEC dbo.BeaconTargetPropertyValuePutByKeyNameBeaconTargetID
    @KeyName = 'CTrackerIncludeFile',
    @BeaconTargetID = @btid,
    @Value = 'log4j-core-*.jar'

 Thanks you for help.

Yasmina

ChrisG
Community Manager Community Manager
Community Manager

@ymhadjou - apologies for the delay, I had missed this question earlier.

You can specify a comma-separated set of filename patterns in the CTrackerIncludeFile preference. For example:

EXEC dbo.BeaconTargetPropertyValuePutByKeyNameBeaconTargetID
    @KeyName = 'CTrackerIncludeFile',
    @BeaconTargetID = @btid,
    @Value = 'log4j-core-*.jar,another-file-of-interest.jar'

 

Melbourne, Australia
Latest Articles