FlexNet agent updates integrity


I am trying to determine the potential impact of a beacon server on the security of a managed device.

More specifically, in https://helpnet.flexerasoftware.com/fnms/EN/WebHelp/PDF%20Documents/Cloud/GatheringFlexNetInventory....it is said that an agent can download an update .osd package following the information contained in an .npl file.

I would like to confirm a couple of items:

- Are these files (.npl and .osd) protected from tampering and if Yes, how ?

- Where the packages containing agent updates are generated?


More generally, in the case a FlexNet server is compromised, could it  be used as a stepping stone to compromise a managed device, for example, by making available a forged update package with a backdoor?



Best regards

0 Kudos
2 Replies
Intrepid explorer

Re: FlexNet agent updates integrity

I beleive that these files aren't protected from tempering.
if your beacon engine is installed in the C drive then go to this location to find out the latest package file

C:\ProgramData\Flexera Software\Staging\Common\Packages\Flexera\Upgrade
0 Kudos
Rising star

Re: FlexNet agent updates integrity

While I believe, there is no technical measure to "magically" prevent tampering, you can still take your own measures. That would usually include managing access to the servers (web, file shares, RDP), maybe IAM, logging, monitoring, etc.

Softline Group is Europe's leading independent expert in Software Asset Management.
0 Kudos