Feb 06, 2019
08:41 PM
Summary
Information regarding editing an uninstall package in the Flexera Software Package System.
Synopsis
The script below is generated in instances where we do not have a built-in uninstaller available for the product in question. The example provided is for Adobe Air, but this method will work for any application that stores uninstaller information in the following registry locations on client machines:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
There will be a folder (registry key) in one of these locations that is named after the product; ultimately, that is what the script will be hunting for in order to get the uninstall information.
Discussion
The full uninstall script example is below, but the two variables you need to worry about adjusting are arrays named ProductRegExps and silentParams.
var ProductRegExps = ['product name here'];
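This array needs to contain the name from the registry folder mentioned above. Each entry is matched against the folder names as a regular expression, so a plain product name also matches any folder whose name merely contains it; anchor the pattern (for example '^product name here$') if only an exact name should match. The way the script is written you can also put multiple product names here (you'll need to separate them with commas). An example of that would look like this: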
var ProductRegExps = ['product name here', 'other product name here' ];
As a matter of practice, you'll likely want to keep it to one product per uninstall package; however, some products might have different versions available for uninstalling with different folders in the registry.
var silentParams = ['/S' ];
In the example here you'll see that I've used the '/S' flag which is fairly commonly used for uninstalling executables. This is used to set the mode for the uninstall to be silent, so if the product in question uses a different flag for this you'll need to adjust accordingly.
One thing that's incredibly important about this variable is that it must have the same number of arguments as the ProductRegExps array. The order is also critical as the for loop that extracts these values uses the same integer value for the index for both variables when matching them up. The actual script can be found by checking the 'edit package content' checkbox in the first step of the SPS wizard.
Full Script Example
// GUID, Title, ProductRegExps, silentParams and optionalParams are embedded
// by the CSI at the start of this script.

// Package title: used in the log messages and as the value written to the
// "Installed" registry marker.
var Title = "Uninstall Adobe AIR 17.x, version 19.x";

// Package identifier: names the "Installed" registry marker.
var GUID = "3ecc9774-202b-4af2-9ca0-f0320b616f09";

// Names of the Uninstall registry keys to look for. Each entry is used as a
// regular expression (see findProductNames), so "Adobe AIR" also matches any
// key whose name merely contains that text. Anchor the pattern ("^...$") when
// only one exact key name should be uninstalled.
var ProductRegExps = ["Adobe AIR"];

// Silent-mode switch for each product, in the same order as ProductRegExps.
var silentParams = ["/S"];

// Extra text appended to every uninstall command line.
var optionalParams = "";

// Registry root keys that are searched.
var rootKeys = [
    0x80000001, // HKEY_CURRENT_USER
    0x80000002  // HKEY_LOCAL_MACHINE
];

// Uninstall key paths that are searched under each root key.
var regPaths = [
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\",
    // For 32bit programs installed on a 64bit machine
    "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"
];
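// Entry point of the package.
//
// Refuses to run when no GUID is set or when there are fewer silentParams
// entries than ProductRegExps entries; otherwise calls
// uninstallAllInstances() once per product, pairing each product with the
// silent parameter stored at the same index.
//
// Returns 0 when the loop ran to the end and 1 on a failed precondition or
// on an exception raised in main() itself. Errors inside uninstall() are
// caught and logged there, so they do not change this return value.
function main() {
    try {
        if ( !GUID ) {
            server.logMessage( "No GUID supplied for package " + Title );
            return 1;
        }
        server.logMessage( "Running package " + Title + " [Uninstall]" );
        server.logMessage( "NOTE: This package will uninstall all instances found on this machine for the specified package" );
        if ( ProductRegExps.length > silentParams.length ) {
            server.logMessage( "Insufficient silent params provided for products." );
            return 1;
        }
        // For each product call our uninstall function with its respective
        // silent parameters
        var productRegExp, params;
        for ( var i = 0; i < ProductRegExps.length; i++ ) {
            // Index i selects the product and its own silent parameter;
            // without the index the whole arrays would be passed on.
            productRegExp = ProductRegExps[i];
            params = silentParams[i];
            server.logMessage( "Uninstalling product # " + (i+1) + ", regexp: \"" + productRegExp + "\"" );
            uninstallAllInstances( productRegExp, params );
        }
    } catch ( ex ) {
        server.logMessage( "Error: (" + ex.number + ") in main(), description: " + ex.description );
        return 1;
    }
    server.logMessage( "Finished running package " + Title );
    return 0;
}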
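// Uninstalls a product, identified by its regular expression, from every
// combination of registry root key (rootKeys) and Uninstall path (regPaths),
// handing the silent parameters through to uninstall().
function uninstallAllInstances ( productRegExp, params ) {
    var rootKey, regPath;
    for ( var i = 0; i < rootKeys.length; i++ ) {
        // One root key per outer pass (the index was missing, which passed
        // the whole array down to the registry lookup).
        rootKey = rootKeys[i];
        for ( var j = 0; j < regPaths.length; j++ ) {
            regPath = regPaths[j];
            server.logMessage( "Searching [ RootKey: " + rootKey.toString( 16 ) + " , Path: " + regPath + " ]" );
            uninstall( productRegExp, rootKey, regPath, params );
        }
    }
}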
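// Uninstalls every product under one root key / Uninstall path whose key
// name matches productRegExp.
//
// For each matching key the UninstallString is looked up and, when it is not
// empty, run with the given silent parameters. Any exception is logged and
// swallowed so that the remaining locations are still processed.
function uninstall ( productRegExp, rootKey, regPath, params ) {
    try {
        var productNames = findProductNames( productRegExp, rootKey, regPath );
        var command = "";
        var productName;
        for ( var i = 0; i < productNames.length; i++ ) {
            // Handle one matching key at a time (the index was missing,
            // which passed the whole list to the lookup).
            productName = productNames[i];
            command = getUninstallCommand( productName, rootKey, regPath );
            if ( command !== "" ) {
                runUninstallCommand( command, params );
            } else {
                server.logMessage( " No uninstall command for [ RootKey: " + rootKey.toString( 16 ) + " , Path: " + regPath + ", ProductName:"+ productName + " ]" );
            }
        }
    } catch ( ex ) {
        server.logMessage( "Error in uninstall(), description: " + ex.description );
    }
}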
// Runs one uninstall command line and waits for it to end.
//
// The silent parameters (when both they and the command are non-empty) and
// optionalParams are appended to the command, which is then started through
// WScript.Shell. The process is polled once a second for at most one hour.
// Exceptions are logged and swallowed.
//
// NOTE(review): the command is the UninstallString read from the registry
// and is executed as-is, with whatever rights this script runs under. The
// HKEY_CURRENT_USER Uninstall keys that the script searches can be written
// by that user - confirm which account the package runs as.
function runUninstallCommand ( command, params ) {
    try {
        if ( command && params ) {
            command = command + " " + params;
        }
        command = command + " " + optionalParams;
        server.logMessage( "Executing: " + command );

        var wsh = new ActiveXObject( "WScript.Shell" );
        var proc = wsh.Exec( command );
        var timeoutMs = 1 * 3600 * 1000; // 1 hour
        var startedAt = (new Date()).valueOf();

        // Status stays 0 while the process is running: look again every
        // second until it has ended or the hour is over.
        while ( proc.Status == 0 && (new Date()).valueOf() - startedAt < timeoutMs ) {
            server.sleep( 1000 );
        }

        if ( proc.Status != 0 ) {
            server.logMessage( "Executed: " + command + ", exit code: " + proc.ExitCode );
            // NOTE(review): the marker is written whenever the process has
            // ended, whatever its exit code - confirm that a failed
            // uninstall should be recorded as well.
            wsh.RegWrite( "HKLM\\Software\\Secunia\\Updates\\Installed\\" + GUID + "\\", Title );
        } else {
            // The process is only reported here; it is not terminated.
            server.logMessage( "Executed: " + command + ", Did not finish within 1 hour." );
        }
    } catch ( ex ) {
        server.logMessage( "Error: (" + ex.number + ") in runUninstallCommand(), command: \"" + command + "\", description: " + ex.description );
    }
}
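// Returns the names of all Uninstall subkeys under rootKey\regPath that
// match productRegExp, or an empty array when there are none.
//
// String.match() with a string argument compiles that string as a regular
// expression and searches for it anywhere in the key name. A plain product
// name therefore also selects keys that only contain it, and characters such
// as "+", "(" or "." in a name act as regexp syntax. Use an anchored pattern
// ("^...$") to select one exact key name.
function findProductNames( productRegExp, rootKey, regPath ) {
    var productList = getInstalledSoftware( rootKey, regPath );
    var res = [];
    if ( productList.length === 0 ) {
        server.logMessage( "Did not find installed software using:[ RootKey: " + rootKey.toString( 16 ) + " , Path: " + regPath + " ]" );
        return res;
    }
    for ( var i = 0; i < productList.length; i++ ) {
        // Test each key name on its own (the index was missing, which
        // called match() on the array itself).
        if ( productList[i].match( productRegExp ) ) {
            server.logMessage( "Found Product Name:'"+ productList[i] +"' " );
            res.push( productList[i] );
        }
    }
    return res;
}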
// Lists the names of the subkeys of rootKey\regPath through the WMI
// StdRegProv provider (EnumKey).
//
// Returns an array of key names, or an empty array when the names cannot be
// converted or when any step of the WMI call fails (the failure is logged).
function getInstalledSoftware ( rootKey, regPath ) {
    try {
        // Ask WMI for the 64-bit registry provider and make it a requirement.
        var wmiContext = new ActiveXObject( "WbemScripting.SWbemNamedValueSet" );
        wmiContext.Add( "__ProviderArchitecture", 64 );
        wmiContext.Add( "__RequiredArchitecture", true );

        var wmiLocator = new ActiveXObject( "WbemScripting.SWbemLocator" );
        var wmiServices = wmiLocator.ConnectServer( null, "root\\default", null, null, null, null, null, wmiContext );
        var stdRegProv = wmiServices.Get( "StdRegProv" );

        var enumKey = stdRegProv.Methods_.Item( "EnumKey" );
        var inParams = enumKey.InParameters.SpawnInstance_();
        inParams.hDefKey = rootKey;
        inParams.sSubKeyName = regPath;
        var result = stdRegProv.ExecMethod_( enumKey.Name, inParams );

        try {
            // NOTE(review): presumably sNames is empty/null when the key is
            // missing or has no subkeys, which makes toArray() throw - confirm.
            return result.sNames.toArray();
        } catch ( ex ) {
            return [];
        }
    } catch ( ex ) {
        server.logMessage( "Error: (" + ex.number + ") in getInstalledSoftware(), description: " + ex.description );
        return [];
    }
}
// Reads the UninstallString value of the key rootKey\regPath + software
// through the WMI StdRegProv provider (GetStringValue).
//
// Returns the value unmodified - the caller executes it as a command line -
// or "" when the value is empty or when the WMI call fails (the failure is
// logged).
function getUninstallCommand ( software, rootKey, regPath ) {
    try {
        // Ask WMI for the 64-bit registry provider and make it a requirement.
        var wmiContext = new ActiveXObject( "WbemScripting.SWbemNamedValueSet" );
        wmiContext.Add( "__ProviderArchitecture", 64 );
        wmiContext.Add( "__RequiredArchitecture", true );
        server.logMessage( "Obtaining uninstall command for "+ software );

        var wmiLocator = new ActiveXObject( "WbemScripting.SWbemLocator" );
        var wmiServices = wmiLocator.ConnectServer( null, "root\\default", null, null, null, null, null, wmiContext );
        var stdRegProv = wmiServices.Get( "StdRegProv" );

        var getStringValue = stdRegProv.Methods_.Item( "GetStringValue" );
        var inParams = getStringValue.InParameters.SpawnInstance_();
        inParams.hDefKey = rootKey;
        inParams.sSubKeyName = regPath + software;
        inParams.sValueName = "UninstallString";
        var result = stdRegProv.ExecMethod_( getStringValue.Name, inParams );

        if ( !result.sValue ) {
            server.logMessage( "Found empty uninstall command ["+ regPath + software + "]");
            return "";
        }
        server.logMessage( "Found uninstall command ["+ regPath + software + "] = '" + result.sValue + "'");
        return result.sValue;
    } catch ( ex ) {
        server.logMessage( "Error: (" + ex.number + ") in getUninstallCommand(), description: " + ex.description );
        return "";
    }
}
// Execute the script: run main() and hand its return value (0 or 1) to the
// host as the exit code, then log the exit code the host reports back.
server.setExitCode( main() );
server.logMessage( "Returning " + server.getExitCode() );
Feb 06, 2019
08:31 PM
Summary
Windows Server 2012 requires the publishing user to be a local administrator, which causes a "failure to sign" error for users without this privilege. This article provides alternative methods to solve this problem.
Symptoms
You may find that some users are able to publish packages to WSUS and others aren't even if those users are publishing from the same machine. In this case, both users have proper disk permissions on WSUS and are members of the WSUS Administrators group.
Cause
Windows Server 2012 requires a user to be a local admin in order to publish packages to WSUS in addition to being a WSUS administrator.
Resolution
There are two paths to resolution. The first would be to make the user in question a local administrator on your WSUS Server. If this isn't an option, then you'll need to take the second path which is a workaround.
Workaround
The workaround:
Change the ownership of HKEY_CLASSES_ROOT\AppID\{8F5D3447-9CCE-455C-BAEF-55D42420143B} to Administrators. Change the permission on that key. Make sure Administrators and System have full control on that key.
1. Launch Dcomcnfg.exe in elevated mode.
2. Select Component Services / Computers / My Computer / Dcom Config / WSusCertServer
3. Press Right Click and select Properties.
4. WSusCertServer Properties dialog will show up, and click on the Security tab.
5. Set Launch and Activation Permissions and Access Permissions like the following examples:
----------------------------------------------------
6. Restart WSusCertServer service (net stop/net start)
Nov 15, 2018
05:54 PM
Summary
This article provides a handy checklist of items that need to be completed while updating a Software Vulnerability Manager On-Prem server environment to a newer version.
Discussion
The following action items need to be completed for a successful upgrade of SVM On-Prem server:
1. You need to download the latest version of the RPM from https://ca.secunia.com/download
Please open a support ticket with Flexera Support if you need credentials to be issued for you.
Flexera allows one account per organization.
You should plan internally how access will be managed and who should be authorized.
2. Run the executable file to update application files.
rpm -Uvh csi_rpm_file.rpm
3. Run setup script to validate configuration and update data to fit the new version.
sh /usr/local/Secunia/csi/install/installationProcess.sh
4. Update Internet Explorer plugin for the Software Vulnerability Manager.
Completed by accessing the Software Vulnerability Manager On-Prem interface through Internet Explorer. You will be prompted with a red link at the bottom of the page to install the SVM Plugin.
5. Update the Software Vulnerability Manager Daemon (if used)
Download it internally from:
http(s)://<server-hostname>/daemon
6. Update the SVM UI Plugin for SCCM if you use that as well. Download it from:
http(s)://hostname/sc2012 (x86) http(s)://hostname/sc2012/x64 (x64)
7. Publish to WSUS and deploy updated Software Vulnerability Manager Agent too (if used).
To accomplish the update we'll need access to the following information and accounts:
1. Root access on the Linux server(s).
2. Password for the root user on your database management software (MySQL or MariaDB).
3. Administrative access to Windows machines hosting the CSI supporting applications listed before.
4. Password for the service account used for the current installation of the CSI Daemon (if present).
5. Password for the 'default' Software Vulnerability Manager user account.
Nov 15, 2018
05:48 PM
Summary
This guide is a simple how-to on giving remote access to the database root user to a specific host or all hosts. The scope covered in this article is specifically the creation of the user-host record in the mysql.user table, which governs logins to a MySQL or MariaDB instance.
Synopsis
If you have decided to set up your Software Vulnerability Manager (SVM) On-Premises servers in dual-mode configuration with one server housing Apache, PHP and the SVM configuration, and the other server hosting the SVM database, then you have to assign your database user appropriate privileges to allow it remote access to the database from the SVM server. A common configuration makes use of the database root account. By default accounts on the database will not be enabled for remote login.
Procedure
Enter the MySQL database on the database server using the existing configured account (e.g. "root"):
mysql -u root -p
Once logged in, run this query to grant permissions to your user:
grant all privileges on *.* to 'root'@'remotehost' identified by password 'secrets' with grant option;
Replace remotehost with the hostname or IP address of the SVM application server.
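Replace secrets with the password for your MariaDB root account. Note that the identified by password form expects the value to be an already-hashed password; to supply the password in plain text, use identified by 'secrets' (without the password keyword) instead.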
When you specify the remote host as the application server like in this example, you may need to have a record of the fully qualified hostname as well as the unqualified (shortened) version.
It's also possible to set up this query to allow logins from all remote locations using the following database command example:
grant all privileges on *.* to 'root'@'%' identified by password 'secrets' with grant option;
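The key difference here is that we've replaced the remote host value with a % character. The reason we do this is that the % character represents a wildcard character in MariaDB and MySQL which in this case is used as an expression to match all possible host names and IPs. Because this lets the root account, with all privileges, log in from any host that can reach the database port, limit access to that port to the application server at the network level, or use the single-host form shown above.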
As per the mysql documentation (which in this case also applies to MariaDB) any time you apply a grant statement with the 'grant option' (among others) it should automatically reload the privileges table in memory and as a result, the permission you set in the previous step should take effect.
That being said, all things are imperfect, so if your access does not seem to be working it is wise to run the following statement as a first step before attempting to troubleshoot further.
flush privileges;
Example
Example hostname: csi7server.network.local
grant all privileges on *.* to 'csi'@'csi7server.network.local' identified by password 'Sekret1' with grant option;
Example IP address: 10.0.0.127
grant all privileges on *.* to 'csi'@'10.0.0.127' identified by password 'Sekret1' with grant option;
Executing the grant twice, once for host name, once for IP, will allow the application server to connect if it's being recognized by either host name or IP.
Nov 15, 2018
05:48 PM
Summary
How can you recover from a lost MySQL or MariaDB root password?
Synopsis
If you run into the situation where you've lost the root password for your MySQL instance the account can be recovered so long as you still have root access to the server itself.
Discussion
The recovery occurs over a couple of steps. First, we need to stop the existing mysql service, then we need to start it in a special mode, then we need to change the root password, stop the service again, and then start it back up. Once these steps are complete we will have a service up and running with a root account that has the password you have set.
1. Stop mysql
#RHEL 6
service mysqld stop
#RHEL 7
systemctl stop mysqld
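2. Start mysql while skipping the grants table. While the server runs in this mode it accepts any login without a password, so also pass --skip-networking to mysqld_safe, or block the database port, until the server has been started normally again in step 5.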
mysqld_safe --skip-grant-tables &
3. Log into mysql and change the root password
#From command line
mysql -u root mysql
#Once in mysql
> UPDATE user SET password=PASSWORD("passwordhere") WHERE user="root";
> FLUSH PRIVILEGES;
> exit
4. Stop mysqld
#From command line
/etc/init.d/mysql stop
5. Start mysqld
#RHEL 6
service mysqld start
#RHEL 7
systemctl start mysqld
Once this is complete you should be able to log into mysql with the new root password you set in the previous steps.
Nov 15, 2018
04:48 PM
Summary
You are getting a message 'your account is currently being upgraded.' when logging-in to your account
Symptoms
This usually happens when the 'private database' of the server (the user database) has not been populated with all tables needed to run the Software Vulnerability Manager software.
In a lot of cases what one will find when they explore the database is that there are no tables present. The 'private database' is the one named with the following formatting: ca_<customer_id> where the value in the <> is the customer identification number assigned to your server.
Cause
The problem may be caused by missing permissions that are necessary for the initial schema creation process. This part is completed when one runs through the installationProcess.sh script located in the /usr/local/Secunia/csi/install/ directory of the application server. It can also happen when an upgrade attempt fails and leaves the SVM in a "still upgrading" locked state.
Resolution
Make sure you have set up access for your database user correctly, especially if you are setting up remote access. It's usually easiest to utilize the 'root' user for MySQL/MariaDB as for a local install this does not require any permissions changes and for a two server install you simply need to create a record allowing remote access. Here is an example of enabling root for proper access (to MySQL/MariaDB):
> grant all privileges on *.* to 'root'@'hostname' identified by password 'password' with grant option;
> flush privileges;
You may need to create records for both the short name and fully qualified name in some cases. Additionally, you can also grant remote access to all hosts by using a wild card. Though depending on your organization this may not be seen as a best practice for security reasons.
> grant all privileges on *.* to 'root'@'%' identified by password 'password' with grant option;
> flush privileges;
If it's not a permissions issue, check the 'ca' database:
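-- List every column of the info table. With the asterisk in quotes ('*') the
-- query returns the literal text * once per row instead of the row's data.
select * from ca.csi_pdb_info;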
Check the patch level. If the patch level is not current, then you will need to run the upgrade manually. Once the version is on the current patch level, you can make sure that the DB is now unlocked.
When it is not, then you will see the cust_id and if the account has the "Locked" value set to 1. This means that the Software Vulnerability Manager server is still in upgrade mode:
> update ca.csi_pdb_info set locked = '0' where locked = '1';
This will unlock CSI. Now, reset the MySQL (or mariadb) service and you should be able to log in.
Additional Information
https://support.rackspace.com/how-to/mysql-connect-to-your-database-remotely/ https://mariadb.com/kb/en/mariadb/configuring-mariadb-for-remote-client-access/
Nov 15, 2018
04:48 PM
Summary
We're frequently asked about how one might manage SVM On-Prem backup and log files. This article lays out one possible option.
Question
How should an on-premises CSI customer manage their backup and log files?
Answer
One option would be to utilize a utility called LogRotate. This tool comes packaged by default in many Linux distributions including Red Hat Enterprise. This tool operates as a scheduled task and when provided the appropriate information can automatically 'rotate' files. This gives some much-needed automation to a process that can be somewhat arduous. How does it work? Generally speaking, the utility runs as part of a task set in crond. That would typically be located in /etc/cron.daily/logrotate. Configuration of the utility is found in its configuration file located in /etc/logrotate.conf.
A user can place their configuration options there or alternatively one can place application specific (in this case CSI) files in /etc/logrotate.d (you'll find this statement in /etc/logrotate.conf indicating this: 'include /etc/logrotate.d').
An Example Configuration
/usr/local/Secunia/csi/log/*.log {
rotate 7
daily
compress
}
/usr/local/Secunia/csi/backup/* {
rotate 2
daily
compress
}
Bear in mind this is a simple example, it's not meant to demonstrate a recommended solution. Log and backup rotation should be put into place in a manner that fits with your organization's policies and standards. You may also wish to control log files for Apache and Mysql/MariaDB. For those, I would refer you to the outside resource links in the additional information section.
Additional Information
Outside Resource Links Log Rotate https://support.rackspace.com/how-to/understanding-logrotate-utility/ https://linux.die.net/man/8/logrotate Apache Rotation http://www.thegeekstuff.com/2011/07/rotate-apache-logs/ <- this example's file paths will not match the ones on your machine to the logs. A default Apache install on Red Hat puts its logs in /etc/httpd/logs/. MySQL/MariaDB Rotation https://administratosphere.wordpress.com/2011/12/02/log-rotation-for-mysql/
Nov 15, 2018
04:47 PM
Summary
This article provides useful steps to install the code-signing certificate required by the Software Vulnerability Manager at WSUS to enable publishing integration between SVM and all WSUS APIs. We also listed more useful tips around certificate handling with Powershell as it is very handy to leverage PowerShell for WSUS-related certificate operations.
Synopsis
1. Open up Powershell as Administrator on your WSUS server, or Software Update Point of SCCM. 2. Run the following to set the WSUS server and its configuration to an object.
[Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$updateServer = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $updateServer.GetConfiguration()
3. Next, run this snippet to set the new code signing certificate.
$config.SetSigningCertificate("<Path to pfxFile>", "<PFX file password>")
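Bear in mind, this will be a file with both the public and private keys (pfx usually). You'll need to replace the path and private key password within the placeholder values in quotes. Since the file holds the signing key, keep it where only administrators can read it and remove the copy from the server once the certificate has been set.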
4. Now save the changes.
$config.Save()
Cert:\
The Powershell PSProvider "Certificate" gives the shell direct access to certificate stores of the system or the user depending on where you want to go. To get a quick glimpse of that, use this command:
Get-PSProvider
You can go about the Cert PSProvider as you do basic filesystem browsing using dir (Get-ChildItem):
In PowerShell ISE you can get the path prediction to display your options next effortlessly. That makes it very easy to predict all of the member properties of the certificates you can use as a filter.
For example, let's say you're interested in getting all certificates and filtering them through a where clause that outputs only those that have a private key in your WSUS stores. You can make use of the HasPrivateKey property, as per the below example, to get all certificates that have a private key in them:
The example output of this sample query looks similar to the following in one of my test labs:
Nov 15, 2018
04:47 PM
Summary
Sometimes smart groups may get stuck and need manual intervention at the database to clear the queue and re-run the smart group generation afterward. This article teaches you to manually clear the queue that the SVM On-Prem Server uses to track smart group generation status.
The symptoms that should lead to using this article are as follows:
The Smart Groups are not compiling correctly as seen in the SVM web interface.
Smart Groups look like they are compiling, but they never complete and never update their timestamps.
Smart Groups status remains "Queued for compilation" and never changes to "Completed"
Cause
The root cause of that problem is that the On-Prem server's sgdaemon (service) has encountered problems during the compilation and has therefore set a database flag that prevents other compilations from running, in order to prevent data loss.
Verify the problem
Within the "ca.csi_smartgroup_generation" table of the MySQL server installed on either Red Hat Enterprise Linux, or CentOS VA server, the "in_progress" field displays "1" where it should normally be "0". Perform the following actions to verify that exact problem:
1. Stop the smart group daemon service first
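# RHEL 6
service sgdaemon stop
# RHEL 7+
systemctl stop sgdaemon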
2. Check the status of the current smart group generations at the MySQL database
mysql -u root -e "SELECT * from ca.csi_smartgroup_generation;"
3. If "in_progress" column in the table is set to "1", you have encountered this same problem.
Resolution
You have to clear out the queue that governs the process. Below you'll find a basic set of steps that can be taken to complete this action manually.
1. On the database server, log into your MySQL or MariaDB instance:
mysql -u root -p #<type the password for "root" or simply press Enter if no password is set>
In the queries below, the "123456" number in the database name refers to your customer id. If you need to figure out what this is you can run the following in our MySQL/MariaDB shell:
show databases;
2. Next, run the two queries that will clear out the queue and will release the generation to occur.
use ca_123456;
UPDATE csi_smartgroups SET in_progress=0, generate_asap=1 WHERE in_progress=1;
use ca; UPDATE csi_smartgroup_generation SET in_progress=0, generate_asap=1 WHERE in_progress=1;
5. You simply need to start the sgdaemon service back up and wait for compilation of SGs to complete:
service sgdaemon start [rhel6]
#or
systemctl start sgdaemon [rhel7+]
If the compilation hasn't completed or hasn't started on its own, try re-running it via the web interface:
If that didn't help, try running the generation manually on the application server using the cronjob:
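cd /usr/local/Secunia/csi/cronjobs/
# Run this to compile all Smart Groups on all partitions:
php generate_smartgroups.php --cli --customer-id 12345678
# Or, you can run this for only a specific partition:
php generate_smartgroups.php --cli --customer-id 12345678 --partition-id 1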
Nov 15, 2018
04:46 PM
Summary
The SVM VA server will generate a self-signed SSL certificate when you choose to use SSL. These instructions will explain how to swap it for your certificate and key pair.
Synopsis
Once you've run through the SVM Virtual Appliance (VA) setup wizard and have selected to use SSL you'll find that the server is set up with a self-signed SSL certificate. In some environments that isn't an ideal solution as the act of propagating the public key from this certificate to all endpoints can be daunting. Below you'll find step by step instructions on how to replace the generated certificate with your own. 1. Obtain and transfer your public and private keys to your SVM VA. Once you have access to the file(s) this can be easily transferred to your server with a tool like WinSCP. 2. If your certificate is packaged together in a PFX file you can do the following to prepare your public and private key files.
Extract the private key:
openssl pkcs12 -in cert_name.pfx -nocerts -out csi.key
Remove the password from your key, so httpd will start without prompting for it:
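# Keep the passphrase-protected key under a new name, then write an
# unencrypted copy that httpd can load without prompting.
mv csi.key csi.key.secure
openssl rsa -in csi.key.secure -out csi.key
# csi.key now holds the private key in the clear: make it readable by its
# owner only.
chmod 600 csi.key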
Generate the public certificate:
openssl pkcs12 -in cert_name.pfx -clcerts -nokeys -out csi.crt
If you have a PEM file that has the two keys instead of a pfx you'll want to change the pkcs12 to x509 to match the format of the certificate. If you have another certificate format you'll need to adjust accordingly. Please refer to the openssl manual page for further details
3. Next, we need to replace the existing self-signed certificate files with the ones we now have on hand.
<VirtualHost *:8443>
DocumentRoot /usr/share/csi/public_html/
DirectoryIndex index.php index.html
ServerName CSI-SSL
<Directory /usr/share/csi/public_html/>
Require all granted
</Directory>
SSLEngine on
SSLCertificateFile /etc/csi/ssl/csi.crt
SSLCertificateKeyFile /etc/csi/ssl/csi.key
</VirtualHost>
We can find the location for the existing key pair in the virtual host definition for Apache which is found in /etc/apache2/sites-enabled/csi-ssl.conf. The listing above shows what the virtual host looks like in that file.
The important lines from the virtual host are the SSLCertificateFile and SSLCertificateKeyFile directives. These tell Apache which public and private key to use for the SSL connection and this lets us know what files we need to replace.
4. Remove the existing certificate key pair and replace it with yours.
Begin with deleting the old public key:
rm /etc/csi/ssl/csi.crt
Delete the old private key:
rm /etc/csi/ssl/csi.key
Copy new public key
cp csi.crt /etc/csi/ssl/
Copy new private key
cp csi.key /etc/csi/ssl
5. Restart Apache
service apache2 restart
After restarting Apache you are all set. Your connections to the SVM Server will occur using the newly implemented certificate.
Nov 15, 2018
04:31 PM
Summary
One or more specific smart groups fail to compile. When logging level is increased on the Software Vulnerability Manager On-Prem Linux server, the following error is seen in the /var/log/messages log:
'"temp_smartgroup_product" table is full'
Cause
If the MySQL server instance isn't properly fine-tuned as per best-practices and engineering recommendations, that can lead to some temporary tables being generated, that can overwhelm the database instance quickly and consume more space than it is available.
There are a number of different tuning settings that can affect this including innodb_file_per_table, max_heap_table_size, and tmp_table_size among others. These settings are configured on the Linux server hosting the MySQL database as stored in the database configuration file /etc/my.cnf.
Resolution
To resolve this issue, the best bet is to reach out to Flexera Support and request the recommended fine-tuning settings for your specific MySQL implementation. Each server generally requires different settings based on the number of hosts it manages, the hardware configuration, and other variables.
On the Application server (where Apache is installed):
1. Stop the Software Vulnerability Manager On-Prem daemons:
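# Stop the smart group daemon, then the scan daemon.
systemctl stop sgdaemon
systemctl stop scandaemon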
2) Flush the server memory:
sync; echo 3 > /proc/sys/vm/drop_caches
On the DB server, increase the values in the /etc/my.cnf file:
# These two values should always match max_heap_table_size tmp_table_size
You can also Increase max_allowed_packet
Also, do ensure that innodb_file_per_table = 1
Exit the configuration file by saving the settings (ESC --> :wq!) and restart MySQL:
systemctl restart mysqld
Activity Feed
- Posted Editing a Custom Uninstall Package in SVM on Software Vulnerability Manager Knowledge Base. Feb 06, 2019 08:41 PM
- Posted Obtain Local Admin rights for WSUS Publishing on Software Vulnerability Manager Knowledge Base. Feb 06, 2019 08:31 PM
- Posted SVM On-Prem RPM Upgrade Tasks List on Software Vulnerability Manager Knowledge Base. Nov 15, 2018 05:54 PM
- Posted How to grant root account remote access to MariaDB on Software Vulnerability Manager Knowledge Base. Nov 15, 2018 05:48 PM
- Posted How to recover from a lost MySQL root password on Software Vulnerability Manager Knowledge Base. Nov 15, 2018 05:48 PM
- Posted SVM On-Prem - 'Your Account is being Upgraded...' [Solved] on Software Vulnerability Manager Knowledge Base. Nov 15, 2018 04:48 PM
- Posted Managing SVM On-Prem Backups and Logs on Software Vulnerability Manager Knowledge Base. Nov 15, 2018 04:48 PM
- Posted Install the WSUS code-signing certificate with Powershell on Software Vulnerability Manager Knowledge Base. Nov 15, 2018 04:47 PM
- Posted SVM Smart Groups Not Compiling - Manually Clean the SG Generation Queue [On-Prem] on Software Vulnerability Manager Knowledge Base. Nov 15, 2018 04:47 PM
- Posted Swap SVM On-Prem SSL certificates [Ubuntu VA] on Software Vulnerability Manager Knowledge Base. Nov 15, 2018 04:46 PM
- Posted "temp_smartgroup_product" Errors in /var/log/messages on Software Vulnerability Manager Knowledge Base. Nov 15, 2018 04:31 PM