3 Replies Latest reply on Aug 8, 2017 3:49 PM by rth67

    Remote File Tail / Copy from SIEM Receiver


      Apparently there is a new security feature that is part of the 9.6.1 MR1 and 10.0.2 releases that does not allow the use of hidden shares when tailing / copying files; this was not disclosed in the Release Notes.


      According to the original feedback I received, somebody set up a File Copy to the C$ share and checked the box to "Delete processed files" and wiped out a server.


      According to Tier 3 / Engineering, there is a vulnerability in Linux that would allow an attacker full access to the remote hidden share, as Linux treats the $ differently than Microsoft does. We have requested a bug report and formal documentation.


      File Tailing does not have an option to delete files; please restore the functionality to remote tail files using a hidden share. We don't want to advertise "HERE ARE THE LOGS" by creating shares.


      I would hope you make the requirement for not using a hidden share apply only if you are doing a File Copy and check the box to "Delete processed files".


      File Tail / Copy from the SIEM Receiver was introduced in version 9.6.0; previously you had to use a SIEM Collector Agent. I guess I will be going back to a local agent if this does not get resolved.
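The narrower rule the post asks for (refuse a hidden share only when the job is a File Copy with "Delete processed files" checked, and leave read-only tailing alone) can be expressed as a small policy check. The following is an added example and is not McAfee ESM / Receiver code; the Job fields, the UNC parsing and the extra share-root guard (refusing delete-after-copy at the root of any share, which is what the C$ incident amounts to) are this example's own assumptions about how such a check could be written.

```python
"""Policy check for remote File Tail / File Copy jobs.

Added example, not McAfee ESM code. It implements the rule requested in the
post above: hidden shares (share name ending in "$") are refused only for a
File Copy that also deletes processed files. Tailing and copy-without-delete
are read-only and stay allowed. One extra guard, assumed here and not part of
the post, refuses delete-after-copy at the root of any share.
"""
import re
from dataclasses import dataclass

# UNC path: \\host\share[\sub\path]
_UNC = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<share>[^\\]+)(?P<rest>(?:\\[^\\]*)*)$")


@dataclass(frozen=True)
class Job:
    """Assumed shape of a Receiver file job (not the product's real schema)."""
    mode: str                      # "tail" or "copy"
    path: str                      # UNC path, e.g. \\srv01\C$\Logs\app
    delete_processed: bool = False # the "Delete processed files" checkbox


def parse_unc(path: str):
    """Split a UNC path into (host, share, subpath); subpath is "" at share root."""
    m = _UNC.match(path)
    if not m:
        raise ValueError(f"not a UNC path: {path!r}")
    return m.group("host"), m.group("share"), m.group("rest").strip("\\")


def is_hidden_share(share: str) -> bool:
    """Windows hides shares whose name ends in '$' (C$, ADMIN$, Logs$ ...)."""
    return share.endswith("$")


def check_job(job: Job):
    """Return (allowed, reason) for a job under the narrowed policy."""
    if job.mode not in ("tail", "copy"):
        return False, f"unknown mode {job.mode!r}"
    host, share, subpath = parse_unc(job.path)

    if job.mode == "tail":
        # Tailing never deletes, so a hidden share is fine here.
        return True, f"tail of \\\\{host}\\{share} is read-only"
    if not job.delete_processed:
        return True, f"copy from \\\\{host}\\{share} without delete is read-only"

    # From here on the job is destructive: copy + delete processed files.
    if is_hidden_share(share):
        return False, f"refusing delete-after-copy on hidden share {share}"
    if subpath == "":
        # Assumed extra guard: deleting at a share root is how C$ got wiped.
        return False, f"refusing delete-after-copy at the root of share {share}"
    return True, f"delete-after-copy confined to {share}\\{subpath}"


if __name__ == "__main__":
    # Constructed sample jobs, including the one from the post.
    for job in (
        Job("tail", r"\\srv01\C$\Logs\app"),
        Job("copy", r"\\srv01\C$", delete_processed=True),
        Job("copy", r"\\srv01\Logs\app", delete_processed=True),
        Job("copy", r"\\srv01\Logs", delete_processed=True),
    ):
        print(job.mode, job.path, job.delete_processed, "->", check_job(job))
```

The check is deliberately keyed on the combination of destructive mode and hidden share rather than on the share name alone, so an operator can keep tailing logs over C$ or a Logs$ share without advertising them, while the one configuration that can wipe a host is the one that gets refused.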