1 Reply Latest reply on Jan 19, 2017 10:06 AM by catdaddy

    Useful MAR Documentation Required

    xendel

I am looking for some documentation or help that describes how to create a collector that is compatible with how the active response search feature works. The problem is when I want to find a file version I place a simple script of PS and when I run the command in active search I get no results. This is not a proprietary or secret squirrel act that I am trying to work with, this can be found in many different forums, so here is the PS script:


      Get-ChildItem -Recurse C:\Windows\* | %{ $_.VersionInfo } | Format-Table -HideTableHeaders -Property FileVersion

      (This command is asking for the file version of every file under the C:\Windows\ directory)


      This runs fine in powershell on the desktop but returns all file versions because it is recursive. However, it does not correctly return a file version for any file in Active Response Search. If I use the ps script from above and I run the following search command in Active Response I get no file version:


      Files name and File version where HostInfo hostname equals "device1" and Files name equals "notepad.exe"


      I want to be able to see a single file version when I run the command in Active Response Search. So I placed the following PS script in the collector to test and see if it would return a specific file version for notepad:


      Get-ChildItem C:\Windows\notepad.exe | %{ $_.VersionInfo } | Format-Table -HideTableHeaders -Property FileVersion

      (This command is asking for the file version of notepad.exe under the C:\Windows\ directory)


      Then I ran this command in Active Response Search and it worked to get the version for notepad:

      Files name and File version where HostInfo hostname equals "device1"

This is interesting because I get no file name, but I get a file version. So I will try something a little different; I will add Notepad.exe to the Active Response search string:


      I tried this search:

      Files name and File version where HostInfo hostname equals "device1" and Files name equals "notepad.exe"


Now it shows me the name and the version of Notepad.exe.


BUT WAIT, THERE'S MORE!!! WE'LL DOUBLE THE OFFER!!!


      Now I run this search string in Active Response Search:

Files name and File version where HostInfo hostname equals "device1" and Files name equals "explorer.exe"

Remember the PS script is built to find only the version for Notepad.exe and nothing else:


      Get-ChildItem C:\Windows\notepad.exe | %{ $_.VersionInfo } | Format-Table -HideTableHeaders -Property FileVersion

      (This command is asking for the file version of notepad.exe under the C:\Windows\ directory)


      What is interesting and confusing is that I placed C:\Windows\notepad.exe in the PS script but the Active Response Search still gives me the "explorer.exe" version and it works.


What is going on in this scenario, and where is the documentation describing how Active Response Search digests a PS command and executes it on the endpoints via the McAfee Client?
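The scripts in the post above pipe only the FileVersion column, so a search that asks for both the file name and the version has nothing to match the name against. The following PowerShell is an added example, not code from the original post or from McAfee, that emits one name-plus-version record per file and tolerates files that carry no VersionInfo block (a common reason for empty results when recursing C:\Windows). The page does not document what output shape a MAR collector expects, so the tab-separated name/version line in the usage call, the function name Get-FileVersionRecord, and its parameters are assumptions for illustration.

```powershell
# Added example (not from the original post or from McAfee). Enumerates files under a
# directory and returns one object per file with its name and version strings, so both
# the name and the version are available to whatever consumes the output. Files without
# a VersionInfo block (scripts, data files) get an empty version instead of being dropped.
# The tab-separated output shape below is an assumption; the page does not document what
# a MAR collector expects.
function Get-FileVersionRecord {
    [CmdletBinding()]
    param(
        # Directory (or single file) to inspect, e.g. C:\Windows
        [Parameter(Mandatory)][string]$Path,
        # Wildcard applied to file names; default limits the inventory to executables
        [string]$Filter = '*.exe',
        # Walk subdirectories when set; off by default to keep the run cheap
        [switch]$Recurse
    )

    # -File excludes directories; SilentlyContinue skips paths the agent cannot read
    Get-ChildItem -Path $Path -Filter $Filter -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            [PSCustomObject]@{
                Name           = $_.Name
                FullPath       = $_.FullName
                # Trim because some binaries pad the version string with trailing spaces
                FileVersion    = if ($vi -and $vi.FileVersion)    { $vi.FileVersion.Trim() }    else { '' }
                ProductVersion = if ($vi -and $vi.ProductVersion) { $vi.ProductVersion.Trim() } else { '' }
            }
        }
}

# Usage: one "name<TAB>version" line per executable directly under C:\Windows.
# A single-file check (the notepad.exe case from the post) works the same way:
#   Get-FileVersionRecord -Path 'C:\Windows' -Filter 'notepad.exe'
Get-FileVersionRecord -Path 'C:\Windows' -Filter '*.exe' |
    ForEach-Object { "{0}`t{1}" -f $_.Name, $_.FileVersion }
```

Returning objects with both Name and FileVersion, rather than a headerless single column, is what makes a search such as "Files name and File version where ... Files name equals "explorer.exe"" answerable from the collector's own output; run the function directly in a console first and confirm the row for the file you expect appears before wiring it into a collector.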