What is your use case for searching the system for a file?
In general this is a bad idea. If used, it should have an extremely narrow scope (search only one folder) if used in relevance. If it is used in ActionScript, it can be a bit more broad because you can make it only happen once, but even then it isn’t a great idea.
### Partial answer to Part 1:
You can use both relevance and commands in an Action to do queries of the system, but you can only run relevance (which is read only) on a system outside of an Action or through relevance substitution.
Use case: Yes, you are right; I do want to leverage this in certain folders only. I want to search for certain malicious exes or their SHAs in certain folders where I know for sure that they get stored.
As for running a relevance within an action, I have been testing them first in the Fixlet Debugger, and it always fails when I try to run a relevance within the action tab. Is this an issue only with the debugger?
This actually shouldn’t work. We don’t redirect standard out in these calls to the OS. If you did that in a batch/shell file then you can do that of course as the shell will do it for you.
Your issue is that you're trying to put the results of relevance in a file. That requires a different method.
If you are doing a command, you can redirect it to a file:
```
wait cmd find files "blah" > text.txt
```
but for relevance substitution, you have to put the results of that relevance into the file in the first place using either the Create File command, or Append File.
```
createfile until END_OF_FILE
{ (find file "test.txt" of folder ....) }
END_OF_FILE
```
Remember, relevance substitution is not a command, it is a query that usually results in text output, but unless that output is a file path, it won’t do anything if you try to run it using wait, and if you are finding a malware and then putting that path into a wait statement, that would mean you're running the malware as root/SYSTEM, which is definitely not what you are trying to do.
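An added example in BigFix ActionScript (not from any of the posts in this thread) putting the two points above together: relevance results are written out through createfile, command output is redirected by the shell, and the found path is never handed to wait. The folder path, the output file and the availability of the sha256 inspector on the client are assumptions.

```actionscript
// Added example, not from the thread. Inventory ONE folder, read-only, no recursion.
// Assumed paths: C:\Temp\suspect (folder to inspect), C:\Temp\suspect_inventory.txt (report).
// Assumes a client version whose relevance supports "sha256 of <file>".

// Relevance substitution is a query, so its text has to be placed in a file explicitly.
// "files of folders" (plural) yields nothing instead of erroring if the folder is absent,
// and "concatenation" joins one line per file; an empty folder gives an empty report.
delete __createfile
createfile until END_OF_FILE
{ concatenation "%0d%0a" of ((sha256 of it) & "  " & (pathname of it)) of files of folders "C:\Temp\suspect" }
END_OF_FILE

// Replace any previous report, then move the generated file into place.
delete "C:\Temp\suspect_inventory.txt"
move __createfile "C:\Temp\suspect_inventory.txt"

// A shell command, by contrast, can redirect its own output, so the listing is appended by cmd.exe.
// Note that nothing here executes the files that were found; only their hashes and paths are recorded.
waithidden cmd.exe /c dir /b "C:\Temp\suspect" >> "C:\Temp\suspect_inventory.txt"
```

The resulting report can then be read back with a narrowly scoped analysis property instead of re-running the search in relevance on every evaluation.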
Excellent point about running the malware as SYSTEM. I appreciate the advice. Yes, my goal will be to find the file path and SHA values if anything. I guess in the past 1 hour I learnt more than I did in 1 month because of this generous and interactive forum. I will update this section after some more tests.
Found a better solution than what I had: Analysis. I apologize if I slightly deviated from the topic, but I was super excited.
Running the relevance as an analysis PROPERTY will give me its complete details within the computer's properties without having to store/read/download files.
Once I know that the analysis is done, I can shut it down globally too. Do you guys perceive any issues with running an analysis for every single relevance whose results I may want to see? Especially when I am trying to store or view the results.
An analysis is fine for getting specific results of specific files, or if you run a command and output the results to a log, then read that log with the analysis. It is a bad idea to actually perform the find files function using relevance in an analysis property because it will run multiple times on a client and potentially stall the client while it is running and timeout.
You can tell an analysis property to only run once every 30 days or something similar, and that will help lower the impact.
I use analyses and analysis properties for lots and lots of things, but this is one I would recommend being careful with.
You don’t need to use only relevance to search for the file if you are doing it through an action/fixlet/task. In that case you can use a dos command, or a script, or a program.
Using something other than relevance will help prevent the error you mention here:
@TimRice
Thank you for this. My searching skills were not good enough to go through this
Will test and update the thread; I personally prefer direct cmd line function calls rather than depending on find files. @jgstew and @jmaple have also helped me with executing multiple commands in cmd in other threads. Will leverage those thoughts into my final task.
@TimRice one quick question; I did some more tests. Did you guys ever face issues with the Fixlet Debugger?
I wrote a simple set of commands; the file gets created; the move to test.cmd works perfectly.
Now when I execute it, 80% of the time I get exit code 1 and then results.txt DOESN’T get created (throwing dir output to results.txt).
If I evaluate the same actions several times, it does get created sometimes. Or if I go to test.cmd and manually run it, boom! results.txt gets created in a second.