Accessing files

(imported topic written by Badaz0691)

Sorry for the intrusion, not a bigfix user but am supporting a bigfix customer. We have an A/V product installed with which we can setup and monitor files being accessed. In this particular instance, we’ve set the file up to block any execute or write action, although read and access is permitted. It seems during the scans, the particular file is being not just viewed, but that the exe is being opened, which is the same as an execution, so the A/V is kicking off an alert. (using Filemon we saw this)

Is this something particular to the way the customer has the scan setup within BigFix, or is it SOP? Any idea on where I can get some literature if need be, so I can dig deeper down into this?



(imported comment written by BenKus)

Hi Badaz06,

Can you post the relevance expression that is being used? Without the expression it is really hard to answer your question.

In general, I believe that a file “version” information (and other file header info) is stored inside the file. To get this info, we do a call to the standard call to the OS, which then opens and gets the version. Perhaps the AV software is getting confused by this activity.

Can you also let us know the AV vendor and version?