@MaxAdmin The other respondents are correct, this is not an efficient use of IEM/BigFix, but it can be done with minimal pain. What follows is basically what @aram suggested. I’m assuming there won’t be too many instances of “system.ini” on each endpoint and they won’t be very large, so generating the Hash won’t take much computational effort, just some disk I/O.
You’re going to need to use a combination of a Task and an Analysis and an external utility to perform this. If you could use the SHA1 hash, you wouldn’t need the external utility.
You need a utility to generate the MD5 hash values. If you don’t already have one I recommend the FCIV.exe utility. It should fit the bill nicely. You can extract the .EXE file from the file available from the URL below and place it where you can download it during the Task (I have an IIS server where I host internal utilities that I might need, but your environment is different).
http://download.microsoft.com/download/c/f/4/cf454ae0-a4bb-4123-8333-a1b6737712f7/Windows-KB841290-x86-ENU.exe
Let’s look at the Task first. The first priority is to minimize the number of files that you will be generating the Hash value for. You have the file name you are looking for (system.ini), just not a file path, so let’s create a list of all the files on the system with that file name … (I am assuming C:\TEMP exists, adjust it as needed, or you can keep this all inside the BES Client folder). Once we have the list of system.ini locations, we need to hash them, then make the hash values available to an Analysis.
The Relevance for this task should be something similar to …
(Windows of Operating System)
The Action script would be …
// We need to get the FCIV.exe utility, I’m leaving that code out but assuming it is placed in the C:\TEMP
// folder to keep this simple.
// We’re going to create a .cmd to generate what we need.
delete __createfile
delete C:\TEMP\FileList.txt
// If we don’t delete the Hash database, FCIV will put duplicate entries in it on the second scan.
delete C:\TEMP\Hash.xml
delete C:\TEMP\HashList.txt
createfile until END
@ECHO OFF
REM I’m assuming C:\TEMP exists, adjust to your environment, or it can be tweaked to use the
REM BES Client folder paths, the resulting hashfile.txt needs to persist for the Analysis to evaluate
REM later.
REM Step 1 - To minimize the number of files we need to generate a Hash for. This might be possible
REM with FCIV directly using different command line switches, but I couldn’t get it to only hash the target
REM file, just by file extension types.
C:
CD \
DIR /B /S system.ini > C:\TEMP\FileList.txt
REM Step 2 - Generate the hash values by iterating through the resulting list of found files.
for /F "tokens=*" %%A in (C:\TEMP\filelist.txt) do C:\TEMP\FCIV.EXE -add "%%A" -md5 -xml c:\temp\hash.xml
REM Step 3 - Export the Hash values to a text file where an Analysis can evaluate them.
C:\TEMP\FCIV.EXE -list -xml c:\temp\hash.xml > c:\temp\HashList.txt
END
move __createfile FindStuff.cmd
// Run the cmd file through the command interpreter and wait for it to finish
waithidden cmd.exe /C FindStuff.cmd
= Overview =
- This script will result in a file that contains one line per instance of any file named SYSTEM.INI on the C: drive. It may take a few moments to run, but no longer than most software installs: 2-3 minutes max in testing on my desktop. If you need to scan multiple drives, include multiple DIR lines and use the >> redirection option for each DIR command after the first. We want a single file “FileList.txt” with all the resulting entries.
- FCIV is used to build an XML database of the Hash values for all the instances of System.ini we found on the system.
- We can then extract the Hash values into a format that the BES Client process can read (FCIV stores them in a base64 encoded format in the XML file).
- After testing your Task on a system or two, target all of your suspected systems (I assume something like “All Computers”)
Now you simply need an Analysis to check for the Hash values you are looking for. You can use relevance for the Analysis similar to the following …
(Windows of Operating System) AND (exists file "HashList.txt" of folder "C:\Temp")
with a property named …
Bad SYSTEM.INI
with a relevance of …
if (exists file "HashList.txt" whose (content of it contains "") of folder "c:\temp") then (substrings after " " of lines whose (it contains "") of file "HashList.txt" of folder "c:\temp") else (nothing)
You can create a property for each file you are looking for as long as the files have been hashed by the initial Task. The relevance above should return the full path to every System.ini file that matches your “Bad” hash value. You can then enumerate the results using Web Reports, expanding the value of the “Bad SYSTEM.INI” property for all computers where “Bad SYSTEM.INI” contains “system.ini”.
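As an added example (not part of the original answer, and not code from the BigFix or FCIV projects), the same hashing step can be done without the external FCIV.exe utility on endpoints that have Windows PowerShell 4.0 or later, which ships Get-FileHash. The script below produces a HashList.txt with one "<md5> <full path>" line per file, the same layout the Analysis relevance above parses, and includes a local check that mirrors what the "Bad SYSTEM.INI" property does, so the bad-hash list can be tested on a workstation before the Task and Analysis are deployed. The root folder, output path, file name and the placeholder hash are assumptions to be adjusted for your environment.

```powershell
# Added example: PowerShell replacement for the FCIV.exe step in the Task above.
# Assumptions: Windows PowerShell 4.0+ (Get-FileHash), C:\TEMP exists or may be
# created, and the Analysis reads "<md5> <path>" lines from C:\TEMP\HashList.txt.
param(
    [string]$Root     = 'C:\',                  # drive or folder to search (assumption: C: only, as in the post)
    [string]$FileName = 'system.ini',           # file name to hunt for, matched case-insensitively
    [string]$OutFile  = 'C:\TEMP\HashList.txt'  # where the Analysis expects the results
)

function Get-NamedFileHashes {
    # Enumerate every file named $FileName under $Root and return one object per
    # file with its lowercase MD5 and full path. Folders we cannot read are skipped
    # silently (-ErrorAction SilentlyContinue), which is also what DIR /S does.
    param([string]$Root, [string]$FileName)

    Get-ChildItem -Path $Root -Filter $FileName -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
            if ($h) {
                [pscustomobject]@{ Hash = $h.Hash.ToLower(); Path = $_.FullName }
            }
        }
}

function Write-HashList {
    # Write "<md5> <full path>" per line. The relevance in the post takes the text
    # after the first space of each matching line, so paths with spaces are fine.
    param([object[]]$Entries, [string]$OutFile)

    $dir = Split-Path -Parent $OutFile
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Overwrite rather than append: a re-run must not leave stale or duplicate
    # entries, the same reason the original Task deletes Hash.xml first.
    $lines = @($Entries | ForEach-Object { '{0} {1}' -f $_.Hash, $_.Path })
    Set-Content -LiteralPath $OutFile -Value $lines -Encoding ASCII
}

function Find-BadHashes {
    # Local equivalent of the "Bad SYSTEM.INI" Analysis property: return the paths
    # whose MD5 is on the known-bad list (compared case-insensitively).
    param([object[]]$Entries, [string[]]$BadHashes)

    $bad = @{}
    foreach ($b in $BadHashes) { $bad[$b.ToLower()] = $true }
    $Entries | Where-Object { $bad.ContainsKey($_.Hash) } | Select-Object -ExpandProperty Path
}

$entries = @(Get-NamedFileHashes -Root $Root -FileName $FileName)
Write-HashList -Entries $entries -OutFile $OutFile
Write-Host ('Hashed {0} file(s) named {1}; results written to {2}' -f $entries.Count, $FileName, $OutFile)

# Assumption: replace this placeholder with the MD5 value(s) of the SYSTEM.INI you are looking for.
$knownBad = @('00000000000000000000000000000000')
Find-BadHashes -Entries $entries -BadHashes $knownBad | ForEach-Object { Write-Host "Suspect: $_" }
```

Run it from an elevated prompt (or via the BES Client, which runs as SYSTEM) so that per-user profile folders are readable; anything the account cannot read is skipped rather than aborting the scan. The hash list is rewritten from scratch on every run, so the Task can be re-applied without the duplicate-entry problem the original notes for FCIV's XML database.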