Command line filter in BigFix relevance "process" inspector?

Hey guys, I’m trying to write a relevance in which I need to filter out the Java processes by the command line for the existence of a specific middleware application.

exists process whose (name of it as lowercase = "java.exe")

I believe this relevance isn’t enough as it will give many false positives.

Is there any command line filter in the process inspector in BigFix?

If you’re looking for a command line inspector on Windows, BigFix does not provide one natively. However, for non‑Windows platforms, a command line inspector is available. You can refer to the following link for details:
Inspector Search | BigFix Developer

For Windows, you can try the below (simply change BESClient.exe to java.exe):

exists select objects "* from Win32_Process" whose (exists string value of property "commandline" of it AND string value of property "commandline" of it as lowercase contains "besclient.exe") of wmi

3 Likes

hey VK,

Thanks for this. I was working with the Linux one and it is fetching the command line argument, but my requirement is that I want to filter out the command line arguments by name, something like this:

q: exists(command line arguments of process "java.exe" whose (name of it contains "com.ibm.ws.runtime" or name of it contains "WebSphere"))

q: exists(command line arguments of process "java.exe" whose (it contains "com.ibm.ws.runtime" or it contains "WebSphere"))

This does not exist, as this is giving an error, and it isn’t there in the official document. Do you know if there is a workaround for this?

I had my QNA loaded, so I tried a few to see if this gives you what you need:

exists selects "CommandLine from Win32_Process where Name = 'java.exe'" whose (string value of it contains "com.ibm.ws.runtime" or string value of it contains "WebSphere") of wmi

1 Like
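
To see what the two WMI-based relevance answers above will match on a given Windows endpoint, the same Win32_Process query can be run locally in PowerShell. This is an added example, not part of the original thread; the function name Find-JavaByCommandLine and its parameter names are assumptions, and the marker strings are the ones from the question.

```powershell
# Added example: list processes of a given image name whose command line
# contains any of the marker strings (case-insensitive).
function Find-JavaByCommandLine {
    param(
        [string[]]$Markers = @('com.ibm.ws.runtime', 'WebSphere'),
        [string]$ProcessName = 'java.exe'
    )

    # Same WQL restriction as the relevance: filter by image name on the WMI side.
    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$ProcessName'"

    foreach ($p in $procs) {
        # CommandLine is empty when the caller cannot read the process
        # (for example, insufficient rights); skip instead of matching on $null.
        if ([string]::IsNullOrEmpty($p.CommandLine)) { continue }

        $cmd  = $p.CommandLine.ToLowerInvariant()
        $hits = @($Markers | Where-Object { $cmd.Contains($_.ToLowerInvariant()) })

        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                ProcessId   = $p.ProcessId
                Name        = $p.Name
                Matched     = $hits -join ', '
                CommandLine = $p.CommandLine
            }
        }
    }
}

Find-JavaByCommandLine | Format-List
```

Run it from an elevated session: the BigFix client runs as LocalSystem, so a non-elevated user may get an empty CommandLine for processes the client can read.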

Typing from mobile, hence can't validate it; however, this should work:

exists processes whose (name of it as lowercase = "java.exe" AND (command line arguments of it as lowercase contains "your_string"))

Okay, will test this out and let you know, Thanks!

Watch the smart quotes. You’ll need to replace “ and “ with proper speech marks. These often get messed up copy-n-pasting from forum posted relevance that isn’t in markdown.

exists processes whose (name of it as lowercase = "java.exe" AND (command line arguments of it as lowercase contains "your_string"))

isn’t the same as

exists processes whose (name of it as lowercase = "java.exe" AND (command line arguments of it as lowercase contains "your_string"))

This command had "smart quotes" due to the forum or your browser changing them. You need to delete and retype the double quotes.

I think the solution @vk.khurava gave, using WMI on Windows, is the preferred workaround for now.

yup, replaced the quote

getting this error now

Try

Q: exists processes "java.exe" whose (command line argument of it as lowercase contains "websphere")
A: False
T: 3997

You will probably need to correct the process name for your use case, as the original example assumed a Windows EXE, which would not be the case on a non-Windows OS.

2 Likes

Or maybe this (using a process that exists on my lab VM)

Q: exists processes "cron" whose (exists command line argument whose (it as lowercase contains "-f") of it)
A: True
T: 1714

1 Like

I'm pretty sure the "command line argument" property only exists for processes on Linux/UNIX, not in our Windows client.

1 Like

Yes, it was the Nix OS this was aimed at. Windows would need the WMI approach that @vk.khurava also gave an example of.

hey SLB, Working fine now.

Thank you very much

1 Like

Hello,

This is working, thanks!

1 Like