Hi All,
I’ve been using a task from BigFix.me to install sysmon on Windows systems.
The original task prefetches sysmon.zip and an unzip utility.
Yesterday, I noticed that the URL is providing a new version of sysmon.zip with a new sha value.
I’ve checked that the new version is good, no virus, no malware, installs manually and works fine. So I updated my task with the new sha values.
Now, when I issue the task to install sysmon the client does not download the zip file. It receives the task and makes multiple download attempts. But, after a handful of tries, the task fails as follows:
.
.
.
ActionLogMessage: (action:14655) Download url: 'http://download.sysinternals.com/files/Sysmon.zip'
ActionLogMessage: (action:14655) Download url: 'http://software.bigfix.com/download/redist/unzip-5.52.exe'
At 15:10:56 -0500 -
Report posted successfully
At 15:11:04 -0500 -
ActionLogMessage: (action:14655) JobFailed - cancel and fail action
ActionLogMessage: (action:14655) DownloadJobFailed
At 15:11:05 -0500 -
ActionLogMessage: (action:14655) ending action
.
.
.
If I go to the server and copy the file from the sha1 directory into the workstation client ~/__global/cache directory (that is to say, if I precache the file on the client) the task will run happily.
There is no error on the BF Server.
There is no relay in the loop.
Server and workstation are on the same network segment.
There is no problem with the unzip file. The client downloads it without issue.
There is no antivirus software on the endpoint. It’s just a test system.
There’s no intrusion detection on this network.
This happens on a Win10 system and a Win7 system.
BigFix platform is at 9.5.7
What can I do to troubleshoot this, short of using Wireshark to demonstrate how little I know about Wireshark and analyzing pcaps?
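
An added example, not part of the original post or of BigFix itself: a small checker that compares a downloaded file against every integrity field of a task's prefetch line (sha1, size, and the optional sha256), so a field left over from the previous Sysmon.zip shows up by name. It assumes the usual `prefetch <name> sha1:<hex> size:<bytes> <url> sha256:<hex>` layout; the function names, URL and payloads are constructed for illustration.

```python
import hashlib
import re

# Assumed layout: prefetch <name> sha1:<hex> size:<bytes> <url> [sha256:<hex>]
PREFETCH_RE = re.compile(
    r"^prefetch\s+(?P<name>\S+)\s+sha1:(?P<sha1>[0-9a-fA-F]{40})\s+"
    r"size:(?P<size>\d+)\s+(?P<url>\S+)"
    r"(?:\s+sha256:(?P<sha256>[0-9a-fA-F]{64}))?\s*$"
)

def parse_prefetch(line):
    """Split a prefetch line into its fields; sha256 is None when absent."""
    m = PREFETCH_RE.match(line.strip())
    if m is None:
        raise ValueError("not a prefetch line: %r" % line)
    return m.groupdict()

def fingerprint(data):
    """Compute the three values a prefetch line pins for a payload."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "size": str(len(data)),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def check_payload(line, data):
    """Return (field, expected, actual) for every field that disagrees."""
    want, got = parse_prefetch(line), fingerprint(data)
    return [
        (f, want[f].lower(), got[f])
        for f in ("sha1", "size", "sha256")
        if want[f] is not None and want[f].lower() != got[f]
    ]

def check_file(line, path):
    """Same check against a file on disk, e.g. a manually downloaded zip."""
    with open(path, "rb") as fh:
        return check_payload(line, fh.read())

def build_prefetch(name, url, data):
    """Emit a prefetch line whose fields all describe the same payload."""
    fp = fingerprint(data)
    return "prefetch %s sha1:%s size:%s %s sha256:%s" % (
        name, fp["sha1"], fp["size"], url, fp["sha256"])

if __name__ == "__main__":
    url = "http://example.invalid/Sysmon.zip"   # constructed placeholder URL
    old, new = b"constructed old payload", b"constructed new payload v2"
    stale = build_prefetch("Sysmon.zip", url, old)
    for field, expected, actual in check_payload(stale, new):
        print("%-6s task=%s file=%s" % (field, expected, actual))
```

Running `check_file` with the task's prefetch line and a freshly downloaded copy of the zip lists exactly which fields no longer describe the file.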