I’m working with the CISA KEV Content and find that the KEV scanner action fails with a thread execution error on one of my systems. It happens to be the Root server, but I don’t know if that is significant or not.
I can manually run the execute_scan.cmd batch file as administrator without raising the same error. Any ideas?
I saw a case once where an endpoint security product - either CrowdStrike or CarbonBlack, I think - was stopping one of our download plug-ins from running on a root server as Local system, but not when we troubleshot as Administrator. I’d check into any kind of EDR logs you may have.
We reproduced that problem using psexec from microsoft.com/sysinternals, using psexec -i -s cmd.exe
and then running the plugin/scan from the Local system command prompt.
Thanks Jason. I don’t have any EDR running on the Root server, but I ran the execute_scan.cmd batch from the LocalSystem command prompt just to check, and it completed successfully. There is a warning from 7-zip about data after the end of the kev_catalog.xml.zip archive, but it doesn’t appear to interfere with the manual batch file execution.
D:\Program Files (x86)\BigFix Enterprise\BES Client\kev_scanner>"D:\Program Files (x86)\BigFix Enterprise\BES Client/kev_scanner\7za.exe" e "D:\Program Files (x86)\BigFix Enterprise\BES Client/kev_scanner/kev_catalog.xml.zip" -o"D:\Program Files (x86)\BigFix Enterprise\BES Client/kev_scanner" -y
7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
Scanning the drive for archives:
1 file, 20821 bytes (21 KiB)
Extracting archive: D:\Program Files (x86)\BigFix Enterprise\BES Client\kev_scanner\kev_catalog.xml.zip
WARNINGS:
There are data after the end of archive
--
Path = D:\Program Files (x86)\BigFix Enterprise\BES Client\kev_scanner\kev_catalog.xml.zip
Type = zip
WARNINGS:
There are data after the end of archive
Physical Size = 20819
Tail Size = 2
Everything is Ok
Archives with Warnings: 1
Warnings: 1
Size: 223003
Compressed: 20821
D:\Program Files (x86)\BigFix Enterprise\BES Client\kev_scanner>"D:\Program Files (x86)\BigFix Enterprise\BES Client/kev_scanner/bin/wscansw.exe" -c "D:\Program Files (x86)\BigFix Enterprise\BES Client/kev_scanner/kev_config.xml" -i "D:\Program Files (x86)\BigFix Enterprise\BES Client/kev_scanner/kev_catalog.xml" -o "D:\Program Files (x86)\BigFix Enterprise\BES Client/kev_scanner/kev_results.xml.work" -e "D:\Program Files (x86)\BigFix Enterprise\BES Client/kev_scanner/kev_logs.xml"
D:\Program Files (x86)\BigFix Enterprise\BES Client\kev_scanner>"D:\Program Files (x86)\BigFix Enterprise\BES Client/kev_scanner/bin/wscanfs.exe" -reset
D:\Program Files (x86)\BigFix Enterprise\BES Client\kev_scanner>
I’m going to reinstall the scanner to see if that resolves the issue.
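The 7-Zip warning in the output above means bytes remain after the ZIP end-of-central-directory (EOCD) record: Physical Size 20819 plus Tail Size 2 equals the 20821 bytes on disk. The following is an added example, not part of the original thread or of the BigFix KEV content, that measures that tail for a ZIP file in Python; the sample archive and its two trailing bytes are constructed, and ZIP64, multi-disk and prefixed (self-extracting) archives are assumed out of scope.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory signature
EOCD_FIXED_LEN = 22        # signature + fixed fields, before the comment


def zip_tail_size(data: bytes) -> int:
    """Return how many bytes follow the end of the ZIP archive in `data`.

    Walks backwards over EOCD signature candidates and accepts the first one
    whose central-directory offset and size point exactly at the EOCD itself.
    Raises ValueError when no consistent EOCD record exists.
    """
    pos = data.rfind(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_FIXED_LEN <= len(data):
            # disk no., CD disk, entries here, entries total,
            # CD size, CD offset, comment length
            fields = struct.unpack_from("<HHHHIIH", data, pos + 4)
            cd_size, cd_offset, comment_len = fields[4], fields[5], fields[6]
            archive_end = pos + EOCD_FIXED_LEN + comment_len
            if cd_offset + cd_size == pos and archive_end <= len(data):
                return len(data) - archive_end
        pos = data.rfind(EOCD_SIG, 0, pos)
    raise ValueError("no valid end-of-central-directory record found")


def build_sample_zip(comment: bytes = b"") -> bytes:
    """Constructed sample archive standing in for kev_catalog.xml.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("kev_catalog.xml", "<catalog/>" * 100)
        zf.comment = comment
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_zip()
    padded = clean + b"\x00\x00"   # constructed 2-byte tail, like "Tail Size = 2"
    for label, blob in (("clean", clean), ("padded", padded)):
        tail = zip_tail_size(blob)
        print(f"{label}: file={len(blob)} physical={len(blob) - tail} tail={tail}")
```

To check a real file, pass `open(path, "rb").read()` to `zip_tail_size`; a non-zero result on a freshly downloaded archive is worth comparing against the published size or hash of the file.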