Extended signatures for BFI

https://justpaste.it/1r7dd

What about the GUID? Isn’t that a value that BigFix is creating, and not something that we manually add?

To paste tags into the forum you have to wrap it in a code block. Highlight the text and hit the code icon above the editor window - it looks like </>

thanks :slight_smile:

For test purposes, I created a signature with “testguid”, but when you create a signature via the UI it will be created by BFI. Output shows that the signature was matched.

    <MatchedSignature guid="TESTGUID">
    <Variable name="IS_INSTALLED" value="true"/>

The reason your XML file did not work is that it contained just the signature, but you need to wrap it so it is a valid catalog file for the scanner.

So if I was going to put the signature that you made into the GUI, I would only use this part:

    <MultipleInstance>
      <Iterator export="false" name="file_list">
        <FindFilePathEx name="tq.ini"/>
      </Iterator>
      <Instance>
        <Variable export="false" name="file_read">
          <ReadFile path="$(file_list)tq.ini"/>
        </Variable>
        <Variable name="IS_INSTALLED">
          <Compare relation="ne" type="string">
            <VectorToScalar>
              <Vector filter="*teamquest*">
                <ValueOf value="$(file_read)"/>
              </Vector>
            </VectorToScalar>
            <ValueOf value=""/>
          </Compare>
        </Variable>
        <Condition withVariable="IS_INSTALLED">
          <Action do="SKIP" onValue="false"/>
        </Condition>
      </Instance>
    </MultipleInstance>

When using the UI to create it you just need the part above; when testing you need the wrapper.

Thank you for your help.

One more useful testing tip.
When testing a new signature, remove:

    <Condition withVariable="IS_INSTALLED">
    <Action do="SKIP" onValue="false"/>
    </Condition>

This will cause the scan results to show:

    <MatchedSignature guid="TESTGUID">
    <Variable name="IS_INSTALLED" value="false"/>

when the signature WORKS, but does not match.

Another question: I am trying to test a signature, looking for a specific path, but I get the same result whether or not it finds it.

This is my signature:

    <?xml version="1.0" encoding="UTF-8"?>
    <Signatures version="1.0" xmlns="http://www.ibm.com/Tivoli/Signatures" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com/Tivoli/Signatures signatures.xsd">
      <Signature guid="TESTGUID_OUD" type="OtherSignature">
        <Variable name="IS_INSTALLED" export="true">
          <Compare type="string" relation="ne">
            <VectorToScalar>
              <PathExists absolutePath="/opt/BESServer/Bigfix_scripts" />
            </VectorToScalar>
            <ValueOf value=""/>
          </Compare>
        </Variable>
      </Signature>
    </Signatures>

And I get this output whether or not it finds the path.

    <?xml version="1.0" encoding="UTF-8"?>
    <MatchedSignatures>
      <MatchedSignature guid="TESTGUID_OUD">
        <Variable name="IS_INSTALLED" value="true"/>
      </MatchedSignature>
    </MatchedSignatures>

PathExists returns a true or false value, and you compare it to NOT empty string, so the result is always true.
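
The wrapping step, the testing tip and the always-true comparison discussed above, as an added Python example that is not from any poster in this thread or from BigFix. The function and constant names are hypothetical; the sample bodies are copied from the signatures posted above, and the check knows only the one pitfall described in the reply (a `PathExists` result compared with an empty string using `relation="ne"`).

```python
import xml.etree.ElementTree as ET

# Sample bodies copied from the thread, in the bare form that goes into the UI.
UI_BODY = """<MultipleInstance>
<Iterator export="false" name="file_list"><FindFilePathEx name="tq.ini"/></Iterator>
<Instance>
<Variable export="false" name="file_read"><ReadFile path="$(file_list)tq.ini"/></Variable>
<Variable name="IS_INSTALLED"><Compare relation="ne" type="string">
<VectorToScalar><Vector filter="*teamquest*"><ValueOf value="$(file_read)"/></Vector></VectorToScalar>
<ValueOf value=""/></Compare></Variable>
<Condition withVariable="IS_INSTALLED"><Action do="SKIP" onValue="false"/></Condition>
</Instance></MultipleInstance>"""
PATH_BODY = """<Variable name="IS_INSTALLED" export="true"><Compare type="string" relation="ne">
<VectorToScalar><PathExists absolutePath="/opt/BESServer/Bigfix_scripts"/></VectorToScalar>
<ValueOf value=""/></Compare></Variable>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop a namespace prefix if present

def build_test_catalog(body, guid="TESTGUID", strip_skip=True):
    """Wrap a UI-style signature body in <Signatures><Signature> for a scanner test."""
    sig = ET.fromstring(f"<Signature>{body}</Signature>")
    sig.attrib.update(guid=guid, type="OtherSignature")
    if strip_skip:  # testing tip: without the SKIP condition a non-match reports "false"
        for parent in list(sig.iter()):
            for child in list(parent):
                if local(child.tag) == "Condition" and any(a.get("do") == "SKIP" for a in child):
                    parent.remove(child)
    catalog = ET.Element("Signatures")
    catalog.append(sig)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(catalog, encoding="unicode")

def always_true_variables(catalog_xml):
    """Names of variables that compare a PathExists result with "" using relation="ne"."""
    hits = []
    for var in ET.fromstring(catalog_xml.encode("utf-8")).iter():
        if local(var.tag) != "Variable":
            continue
        for cmp_ in var.iter():
            if local(cmp_.tag) != "Compare" or cmp_.get("relation") != "ne":
                continue
            empty = any(local(e.tag) == "ValueOf" and e.get("value") == "" for e in cmp_)
            if empty and any(local(e.tag) == "PathExists" for e in cmp_.iter()):
                hits.append(var.get("name"))
    return hits

if __name__ == "__main__":
    print(build_test_catalog(UI_BODY))
    print(always_true_variables(build_test_catalog(PATH_BODY, "TESTGUID_OUD")))
```
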

Hi again
I wonder if you could help with another one of these custom signatures.

I’m trying to find a file in a specific path with this code, but I don’t get anything when I test it with the wscansw command.

    <?xml version="1.0" encoding="UTF-8"?>
    <Signatures version="1.0" xmlns="http://www.ibm.com/Tivoli/Signatures" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com/Tivoli/Signatures signatures.xsd">
      <Signature guid="TESTGUID" type="OtherSignature">
        <Instance>
          <Variable name="IS_INSTALLED" export="true">
            <Compare relation="ne" type="string">
              <VectorToScalar>
                <Vector filter="d:?apps?atlassian-confluence-7.2.0?bin">
                  <FindFilePathEx name="Tomcat9.exe"/>
                </Vector>
              </VectorToScalar>
              <ValueOf value=""/>
            </Compare>
          </Variable>
          <Condition withVariable="IS_INSTALLED">
            <Action do="SKIP" onValue="false"/>
          </Condition>
        </Instance>
      </Signature>
    </Signatures>

Wandy,
Try the following signature. Make sure the case matches with the information you are trying to compare with.

    <?xml version="1.0" encoding="UTF-8"?>
    <Signatures>
      <Signature guid="EXTENDED SIGNATURE TEST" name="EXTENDED SIGNATURE TEST" type="OtherSignature">
        <Variable name="IS_INSTALLED" export="true">
          <Compare type="string" relation="ne">
            <VectorToScalar>
              <Vector filter="d:?apps?atlassian-confluence-7.2.0?bin?">
                <FindFilePathEx name="Tomcat9.exe"/>
              </Vector>
            </VectorToScalar>
            <ValueOf value="" />
          </Compare>
        </Variable>
      </Signature>
    </Signatures>

Hi
Thanks for your answer, now I get this output

    <?xml version="1.0" encoding="UTF-8"?>
    <MatchedSignatures>
      <MatchedSignature guid="EXTENDED SIGNATURE TEST" name="EXTENDED SIGNATURE TEST">
        <Variable name="IS_INSTALLED" value="false"/>
      </MatchedSignature>
    </MatchedSignatures>

But I get this output no matter what file name I write in the “FindFilePathEx name=”

Hi again
I know that signatures on .exe files can be made from the scanned file data, but the thing is that I need to find this file in this specific path and not just anywhere.

Wandy,
Can you post a screenshot of the exact directory location and file name from the machine where you are testing the signature?

Wandy,
Update the signature by changing the line

    <Vector filter="d:?apps?atlassian-confluence-7.2.0?bin?">

to

    <Vector filter="D:?apps?atlassian-confluence-7.2.0?bin?">

Then test it.

Hi

sorry for the late answer, I have been on vacation :slight_smile:

But now it seems to work, now I get this:

    <?xml version="1.0" encoding="UTF-8"?>
    <MatchedSignatures>
      <MatchedSignature guid="EXTENDED SIGNATURE TEST" name="EXTENDED SIGNATURE TEST">
        <Variable name="IS_INSTALLED" value="true"/>
      </MatchedSignature>
    </MatchedSignatures>

So now it’s “true”

Thanks again