File Search then SHA1 or SHA256 value

Good day,

I’ve been searching through the site, but not finding what I’m searching for. (it’s very close to Maxadmin’s MD5 request, but not exactly)

Pardon me if I am not using the appropriate terms, I’m a total noob with Bigfix.

My goal is for an analysis to find a file on a system and, if found, hash the found file and present it in my report.

I do not have any built-in hashing tools in my infrastructure, so I cannot use FCIV etc. (I wish it was installed, as this would solve so many issues, but it's not.)

I am led to believe that BigFix has built-in SHA1 and SHA256; if so, I want to leverage that.

To recap, every once in a while, I need to see if a file exists in my enterprise. And if so, I want that file's hash value to be reported back.

That way, I can rule out any false positives on my end.

I hope I haven’t confused your brains.

Thank you

You can review file system inspectors here: https://support.bigfix.com/inspectors/Filesystem%20Objects_Any.html

You can find the hash of a file using SHA1 of or SHA256 of .

That being said – searching the computer for a file is not advised as it can take hours and cause client issues. If you have any idea where the file itself could reside on the system that would be a lot better.

1 Like

Thank you for the info strawgate.

The delay to search the drive is not really an issue right now. This is what I use to search for a file:

Relevance 1

(exists (operating system) whose (it as string as lowercase contains "win" as lowercase)) AND (exists (drive whose (type of it = "DRIVE_FIXED")) whose (name of it as string = "C:"))

Action 1

// Prompts for file name to search
action parameter query "FileName" with description "Please enter the file names to search for" with default value "example: test.log"

delete __appendfile
delete findfile2.bat
appendfile @echo off
appendfile set FileName={parameter "FileName" of action}
appendfile del "{pathname of parent folder of regapp "BESClient.exe"}\foundfile2.txt"

// Check for fixed drive D:
if {exists (drive whose (type of it = "DRIVE_FIXED")) whose (name of it as string = "D:")}
// Check C: and D: for the file. The backslash after the drive letter makes "dir /s" search from the
// root of the drive; "c:%%~A" alone would search from the current directory on that drive only.
appendfile for %%A in (%FileName%) do dir "c:\%%~A" "d:\%%~A" /s /b /a >> "{pathname of parent folder of regapp "BESClient.exe"}\foundfile2.txt"

else
// Check just C: for the file
appendfile for %%A in (%FileName%) do dir "c:\%%~A" /s /b /a >> "{pathname of parent folder of regapp "BESClient.exe"}\foundfile2.txt"

endif

move __appendfile findfile2.bat

// Use basic cmd line execution to ensure search of system folders
action uses wow64 redirection false
waithidden cmd.exe /c findfile2.bat 1>NUL 2>NUL

Once the above has run, and only if it found something, I need a hash. I was also reading up on pushing (downloading) a file from the TEM server to perform the hashing and then deleting it, but there is far more red tape involved with that approach, which I'm trying to avoid.

Thank you again, I’ll be reading up on your link.

I assume that you then want/need an Analysis to retrieve the SHA1 or SHA256 hash values if your file "{pathname of parent folder of regapp "BESClient.exe"}\foundfile2.txt" exists with 'stuff' in it?

The Analysis would have the following Relevance …

(Windows of Operating System) AND (exists file "foundfile2.txt" whose (exists lines of it) of parent folder of regapp "BESClient.exe")

You would then add a Property with the following Relevance and a name of your choosing …

(pathnames of it, sha2_256s of it) of (files (lines of file "foundfile2.txt" of parent folder of regapp "BESClient.exe"))

I would recommend that you set the Evaluate every option for the property to evaluate no more than once every few hours to prevent overloading the client if there are many "found files" or they are big files. The issue is that as long as the foundfile2.txt file exists, the analysis will recalculate the desired SHA hash as frequently as the Evaluate every option allows.

If you want a different hash value returned, the current options are …

  • sha1
  • sha2_224
  • sha2_256
  • sha2_384
  • sha2_512
2 Likes

Thank you Tim. Much appreciated.

I will look at this.

I’m not usually one to knock batch scripting, but you might be able to simplify that considerably with native actionscript. Fill in your parameters as above, but the basic logic is

(pathname of it, sha1 of it, sha2_256 of it) of find files "test.txt" of root folders of drives whose (type of it = "DRIVE_FIXED")

Mind you, all of the performance warnings above are still in effect, and traversing entire filesystems is a cause for concern.

1 Like
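A version of the native-actionscript approach from the last reply, written here as an added example and not taken from any post in the thread: it hashes copies of the requested file only under a bounded set of folders on fixed drives instead of walking each drive from its root, and it writes the results once to a report file so an analysis property can read them without re-hashing on every evaluation. The folder list, the report file name foundhashes.txt and the pipe-separated line format are my assumptions; the inspectors used (find files, sha1 of, sha2_256 of, parameter ... of action, concatenation) are the standard ones already referenced in the thread.

```actionscript
// Added example, not from the thread. Assumptions: the folder list, the report
// file name "foundhashes.txt" and the "|" separator are mine; adjust as needed.
action parameter query "FileName" with description "File name to search for" with default value "test.log"

// Build one line per match: pathname|size|sha1|sha2_256.
// Plural "folders" returns nothing (rather than failing) where a folder such as
// "Program Files (x86)" does not exist, so the same action works on 32- and 64-bit hosts.
// Searching only these trees instead of root folders of every drive keeps the walk cheap.
delete __appendfile
appendfile {concatenation "%0d%0a" of ((pathname of it & "|" & size of it as string & "|" & sha1 of it & "|" & sha2_256 of it) of find files (parameter "FileName" of action) of (folders "Program Files"; folders "Program Files (x86)"; folders "Users") of root folders of drives whose (type of it = "DRIVE_FIXED"))}

// Replace any previous report so stale matches never linger in it.
delete "{pathname of parent folder of regapp "BESClient.exe"}\foundhashes.txt"
move __appendfile "{pathname of parent folder of regapp "BESClient.exe"}\foundhashes.txt"
```

The analysis then only needs to read the report: relevance of exists file "foundhashes.txt" of parent folder of regapp "BESClient.exe" and a property of lines whose (it as string != "") of file "foundhashes.txt" of parent folder of regapp "BESClient.exe". The empty-line filter matters because an action that finds nothing leaves a single empty line in the file. Because hashing happens once, when the action runs, the recurring re-hash cost that the Evaluate every interval was guarding against in the earlier reply no longer applies; re-run the action when you want a fresh sweep.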