Help with Bigfix Analyst Running Process

(imported topic written by russwm91)


Example would be "bad process.exe" running live on a workstation and located in C:\documents and settings\"current user"\temp. So this report or analysis would be able to capture which workstations in the company are running a process that originates from the path C:\documents and settings\"current user"\temp. We are seeing more and more virus/spyware activity that is linked to random process names but seems to always be located in the C:\documents and settings\"current user"\temp path.

What we have so far, which should work, but we can't figure out the last part of the relevance statement:

selects "executablepath from Win32_Process" of wmi (This works; it returns the paths of all running exe programs)

selects "* from win32_process where ExecutablePath = 'C:\\Program Files\\BigFix Enterprise\\BES Client\\BESClient.exe'" of wmi

I don’t get errors with this but I don’t get a result either.

(This is just me trying to write something that seems logical but does not work.)



(imported comment written by cstoneba)

you could throw this in an analysis for a quick way to find the spyware…

services whose (image path of it as lowercase contains "c:\documents and settings")
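The check both posts describe (a running process or a service whose executable lives under a user's temp directory in the "Documents and Settings" profile layout) can be prototyped and tested offline before it goes into an analysis. The following Python is an added example, not code from the thread or from BigFix: it runs the same path test over constructed Win32_Process-style and service records rather than querying WMI. The record shape, the sample paths and the helper names are assumptions. One detail it handles that a plain `contains "c:\documents and settings"` test on the whole image path does not: a service whose command line merely passes a temp-directory file as an argument, which should not be flagged, so the executable is extracted from the command line before the path is examined.

```python
"""Offline prototype of the 'executable under user temp' check.

Added example, not from the forum thread or from BigFix. Runs over
constructed records shaped like (kind, name, raw_path) so it can be
tested without WMI.
"""
import re

# Matches c:\documents and settings\<any user>\temp\  or
#         c:\documents and settings\<any user>\local settings\temp\
# The profile name is a wildcard because malware lands in whichever
# user's profile was active. (Assumption: these two temp layouts.)
USER_TEMP_RE = re.compile(
    r"^c:\\documents and settings\\[^\\]+\\(?:local settings\\)?temp\\",
    re.IGNORECASE,
)


def executable_from_command(image_path: str) -> str:
    """Return just the executable from a service ImagePath or command line.

    Handles a quoted path followed by arguments, an unquoted path followed
    by arguments, and a bare path.
    """
    s = image_path.strip().replace("/", "\\")
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    # Unquoted: the executable ends at the first ".exe" token.
    m = re.match(r"(.+?\.exe)(\s|$)", s, re.IGNORECASE)
    return m.group(1) if m else s


def is_in_user_temp(path: str) -> bool:
    """True when the path sits under a per-user temp directory."""
    return bool(USER_TEMP_RE.match(path.strip().replace("/", "\\")))


def flag_records(records):
    """records: iterable of (kind, name, raw_path).

    Returns the (kind, name, executable) tuples whose executable is under
    a user temp directory, in input order.
    """
    hits = []
    for kind, name, raw in records:
        exe = executable_from_command(raw)
        if is_in_user_temp(exe):
            hits.append((kind, name, exe))
    return hits


# Constructed sample data (not real telemetry).
SAMPLE_RECORDS = [
    ("process", "BESClient.exe",
     r"C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe"),
    ("process", "badproc.exe",
     r"C:\Documents and Settings\jdoe\Local Settings\Temp\badproc.exe"),
    ("process", "xyz.exe",
     r"C:\DOCUMENTS AND SETTINGS\Administrator\Temp\xyz.exe"),
    ("service", "Updater",
     r'"C:\Documents and Settings\jdoe\Temp\upd.exe" -service'),
    ("service", "Spooler",
     r"C:\WINDOWS\system32\spoolsv.exe"),
    # Legitimate binary that only references a temp file as an argument:
    # a substring test on the whole image path would wrongly flag this one.
    ("service", "Legit",
     r"C:\Program Files\Vendor\svc.exe -config C:\Documents and Settings\jdoe\Temp\cfg.ini"),
]


if __name__ == "__main__":
    for kind, name, exe in flag_records(SAMPLE_RECORDS):
        print(f"{kind:8} {name:14} {exe}")
```

Run as a script it lists the two processes and the one service whose executable is under a user temp directory and leaves the BES client, the spooler and the "Legit" service alone. In an analysis the same test is applied to the WMI ExecutablePath or service image path values; the extraction step is what keeps argument strings from producing false positives.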