Open process files on Linux with contents regarding Windows platform

(imported topic written by SystemAdmin)

Hello,

I have BES agent V8.1.617 installed on a Linux box. About every 60-90 seconds a file opens as a process ("/var/opt/BESClient/__BESData/BES Support/1Office Control.fxf").

Here is example (using lsof):

root@centos54-32 ~

lsof -p 11826|grep Control

Start=========================================

BESClient 11826 root 8r REG 253,0 73366 1214763 /var/opt/BESClient/__BESData/BES Support/1Office Control.fxf

Here are some of the contents of this file:

root@centos54-32 ~

cat "/var/opt/BESClient/__BESData/BES Support/1Office Control.fxf"|grep -i win|more

X-Relevant-When: name of operating system as lowercase starts with "win"

X-Relevant-When: exists site whose (name of it = "Enterprise Security" OR name of it = "SecureInfo EVR" OR name of it = "SANS Top Vulnerabilities to Windows Systems" OR name of it = "eEye Remediation Manager" OR name of it as string starts with "Patches for Windows ")

X-Relevant-When: if (exists key "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion" whose (exists value "ProductId" of it OR exists value "CommonFilesDir" of it) of registry) then (version of client >= "6.0") else (version of client >= "5.1")

X-Relevant-When: number of keys whose (value "DisplayVersion" of it as string as version = "10" AND (character 1 of it = "9" AND (it = "0" OR it = "1") of character 2 of it AND (it = "11" OR it = "12" OR it = "13" OR it = "28" OR it = "15" OR it = "16" OR it = "17" OR it = "18" OR it = "19" OR it = "1A" OR it = "1B" OR it = "27" OR it = "29" OR it = "2A" OR it = "2B" OR it = "3A" OR it = "3B" OR it = "51" OR it = "54") of first 2 of following text of first 3 of it AND (preceding text of first "%7D" of it ends with "6000-11D3-8CFE-0050048383C9")) of name of it) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of registry > 1

X-Fixlet-Domain_Attributes: PatchManagement Warnings Windows

The computers listed below have multiple Office XP products installed.

==================================================CTRL-C

I have a Solaris box and I tested to see if I'd see the same thing, but I didn't.

So my question is (even if the file opened on Solaris the same way, which it didn't): why is a file opening at all on a Linux box if the file has what appear to be conditional tests only related to Windows?

Thanks much,

(imported comment written by BenKus)

Hi jgil,

The agent opens the file, determines that none of the Fixlets are relevant… It will probably take it less than a few milliseconds to complete this process so it shouldn’t be any issue on the computer…

We could add an operating system check on these tasks so your agent wouldn’t bother to re-evaluate them, but the agent is heavily optimized so it won’t cause any issues if the agent re-evaluates these periodically…

Ben

(imported comment written by SystemAdmin)

Hello Ben,

Thanks very much for the quick response.

It does not appear to be a few milliseconds. It appears to take anywhere from 2-4 seconds (at least on this VM with one CPU for testing). If the agent was heavily optimized, a quick check of the OS would certainly add to the optimization, IMHO. A single conditional test would use fewer CPU cycles than many false ones.

If there are fxf files designated for specific platforms, then this tree of conditional checks could easily grow over time and OS types. Is this the correct forum to make a change request to further improve this, or could this be resolved through a fixlet/action somehow?

Thanks much,
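The ordering point argued in the thread (a cheap operating-system test gating expensive registry and site clauses) as an added illustration. This is not code from the original posts and not the BES agent's own evaluator or fxf parser; it is a small Python model that pulls X-Relevant-When headers out of a constructed fxf-style sample, ANDs them with short-circuiting, and counts what each simulated host had to probe. The sample text, the Host class, the three clause kinds it understands and the relative cost weights are all assumptions; the real agent's evaluation order, caching and per-clause cost are not documented on this page.

```python
import re
from collections import Counter

# Constructed sample, modelled on the X-Relevant-When headers quoted in the
# thread but simplified and reordered so the cheap OS check does NOT come
# first. It is not the real "1Office Control.fxf".
SAMPLE_FXF = """\
X-Fixlet-Domain_Attributes: PatchManagement Warnings Windows
X-Relevant-When: exists key "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion" of registry
X-Relevant-When: exists site whose (name of it as string starts with "Patches for Windows ")
X-Relevant-When: name of operating system as lowercase starts with "win"
"""

HEADER = "X-Relevant-When:"

# Assumed relative costs, not measurements: the OS name is one cached string,
# site enumeration walks the client's subscriptions, a registry query opens
# hive keys (or has to fail on a host that has no registry at all).
COST = {"os": 1, "site": 10, "registry": 100}

_OS_PREFIX = re.compile(r'name of operating system as lowercase starts with "([^"]*)"')
_SITE_PREFIX = re.compile(r'name of it as string starts with "([^"]*)"')
_REG_KEY = re.compile(r'exists key "([^"]*)" of registry')


def parse_relevance(text):
    """Return the X-Relevant-When clauses in file order (the agent ANDs them)."""
    return [line[len(HEADER):].strip()
            for line in text.splitlines() if line.startswith(HEADER)]


def clause_kind(clause):
    """Classify a clause into one of the three kinds this toy model evaluates."""
    if _OS_PREFIX.search(clause):
        return "os"
    if _REG_KEY.search(clause):
        return "registry"
    if _SITE_PREFIX.search(clause):
        return "site"
    raise ValueError("unmodelled clause: " + clause)


class Host:
    """Toy endpoint (an assumption): just enough state to answer the clauses."""

    def __init__(self, os_name, registry_keys=(), sites=()):
        self.os_name = os_name
        self.registry_keys = set(registry_keys)   # empty on a non-Windows host
        self.sites = list(sites)                  # subscribed site names
        self.inspections = Counter()              # probes per clause kind
        self.cost = 0                             # accumulated assumed cost units

    def evaluate(self, clause):
        kind = clause_kind(clause)
        self.inspections[kind] += 1
        self.cost += COST[kind]
        if kind == "os":
            prefix = _OS_PREFIX.search(clause).group(1)
            return self.os_name.lower().startswith(prefix)
        if kind == "registry":
            return _REG_KEY.search(clause).group(1) in self.registry_keys
        prefix = _SITE_PREFIX.search(clause).group(1)
        return any(s.startswith(prefix) for s in self.sites)


def is_relevant(host, clauses, cheapest_first=False):
    """AND the clauses, stopping at the first False (short-circuit).

    cheapest_first=True evaluates clauses in ascending assumed cost, so a
    non-Windows host is rejected by the OS clause before any registry probe.
    """
    if cheapest_first:
        order = sorted(clauses, key=lambda c: COST[clause_kind(c)])
    else:
        order = list(clauses)
    for clause in order:
        if not host.evaluate(clause):
            return False
    return True


if __name__ == "__main__":
    clauses = parse_relevance(SAMPLE_FXF)
    for label, cheap in (("file order", False), ("OS check first", True)):
        linux = Host("Linux")
        result = is_relevant(linux, clauses, cheapest_first=cheap)
        print(f"{label}: relevant={result} probes={dict(linux.inspections)} cost={linux.cost}")
```

Run stand-alone, the script shows the two orderings on a Linux host: both conclude the Fixlet is irrelevant, but file order pays for a registry probe first, while evaluating the OS clause first rejects it after a single string comparison. The same short-circuit is what makes a Windows host pay for all three clauses, which is the only case where that work buys anything.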