I’ve created an action running the HijackThis utility, which generates a log file (hijackthis.exe /silentautolog). Basically, it scans the endpoint for malicious entries in the registry and some other places. Is there a way I can get the log file (hijackthis.log) back to the console?
There are a few examples in the system to reference.
For example, the “Run Nmap Scan” Task in the Asset Discovery site uses this feature to move the scan results.
```
// upload results
// set setting to send up results infrequently as optimization
setting "_BESClient_ArchiveManager_IntervalSeconds"="604800" on "{parameter "action issue date" of action}" for client
// set max size to 8 MB to prevent too much data
setting "_BESClient_ArchiveManager_MaxArchiveSize"="8388608" on "{parameter "action issue date" of action}" for client
// check for oversize (and that the scan actually finished: the completion line differs between Nmap versions)
continue if {(exists file whose (name of it starts with "nmap-" AND name of it contains (parameter "current_time") AND exists line whose (((exists key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\BESScanner-NMAP" whose (value "NmapVersion" of it as string as version < "4.52") of x32 registry) AND it as lowercase contains "nmap run completed at") OR ((exists key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\BESScanner-NMAP" whose (value "NmapVersion" of it as string as version >= "4.52") of x32 registry) AND it as lowercase contains "nmap done at")) of it AND size of it <= ((value of setting "_BESClient_ArchiveManager_MaxArchiveSize" of client) as integer)) of folder (pathname of windows folder & "\temp\nmap"))}
// mode 1 = upload only the files named in FileSet settings
setting "_BESClient_ArchiveManager_OperatingMode"="1" on "{parameter "action issue date" of action}" for client
setting "_BESClient_ArchiveManager_FileSet-nmap{parameter "current_time"}"="{parameter "nmapXMLFilePath"}" on "{parameter "action issue date" of action}" for client
// send results
setting "_BESClient_ArchiveManager_LastIntervalNumber"="0" on "{parameter "action issue date" of action}" for client
```
However, you cannot browse these directories and their content via the TEM Consoles.
If you are on the TEM Server, of course this is easier to browse.
If on remote computers, then some file sharing and mounting will be required.
Or, as most of the TEM modules do, the uploaded files are processed in some way. For example, NMAP scan files are processed by a service, then imported into the database for browsing from the Console.
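Applying the same Archive Manager settings to the HijackThis case from the question, as an added example (not code from the original answer or from the Asset Discovery site); the tool directory, the log path and the 8 MB limit are assumptions, and the `archive now` command is assumed to be available in the client version in use.

```bigfix
// Added example: run HijackThis and upload its log through the Archive Manager.
// Assumed deployment path; adjust to where the tool actually lives on the endpoints.
parameter "HJTDir" = "C:\Tools\HijackThis"
parameter "HJTLog" = "{parameter "HJTDir"}\hijackthis.log"

// Remove a stale log first so an old scan is never uploaded as if it were the new one.
delete "{parameter "HJTLog"}"

// Run the scan; /silentautolog writes hijackthis.log next to the executable.
wait "{parameter "HJTDir"}\hijackthis.exe" /silentautolog

// Upload only if the scan produced a log and it fits under the archive size limit (assumed 8 MB).
continue if {exists file (parameter "HJTLog") whose (size of it <= 8388608)}

// Mode 1 = upload only the files named in _BESClient_ArchiveManager_FileSet-* settings.
setting "_BESClient_ArchiveManager_OperatingMode"="1" on "{parameter "action issue date" of action}" for client
setting "_BESClient_ArchiveManager_MaxArchiveSize"="8388608" on "{parameter "action issue date" of action}" for client
setting "_BESClient_ArchiveManager_FileSet-hijackthis"="{parameter "HJTLog"}" on "{parameter "action issue date" of action}" for client

// Resetting the interval counter makes the client send the archive on its next cycle;
// "archive now" (assumed available) forces it immediately instead of waiting.
setting "_BESClient_ArchiveManager_LastIntervalNumber"="0" on "{parameter "action issue date" of action}" for client
archive now
```

The uploaded archive lands under the server's UploadManagerData\BufferDir tree keyed by computer ID, not in the Console, which is why the answer above points to file sharing or a processing service for viewing it.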