Made some more changes to the relevance:
file "C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG" line starts with "ActionTaken=ARW_ACTION_KILL_THREAD"
However, it keeps reporting as "undefined".
Please help. Thanks
The relevance format is wrong
If you just want a “True” if the string is there then it would be
exists line whose ( it starts with "ActionTaken=ARW_ACTION_KILL_THREAD" ) of file "C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG"
No matter what I try it keeps saying error. I even changed it to a word that I know is showing in the log file:
exists line whose ( it starts with "ntfs" ) of file "C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG"
If you hover over the "<error>"
it will show what the error is
Thanks AlanM, I did not know that. The error reads "the expression could not be validated".
I can’t find that exact text.
Can only find:
This expression could not be parsed.
The expression could not be understood
sorry
the expression could not be evaluated
Is the file "MBAMSERVICE.LOG" in use by Malwarebytes at the time? If the file is "locked" for writing, then BigFix may not be able to read the file.
That works TimRice, thank you.
Now all I have to do is figure out how to search a working log file.
The “could not be evaluated” suggests a relevance syntax or command error so that is not the same.
Can you post your exact analysis relevance?
Here it is:
exists line whose (it contains "ActionTaken=ARW_ACTION_KILL_THREAD" ) of file "C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG"
If I save the file to another location it works, but since Malwarebytes locks the file for writing logs it does not work.
That is going to be the issue then. You won’t be able to do this in an analysis unless you do it on a copy of a file made by an action.
Is it possible to do a relevance to copy the file to a temp directory, then search for "ActionTaken=ARW_ACTION_KILL_THREAD", and after the search is complete delete the file in the temp directory?
Well yes and no. Relevance can’t copy the file (you need an action to do so) but relevance can examine the copied file.
Relevance does not change the endpoint, only an action does.
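As an added example (not code from the thread, BigFix or Malwarebytes), here is the copy-search-delete step the question above asks for, written as a PowerShell script of the kind a BigFix action would run on the endpoint. It assumes a temp directory of C:\Temp and a result file named mbam_kill_thread.txt; the log path and the marker string are the ones used in the thread.

```powershell
# Added example: snapshot a log that another process holds open for writing, search the
# snapshot, leave a one-line result for an analysis to read, then remove the snapshot.
# $LogPath and $Marker come from the thread; $TempDir and the result-file name are assumed.
param(
    [string]$LogPath = 'C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG',
    [string]$Marker  = 'ActionTaken=ARW_ACTION_KILL_THREAD',
    [string]$TempDir = 'C:\Temp'
)

function Copy-LockedLog {
    # Open the source with FileShare ReadWrite: we tell Windows we tolerate the writer's
    # existing handle. This still fails if the writer opened the file with no sharing at all,
    # but it is more tolerant than assuming a plain file copy will succeed.
    param([string]$Source, [string]$Destination)
    $in = [System.IO.File]::Open($Source,
        [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::ReadWrite)
    try {
        $out = [System.IO.File]::Create($Destination)
        try { $in.CopyTo($out) } finally { $out.Dispose() }
    } finally {
        $in.Dispose()
    }
}

function Test-LogMarker {
    # True if any line of $Path starts with $Marker, the same check the thread's relevance
    # ("exists line whose (it starts with ...)") makes against the live file.
    param([string]$Path, [string]$Marker)
    foreach ($line in [System.IO.File]::ReadLines($Path)) {
        if ($line.StartsWith($Marker, [System.StringComparison]::Ordinal)) { return $true }
    }
    return $false
}

$snapshot = Join-Path $TempDir (Split-Path $LogPath -Leaf)
$result   = Join-Path $TempDir 'mbam_kill_thread.txt'   # assumed name; an analysis reads this
New-Item -ItemType Directory -Path $TempDir -Force | Out-Null

Copy-LockedLog -Source $LogPath -Destination $snapshot
$found = Test-LogMarker -Path $snapshot -Marker $Marker

# Record the answer ("True" or "False") where relevance can see it, then delete the snapshot.
# If the analysis is meant to search the copy itself, as suggested above, keep the snapshot
# instead: relevance cannot inspect a file the action has already removed.
Set-Content -Path $result -Value $found.ToString()
Remove-Item -Path $snapshot -Force
```

The analysis relevance then points at the file in C:\Temp rather than at the live log, using the same `exists line whose (...) of file "..."` form shown earlier in the thread with the copied path. Run the action on a schedule if the result needs to stay current; relevance on its own will not refresh the copy.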
How can I get the relevance to email me? I tried Web Reports but I cannot see any relevance option there.
Relevance cannot email you. You would have to perform an action to "do" something. Web Reports can do some emailing if you look into that.
OK thanks. Is it possible, after the relevance runs, if it is true to pop up a notification on the BigFix Console?
There are no notifications on the BigFix Console to my knowledge
Can I add a fixlet and a relevance to a baseline?