Running processes not found by client

I am creating an Analysis to look for running application / process “MsSense.exe”. This EXE is part of Microsoft Advanced Threat Protection.

For some reason I am finding the BigFix client will not find this process. Has anyone run into a situation where BES Client seems to not see some running process?

Examples tried:

Using QNA running as user or elevated to admin:
“running applications”
No MsSense listed

Using Query - “MsSense” has no result but “explorer” does


Not too familiar with MsSense specifically. Can you show me a screenshot of a system running MSSense process and how you can check for this manually (without BigFix?) Perhaps then I can help you with how to find it using Query.

1 Like

You may have to have the Client evaluate the relevance (rather than Fixlet Debugger)…it will have more visibility given that it runs as SYSTEM. This is possible via Fixlet Debugger by selecting Evaluate -> Evaluate Using -> Local Client. This is possible in Query as well (check ‘Evaluate by Agent’: https://help.hcltechsw.com/bigfix/9.5/webui/WebUI/Users_Guide/c_build_query.html)

1 Like

This inspector will not get everything. In order for something to be a “running application” it must first be a registered application, which not all things are.

Try instead: unique values of names of processes

The most broad thing to do is to look at running processes. This works cross platform and will give back the most stuff. The next thing to do is look at running services, if the thing is a service as well. The final thing is to look for running applications, which will give you the least results but a bit more info for things that are both.

You could also try something like this:

unique values of (names of files of all running services; names of running applications; names of processes)

Or to go even further:

unique values of ( (service name of it | ""; image path of it | ""; display name of it | ""; name of file of it | "") of all running services ; (name of it | ""; name of image file of it | ""; pathname of image file of it | "") of processes ; (task name of it | ""; name of it | ""; pathname of it | "") of running applications )

This should maximize the info available about running items on the system, which you can filter down to what you are looking for using a whose statement, but having something that returns a TON is a good way to start to see if you can find what you are looking for, then filter down and optimize from there.

5 Likes
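Added example, not from any post in this thread: the "filter down with a whose statement" step applied to the process named in the question. The process name mssense.exe and the placeholder strings are assumptions; each line is a separate relevance expression, and the `| ""` fallbacks keep an unreadable image file from erroring the whole query rather than just that item.

```relevance
exists processes whose ((name of it | "") as lowercase = "mssense.exe")

unique values of (pathname of image file of it | "<image path unavailable>") of processes whose ((name of it | "") as lowercase = "mssense.exe")

unique values of (display name of it & " : " & state of it) of running services whose ((name of file of it | "") as lowercase = "mssense.exe")
```

Because the process belongs to a protected security product, evaluate these via Evaluate Using -> Local Client (or "Evaluate by Agent" in Query) so the agent's SYSTEM context, not the logged-on user, does the lookup.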