Securely retrieving sensitive scan results using BigFix agent

Hello everyone,

I’m working on a use case in BigFix and would appreciate your recommendations and best practices.

I have developed a Task that deploys and executes a PowerShell script on endpoints. The script scans local drives for potential credential patterns (e.g., “password”, “pwd”, “clave”, etc.) within files such as .txt, .log, .ini, and .config.

The script works as expected and generates a CSV file locally with the findings. However, the output may contain sensitive information, which raises a concern about how to securely collect and centralize these results.

🔍 Current situation

  • The scan runs locally on each endpoint via BigFix Agent

  • Results are written to a CSV file on the endpoint

  • The data may include sensitive content

  • No data exfiltration method has been implemented yet

❓ Main question

What would be the recommended approach to securely transport or centralize these results using BigFix capabilities?

💭 Options I'm considering

  • Uploading the file via BigFix Upload Manager

  • Sending results through Analysis / Properties (seems limited for large/sensitive data)

  • Writing to a secured network share

  • Using encryption before transfer (e.g., encrypting CSV before upload)

🔐 Key concerns

  • Protecting sensitive data during transit

  • Avoiding exposure on endpoints

  • Ensuring secure storage/access control on the server side

  • Keeping the solution scalable and maintainable

If anyone has implemented a similar use case or can suggest best practices (or things to avoid), I’d really appreciate your input.

Thanks in advance!

If you want to collect and centralize the actual results, use the Upload Manager.

The files will be uploaded back to the Root Server with a specific Prefix. After that you can do whatever you want with them: https://support.bigfix.com/product/documents/Upload_Archive_Manager_80_101211.pdf

This option is also used by the BigFix Inventory product.

1 Like

Agreed. One additional consideration if using the Upload Manager is to enable Message Level Encryption. This does introduce a bit of overhead, but it ensures that the information being uploaded is encrypted end-to-end (i.e. encrypted not just in transit, but also at rest when on Relays).

2 Likes

@Aram l,

Could the client encrypt the sensitive payloads using the server's public key, before shoving it to Upload Manager?

-Andrew

Interesting....for what purpose? Message Level Encryption achieves this after it goes to Upload Manager (i.e. for any upstream Client communication), but you're suggesting to encrypt prior to proceeding to Upload Manager?

(and short answer is: not easily, no)

<adding 'play with openssl' to my to-do list>

3 Likes
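
The "encrypt the CSV before upload" option and the question about encrypting to the server's public key, sketched as an added example that is not from any participant in this thread and is not BigFix functionality: it uses the CMS cmdlets built into Windows PowerShell 5.0 and later. The function name, paths, certificate subject and CSV contents are constructed for the demo, and the hand-off of the `.cms` file to Upload Manager is left out.

```powershell
# Added example; all names, paths and the certificate are constructed for the demo.
$ErrorActionPreference = 'Stop'   # fail closed: never fall through to uploading plaintext

function Protect-ScanResult {
    param(
        [Parameter(Mandatory)][string]$CsvPath,       # plaintext findings from the scan
        [Parameter(Mandatory)][string]$RecipientCer   # recipient's public certificate (.cer)
    )
    $outPath = "$CsvPath.cms"
    # CMS envelope: the content is encrypted to the recipient's public key, so the
    # endpoint and any relay holding the file cannot read it back.
    Protect-CmsMessage -To $RecipientCer -Path $CsvPath -OutFile $outPath
    if (-not (Select-String -LiteralPath $outPath -Pattern 'BEGIN CMS' -Quiet)) {
        throw "Encrypted output missing or malformed: $outPath"
    }
    # Plain delete, not a secure wipe: keep the plaintext lifetime on disk short.
    Remove-Item -LiteralPath $CsvPath -Force
    return $outPath
}

# --- Demo on a test machine ---
$work = Join-Path $env:TEMP 'credscan-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Assumption: in production the key pair is created on the collecting side and only
# the .cer is shipped to endpoints. Here both halves live in the current user's store.
$certArgs = @{
    Subject           = 'CN=ScanResults Demo'
    Type              = 'DocumentEncryptionCert'
    KeyUsage          = 'KeyEncipherment', 'DataEncipherment'
    CertStoreLocation = 'Cert:\CurrentUser\My'
}
$cert = New-SelfSignedCertificate @certArgs
$cer  = Join-Path $work 'recipient.cer'
Export-Certificate -Cert $cert -FilePath $cer | Out-Null   # public part only

# Constructed sample finding
$csv = Join-Path $work 'findings.csv'
"Path,Line,Match`r`nC:\app\web.config,12,password=EXAMPLE" | Set-Content -LiteralPath $csv

$enc = Protect-ScanResult -CsvPath $csv -RecipientCer $cer

# Collecting side: only a host holding the private key can do this.
$plain = Unprotect-CmsMessage -Path $enc
if ($plain -notmatch 'web\.config') { throw 'Round-trip failed' }
if (Test-Path -LiteralPath $csv)    { throw 'Plaintext CSV still on disk' }

Remove-Item $cert.PSPath            # remove the demo certificate
Remove-Item -LiteralPath $work -Recurse -Force
```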