I’ve done this with a scanning tool our security team uses. I prefetch a stand-alone 7-zip executable I have cached on our core server and use that to create a zip file of the folder(s). From there I use the “archive” command to upload those results to our core server. This allows for an uninterrupted user experience while collecting necessary security data. Below is the action script I use to perform a scan using the Mandiant Redline software, package the results in a zip file, then upload it to the core:
//Configure settings for upload to IEM server
setting "_BESClient_ArchiveManager_MaxArchiveSize"="1048576000" on "{now}" for client
setting "_BESClient_ArchiveManager_OperatingMode"="2" on "{now}" for client
setting "_BESClient_ArchiveManager_FileSet-Redline"="C:\TEMP\Redline\{computer name}_{(month of current date as two digits as string) & (day_of_month of current date as two digits as string) & (year of current date as string)}.zip" on "{now}" for client
// Grab Redline and 7za
prefetch RedlineStandardx64.zip sha1:2c7a52a97969e1b568b3b5281e9384adb5386e30 size:10633601 http://bigfix-server:52311/RedlineStandardx64.zip
prefetch 7za.exe sha1:cee178da1fb05f99af7a3547093122893bd1eb46 size:587776 http://bigfix-server:52311/7za.exe
//Create TEMP folder if it doesn't exist
if {not exists folder "C:\TEMP"}
waithidden cmd.exe /C mkdir C:\TEMP
endif
//Extract Redline to C:\Temp
waithidden cmd.exe /C __Download\7za.exe x __Download\RedlineStandardx64.zip -oC:\TEMP\Redline -aoa
//Small sleep to allow above command to complete
waithidden cmd.exe /C ping -n 5 127.0.0.1
//Execute Redline
delete __appendfile
appendfile cd C:\Temp\Redline
appendfile RunRedlineAudit.bat
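//Remove any start.bat left by an earlier run; move fails if the destination exists
delete C:\Temp\Redline\start.bat
move __appendfile C:\Temp\Redline\start.bat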
waithidden C:\Temp\Redline\start.bat
//Package up Redline file
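//Remove any 7za.exe left by an earlier run; copy fails if the destination exists
delete C:\TEMP\Redline\7za.exe
copy __Download\7za.exe C:\TEMP\Redline\7za.exe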
delete __appendfile
appendfile cd C:\TEMP\Redline
appendfile 7za.exe a {computer name}_{(month of current date as two digits as string) & (day_of_month of current date as two digits as string) & (year of current date as string)}.zip C:\Temp\Redline\Sessions
appendfile 7za.exe a {computer name}_{(month of current date as two digits as string) & (day_of_month of current date as two digits as string) & (year of current date as string)}.zip C:\Temp\Redline\x64\magent*.log
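//Remove any package.bat left by an earlier run; copy fails if the destination exists
delete C:\TEMP\Redline\package.bat
copy __appendfile C:\TEMP\Redline\package.bat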
waithidden C:\TEMP\Redline\package.bat
//Send it to the IEM server
continue if {exists file whose (name of it starts with computer name) of folder "C:\TEMP\Redline"}
archive now
Take from this what you deem useful.