SecTeer VulnDetect & PatchPro Support Forum VulnDetect
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Download VulnDetect Installer
    • Login

    [Solved] No Detected Applications & Enumerating Drive Stall

    Scheduled Pinned Locked Moved Solved Bugs and Issues
    23 Posts 5 Posters 13.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S Offline
      scottsan @Tom
      last edited by

      @Tom I tried the latest version of the agent and there is no change. I let it run for several hours and it just sits at Enumerating 'E:'. See details below.

      C:\Program Files (x86)\SecTeer VulnDetect>secteer --immediate
      [2019-02-01 03:17:14.122-0360] SecTeer Agent v1.0.0.0 starting in immediate mode
      [2019-02-01 03:17:14.122-0360] Starting SecTeer Agent in immediate mode
      [2019-02-01 03:17:14.126-0360] Running immediate inspection
      [2019-02-01 03:17:14.126-0360] Configuration:
      version:: 1.0.0.0
      authToken : 5cafb66c-fb52-4ad2-bd72-xxxxxxxxxxxx
      server : agent.vulndetect.com
      guid1::
      guid2::
      guid3::
      checkInInterval:: 600 seconds
      checkInRetryDelay:: 60 seconds
      maxCheckInRetryCount:: 10
      dataRetryDelay:: 1800 seconds
      inspectionWindow:: 21600 seconds
      timezoneOffset : -360 minutes
      currentTime:: 2019-01-31 21:17:14 (local time)
      checkInNow:: false
      inspectNow : true
      noFilesystem:: false
      noRegistry:: false
      noWinUpdate:: false
      noSystem:: false
      noPackage:: true
      inspectRemote:: false
      [2019-02-01 03:17:14.126-0360] Starting system inspection
      [2019-02-01 03:17:14.126-0360] Fetching inspection rules from server
      [2019-02-01 03:17:14.161-0360] Connecting to server: agent.vulndetect.com
      [2019-02-01 03:17:14.955-0360] Server returned 200 => OK
      [2019-02-01 03:17:14.958-0360] Found 'computerName' = 'LIVERNUGGET'
      [2019-02-01 03:17:15.030-0360] Enumerating Win32_OperatingSystem
      [2019-02-01 03:17:15.120-0360] Enumerating Win32_Bios
      [2019-02-01 03:17:15.153-0360] Searching updates: IsInstalled=0
      [2019-02-01 03:17:38.605-0360] Found 1 updates
      [2019-02-01 03:17:38.610-0360] Searching updates: IsInstalled=1
      [2019-02-01 03:17:53.877-0360] Found 71 updates
      [2019-02-01 03:17:54.112-0360] Filesystem redirection status: Redirection disabled
      [2019-02-01 03:17:54.112-0360] Enumerating 'C:'
      [2019-02-01 03:17:54.151-0360] Skipping 'C:$Windows.~WS', since it is blacklisted
      [2019-02-01 03:17:59.775-0360] Skipping 'C:\System Volume Information', since it is blacklisted
      [2019-02-01 03:18:03.357-0360] Skipping 'C:\Windows\InfusedApps', since it is blacklisted
      [2019-02-01 03:18:03.360-0360] Skipping 'C:\Windows\Installer', since it is blacklisted
      [2019-02-01 03:18:06.513-0360] Skipping 'C:\Windows\WinSxS', since it is blacklisted
      [2019-02-01 03:18:06.520-0360] Enumerating 'D:'
      [2019-02-01 03:18:10.193-0360] Enumerating 'E:'

      V T 2 Replies Last reply Reply Quote 0
      • V Offline
        VulnDetect @scottsan
        last edited by

        @scottsan We will come back with either a new version soon or some suggestions about how to troubleshoot it.
        The only workaround so far is by using the ignore option in the registry as discussed in this thread:
        https://vulndetect.org/topic/144/work-in-progress-exclude-specific-drives-folders-from-scan

        /Tom

        1 Reply Last reply Reply Quote 0
        • T Offline
          Tom VulnDetect Team Member @scottsan
          last edited by

          @scottsan I spoke to the developer of the agent and he needs some more debug info, to find out what is going on.

          We would very much appreciate if you would follow his instructions and provide us feedback:

          Download ProcMon:
https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Run ProcMon as an administrative user.
Add the following filters:
Process Name is not secteer.exe => Exclude
Event Class is Registry => Exclude
Event Class is Network => Exclude
Event Class is Process => Exclude
Event Class is Profiling => Exclude

Make sure Edit -> Auto Scroll is enabled.
Make sure File -> Capture Events is enabled.

In an administrative command prompt, run:
secteer.exe --immediate --suppress-console --path e:\

And watch the output of ProcMon to see what directories it is accessing, and if there are any hints as to what the issue is.
Is there a directory loop with infinitely recursing directories ?
Does the output stop at any point, and if so, what is the path ?
Is it very slow to enumerate the drive ?

          /Tom
          Download the latest SecTeer VulnDetect agent here:
          https://vulndetect.com/dl/secteerSetup.exe

          S 1 Reply Last reply Reply Quote 0
          • S Offline
            scottsan @Tom
            last edited by

            @Tom I ran procmon as instructed and have a .csv file of when the secteer command was started. The file is about 6MB. How can I send this to you?

            Here is some info from the file:

            ![0_1549303710471_9b918d37-215f-43a0-9ea3-b45c0b5c3844-image.png](Uploading 100%)
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 15320 CreateFile C:\Windows SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 15320 CreateFile C:\Windows\System32\wow64log.dll NAME NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 15320 CreateFile C:\Windows SUCCESS Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 15320 QueryNameInformationFile C:\Windows SUCCESS Name: \Windows
            46:27.7 secteer.exe 15320 CloseFile C:\Windows SUCCESS
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 15320 CreateFile C:\Program Files (x86)\SecTeer VulnDetect SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 15320 CreateFile C:\Windows\SysWOW64\apphelp.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 15320 QueryBasicInformationFile C:\Windows\SysWOW64\apphelp.dll SUCCESS CreationTime: 2019-01-22 8:49:48 PM, LastAccessTime: 2019-01-22 8:49:48 PM, LastWriteTime: 2019-01-22 8:49:48 PM, ChangeTime: 2019-01-22 9:06:55 PM, FileAttributes: A
            46:27.7 secteer.exe 15320 CloseFile C:\Windows\SysWOW64\apphelp.dll SUCCESS
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 15320 CreateFile C:\Windows\SysWOW64\apphelp.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 15320 CreateFileMapping C:\Windows\SysWOW64\apphelp.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE|PAGE_NOCACHE
            46:27.7 secteer.exe 15320 CreateFileMapping C:\Windows\SysWOW64\apphelp.dll SUCCESS SyncType: SyncTypeOther
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
            46:27.7 secteer.exe 15320 CloseFile C:\Windows\SysWOW64\apphelp.dll SUCCESS
            46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES

            A 1 Reply Last reply Reply Quote 0
            • A Offline
              Anselm @scottsan
              last edited by

              @tom saving the result from procmon as "native process monitor format (PML)" and you can load it at another computer with procmon and you can use the functionality of procmon (e.g. filter) for analysing. Compressing PML file with 7z and compression level ultra can save ~90% of size.

              S 1 Reply Last reply Reply Quote 0
              • S Offline
                scottsan @Anselm
                last edited by

                @Anselm I have a zipped PML file that is 1.5MB. How do I get it to you?

                T 2 Replies Last reply Reply Quote 0
                • T Offline
                  Tom VulnDetect Team Member @scottsan
                  last edited by

                  @scottsan Thank you very much. You can send it to
                  tom [at] vulndetect [dot] com

                  /Tom
                  Download the latest SecTeer VulnDetect agent here:
                  https://vulndetect.com/dl/secteerSetup.exe

                  1 Reply Last reply Reply Quote 0
                  • T Offline
                    Tom VulnDetect Team Member @scottsan
                    last edited by

                    @scottsan Thank you so much for sending this. I hope and believe that we nailed the issue this time, a new agent has been released:
                    https://vulndetect.org/topic/411/release-secteer-vulndetect-agent-v1-0-1-0

                    You may download it here:
                    https://vulndetect.com/dl/secteerSetup.exe

                    /Tom
                    Download the latest SecTeer VulnDetect agent here:
                    https://vulndetect.com/dl/secteerSetup.exe

                    S 1 Reply Last reply Reply Quote 0
                    • S Offline
                      scottsan @Tom
                      last edited by

                      @Tom Hi Tom....it looks like things are working ok now. Thanks.

                      1 Reply Last reply Reply Quote 0
                      • OLLI_SO Offline
                        OLLI_S Community Moderator
                        last edited by

                        OK, I mark the topic as Solved and move it to the category Solved Bugs and Issues.

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Download SecTeer Personal VulnDetect - an alternative to the long lost Secunia PSI

                        Please see our Privacy and Data Processing Policy
                        Sponsored and operated by SecTeer | VulnDetect is a replacement for the EoL Secunia PSI
                        Forum software by NodeBB