[Solved] No Detected Applications & Enumerating Drive Stall
-
@Tom I tried the latest version of the agent and there is no change. I let it run for several hours and it just sits at Enumerating 'E:'. See details below.
C:\Program Files (x86)\SecTeer VulnDetect>secteer --immediate
[2019-02-01 03:17:14.122-0360] SecTeer Agent v1.0.0.0 starting in immediate mode
[2019-02-01 03:17:14.122-0360] Starting SecTeer Agent in immediate mode
[2019-02-01 03:17:14.126-0360] Running immediate inspection
[2019-02-01 03:17:14.126-0360] Configuration:
version:: 1.0.0.0
authToken : 5cafb66c-fb52-4ad2-bd72-xxxxxxxxxxxx
server : agent.vulndetect.com
guid1::
guid2::
guid3::
checkInInterval:: 600 seconds
checkInRetryDelay:: 60 seconds
maxCheckInRetryCount:: 10
dataRetryDelay:: 1800 seconds
inspectionWindow:: 21600 seconds
timezoneOffset : -360 minutes
currentTime:: 2019-01-31 21:17:14 (local time)
checkInNow:: false
inspectNow : true
noFilesystem:: false
noRegistry:: false
noWinUpdate:: false
noSystem:: false
noPackage:: true
inspectRemote:: false
[2019-02-01 03:17:14.126-0360] Starting system inspection
[2019-02-01 03:17:14.126-0360] Fetching inspection rules from server
[2019-02-01 03:17:14.161-0360] Connecting to server: agent.vulndetect.com
[2019-02-01 03:17:14.955-0360] Server returned 200 => OK
[2019-02-01 03:17:14.958-0360] Found 'computerName' = 'LIVERNUGGET'
[2019-02-01 03:17:15.030-0360] Enumerating Win32_OperatingSystem
[2019-02-01 03:17:15.120-0360] Enumerating Win32_Bios
[2019-02-01 03:17:15.153-0360] Searching updates: IsInstalled=0
[2019-02-01 03:17:38.605-0360] Found 1 updates
[2019-02-01 03:17:38.610-0360] Searching updates: IsInstalled=1
[2019-02-01 03:17:53.877-0360] Found 71 updates
[2019-02-01 03:17:54.112-0360] Filesystem redirection status: Redirection disabled
[2019-02-01 03:17:54.112-0360] Enumerating 'C:'
[2019-02-01 03:17:54.151-0360] Skipping 'C:$Windows.~WS', since it is blacklisted
[2019-02-01 03:17:59.775-0360] Skipping 'C:\System Volume Information', since it is blacklisted
[2019-02-01 03:18:03.357-0360] Skipping 'C:\Windows\InfusedApps', since it is blacklisted
[2019-02-01 03:18:03.360-0360] Skipping 'C:\Windows\Installer', since it is blacklisted
[2019-02-01 03:18:06.513-0360] Skipping 'C:\Windows\WinSxS', since it is blacklisted
[2019-02-01 03:18:06.520-0360] Enumerating 'D:'
[2019-02-01 03:18:10.193-0360] Enumerating 'E:' -
@scottsan We will come back with either a new version soon or some suggestions about how to troubleshoot it.
The only workaround so far is by using the ignore option in the registry as discussed in this thread:
https://vulndetect.org/topic/144/work-in-progress-exclude-specific-drives-folders-from-scan -
@scottsan I spoke to the developer of the agent and he needs some more debug info, to find out what is going on.
We would very much appreciate if you would follow his instructions and provide us feedback:
Download ProcMon: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon Run ProcMon as an administrative user. Add the following filters: Process Name is not secteer.exe => Exclude Event Class is Registry => Exclude Event Class is Network => Exclude Event Class is Process => Exclude Event Class is Profiling => Exclude Make sure Edit -> Auto Scroll is enabled. Make sure File -> Capture Events is enabled. In an administrative command prompt, run: secteer.exe --immediate --suppress-console --path e:\ And watch the output of ProcMon to see what directories it is accessing, and if there are any hints as to what the issue is. Is there a directory loop with infinitely recursing directories ? Does the output stop at any point, and if so, what is the path ? Is it very slow to enumerate the drive ? -
@Tom I ran procmon as instructed and have a .csv file of when the secteer command was started. The file is about 6MB. How can I send this to you?
Here is some info from the file:
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 15320 CreateFile C:\Windows SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 15320 CreateFile C:\Windows\System32\wow64log.dll NAME NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 15320 CreateFile C:\Windows SUCCESS Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 15320 QueryNameInformationFile C:\Windows SUCCESS Name: \Windows
46:27.7 secteer.exe 15320 CloseFile C:\Windows SUCCESS
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 15320 CreateFile C:\Program Files (x86)\SecTeer VulnDetect SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 15320 CreateFile C:\Windows\SysWOW64\apphelp.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 15320 QueryBasicInformationFile C:\Windows\SysWOW64\apphelp.dll SUCCESS CreationTime: 2019-01-22 8:49:48 PM, LastAccessTime: 2019-01-22 8:49:48 PM, LastWriteTime: 2019-01-22 8:49:48 PM, ChangeTime: 2019-01-22 9:06:55 PM, FileAttributes: A
46:27.7 secteer.exe 15320 CloseFile C:\Windows\SysWOW64\apphelp.dll SUCCESS
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 15320 CreateFile C:\Windows\SysWOW64\apphelp.dll SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 15320 CreateFileMapping C:\Windows\SysWOW64\apphelp.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE|PAGE_NOCACHE
46:27.7 secteer.exe 15320 CreateFileMapping C:\Windows\SysWOW64\apphelp.dll SUCCESS SyncType: SyncTypeOther
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES
46:27.7 secteer.exe 15320 CloseFile C:\Windows\SysWOW64\apphelp.dll SUCCESS
46:27.7 secteer.exe 10620 QueryDirectory E:\ NO MORE FILES -
@tom saving the result from procmon as "native process monitor format (PML)" and you can load it at another computer with procmon and you can use the functionality of procmon (e.g. filter) for analysing. Compressing PML file with 7z and compression level ultra can save ~90% of size.
-
@Anselm I have a zipped PML file that is 1.5MB. How do I get it to you?
-
@scottsan Thank you very much. You can send it to
tom [at] vulndetect [dot] com -
@scottsan Thank you so much for sending this. I hope and believe that we nailed the issue this time, a new agent has been released:
https://vulndetect.org/topic/411/release-secteer-vulndetect-agent-v1-0-1-0You may download it here:
https://vulndetect.com/dl/secteerSetup.exe -
@Tom Hi Tom....it looks like things are working ok now. Thanks.
-
OK, I mark the topic as Solved and move it to the category Solved Bugs and Issues.
