Posts made by Tom

@lammertsm

I'm happy you found a solution.

And thank you very much for the detailed explanation, I'm certain other customers can benefit from this.

@lammertsm

Hi,

It appears that we have some outdated documentation, it will be fixed within a day or two. The OCSP / CRT hosts should be:

• r3.o.lencr.org
• r3.i.lencr.org

However, this is most likely not the cause of the issue that you have.

I can see that the host got registered with the system. This means that the installer managed to contact the backend and get the authToken, that you see in the logfile.

Since the installer is invoked interactively by the logged in user, it uses the same network / proxy settings as the user that is logged in, when it invokes the Agent to register for a authToken.

While the Agent runs as the SYSTEM user, after it is installed.

In some environments, there is restrictions on what the SYSTEM user can do on the network and whether it has access to a proxy.

I suspect that is what you are seeing here.

Since I don't know anything about your system configuration, it is hard to advise on the proper cause of action to allow the Agent network access.

VulnDetect Agent 3.0.1.0 is available. We would appreciate if you test and use this on selected systems.

Please report any and all issues you find with this latest Agent. It is a prerequisite for upcoming features, however, it is expected to be superseded soon, as more functionality will be added.

Updating your Microsoft 365 installations using Custom Software is very easy.

We have made the below simple sample code, which will update it in a safe manner.

You may want to alter this:
/update user displaylevel=false forceappshutdown=false

The displaylevel can be set to true, then the user will see a popup.

And you would be able to close the apps by changing forceappshutdown to true. Our tests shows that this is safe, as it doesn't close the apps, if people have unsaved documents open. However, please test this on a few hosts, before doing this across the entire company network.

$path64 = "C:\Program Files\Common Files\microsoft shared\ClickToRun"
$path32 = "C:\Program Files (x86)\Common Files\microsoft shared\ClickToRun"
$file = "OfficeC2RClient.exe"
$arguments = "/update user displaylevel=false forceappshutdown=false"
function updateOffice ($clicktorun, $arguments) {
    Start-Process -PassThru -FilePath $clicktorun -ArgumentList $arguments
}
if (Test-Path -LiteralPath "$path32\$file" -PathType Leaf -ErrorAction SilentlyContinue) {
    updateOffice -clicktorun $path32\$file -arguments $arguments
}
elseif (Test-Path -LiteralPath "$path64\$file" -PathType Leaf -ErrorAction SilentlyContinue) {
    updateOffice -clicktorun $path64\$file -arguments $arguments
}
else {
    Write-Host "Error: $file not found in default locations, aborting."
}

Remember to select All files:

@OLLI_S Lots of good ideas.
The first one, that about excluding drives or folders, is getting a lot closer. I don't have a date yet, but we will soon make the final decision about how it should be implemented in the backend and then it shouldn't be long before there will be a UI component for it too.

@GregAlexandre Noted. Thank you.
Btw. depending on your installation, you will be notified via the Windows Update details in VulnDetect about missing updates for old Office versions.

Thank you, product added

@GregAlexandre Interesting.

Luckily, I discussed this with a developer earlier today, and it seems that we can keep the --immediate though technically it will work quite differently.

Instead of running an inspection, it will signal the service and ask it to run the inspection.

Only caveat is that it most likely will require Admin privileges to send this signal.

And then the process will exit immediately, while the service runs in the background.

The other options will still vanish because they will be incompatible with the new changes.

@OLLI_S Just wanted to officially inform about some upcoming and breaking changes to the agent.

Well, breaking for the Toolbox, but not for anything else, as far as we can tell.

With the upcoming major release of the agent, it will no longer be possible to run the --immediate in the same as way as before.

The reason is simple: It doesn't make sense, because the inspection data returned by the agent are wrong, because the agent runs in the wrong context.

Instead, the --immediate will be changed to send a request for a new inspection task to the backend. Within 1 minute, the agent (the service) should pick up the task and inspect.

This also means that the following options will be removed from the agent:

--no-filesystem
--no-registry
--no-system
--no-msi
--no-winupdate
--ignore
--path

The "ignore" and "path" can still be controlled via the registry:
https://vulndetect.org/topic/2388/

I don't know how many users use the Toolbox, we use it, because it is a nice way to extract data for new detections, which in turn is posted to some internal sub-categories for documentation purposes.

But the functionality to inspect is not used by anyone at SecTeer.

@jak552 We discussed this a few days ago, it sounds like this is viable to implement in a soon to come UI update.
With some luck before the end of the year.

@OLLI_S Yes

Thank you, it has now been added and is public.

@GregAlexandre Thank you. Icon added, and "testing" flag has been removed from the app - which btw. is surprisingly popular.

2.4.2.0 is the latest and Recommended SecTeer VulnDetect Agent release:

v2.4.2.0 2022-10-16

• Fix issue with uninstalling agent.
• Update zlib dependency to latest versions.
• Update license file.

(this reply was made to ensure that this thread is at the top)

@GregAlexandre Did you have issues uploading the icon?
If so, then please email it to me, I believe you have my email addresses already.

@jak552 Thank you for the suggestions about SSO and MFA.

The SSO is sort of on the roadmap, as part of our next larger development tasks.

We will take the association between groups and sites into consideration, though my impression is that most of our current customers have multiple AD groups per site.

It sounds like we need to consider how we can be flexible, so one AD could be one site in some cases, and another AD could span multiple sites in other cases.

Thanks.

You can install and upgrade VirtualBox Guest Additions on your VirtualBox VM's.

Download the ISO image (VBox GuestAdditions):
https://www.oracle.com/virtualization/technologies/vm/downloads/virtualbox-downloads.html

Note: the link on the above page is not always updated timely, however, you can substitute the version in the link to get the latest iso file:
https://download.virtualbox.org/virtualbox/6.1.38/VBoxGuestAdditions_6.1.38.iso

Windows 10/11 will allow you do open the .iso file after displaying a warning, you can now copy the (signed) file called VBoxWindowsAdditions-amd64.exe (or VBoxWindowsAdditions-x86.exe if you have any 32bit guests) to another folder.

The installation is made silent by /S.

Installation of Microsoft SQL Server Management Studio is possible using the Custom Software feature.

You can find it here, we used 18.12.1 for our tests:
https://learn.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver16

You need to use the /install /quiet or perhaps /install /quiet /norestart arguments:

It is possible to install OBS Studio using the Custom Software feature.

Download the "Full Installer" from:
https://obsproject.com/download

We tested with version 28.0.2.

The silent install parameter is /S, remember capital S.