Agent Client Collector - Check command denied by Agent allow list

Vinay Chavhan
Tera Contributor

Hi All,

 

I have built a subflow in Flow Designer to run a command on the Agent machine (host) to stop a process running on the host machine. For this I have used the Agent Client Collector Spoke and selected Run Command on Agent as the action. After running the flow, the error reads "check command denied by the agent allow list"

In any case, can I run the command by modifying the Agent Allow List file? Or is there any alternate way of making the agent run the command on the host machine it is installed on, so that we can stop the process remotely using the Agent?

 



Parag_Sanyashiv
Giga Guru

Hi Vinay,

 

This is an expected error when you have not added the command in the check-allow-list.json, which is situated in the Agent folder in ProgramData. You can do it in two different ways:

1. You can add the command in check-allow-list.json

2. Else, you can create a batch file which contains the command and create an ACC plugin. Create a check definition which calls the batch file. This way will also have a security check, which is the certificate signing. You can bypass the certificate too by changing the flag in config.xml -

    verify-plugin-signature = False

Once you do this, you can add and run any command.

Hi Parag,

 

As per the 1st option, I tried entering the command manually in the Agent allow list, but it did not work. Can you please check whether it is correctly written or not? Also, please suggest anything else that can be done there.

 

And in the 2nd option you have mentioned calling the batch file; do we need to add it under command in the check definition?

Hi Vinay,

I checked the screenshot, and the check-allow-list seems correct, but while running the command from the spoke, check whether you are missing any spacing, as a command should exactly match what you have added in check-allow-list.json. Also, create a check definition for that command and generate the check allow list JSON from the related links of the check definition. Test Check in the check definition first and then go for running it on the spoke.

 

And for the 2nd option, you need to add that command in check-allow-list.json associated with the plugin, not on the global one which resides in the ProgramData/ServiceNow.

Regards,

As per your inputs we implemented option 2. Created a batch file with the command. Then created the plugin and check definition. But it is failing when we test in check definition. check (Response code 3, check command denied by agent allow list)

Below is the content in check-allow-list.json. It is just to kill the process. We tried with taskkill /f  /im chrome.exe also but it is still failing with the same error. Any inputs? We checked spacing also, still no luck. Should it be only in .rb or .sh extension in check-allow-list.json?

    [
        {
            "args": [
                ""
            ],
            "exec": "taskkill",
            "skip_arguments": true
        }
    ]