01-09-2019 11:00 PM
Hey
Recently, while discovering on a Windows server, there was a problem with the Carbon Black agent restricting execution of a few scripts which were being run using our service account (Windows ServiceNow) during the scanning of the machine.
Below are the scripts; they were placed in the temp directory:
1) c:\temp\httpupload.vbs [DC85C...489B5]
2) c:\temp\httpgetbin_encoded.vbs [40D54...1B2DB]
3) c:\temp\httpgetbin_adodb.vbs [60F74...F013B]
The questions are:
- Is it normal behavior for ServiceNow scanning to create scripts in a temporary directory, execute them, and then delete them afterwards?
- Do you know if there are more than the three VBS scripts identified that need to run?
- Are you able to specify a different directory path to store and run these scripts?
Could you please help me with this too?
Thanks
~ Sonu
Labels: Discovery
01-10-2019 05:25 AM
Yes, this is normal behaviour, as Discovery needs some helper scripts to discover certain things. You will also notice that it creates output files in the Windows temp directory for commands being run, to capture their output. I think you can actually change the folder they go to, but I can't remember where (I would check the Discovery properties). At the very worst you could open a HI ticket and ask. Essentially I believe it's using the $ADMIN share for most of them, which leads to the temp folder.
10-24-2019 03:23 AM
Our Server Admins complain that these files are not getting deleted after the Discovery has collected all necessary information. Do any of you know how to delete these temp files after the Server Disco is finished? Is there a property or anything else I can adjust?
Thanks in advance.
01-27-2021 05:11 AM
Tuna,
Did you ever get an answer to this question? I am facing the same issue.
Thanks,
Jason