I made a mistake. Actually, for another WMI rule (check if winrar is
running) I get nothing, but with the one described in the previous mail I
got this:

pfqueue(7657) ERROR: [mac:08:00:27:10:b8:d0] No WMI header given in string '' (pf::scan::wmi::rules::parseResult)

On Sun, Apr 24, 2022 at 7:04 PM Joachim Leroy <joachimlero...@gmail.com>
wrote:

> Hello everyone.
>
> I simply would like to run a WMI scan to see if the computer has AntiVirus
> or not. My dream is to make ONE WMI scan work because I have been trying
> for days.
>
> In the logs, the WMI scan is triggered:
>
> *Pre Registration Scan - Current Scan Engine is : WMI_SCAN_ENGINE
> (pf::api::trigger_scan)*
>
> Here is the configuration:
> *scan.conf*
>
> [WMI_SCAN_ENGINE]
> wmi_rules=customAV
> duration=20s
> categories=
> registration=1
> username=administrator
> domain=domain.dom
> post_registration=0
> password=xxxxxxx
> pre_registration=1
> type=wmi
>
> *wmi.conf*
>
> [customAV]
> request=select * from AntiVirusProduct
> namespace=ROOT\SecurityCenter2
> action= <<EOT
> [AntivirusPresent]
> attribute=displayName
> operator=match
> value=*
> [1:!AntivirusPresent]
> action=trigger_violation
> action_param = mac = $mac, tid = 100002, type = INTERNAL
> EOT
> on_tab=1
>
> *security_events.conf*
>
> [100002]
> trigger=detect::100002
> actions=reevaluate_access,email_admin
> recipient_template_email=security_event-triggered
> desc=av
> access_duration=12h
> window=dynamic
> enabled=Y
> priority=2
> auto_enable=N
>
> (I know that the trigger_id must only be the same as the tid and not be
> the same as the security event id)
>
> If I make a mistake in the request or in the scan config, I get errors in
> the logs mentioning the WMI request, but nothing with the "correct"
> configuration, and of course the security event is not triggered. It is
> not on the node tab either.
>
> Any help would be welcome :D
> Kind regards
>
> Leroy Joachim.
>
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
