Hello Joachim,

Which PF version are you using?
Thanks,

Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

Connect with Us:
<https://community.akamai.com/>
<http://blogs.akamai.com/>
<https://twitter.com/akamai>
<http://www.facebook.com/AkamaiTechnologies>
<http://www.linkedin.com/company/akamai-technologies>
<http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Apr 25, 2022, at 8:44 AM, Joachim Leroy via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>
> I made a mistake. Actually, for another WMI rule (check if WinRAR is
> running) I get nothing, but with the one described in the previous mail I got
> this:
>
> pfqueue(7657) ERROR: [mac:08:00:27:10:b8:d0] No WMI header given in
> string '' (pf::scan::wmi::rules::parseResult)
>
> On Sun, Apr 24, 2022 at 7:04 PM Joachim Leroy <joachimlero...@gmail.com
> <mailto:joachimlero...@gmail.com>> wrote:
> Hello everyone.
>
> I simply would like to run a WMI scan to see if the computer has antivirus or
> not. My dream is to make ONE WMI scan work because I have been trying for
> days.
> In the logs, the WMI scan is triggered:
>
> Pre Registration Scan - Current Scan Engine is : WMI_SCAN_ENGINE
> (pf::api::trigger_scan)
>
> Here is the configuration:
>
> scan.conf
>
> [WMI_SCAN_ENGINE]
> wmi_rules=customAV
> duration=20s
> categories=
> registration=1
> username=administrator
> domain=domain.dom
> post_registration=0
> password=xxxxxxx
> pre_registration=1
> type=wmi
>
> wmi.conf
>
> [customAV]
> request=select * from AntiVirusProduct
> namespace=ROOT\SecurityCenter2
> action= <<EOT
> [AntivirusPresent]
> attribute=displayName
> operator=match
> value=*
> [1:!AntivirusPresent]
> action=trigger_violation
> action_param = mac = $mac, tid = 100002, type = INTERNAL
> EOT
> on_tab=1
>
> security_events.conf
>
> [100002]
> trigger=detect::100002
> actions=reevaluate_access,email_admin
> recipient_template_email=security_event-triggered
> desc=av
> access_duration=12h
> window=dynamic
> enabled=Y
> priority=2
> auto_enable=N
>
> (I know that the trigger_id must only be the same as the tid and not be the
> same as the security event id.)
>
> If I make a mistake in the request or in the scan config, I have errors in the
> logs mentioning the WMI request, but nothing with the "correct" configuration,
> and of course the security event is not triggered. It is not on the node tab
> either.
>
> Any help would be welcome :D
> Kind regards
>
> Leroy Joachim.
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!VBzKJIPJ14I9t-o3XtbstXY6vlrIBY6Ba-QSKQ5Nf9Qq2aU_O2uPU3NuJP6cdM4Kh74ffzp9V0kVvq8HgNEcXnNZcYMC--ilOHdnwA$
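A diagnostic to go with the question above (an added example, not code from the thread, from either poster, or from PacketFence itself): the logged error says parseResult received an empty string, so before touching the rule syntax it is worth confirming that the same query returns a table at all when issued from the PacketFence server with the same credentials. One common reason for an empty reply is that ROOT\SecurityCenter2 exists only on client editions of Windows; on Windows Server the namespace is absent and the query yields nothing. The script assumes that PacketFence drives WMI scans through the Linux wmic client (wmi-client package) and its "CLASS:" plus pipe-delimited output format; the host, the credentials copied from the posted scan.conf, and the --namespace option name are assumptions to adjust, and the sample reply is constructed.

```shell
#!/bin/sh
# Added diagnostic for the thread above; not code from PacketFence or
# from either poster. It runs the query that the customAV rule issues
# directly from the PacketFence server and checks whether the reply
# has the table header that pf::scan::wmi::rules::parseResult needs.
#
# Assumptions (not stated on the page):
#  * PacketFence drives WMI scans through the Linux `wmic` client
#    (wmi-client package), whose reply is a "CLASS: <name>" line, a
#    '|'-separated column-name row, then one row per instance.
#  * Host, domain, user and password below are placeholders taken from
#    the posted scan.conf; replace them before running.

# Success (0) when $1 looks like a wmic result table, i.e. it begins
# with the "CLASS: ..." header. An empty reply, which is what the
# "No WMI header given in string ''" log line reports, fails here.
wmi_has_header() {
    printf '%s\n' "$1" | grep -q '^CLASS: '
}

# Number of instance rows: every non-empty line after the CLASS: line
# and the column-name row. A header with zero rows means the namespace
# exists but no product is registered in it.
wmi_row_count() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }'
}

# Constructed sample of a healthy reply (one registered product).
SAMPLE_OK='CLASS: AntiVirusProduct
displayName|instanceGuid|pathToSignedProductExe|pathToSignedReportingExe|productState|timestamp
Windows Defender|{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}|windowsdefender://|%ProgramFiles%\Windows Defender\MsMpeng.exe|397568|Sat, 23 Apr 2022 10:00:00 GMT'

# Run the customAV query against one endpoint and report what the
# scan engine would have seen. Usage: check_endpoint <ip-address>
check_endpoint() {
    host="$1"
    # Placeholders: same domain/user as the posted scan.conf.
    creds="${WMI_CREDS:-domain.dom/administrator%xxxxxxx}"

    if ! command -v wmic >/dev/null 2>&1; then
        echo "wmic not found; install the wmi-client package first" >&2
        return 2
    fi

    # --namespace selects ROOT\SecurityCenter2 instead of the default
    # root\cimv2 (assumed option name of wmi-client's wmic).
    reply=$(wmic -U "$creds" "//$host" --namespace='root\SecurityCenter2' \
                 'select * from AntiVirusProduct' 2>&1)
    rc=$?

    if [ "$rc" -ne 0 ]; then
        echo "wmic failed (rc=$rc): $reply" >&2
        return 1
    fi
    if ! wmi_has_header "$reply"; then
        echo "empty or headerless reply; the scan would log 'No WMI header given'" >&2
        echo "raw reply: '$reply'" >&2
        return 1
    fi
    echo "header OK, $(wmi_row_count "$reply") AntiVirusProduct row(s)"
    printf '%s\n' "$reply"
}

# Stand-alone use: sh wmi_check.sh 192.0.2.10
if [ -n "${1:-}" ]; then
    check_endpoint "$1"
fi
```

If the header check fails here, the problem sits in DCOM/WMI reachability, credentials or the namespace, not in the wmi.conf action block; if it passes with zero rows, the namespace is present but no product is registered with Security Center, which is also a result the rule cannot match on.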