My guess is that your violation never triggers, right? We already have a similar example on how to trigger it:

https://github.com/inverse-inc/packetfence/blob/03f8a65714be7915ddd8b2b5d007488c0b7154cb/conf/security_events.conf.defaults#L396
https://github.com/inverse-inc/packetfence/blob/03f8a65714be7915ddd8b2b5d007488c0b7154cb/conf/wmi.conf.example#L68

Keep in mind also the grace time does matter a lot because it will never re-evaluate if the grace time is still active.

Thanks,

Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us: <https://community.akamai.com/> <http://blogs.akamai.com/> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> <http://www.linkedin.com/company/akamai-technologies> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Apr 26, 2022, at 9:32 AM, Joachim Leroy <joachimlero...@gmail.com> wrote:
>
> Hello. 10.3.0. It seems to be the last with WMI.
>
> On Tue, Apr 26, 2022 at 3:27 PM Zammit, Ludovic <luza...@akamai.com <mailto:luza...@akamai.com>> wrote:
> Hello Joachim,
>
> Which PF version are you using?
>
> Thanks,
>
> Ludovic Zammit
> Product Support Engineer Principal
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>
>> On Apr 25, 2022, at 8:44 AM, Joachim Leroy via PacketFence-users <packetfence-users@lists.sourceforge.net <mailto:packetfence-users@lists.sourceforge.net>> wrote:
>>
>> I made a mistake. Actually for another WMI rule (check if WinRAR is running) I get nothing, but with the one described in the previous mail I got this:
>> pfqueue(7657) ERROR: [mac:08:00:27:10:b8:d0] No WMI header given in string '' (pf::scan::wmi::rules::parseResult)
>>
>> On Sun, Apr 24, 2022 at 7:04 PM Joachim Leroy <joachimlero...@gmail.com <mailto:joachimlero...@gmail.com>> wrote:
>> Hello everyone.
>>
>> I simply would like to run a WMI scan to see if the computer has an antivirus or not. My dream is to make ONE WMI scan work because I have been trying for days.
>>
>> In the logs, the WMI scan is triggered:
>> Pre Registration Scan - Current Scan Engine is : WMI_SCAN_ENGINE (pf::api::trigger_scan)
>>
>> Here is the configuration:
>>
>> scan.conf
>> [WMI_SCAN_ENGINE]
>> wmi_rules=customAV
>> duration=20s
>> categories=
>> registration=1
>> username=administrator
>> domain=domain.dom
>> post_registration=0
>> password=xxxxxxx
>> pre_registration=1
>> type=wmi
>>
>> wmi.conf
>> [customAV]
>> request=select * from AntiVirusProduct
>> namespace=ROOT\SecurityCenter2
>> action= <<EOT
>> [AntivirusPresent]
>> attribute=displayName
>> operator=match
>> value=*
>> [1:!AntivirusPresent]
>> action=trigger_violation
>> action_param = mac = $mac, tid = 100002, type = INTERNAL
>> EOT
>> on_tab=1
>>
>> security_events.conf
>> [100002]
>> trigger=detect::100002
>> actions=reevaluate_access,email_admin
>> recipient_template_email=security_event-triggered
>> desc=av
>> access_duration=12h
>> window=dynamic
>> enabled=Y
>> priority=2
>> auto_enable=N
>> (I know that the trigger_id must only be the same as the tid and not the same as the security event id)
>>
>> If I make a mistake in the request or in the scan config I have errors in the logs mentioning the WMI request, but nothing with the "correct" configuration, and of course the security event is not triggered, and it is not on the node tab either.
>>
>> Any help would be welcome :D
>> Kind regards
>>
>> Leroy Joachim.
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
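Added example (Python, not PacketFence's own Perl code in pf::scan::wmi::rules) that walks the action block from the question through three outcomes: an antivirus row matches (no action), the query returns a header with no rows (the [1:!AntivirusPresent] action fires), and the query returns nothing at all (the "No WMI header given" error from the log). The pipe-separated wmic output format, treating value as a regex, and reading the 1:!Name prefix as "fire when Name matched no row" are assumptions drawn from the sample configuration; value=* is written as .* because a bare * does not compile as a regex.

```python
import re
from configparser import ConfigParser

# Constructed wmic-style output for the query in the question (not captured from a real host).
# Assumed format: a "CLASS:" header line, a pipe-separated column line, then one row per instance.
SAMPLE_WITH_AV = "CLASS: AntiVirusProduct\ndisplayName|productState\nWindows Defender|397568\n"
SAMPLE_NO_ROWS = "CLASS: AntiVirusProduct\ndisplayName|productState\n"
SAMPLE_EMPTY = ""  # the case the "No WMI header given in string ''" log line reports

# The action block from the question, except value=* is written as .* so it compiles as a regex.
ACTION_BLOCK = """
[AntivirusPresent]
attribute=displayName
operator=match
value=.*
[1:!AntivirusPresent]
action=trigger_violation
action_param = mac = $mac, tid = 100002, type = INTERNAL
"""

def parse_wmic_output(text):
    """Turn wmic output into a list of row dicts; empty output reproduces the parseResult error."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("CLASS:"):
        raise ValueError(f"No WMI header given in string '{text}'")
    columns = lines[1].split("|")
    return [dict(zip(columns, row.split("|"))) for row in lines[2:]]

def evaluate(action_block, rows):
    """Return the actions that fire: [N:Name] fires when Name matched a row, [N:!Name] when it did not."""
    cfg = ConfigParser(interpolation=None)  # $mac must not be interpolated
    cfg.read_string(action_block)
    matched = {}
    for name in cfg.sections():
        if ":" in name:
            continue  # trigger sections are handled in the second pass
        rule = cfg[name]
        if rule["operator"] != "match":
            raise ValueError(f"operator {rule['operator']!r} not handled in this example")
        matched[name] = any(re.search(rule["value"], r.get(rule["attribute"], "")) for r in rows)
    fired = []
    for name in cfg.sections():
        if ":" not in name:
            continue
        cond = name.split(":", 1)[1]
        negate = cond.startswith("!")
        if matched.get(cond.lstrip("!"), False) != negate:
            fired.append(cfg[name]["action"])
    return fired

def value_is_valid_regex(value):
    """True if a rule value compiles as a regex: '*' alone does not, '.*' does."""
    try:
        re.compile(value)
        return True
    except re.error:
        return False
```

If PacketFence does apply value as a regex (an assumption here), the original value=* is worth checking against a value that compiles, such as .*.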