Detected Applications - There is no data to display.

KI108 · 19 Dec 2018, 19:24

Re: Nothing to see
I get the same from yesterday. Windows 10 Pro 1809 17763.194. I tried with latest versions of Opera, Firefox, Chrome all showing same results.

Latest from logs says.
[2018-12-19 19:13:18.919-0360] No tasks to perform.
[2018-12-19 19:16:18.932-0360] Checking in with server
[2018-12-19 19:16:18.933-0360] Server = > 'agent.vulndetect.com'
[2018-12-19 19:16:18.949-0360] Connecting to server: agent.vulndetect.com
[2018-12-19 19:16:19.741-0360] Server returned 201 =>
[2018-12-19 19:16:19.744-0360] Check-in complete
[2018-12-19 19:16:19.744-0360] Next scheduled check-in is in 3 minutes
[2018-12-19 19:16:19.744-0360] Current configuration:
version:: 0.10.11.0
server : agent.vulndetect.com
guid1::
guid2::
guid3::
checkInInterval : 180 seconds
checkInRetryDelay : 60 seconds
maxCheckInRetryCount : 2
dataRetryDelay : 600 seconds
inspectionWindow : 21600 seconds
timezoneOffset : -360 minutes
serverTime : 2018-12-19 19:16:20 (UTC)
nextInspectionTime : 2018-12-20 13:10:00 (local time)
checkInNow:: false
noFilesystem : false
noRegistry : false
noWinUpdate : false
noSystem : false
noPackage:: true
[2018-12-19 19:16:19.744-0360] No tasks to perform.

Tom · 20 Dec 2018, 21:30

Don't you see the "authToken" in the log file?

[2018-12-20 21:25:41.529+0000] Current configuration:
             version:: 0.10.11.0
           authToken : aef31e67-721a-4d04-bcca-xxxxxxxxxxxx
              server : agent.vulndetect.com

If you don't, then you agent isn't registered properly.

In Configuration you should see a "review" agent or similar.

If you don't, then you have to uninstall and install again.

KI108 · 20 Dec 2018, 21:48

@Tom
Yes there is authToken in there. I had removed it for posting to the website. But in configuration it just lists

Last Agent IP Address
I removed it here

Last CheckIn
a minute ago

Last Inspection
2 days ago

Next CheckIn
in an hour

Next Inspection
in a day

Host name
I removed it here

Days of week to run inspections
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Sunday
Hour of day to run inspections
: 15:45 --> I have changed it multiple times and tried
Inspections will run at this time each selected day.

I have changed the Hour of day to run the inspections multiple times to the nearest increment , Installed secteersetup.exe multiple times etc. . but still the same.
I don't see anything in Configurations to setup.

Per one of the notes i had run -- immediate command and it said it sent it to vulndetect yesterday. But still nothing happens.
Thanks for the any help.

Tom · 20 Dec 2018, 22:05

@KI108 Could you send me your hostname in the chat, then I will go see what we get in the server logs

KI108 · 20 Dec 2018, 23:33

@Tom
Sent. Thanks for looking into my issue. I appreciate your time and patience to try and resolve it.

Tom · 21 Dec 2018, 14:20

Just for the record, this answer was sent in the private chat to @KI108 :

The "Error => bad allocation" you see in the log, that is due to the agent not being able to allocate memory.

This puzzles us as it doesn't use more than 40MB on any of our test boxes, we have really done a lot to limit the memory footprint.

But, this lead us to look at another thing, it is spending around 10 minutes enumerating your filesystem, this usually takes less than a minute, depending on type of drive, system load and number of apps and AV products. Regardless, 10 minutes seems to be a very long time compared to what we normally see.

We suspect there may be a "looping path issue" or multiple symlinks to directories with a lot of files. But this is guess work.

I would appreciate is you could do two things:

Monitor the RAM usage in task manager while running the "secteer.exe --immediate"
Run

secteer.exe --immediate --path="c:\program files"

or

secteer.exe --immediate --path="c:\program files\mozilla firefox"

or something else specifc

KI108 · 22 Dec 2018, 19:05

@Tom
As mentioned in chat
Running immediate
with "C:" gave

[2018-12-21 18:05:10.392-0360] Enumerating 'c:'
[2018-12-21 18:05:10.419-0360] Recycle Bin: c:$Recycle.Bin
[2018-12-21 18:05:10.421-0360] Skipping 'c:$Recycle.Bin', since it is a Recycle Bin
[2018-12-21 18:05:10.442-0360] Error (a) enumerating directory 'c:\Documents and Settings' : 0x00000005 => Access is denied.
[2018-12-21 18:05:21.171-0360] Error (a) enumerating directory 'c:\ProgramData\Application Data' : 0x00000005 => Access is denied.
[2018-12-21 18:05:21.173-0360] Error (a) enumerating directory 'c:\ProgramData\Desktop' : 0x00000005 => Access is denied.
[2018-12-21 18:05:21.174-0360] Error (a) enumerating directory 'c:\ProgramData\Documents' : 0x00000005 => Access is denied.
[2018-12-21 18:05:21.768-0360] Error (a) enumerating directory 'c:\ProgramData\Microsoft\Diagnosis\FeedbackHub' : 0x00000005 => Access is denied.
Error (a) enumerating directory 'c:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA' : 0x00000005 => Access is denied.
[2018-12-21 18:05:21.769-0360] Error (a) enumerating directory 'c:\ProgramData\Microsoft\Diagnosis\TimeTravelDebuggingStorage' : 0x00000005 => Access is denied.
[2018-12-21 18:05:21.968-0360] Error (a) enumerating directory 'c:\ProgramData\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files\Documents and Settings' : 0x00000005 => Access is denied.
[2018-12-21 18:05:22.381-0360] Error (a) enumerating directory 'c:\ProgramData\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files\ProgramData\Application Data' : 0x00000005 => Access is denied.
[2018-12-21 18:05:22.381-0360]

KI108 · 22 Dec 2018, 19:10

Basically it starts of with 34% memory and slowly increased around 80%, before it quit with bad allocation. The Secteer itself starts of around 2 MB or so and slowly went past 2000 MB or so.

Mostly it was c:\ProgramData\Microsoft\Windows... or \Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\ which was doing recursively inside up to 23 times in one path like below

[2018-12-21 18:10:58.180-0360] Error (a) enumerating directory 'c:\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files

\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files

\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\All Users\Microsoft\Windows\Containers\BaseImages\e5ee5788-c3b5-420c-9baa-16c0eee19a9e\Files
\Users\WDAGUtilityAccount\AppData\Local\Application Data' : 0x00000005 => Access is denied.

KI108 · 22 Dec 2018, 19:13

C:\ProgramData\Microsoft\Windows\Containers

Directory of C:\ProgramData\Microsoft\Windows\Containers

10/02/2018 11:00 PM <DIR> .
10/02/2018 11:00 PM <DIR> ..
12/21/2018 06:47 PM <DIR> BaseImages
12/22/2018 11:54 AM <DIR> Dumps
12/21/2018 08:20 PM <DIR> Sandboxes
12/21/2018 08:20 PM <DIR> Zygotes
0 File(s) 0 bytes
6 Dir(s) 230,609,969,152 bytes free

Directory of C:\ProgramData\Microsoft\Windows\Containers\BaseImages

12/21/2018 06:47 PM <DIR> .
12/21/2018 06:47 PM <DIR> ..
12/21/2018 06:47 PM <DIR> 81d3cadc-05e5-4680-9e82-e479c73896b6
0 File(s) 0 bytes

Directory of C:\ProgramData\Microsoft\Windows\Containers\BaseImages\81d3cadc-05e5-4680-9e82-e479c73896b6

12/21/2018 06:47 PM <DIR> .
12/21/2018 06:47 PM <DIR> ..
12/21/2018 06:46 PM <DIR> Files
12/21/2018 06:47 PM <DIR> Snapshot
12/21/2018 06:46 PM 4,194,304 SystemTemplate.vhdx
12/21/2018 06:46 PM 75,497,472 SystemTemplateBase.vhdx
2 File(s) 79,691,776 bytes
4 Dir(s) 230,609,874,944 bytes free

File folder

C:\ProgramData\Microsoft\Windows

3.23 GB (3,469,314,133 bytes)

10,497 Files, 1,134 Folders

Read-only (Only applies to files in folder)

These were Containers Properties under C:\ProgramData\Microsoft\Windows

KI108 · 22 Dec 2018, 19:20

For the time being I ran Secteer immediate for path C:\Program files and again with C:\Program Files (x86) to see if any software was not latest and I found two.
After Secunia PSI went away, I have been using PatchMyPC, SUMO, Heimdal Pro to see what needs updating. Unlike Secunia which used to show almost everything, these 3 give bits and pieces and that is why I was looking for a better option.
Thanks for looking into this.
Like Secteer excludes scanning Recycle Bin, similarly this directory structure of Containers needs to be excluded also.
C:\ProgramData\Microsoft\Windows
and
C:\Users\All Users\Microsoft\Windows
That's my thought.
@Tom Once again appreciate your time and patience in resolving these issues.

Tom · 23 Dec 2018, 10:16

For some reason there is an issue in that folder, that cause the structure to recurse / loop endlessly.

We are looking at approaches to avoid following such loops (in a generic way, rather than excluding that specific folder). Due to the holidays a solution is not right around the corner, but it is on the high priority list and we will address it soon.

KI108 · 27 Dec 2018, 15:13

@Tom
Another question. Does one need to be logged in through browser for inspections to work? The reason I ask is, I did not login to vulndetect.com for few days and when i logged in today, I see last inspection 6 days ago.

Last CheckIn a minute ago

Last Inspection 6 days ago

Next CheckIn in 11 minutes

Tom · 27 Dec 2018, 22:07

@KI108 No, the agent will run if the PC is turned on. So no need for logging in via browser.

But I suppose this could be because even the automatic inspection is failing for you.

Could you send me your log again via email?

KI108 · 27 Dec 2018, 22:54

@Tom
I have emailed the log to you. Thanks for looking into it.

KI108 · 28 Dec 2018, 15:11

@Tom
It was set to 08:20 CST and I had changed to 09:20 CST to force it yesterday but it still didn't do anything.

Last CheckIn 14 minutes ago

Last Inspection 7 days ago

Next CheckIn in 9 minutes

Next Inspection in 9 minutes

Will see what happens in the next 10 minutes

KI108 · 28 Dec 2018, 15:34

@Tom
It worked this time.

Last CheckIn a minute ago

Last Inspection a minute ago

Next CheckIn in an hour

Next Inspection in a day

Though it did the c:\ and came back with the bad allocation after all the 0x00000005 => Access is denied.

Also the version still shows version:: 0.10.11.0 in the log. With the back -end changes you mentioned in other post of Nothing to see was this supposed to change?

Tom · 29 Dec 2018, 10:32

@KI108 Yes, this was expected
We did not have time to work on changes to the agent yet, and this is something that we need to investigate and test properly, before we deploy it.
And I'm afraid that we need to clear an issue or two more before we can fix this one, sorry.
I'll keep you posted when there is news.

Tom · 26 Jan 2019, 18:46

@KI108 Sorry for the long wait, we are planning to make improvements to the agent during next week. I hope you have time to test later in the week.

KI108 · 26 Jan 2019, 22:36

@Tom Sure, I will once you update the agent. Thanks for looking into it.

Tom · 2 Feb 2019, 01:30

@KI108 We now have a new version of the agent, can you please test it and report back to us?
https://test.vulndetect.com/dl/secteerSetup.exe

The new version is NOT available from the normal download location yet.