Comments
-
We just got LEM installed recently and I was kind of surprised that Sysmon logs events on a PC that LEM will not. A lot of other SIEM vendors actually use Sysmon as their notification mechanism. We install both Sysmon and the LEM Agent on every computer. Sysmon gives us the ability to alert on suspicious commands. For…
-
Just noticed the activate rule button is gone
-
that happened for me as well
-
Upgrading now, one thing I was curious about: We monitor services that are installed on servers, we do this through the SEM of course. When the SEM Agent gets upgraded I get an alert about a service installed called "swfsv2fltr." Any idea what this is? It's something new I believe.
-
Let me know if you need help.
-
Saw this today, thought it was funny
-
gotcha, I guess Nessus is just scanning for log4j-versionI.jar files.
-
We saw this on old SEM agents installed on Windows devices in: C:\windows\syswow64\ContegoSPOP\6.3.1\jars\log4j-1.2.14.jar
-
@"tony.johnson" I am interested in this as well, can you look at getting this page available?
-
Interesting, we have the C:\Windows\SysWOW64\ContegoSPOP\6.3.1.hotfix5 folder on our desktops but we do not have the BIN folder. The BIN Folder for us is in the C:\Windows\SysWOW64\ContegoSPOP\jre6.7.0\bin folder. There is a java.exe file in there, but nowhere else in the C:\Windows\SysWOW64\ContegoSPOP directory. Our…
-
My question is that I am only getting logs from my file server. The file server is my biggest concern, it has the LEM agent installed and is set up as FIM. So if my PC writes a file to the file server my alert comes from my server, not my PC. So I can't shut down the IP of the PC, just the file server. Is this normal or…
-
Are you sure this is related to the LEM agent? I have the 6.7 LEM agent installed on 400+ workstations/servers but I only see this Nessus plugin (121231) as vulnerable on two machines and it is because Java is installed on these machines, not because of the LEM agent.
-
These are all on Cisco switches, we do not have any WiFi devices on our network. The devices in this example are a printer, a laptop, a security camera, and a VM.
-
We are familiar with Nessus and the multitude of issues their scans can cause. We have also fought issues with printers and applications having issues after a scan. I was more curious about the Swfsfltrv2.sys FIM connector driver in general though. Usually Tenable has been pretty good at helping us identify issues with…
-
I've seen this article, we've been on 3.3.1 since June, we were on 3.3 before that. The problem we are having is rogue alerts being created, the devices are not showing as a Rogue Device but an Alert is being generated as if they were a Rogue Device. Typical timeline: 1 - we add a device to our network that has a unique…
-
vote for this idea here:
-
Are you able to monitor file creation without the agent and FIM going?
-
you da man, this is exactly what we were looking for. Good idea on using Procmon for finding the key. Now that we know where the reg key is we can find a way to script this change in. Thanks again!
-
Thanks, space isn't a concern for us at this time. I am more worried about CPU and memory usage on the appliance. We have ~400 PCs. I think file monitor on desktops could be valuable in tracking issues associated with mass file copy/deletions and in the areas of ransomware detection. We also have an issue with an…
-
From your LEM Appliance, go to Manage > Nodes > Add Node > Agent Node and select local installation. This package will have all that included.
-
Anybody have any feedback on the new version? How has the first week gone so far?
-
rschroeder I like this report, but I am still kind of perplexed on why such a report is offered in Kiwi CatTools and is not integrated with Orion NCM or NPM. I believe your report requires me to monitor every switch interface, which we do not have licensed. Kiwi Cat Tools has a great report called Report.X-Ref.Port MAC…
-
Is this happening on a computer that has never accessed NPM?
-
I wanted to post some more information, maybe someone can help me as to what our issue might be. Monday, August 6th, 10:49am CT four Rogue Alerts came into our Email: Went to UDT at 10:57pm and observed there were four Active Alerts for the below MAC IDs: **:**:**:**:F2:A4 **:**:**:**:75:4E **:**:**:**:91:27 **:**:**:**:19:CA…
-
I actually just came to this forum to see if there were any similar issues. We updated to 6.7 last week. We have seen this memory usage issue on a few servers and PCs. The Javaw.exe is the executable that has the memory issues and that file is located in the Solarwinds folder C:\Windows\SysWOW64\ContegoSPOP\jre6.7.0\bin I…
-
I've seen this problem as well on larger files. Usually the file is still transferring and the 100% is not accurate. After a while the file will appear.
-
A few times when I've had a rule go crazy I've rebuilt the rule and the issue fixed itself. Also, this might be obvious, but in group policy there is a setting for AD account auto-unlock period, I think the default is 30 minutes. I thought I'd bring this up just in case it's getting auto unlocked before you have a chance to…
-
I've set up a rule in my firewall before to allow this. You'll need to get your firewall admin to do this for you though because he'll need to set up a port on the firewall so that port gets forwarded to an internal IP address. The PC dameware client will need to match this port as well. Your remote client will then…
-
Does this Hot Fix cover CVE-2019-3980?