Scanning the Host for malware

Hi Guys,

I'm trying to scan a host using a response action.

It looks like you can only scan a specific folder or directory rather than the entire host, like the C drive.

Is it possible to scan the entire host?

And also, where do you check the results of the scan after it completes?

Hi Charles,

Thanks for reaching out. I presume you're trying the scan command via Responder? If yes, then it is indeed possible to scan the entire C drive. You should be able to enter a scan action like so, scan --path "C:\" and that should work. See screenshot.

Response console scan

A scan action result is going to generate an alert if a malicious file is found and you should see that alert on the Alerts page (/app/security/alerts). An alert is not generated otherwise. See the screenshot for such an alert.

Alert from scan

You can see the results of action requests, including the scan action, on the Response console or the Host's Details flyout for the host. Hosts are listed out on the Endpoint list page (app/security/administration/endpoints). You can also see the action's result on the Response Actions History page (app/security/administration/response_actions_history) by expanding the action item. See screenshots.

Response console history

Host details flyout

Response actions history page

Hope this helps, but please do reach out again if you need help.

Hi,

I have tried to run the scan exactly the same way you advised. It's not completing the scan but is stuck in a pending mode. Any idea what might cause the issue?

Unfortunately we don't have any built-in means to observe the progress, neither end-to-end, nor on the endpoint. The action will remain pending in the UI until an outcome is received. It can be tricky as a large directory tree can take considerable time to get scanned.