Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Product Name

CIS-CAT Pro Assessor v4

Product Version

v4.*All

Date



Problem

When running an Assessor scan against a Windows target, the scan stops unexpectedly while gathering networking parameters.

When Assessor is run with INFO-level logging, the /logs/assessor-cli.log file contains the following entry:

Code Block
INFO org.cisecurity.session.impl.BaseSession - Starting Execution for Command --> 
""C:\Windows\Temp\ccpa-temp-20220927T155943132\ciscat.exe" "collect_ipconfig""
ERROR org.cisecurity.wrapper.SessionUtilities - Exception Creating Session!
org.xml.sax.SAXParseException: Content is not allowed in prolog.

Solution

This particular issue can be caused by network interfaces (virtual or physical) that return insufficient data for the assessment to proceed. To verify this, open an administrative PowerShell terminal on the target Windows system and run the following Get-WmiObject command:

Code Block
Get-WmiObject -Namespace "root\cimv2" -Query "SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IpEnabled='True'" | Select-Object Description, Index, IPAddress, MACAddress | ConvertTo-Csv -NoTypeInformation

The resulting output will indicate which adapters are affected, if any.

In the below example, the "Appgate Tunnel" interface does not return a corresponding MAC address value:

Code Block
"Description","Index","IPAddress","MACAddress"
"Intel(R) Wi-Fi 6 AX201 160MHz","1","System.String[]","88:D8:2E:07:FC:C9"
"VirtualBox Host-Only Ethernet Adapter","5","System.String[]","0A:00:27:00:00:03""
"Appgate Tunnel","16","System.String[]", 

To allow the scan to complete, temporarily disable the affected interface in the system settings. The query used by Assessor collects this data only from adapters with enabled TCP/IP bindings.

Once the scan completes, the interface can be re-enabled.

Keywords;

Content by Label

Filter by label (Content by label)
showLabelsfalse
showSpacefalse
cqllabel = "sbp_fer"

Copyright © 2022

Center for Internet Security®


Page Properties
hiddentrue

Action

Name(s)

Date

Linked ticket

Jira Legacy
serverSystem JIRA
serverIdb90ca2a8-9df7-3869-89db-c424866c1b16
keySUPPORT-22328

Created by

Allan Cornwell

Reviewed by

Approved by

Remove by