Files & Directories Scanner

Comments

11 comments

  • Luke Nichols

    Jordan,

    Is your files & directories scanner in your default scan profile? Is your PDQ Deploy package set to scan after deployment? Which scan profile is it set to use?

    1
    Comment actions Permalink
  • Jordan Maresch

    Yes - it is in the default scan, as well as several other scans (Applications and a "test" which only scans for this file).

    PDQ is set to scan after deployment.

    Scan profile used is Applications, which also includes the file and directory scan.

    1
    Comment actions Permalink
  • Luke Nichols

    Could you post a screenshot of your scanner?

    1
    Comment actions Permalink
  • Colby Bouma

    >Yes - it is in the default scan, as well as several other scans

    That's what's causing the problem. Each of those Scan Profiles keeps their own history of that file. In order to correctly see the changed file, you would have to run each Scan Profile that looks for that file. For this reason I recommend having only 1 Scan Profile that looks for a particular file.

    1
    Comment actions Permalink
  • Jordan Maresch

    Colby,
    That makes sense. I’ll delete the other scan profiles entirely and keep it on the default scanner only. I’ll report back the findings.

    If that doesn’t work, I’ll post the scanner screenshot as Luke requested.

    1
    Comment actions Permalink
  • Jordan Maresch

    This worked! Thank you very much!

    1
    Comment actions Permalink
  • Joshua H.

    Colby,

    Does this principle apply to other scanners besides Files and Directories?

    Thanks

    Josh

    0
    Comment actions Permalink
  • Colby Bouma

    Yes, the Registry scanner. PowerShell and WMI each create 1 table for each scanner, so they don't have this problem.

    0
    Comment actions Permalink
  • Joshua H.

    Right, I suspected as much and duplicated the behavior with the Registry scanner. I've gone through my scan profiles and deduplicated the files and registry scanners. Thanks for verifying.

    0
    Comment actions Permalink
  • Colby Bouma

    Also, it is now possible to link a Scanner to multiple Scan Profiles: https://www.reddit.com/r/pdq/comments/iyfsku/experimental_scanners_can_be_tied_to_multiple/

    0
    Comment actions Permalink
  • Joshua H.

    Interesting. The duplicate scanners I had existed because it was faster to run a single file/registry scanner than to run the Standard scan profile (where some of my custom file/registry scanners were duplicated in). I suspect I'd either mess up the database or forget which scanners I've "linked" so I'll just avoid duplicates from now on.

    It would be swell if I could "nest" a scanner in multiple profiles from the GUI. Or, at least have the scanner editor or Files/Registry panes alert me when a file/registry path is duplicated in multiple scanners.

    Thanks!

    0
    Comment actions Permalink

Please sign in to leave a comment.