ntevl Probe Temporary File

Article ID: 140663

Products

DX Infrastructure Management NIMSOFT PROBES

Issue/Introduction

Our Security team has asked a question related to the UIM ntevl probe. It looks like it generates a file named ntevl.pos.new which contains some XML like:

<setup> ... application_pos = 42943 ,,, system_pos = 250518 ... </setup>

It looks like the file may be a short-lived temporary file created then deleted by the probe or robot, possibly each time it reads the Windows event log. Our security software flagged it to be investigated so we just need to understand what this file is so we can confirm it's not a threat.

Cause

- The ntevl.pos.new file was picked up by a security software scan.

Environment

Release : 9.0.2

Component : UIM - NTEVL

Resolution

The ntevl.pos* files are created by the ntevl probe.

ntevl.pos.new is a temporary file. We have seen a few cases where anti-virus software picks up on these files during a scan.

The ntevl.pos (position file) is documented here:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/9-0-2/ntevl-im-configuration.html

ntevl.pos.new is related to backing up the position file. The ntevl probe maintains 3 additional .pos backup files and updates them serially. During a probe restart, or when reading the pos files, it picks up the last updated file.
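When triaging a flagged ntevl.pos* file, the following added example (not part of the original article and not Broadcom code) checks that each file in the probe directory contains nothing but section tags and integer position values, and lists the files most recently updated first. It assumes the layout shown in the snippet above; the function names `parse_pos` and `triage` and the `SAMPLE` text are constructed for illustration.

```python
import re
from pathlib import Path

# Assumed layout, inferred from the snippet in this article: section tags such
# as <setup>...</setup> wrapping "name = integer" pairs and nothing else.
TOKEN = re.compile(r"\s*(?:<(/?)(\w+)>|(\w+)\s*=\s*(\d+)\b)")

# Constructed sample built from the values quoted in the article.
SAMPLE = "<setup>\n   application_pos = 42943\n   system_pos = 250518\n</setup>\n"

def parse_pos(text):
    """Return {name: int}; raise ValueError on anything but tags and integer pairs."""
    text, positions, open_tags, i = text.rstrip(), {}, [], 0
    while i < len(text):
        m = TOKEN.match(text, i)
        if not m:
            raise ValueError(f"unexpected content at offset {i}: {text[i:i + 40]!r}")
        slash, tag, name, value = m.groups()
        if tag and slash:
            if not open_tags or open_tags.pop() != tag:
                raise ValueError(f"unbalanced </{tag}>")
        elif tag:
            open_tags.append(tag)
        elif not open_tags:
            raise ValueError(f"{name} appears outside any section")
        else:
            positions[name] = int(value)
        i = m.end()
    if open_tags:
        raise ValueError(f"unclosed <{open_tags[-1]}>")
    return positions

def triage(probe_dir):
    """Check every ntevl.pos* file in probe_dir, most recently updated first."""
    results = []
    for path in Path(probe_dir).glob("ntevl.pos*"):
        try:
            mtime, text = path.stat().st_mtime, path.read_text(errors="replace")
        except OSError:
            continue  # ntevl.pos.new is short-lived and can vanish mid-scan
        try:
            results.append((mtime, path.name, "ok", parse_pos(text)))
        except ValueError as exc:
            results.append((mtime, path.name, "unexpected", str(exc)))
    return sorted(results, key=lambda r: r[0], reverse=True)

if __name__ == "__main__":
    print(parse_pos(SAMPLE))
```

A file reported as "unexpected" holds content other than position counters and is worth a closer look; a file reported as "ok" matches what the probe is described as writing.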
