Our Security team has asked a question related to the UIM ntevl probe. It looks like it generates a file named ntevl.pos.new which contains some XML like:

<setup> ... application_pos = 42943 ,,, system_pos = 250518 ... </setup>

It looks like the file may be a short-lived temporary file created then deleted by the probe or robot, possibly each time it reads the Windows event log. Our security software flagged it to be investigated so we just need to understand what this file is so we can confirm it's not a threat.

- presence of ntevl.pos.new file picked up by security software scan

Release : 9.0.2

Component : UIM - NTEVL

The ntevl.pos* files are created by the ntevl probe.

ntevl.pos.new is a temporary file. We have seen a few cases where anti-virus picks up on them during a scan.

The ntevl.pos (position file) is documented here:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/ca-unified-infrastructure-management-probes/GA/alphabetical-probe-articles/ntevl-nt-event-log-monitoring/ntevl-im-configuration.html

ntevl.pos.new is related to backing up the position file. The ntevl probe maintains 3 additional .pos backup files and updates them serially. During a probe restart or reading pos files, it picks up the last updated file.