Our Security team has asked a question related to the UIM ntevl probe. It looks like it generates a file named ntevl.pos.new which contains some XML like:
<setup> ... application_pos = 42943 ,,, system_pos = 250518 ... </setup>
It looks like the file may be a short-lived temporary file created then deleted by the probe or robot, possibly each time it reads the Windows event log. Our security software flagged it to be investigated so we just need to understand what this file is so we can confirm it's not a threat.
Release : 9.0.2
Component : UIM - NTEVL
The ntevl.pos* files are created by the ntevl probe.
ntevl.pos.new is a temporary file. We have seen a few cases where anti-virus picks up on them during a scan.
The ntevl.pos (position file) is documented here:
ntevl.pos.new is related to backing up the position file. The ntevl probe maintains 3 additional .pos backup files and updates them serially. During a probe restart or reading pos files, it picks-up the last updated file.