ntevl Probe Temporary File

Article ID: 140663

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

Our Security team has asked a question related to the UIM ntevl probe. It looks like it generates a file named ntevl.pos.new which contains some XML like:

<setup> ... application_pos = 42943 ,,, system_pos = 250518 ... </setup>

It looks like the file may be a short-lived temporary file created then deleted by the probe or robot, possibly each time it reads the Windows event log. Our security software flagged it to be investigated so we just need to understand what this file is so we can confirm it's not a threat.

Environment

Release: Any UIM

Component: UIM - NTEVL

Cause

- The ntevl.pos.new file was picked up by a security software scan.

Resolution

The ntevl.pos* files are created by the ntevl probe.

ntevl.pos.new is a temporary file. We have seen a few cases where anti-virus picks up on them during a scan.

The ntevl.pos (position file) is documented here:


ntevl.pos.new is related to backing up the position file. The ntevl probe maintains 3 additional .pos backup files and updates them serially. During a probe restart, or when reading the .pos files, it picks up the most recently updated file.
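
A triage check an analyst could run on a captured copy of a flagged ntevl.pos* file to confirm it has the position-file shape shown above. This is an added example, not vendor or probe code. It assumes one `key = value` pair per line inside `<setup>`; the function name, size ceiling and sample bytes are constructed for illustration.

```python
import re

MAX_BYTES = 64 * 1024  # assumed ceiling: a position file only holds a few offsets
OPEN = re.compile(r"^<([A-Za-z0-9_ .-]+)>$")
CLOSE = re.compile(r"^</([A-Za-z0-9_ .-]+)>$")
KEYVAL = re.compile(r"^([A-Za-z0-9_ .-]+?)\s*=\s*(.*)$")

# Constructed samples modelled on the snippet in this article.
SAMPLE_OK = b"<setup>\n   application_pos = 42943\n   system_pos = 250518\n</setup>\n"
SAMPLE_ODD = b"<setup>\n   application_pos = 42943x\n   stray text\n</setup>\n"

def triage_pos_file(data: bytes) -> list:
    """Return reasons the bytes do NOT look like a position file ([] = consistent)."""
    findings = []
    if len(data) > MAX_BYTES:
        findings.append("larger than expected for a position file")
    if b"\x00" in data:
        return findings + ["contains NUL bytes (binary content)"]
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return findings + ["contains non-ASCII bytes"]
    stack, pos_keys = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if m := CLOSE.match(line):
            if not stack or stack.pop() != m.group(1):
                findings.append(f"line {n}: unbalanced </{m.group(1)}>")
        elif m := OPEN.match(line):
            stack.append(m.group(1))
        elif m := KEYVAL.match(line):
            key, value = m.group(1), m.group(2).strip()
            if key.endswith("_pos"):
                # Offsets must be plain integers directly under <setup>.
                if stack == ["setup"] and value.isdigit():
                    pos_keys += 1
                else:
                    findings.append(f"line {n}: {key} is not an integer under <setup>")
        else:
            findings.append(f"line {n}: not a section tag or key = value pair")
    if stack:
        findings.append(f"unclosed section <{stack[-1]}>")
    if pos_keys == 0:
        findings.append("no *_pos offsets found under <setup>")
    return findings
```

An empty result supports the benign explanation given in this article; any finding means the file does not match the expected shape and should go back to the analyst.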