|Applies To|| |
|Issue||Modules are downloaded and written to the \Files directory according to the settings specified in the Global Parameters page as shown below.|
When the file is written to this directory, an underscore is appended to the filename to prevent inadvertent execution of the module. The file name is written to the database when this download is completed and is available for analysis should an analyst decide further investigation is required.
RSA has observed instances in which a module is present in the database but is NOT present on disk. When access to this file is attempted, the following error is logged in the ConsoleServer-Error.log file:
|Cause||In most cases this is due to AV software quarantining or deleting the file in question, although there are other potential causes of this error, such as lack of drive space.|
|Resolution||To correct this error, first inventory the files in the \Files directory and then compare the files on disk to those in the database. Finally, any files that are present in the database but not on disk are removed from the database. RSA has provided a simple tool (ExportEcatRelFiles.exe) that inventories the \Files directory and exports the relative path of these files to a text file. Once this is complete, run the attached query “Delete Entries From MachineDownloaded.sql” to remove unwanted entries from the database.|
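
The comparison step described in the Resolution can be previewed read-only before any database entries are deleted. The following is an added example, not RSA's tool or query: it assumes the database file names have been exported to a list of relative paths (a hypothetical export), and it treats a database entry as present if the file exists on disk with or without the appended underscore.

```python
import os
import tempfile
from pathlib import PureWindowsPath


def win_key(rel_path):
    """Comparison key: backslash-separated, lower-cased (Windows paths are case-insensitive)."""
    return str(PureWindowsPath(rel_path.strip().lstrip("\\/"))).lower()


def inventory(files_root):
    """Keys for every file found under the \\Files directory."""
    found = set()
    for dirpath, _dirs, names in os.walk(files_root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), files_root)
            found.add(win_key(rel))
    return found


def missing_on_disk(db_paths, on_disk):
    """Database entries that have no file on disk.

    Assumption: the database may record the name with or without the
    underscore appended at download time, so both forms are checked.
    """
    missing = []
    for entry in db_paths:
        if not entry.strip():
            continue  # skip blank lines in the export
        key = win_key(entry)
        if key not in on_disk and key + "_" not in on_disk:
            missing.append(entry.strip())
    return missing


def demo():
    # Constructed sample data: two modules on disk, three in the database export.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ab"))
        for rel in ("ab/sample1.dll_", "ab/sample2.exe_"):
            open(os.path.join(root, rel), "wb").close()
        db_export = ["ab\\sample1.dll", "AB\\Sample2.exe_", "ab\\quarantined.exe"]
        return missing_on_disk(db_export, inventory(root))


if __name__ == "__main__":
    for entry in demo():
        print("in database, not on disk:", entry)
```

A long list of missing entries that all share a recent download time points to quarantine by AV or a full drive rather than isolated deletions, so check AV exclusions and free space before cleaning up the database.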