logpresso / CVE-2021-44228-Scanner

Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
Apache License 2.0

Scanner is freezing during scan and exiting Command Prompt with Exit code 99 #207

Open Estarossa68 opened 2 years ago

Estarossa68 commented 2 years ago

Hello Team,

I am using the Scanner to check if there are vulnerable files on computers, but somehow the scan is quitting during the scan and afterwards it is generating an errorcode file with the exit code 99. I did not see an error code like 99 in the main readme.

I am using the arg/param:

log4j2-scan.exe --scan-log4j1 --scan-logback --scan-zip --drives C --report-csv --report-path "home directory" --backup-path "other directory" --old-exit-code --silent --debug --fix --force-fix \

I hope you guys can help me in my Issue!

Thank you very much in advance!

Kind Regards

Estarossa

xeraph commented 2 years ago

@Estarossa68 --old-exit-code option is deprecated (only supported for backward compatibility). The exit codes in the README file state the new exit codes. If a --old-exit-code run exits with 99, it means you have 99 vulnerable or potentially vulnerable files on the C drive.

Do not use the --silent option if you feel the scanner is frozen. The --silent option hides progress status reporting.
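For anyone rolling the scanner out through a deployment tool, the two points above (the count semantics of the deprecated --old-exit-code, and --silent hiding the progress that would reveal a stalled run) are easy to bake into a small wrapper. The following is an added example for this thread, not code from the logpresso project; the binary location and the report/backup folders are placeholders, and the only exit-code meaning it relies on is the one xeraph states here (with --old-exit-code, the code is the number of vulnerable or potentially vulnerable files). Without that option the wrapper passes the scanner's code through unchanged and leaves its interpretation to the README table.

```powershell
# Added example wrapper for running log4j2-scan.exe from MECM/SCCM or a scheduler.
# Not part of the logpresso project. Paths below are placeholders (assumption).
param(
    [string]$Scanner    = (Join-Path $PSScriptRoot 'log4j2-scan.exe'),
    [string]$ReportPath = 'C:\ProgramData\log4j-scan\report',   # placeholder
    [string]$BackupPath = 'C:\ProgramData\log4j-scan\backup',   # placeholder
    [switch]$OldExitCode,   # deprecated per the maintainer; kept only to show the count semantics
    [switch]$Fix
)

New-Item -ItemType Directory -Force -Path $ReportPath, $BackupPath | Out-Null

# Same scan options as the original report, minus --silent: progress lines go to
# stdout so the deployment log shows where a run stopped if it never completes.
$scanArgs = @('--scan-log4j1', '--scan-logback', '--scan-zip',
              '--drives', 'C',
              '--report-csv', '--report-path', $ReportPath,
              '--backup-path', $BackupPath,
              '--debug')
if ($OldExitCode) { $scanArgs += '--old-exit-code' }
if ($Fix)         { $scanArgs += @('--fix', '--force-fix') }

$started = Get-Date
& $Scanner @scanArgs 2>&1 | ForEach-Object { Write-Output $_ }
$code = $LASTEXITCODE
Write-Output ("Scanner exited with code {0} after {1:N0}s on {2}" -f
    $code, ((Get-Date) - $started).TotalSeconds, $env:COMPUTERNAME)

if ($OldExitCode) {
    # Under --old-exit-code the code is a finding count, not an error class.
    if ($code -eq 0) {
        Write-Output 'Scan completed: no vulnerable or potentially vulnerable files.'
        exit 0
    }
    Write-Output ("Scan reported {0} vulnerable or potentially vulnerable file(s); see the CSV under {1}" -f $code, $ReportPath)
    exit 1   # collapse the count into one non-zero status for the deployment tool
}

# New exit-code scheme: pass it through; the README documents the values.
exit $code
```

Keeping the scanner's own stdout in the deployment log is what makes the two failure shapes distinguishable: a run that finished with findings prints its summary before exiting, whereas a run that died mid-scan simply stops emitting progress lines.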

maikas89 commented 2 years ago

Hi Xeraph, thanks for your fast reply. I'm from the same company as Estarossa.

We removed the --old-exit-code parameter and still get 99 as the error code. On 50% of the devices the script is running without any problems; the other 50% are getting this error code. We're pushing the script with the Microsoft Endpoint Configuration Manager.

I tried to run the script manually on one of the affected devices and there were "only" 8 vulnerable or potentially vulnerable files.

When the problem occurs the scan stops in the middle of the process. We don't get any "completed" message, and no error message in the log either.

xeraph commented 2 years ago

@maikas89 Damn.. It may be another graalvm native image issue. https://github.com/oracle/graal/issues/1600 I'll investigate more details. Use JAR version if possible.

xeraph commented 2 years ago

@maikas89 Just to clarify, Do you use v2.6.1 release?

maikas89 commented 2 years ago

@maikas89 Just to ensure, Do you use v2.6.1 release?

yes. We started with the 2.5.3 release and updated today to v2.6.1. The problem exists on both releases.

xeraph commented 2 years ago

If anyone has the same problem, regression would help. It's very hard to reproduce in my environment, e.g. static or non-static, native-image version difference, code base changes.

xeraph commented 2 years ago

@maikas89 Does scanner terminate randomly when you run scanner repeatedly and manually on affected machine? or some other conditions? Also try other build from package.zip https://github.com/logpresso/CVE-2021-44228-Scanner/suites/4742913126/artifacts/131086305

maikas89 commented 2 years ago

@maikas89 Does scanner terminate randomly when you run scanner repeatedly and manually on affected machine? or some other conditions? Also try other build from package.zip https://github.com/logpresso/CVE-2021-44228-Scanner/suites/4742913126/artifacts/131086305

I tried the .exe file --> still the same problem.

It seems that the scan always stops on the same step.

Started scan on client x --> it stops with error code 99 after 4 entries in the logs (vulnerability) --> Started scan again, it stops again with 99 after the same 4 entries.

Started scan on client y --> it stops with error code 99 after 12 entries in the logs (vulnerability) --> Started scan again, it stops again with 99 after the same 12 entries.

If I start the scan manually (the same script) the scan is working (without MECM/SCCM). The MECM/SCCM runs the script with the local system account. But as I said, 50% of the clients are working without any problems with the MECM/SCCM.

sureshgurram123 commented 2 years ago

I am facing the same issue. When I run the scanner manually I never experienced the 99 error. But when the tool is rolled out through SCCM a few machines (4 out of 10) failed with the 99 error. I am able to run the tool manually on all these 4 machines. I am using version 2.6.1.

xeraph commented 2 years ago

@maikas89 @sureshgurram123 I don't know SCCM well. Does MECM/SCCM run the PowerShell script remotely? If it does, I suspect the remote shell memory limit. https://stackoverflow.com/questions/9665981/outofmemory-exception-on-remote-execution-using-powershell-invoke-command

http://msdn.microsoft.com/en-us/library/windows/desktop/aa384372(v=vs.85).aspx The default memory limit on remote shells is 150MB
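If the deployment tool really does start the scanner inside a WinRM/PowerShell remoting session, the quota xeraph is pointing at is the one to check before ruling the hypothesis in or out. The snippet below is an added example, not from the logpresso project or anyone in this thread; it reads the two WS-Management quotas that bound a remoting session and raises them when they are below a chosen value. 1024 MB is an arbitrary choice (assumption), and a tool that launches the scanner as a plain local process under SYSTEM is not subject to this quota at all.

```powershell
# Added example: inspect and raise the WinRM per-shell memory quota on a target host.
# Run from an elevated PowerShell session on that host. Assumption: 1024 MB is enough
# headroom for the scanner; pick a value that fits the machine.
$newLimitMB = 1024

# Service-wide quota applied to every WinRS shell (the 150 MB default lives here).
$shellQuota = Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB
Write-Output ("Shell\MaxMemoryPerShellMB: {0} MB" -f $shellQuota.Value)

# Quota of the default PowerShell remoting endpoint; a remoting session is bound by
# both values, so both have to be raised.
$psQuota = Get-Item WSMan:\localhost\Plugin\Microsoft.PowerShell\Quotas\MaxMemoryPerShellMB
Write-Output ("Plugin\Microsoft.PowerShell\Quotas\MaxMemoryPerShellMB: {0} MB" -f $psQuota.Value)

$changed = $false
if ([int]$shellQuota.Value -lt $newLimitMB) {
    Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB $newLimitMB
    $changed = $true
}
if ([int]$psQuota.Value -lt $newLimitMB) {
    Set-Item WSMan:\localhost\Plugin\Microsoft.PowerShell\Quotas\MaxMemoryPerShellMB $newLimitMB
    $changed = $true
}

# New quotas only apply to sessions created after the service restarts.
if ($changed) {
    Restart-Service WinRM
    Write-Output ("Quotas raised to {0} MB and WinRM restarted." -f $newLimitMB)
} else {
    Write-Output 'Quotas already at or above the requested value; nothing changed.'
}
```

Reading the values first matters for the diagnosis: if a failing host already shows a quota well above what the scanner needs, or the scanner is not being launched through WinRM, the memory-limit explanation can be set aside and attention moved to the native-image behaviour discussed earlier in the thread.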

maikas89 commented 2 years ago

Unfortunately I don't know the exact way the SCCM (or other software distribution) handles script execution. I know that the SCCM downloads the script + source files locally, then the script gets started with the local system account. I increased the remote shell memory limit on 5 devices but the problem still occurs on all of these clients :(

xeraph commented 2 years ago

@Estarossa68 @maikas89 @sureshgurram123 Would you try v2.9.0 release? I reduced scanner memory footprint significantly. https://github.com/logpresso/CVE-2021-44228-Scanner/releases/tag/v2.9.0