[Xymon] Xymon PSClient version 3

Tom Schmidt tom at 4schmidts.com
Mon May 20 19:21:19 CEST 2024 

Stef,
    I have not had any Malware alerts for nssm.exe.  On Windows 11, I don't
find any DLL files in %TEMP%, but I do on Windows 10.

    For your updated xymonclient.ps1 file, how do we start it without
nssm.exe?

    Also, attached is a patch file to add CPU thread count to the cpu
output. Currently it only reports the number of cores, so this patch adds
the number of threads, looking like this:

CPU states:
	total	3.05%
	cores:   6
	threads: 12

Tom

On Sun, May 19, 2024 at 4:13 AM Stef Coene <stef.coene at docum.org> wrote:

> Hi,
>
> Recently we had a customer where random dll files in the Temp directory
> are flagged as malware.
> It turned out that this was caused by the nssm.exe used for the Xymon
> client service.
>
> Has anyone else had nssm.exe flagged as ransomware?
>
>
> I decided to rewrite the client and integrated the code from this script
> so nssm.exe is not needed:
>
> https://github.com/JFLarvoire/SysToolsLib/blob/master/PowerShell/PSService.ps1
> FYI, this also creates an .exe file and random files in the temp
> directory but they are nog flagged as malware. It looks like the random
> files are a way for Windows Service Manager to cope with the an .exe
> file as service.
>
> I also made sure I can do a seamless upgrade to this new client.
> This also means patching the 2.xxx client so it can be upgraded to this
> new version without interaction.
>
> I have to clean up my 2.xxx code and the new script and will update my
> github page in the next few weeks:
> https://github.com/StefCoene/xymon-stuff/tree/main/WinPSClient
> I also have to rollout the new client in our production environments so
> its' possible that I encounter some unexpected bugs.
>
>
> Stef
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20240520/60e9def3/attachment.htm>
-------------- next part --------------
*** xymonclient-b3.00.ps1	2024-05-19 09:19:02.610568835 -0600
--- xymonclient.ps1	2024-05-20 09:00:35.581390486 -0600
***************
*** 1043,1049 ****
          $script:HaveCmd.$cmd = (get-command -ErrorAction:SilentlyContinue $cmd) -ne $null
      }
  
!     @("cpuinfo","totalload","numcpus","numcores","numvcpus","osinfo","svcs","procs","disks",`
      "netifs","svcprocs","localdatetime","uptime","usercount",`
      "XymonProcsCpu","XymonProcsCpuTStart","XymonProcsCpuElapsed") `
      | %{ if (get-variable -erroraction SilentlyContinue $_) { Remove-Variable $_ }}
--- 1043,1049 ----
          $script:HaveCmd.$cmd = (get-command -ErrorAction:SilentlyContinue $cmd) -ne $null
      }
  
!     @("cpuinfo","totalload","numcpus","numcores","numthreads","numvcpus","osinfo","svcs","procs","disks",`
      "netifs","svcprocs","localdatetime","uptime","usercount",`
      "XymonProcsCpu","XymonProcsCpuTStart","XymonProcsCpuElapsed") `
      | %{ if (get-variable -erroraction SilentlyContinue $_) { Remove-Variable $_ }}
***************
*** 1070,1076 ****
          $script:XymonProcsCpuElapsed = (Get-Date).ticks - $script:XymonProcsCpuTStart
          $script:XymonProcsCpuTStart = (Get-Date).Ticks
      }
!     $script:XymonProcsCpuElapsed *= $script:numcores
      
      foreach ($p in $script:procs) {
          # store the process name in XymonProcsCpu
--- 1070,1076 ----
          $script:XymonProcsCpuElapsed = (Get-Date).ticks - $script:XymonProcsCpuTStart
          $script:XymonProcsCpuTStart = (Get-Date).Ticks
      }
!     $script:XymonProcsCpuElapsed *= $script:numthreads
      
      foreach ($p in $script:procs) {
          # store the process name in XymonProcsCpu
***************
*** 1150,1157 ****
  
      WriteLog "XymonCollectInfo: CPU info"
      $script:cpuinfo = [ProcessorInformation]::GetSystemInfo()
!     $script:numcores  = $cpuinfo.NumberOfProcessors
      WriteLog "Found $($script:numcores) cores"
  
      WriteLog "XymonCollectInfo: calling XymonProcsCPUUtilisation"
      XymonProcsCPUUtilisation
--- 1150,1160 ----
  
      WriteLog "XymonCollectInfo: CPU info"
      $script:cpuinfo = [ProcessorInformation]::GetSystemInfo()
!     $script:processorinfo = Get-CimInstance –ClassName Win32_Processor |
!      Select-Object -Property NumberOfCores, NumberOfLogicalProcessors
!     $script:numcores, $script:numthreads = $script:processorinfo.NumberOfCores, $script:processorinfo.NumberOfLogicalProcessors
      WriteLog "Found $($script:numcores) cores"
+     WriteLog "Found $($script:numthreads) threads (logical processors)"
  
      WriteLog "XymonCollectInfo: calling XymonProcsCPUUtilisation"
      XymonProcsCPUUtilisation
***************
*** 1396,1402 ****
      ""
      "CPU states:"
      "`ttotal`t{0}`%" -f [string]$totalcpu
!     "`tcores: {0}" -f [string]$script:numcores
  
      if ($script:XymonProcsCpuElapsed -gt 0) {
          ""
--- 1399,1406 ----
      ""
      "CPU states:"
      "`ttotal`t{0}`%" -f [string]$totalcpu
!     "`tcores:   {0}" -f [string]$script:numcores
!     "`tthreads: {0}" -f [string]$script:numthreads
  
      if ($script:XymonProcsCpuElapsed -gt 0) {
          ""

More information about the Xymon mailing list