AttackSurfaceAnalyzer
Estimate duration of scan and show progress indicator
Is your feature request related to a problem? Please describe.
After several hours of waiting (close to 5h) for the registry scanner to complete, I gave up and aborted asa.exe because to a user it's unclear if and when the scan will finish.
Describe the solution you'd like
Estimate duration of scan and show progress indicator
Describe alternatives you've considered
there are none :(
System Configuration (please complete the following information):
- OS: Windows
- OS Version: Windows 10 1809
- Application Version: v.2.1.33-beta+b477f7d31c
- CLI or GUI: GUI
Additional context
Now listening on: http://localhost:5000
Application started. Press Ctrl+C to shut down.
[10:53:27 INF] Loaded filters: Embedded
[10:53:27 INF] Begin 11/20/19, 10:53:24 AM.
[10:53:27 INF] Starting 8 Collectors.
[10:53:27 INF] Starting OpenPortCollector.
[10:53:29 INF] Completed OpenPortCollector in 00h:00m:01s:245ms.
[10:53:29 INF] Starting ServiceCollector.
[10:53:31 INF] Completed ServiceCollector in 00h:00m:02s:602ms.
[10:53:31 INF] Starting UserAccountCollector.
[10:53:57 INF] Completed UserAccountCollector in 00h:00m:26s:127ms.
[10:53:57 INF] Starting RegistryCollector.
Application is shutting down...
...
date
Mittwoch, 20. November 2019 15:05:44

Thanks for your report and sorry for the issues you're having.
A registry collection should only take a few minutes.
I'm investigating issues with the registry collector on the 2.1 series. If you need the registry collector, for now, try the 2.0 series.
https://www.nuget.org/packages/ShellProgressBar/# for implementing something like this in the CLI as well.
To clarify, you're experiencing a bug in the registry collector. In my testing it should take between 3 minutes (clean docker image) and 20 minutes to do a registry scan. You should not expect your current run to complete.
bug in registry collector seems fixed but there seems to be another one because the "static scan" doesn't stop and the wheel in UI keeps turning

On a different PC with Insider Build 19018 of Windows 20H1 when I enabled FileSystemCollector it got a Fatal error. System.AccessViolationException: Attempted to read or write protected memory
Fatal error. System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
at AttackSurfaceAnalyzer.Utils.NativeMethods.WinVerifyTrust(IntPtr, System.Guid, WinTrustData)
at AttackSurfaceAnalyzer.Utils.NativeMethods.WinVerifyTrust(IntPtr, System.Guid, WinTrustData)
at AttackSurfaceAnalyzer.Utils.NativeMethods.VerifyEmbeddedSignature(System.String)
at AttackSurfaceAnalyzer.Collectors.FileSystemCollector.FileSystemInfoToFileSystemObject(System.IO.FileSystemInfo, Boolean, Boolean)
at AttackSurfaceAnalyzer.Collectors.FileSystemCollector.<ExecuteInternal>b__7_0(System.IO.FileSystemInfo)
at System.Threading.Tasks.Parallel+<>c__DisplayClass44_0`2[[System.__Canon, System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e],[System.__Canon, System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].<PartitionerForEachWorker>b__1(System.Collections.IEnumerator ByRef, Int32, Boolean ByRef)
at System.Threading.Tasks.TaskReplicator+Replica.Execute()
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(System.Threading.Thread, System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.Tasks.Task.ExecuteWithThreadLocal(System.Threading.Tasks.Task ByRef, System.Threading.Thread)
at System.Threading.ThreadPoolWorkQueue.Dispatch()

Good news is that the root cause seems pwsh7.preview5 running asa.exe. When I ran ASA under cmd.exe FileSystemCollector completed, but cmd.exe is so old fashioned :(
[21:29:22 INF] AttackSurfaceAnalyzer v.2.1.34-beta+fc82c7bde8
Hosting environment: Production
Content root path: C:\Users\user\Downloads\Asa-win-2.1.34-beta\res
Now listening on: http://localhost:5000
Application started. Press Ctrl+C to shut down.
[21:30:31 INF] Loaded filters: Embedded
[21:30:31 INF] Begin 11/21/19, 09:29:54 PM.
[21:30:31 INF] Starting 1 Collectors.
[21:30:31 INF] Starting FileSystemCollector.
[21:30:31 INF] Scanning root C:\
[22:17:47 INF] Completed FileSystemCollector in 00h:47m:16s:437ms.
Using cmd.exe on the same PC ASA fileCollector finishes, I've created a bug for pwsh https://github.com/PowerShell/PowerShell/issues/11149
"static scan doesn't stop"
Thanks. I'll investigate this tomorrow. It's always good to double check any functionality issues with the CLI.
bug in registry collector seems fixed but there seems to be another one because the "static scan" doesn't stop and the wheel in UI keeps turning
I think this is fixed in https://github.com/microsoft/AttackSurfaceAnalyzer/releases/tag/v2.1.35-beta%2B9c028830ac
Good news is that the root cause seems pwsh7.preview5 running asa.exe. When I ran ASA under cmd.exe FileSystemCollector completed, but cmd.exe is so old fashioned :(
It works for me running Windows Terminal (beta) with standard release Powershell.
Ilya made comment:
Perhaps ASA tries to access a file locked by pwsh within pinvoke WinVerifyTrust()
@gfs could you perhaps step in and verify his assumption as I'd guess a debug session will be required and addition of try/catch block in source code
It works for me running Windows Terminal (beta) with standard release Powershell
What version is meant by this? (i.e. Windows PowerShell 5.1, PowerShell Core 6.2.3,..)
What version is meant by this? (i.e. Windows PowerShell 5.1, PowerShell Core 6.2.3,..)
5.1.145
@gfs could you perhaps step in and verify his assumption as I'd guess a debug session will be required and addition of try/catch block in source code
They are probably correct. There already is a try/catch around this (See NativeMethods.cs:391), but it looks like the native code exceptions aren't being passed properly.
What version is meant by this? (i.e. Windows PowerShell 5.1, PowerShell Core 6.2.3,..) 5.1.145
For a cross platform tool testing under PowerShell Core 6 and its successor PowerShell 7 seems a MUST
For Console, https://www.nuget.org/packages/ShellProgressBar/ seems like it would do the trick. This would require rewriting the FileSystem and Registry Collectors (the long running ones) to pre-enumerate the trees they're working on, and then show a progress bar based on how much of that has been processed rather than working off an enumerable. It is unclear if that has performance ramifications.
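The two-pass approach described in the comment above, sketched in C# as an added example (it is not ASA's code and not part of the thread): the tree is materialised first so the total is known, then processed in parallel while a counter drives a percentage and an ETA. It writes a plain console line instead of using ShellProgressBar; the class name `ProgressSketch` and the per-file placeholder work are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Threading;
using System.Threading.Tasks;

static class ProgressSketch // hypothetical name, for illustration only
{
    // Pass 1: materialise the tree so the total is known before processing starts.
    static List<string> PreEnumerate(string root)
    {
        var found = new List<string>();
        var pending = new Stack<string>();
        pending.Push(root);
        while (pending.Count > 0)
        {
            var dir = pending.Pop();
            try
            {
                found.AddRange(Directory.EnumerateFiles(dir));
                foreach (var sub in Directory.EnumerateDirectories(dir))
                    // Skip junctions and symlinks so the walk cannot loop.
                    if ((File.GetAttributes(sub) & FileAttributes.ReparsePoint) == 0) pending.Push(sub);
            }
            catch (UnauthorizedAccessException) { } // unreadable directory: skip it
            catch (IOException) { }                 // vanished during the walk
        }
        return found;
    }

    static void Main(string[] args)
    {
        var root = args.Length > 0 ? args[0] : Directory.GetCurrentDirectory();
        var files = PreEnumerate(root);
        var clock = Stopwatch.StartNew();
        int done = 0;
        // Pass 2: process in parallel and report against the known total.
        Parallel.ForEach(files, path =>
        {
            try { _ = new FileInfo(path).Length; }  // placeholder for the per-file collection work
            catch (IOException) { }
            catch (UnauthorizedAccessException) { }
            int n = Interlocked.Increment(ref done);
            if (n % 500 != 0 && n != files.Count) return;
            // ETA = average time per item so far * items remaining
            var eta = TimeSpan.FromTicks(clock.Elapsed.Ticks / n * (files.Count - n));
            Console.Write($"\r{n}/{files.Count} ({100.0 * n / files.Count:F1}%) ETA {eta.TotalMinutes:F1} min   ");
        });
        Console.WriteLine();
    }
}
```

The list built in pass 1 is the memory and start-up cost the comment is unsure about: every path is held in memory, and the tree is walked once before any collection work begins.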
closing due to lack of interest