5 Replies Latest reply on Feb 11, 2010 9:25 AM by jstrain

    Function of system32\cba\xfr.exe?

    jstrain Apprentice

      We have a small handful of workstations that have a version of xfr.exe that is being flagged as a security vulnerability (due to being out of date).  What is the function of this exe, and can we remove / rename it?

        • 1. Re: Function of system32\cba\xfr.exe?
          phoffmann SupportEmployee

          It'd be nice to know what version first of all that is, and what has flagged it as being out of date. Can you provide more info here?

           

          The most sensible approach would be to upgrade the LANDesk client, if it's out of date. Is there a reason why that cannot be done (the question is genuine - it could be some "no touch" server system or so?).

           

          I would advise against fiddling with CBA-related files, as that's equivalent to the spine of LANDesk, and you can well break the backbone of the Common Base Agent that way (and thus, communication with the client in general).

           

          - Paul Hoffmann

          LANDesk EMEA Technical Lead

          • 2. Re: Function of system32\cba\xfr.exe?
            jstrain Apprentice

            Thank you for the reply, Paul.

             

            We are running updated clients.  We are at 8.8 sp3, installed since November 09.  The file version was 6.12.0.144.  The reason I asked for its purpose was only 20 machines out of 2000 nodes had this out of date file.  I had a related issue with msgsys.exe, which was resolved in a ticket call after 3 months by having a beta patch created for us to update msgsys.exe to version 6.12.0.151.  This beta patch updated iao.exe, msgsys.exe, and xfr.exe to 6.12.0.151.

             

            I could not figure out why only a handful of my nodes had xfr.exe in system32\cba\.  All of my other nodes have that file residing in program files\landesk...  That's why I asked.

            • 3. Re: Function of system32\cba\xfr.exe?
              jstrain Apprentice

              Oh, and eEye Retina Vulnerability scanner picked up on these files as a high vulnerability.

              • 4. Re: Function of system32\cba\xfr.exe?
                phoffmann SupportEmployee

                Thanks for the explanation - that fills in some of the blanks.

                 

                So my suspicion is that you've got some "old remnants" of CBA floating around ... this could be either parts of a (seriously) old LANDesk agent which didn't get cleaned out (I'm talking LDMS 6.62 / LDMS 7'ish time-frame. Maybe LDMS 8.0, can't remember quite for sure when we changed CBA) ... or there's some other software that has installed it (we OEM parts of CBA out to other software vendors, so it's quite possible that they used/continue to use the old stuff in its old locations).

                 

                It can come as quite a surprise (certainly did to me when I saw some other products using WUSER32 registry keys, which is our remote control stuff, for instance).

                 

                The question then comes in the form of - what are the boxes?

                 

                If they're "normal desktops", I'd go with the safe route and just re-image them (in case that it's just leftovers from some uninstall that wasn't quite as thorough as it should've been, or the remnant of some older piece of software that you no longer use) - since most of your devices don't have this stuff, I'd hazard a guess that your current image doesn't have this issue.

                 

                That'd certainly be the cleanest / most sure-fire way to get shot of this. (We did have some vulnerabilities with CBA over the years, but the last one I think was in 8.5 time frame, which was years ago...)

                 

                Does this help any?

                 

                - Paul Hoffmann

                LANDesk EMEA Technical Lead

                • 5. Re: Function of system32\cba\xfr.exe?
                  jstrain Apprentice

                  Yes, that covers it.  We started with 8.beta.  Since I started this post, we've gone ahead and either removed or updated the files that were flagged by Retina.  It makes sense now that these may be remnants of an old agent.
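
An added example, not part of the thread and not LANDesk tooling: a PowerShell audit of the three binaries named above in `system32\cba`, reporting version, the vendor strings in the version resource and the Authenticode signer, so a leftover agent can be told apart from a copy shipped by other software. Treating 6.12.0.151 (the patched version mentioned in the thread) as the baseline is an assumption, as are the function and variable names.

```powershell
# Added example (not from the thread). File names and versions are taken from the posts;
# using 6.12.0.151 as the minimum acceptable version is an assumption.
$Baseline = New-Object System.Version '6.12.0.151'
$Names    = 'iao.exe', 'msgsys.exe', 'xfr.exe'
# Note: a 32-bit PowerShell on 64-bit Windows is redirected to SysWOW64 for this path.
$CbaDir   = Join-Path $env:SystemRoot 'System32\cba'

function Get-CbaFileStatus {
    param(
        [string]$Directory,
        [string[]]$FileNames,
        [version]$MinimumVersion
    )
    foreach ($name in $FileNames) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # Most nodes in the thread had no copy in this location at all.
            New-Object psobject -Property @{
                Path = $path; Version = $null; Status = 'NotPresent'
                Company = $null; Product = $null; Signer = $null
            }
            continue
        }
        $item = Get-Item -LiteralPath $path
        $info = $item.VersionInfo
        # Build the version from the numeric parts; the FileVersion string may hold free text.
        $ver = New-Object System.Version $info.FileMajorPart, $info.FileMinorPart,
                                         $info.FileBuildPart, $info.FilePrivatePart
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
        $status = if ($ver -lt $MinimumVersion) { 'BelowBaseline' } else { 'OK' }
        New-Object psobject -Property @{
            Path = $path; Version = $ver; Status = $status
            Company = $info.CompanyName; Product = $info.ProductName; Signer = $signer
        }
    }
}

Get-CbaFileStatus -Directory $CbaDir -FileNames $Names -MinimumVersion $Baseline |
    Select-Object Path, Version, Status, Company, Product, Signer |
    Format-List
```

A `BelowBaseline` row whose Company or Signer is not the agent vendor points to a copy bundled with other software rather than a leftover agent install.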