Suche
Close this search box.

Vulnerability scan show filepath of a vulnerable file

FortiEMS 7.0.7, FCL 7.0.7

How to identify the filepath of a vulnerable file inside

There are three ways to get the filepath of a vulnerable file, which had been found in a vulnerability scan on the FortiClient

FortiEMS Server – if the Client is connected with a FortiEMS Server

FortiClient Logs:

  • Request the FortiClient Logs, wait a minute and then download the FortiClient Logs
  • Open the .log File in the zip file with an editor, search for all lines for your vulnerability ID (FortiGuard ID, screenshot below) and check the detectedpath.

FortiClient Diagnostics result
will include much more details of the client, might be also helpful for further troubleshooting

  • Download Diagnostics on the FortiEMS Server for the Endpoint
  • Open the diag.zip with e.g. 7-zip, open the cab file, select vcm_result.txt with Notepad++ , which can be found in FCDiagData\general\logs\vcm\DATE OF THE LAST SCAN\ folder.

FortiClient – Directly on the Client

  • If you shouldn’t have access to the FortiEMS Server you may find the Logs directly on the PC where the FortiClient is installed
  • The default path is :
    • C:\Program Files\Fortinet\FortiClient\logs\vcm\DATE OF THE LAST SCAN\vcm_result.txt

Analyze the log file (diag.zip)

  • Search inside the file for the vulnerability Name you’re interested in e.g. log4net or the FortiGuard IDe.g. 2705 you’re interested in and verify if “ERROR” or “Found vulnerable file”
  • Here’s an example of a log entry to to a vulnerable file
    • [01-30 12:00:19][  ERROR]: VID: 2705, Found vulnerable file: C:\Program Files (x86)\Piusi\Self Service Management 2018\CLIENT\log4net.dll, ver 2.0.8.0
  • Log entry of a up to date file
    • [01-30 12:00:19][   INFO]: VID: 2705, file: C:\Program Files (x86)\Lavasoft\Web Companion\Application\log4net.dll, up to date:1, MatchProductname : 1

Below are screenshots of an example how to find the filepath of a vulnerable file found in a vulnerability scan

Show the vulnerability of a Endpoint inside FortiEMS
Note the FortiGuard ID of the vulnerability you’re interested in

Download the Diagnostics Result

Extract the vcm_result.txt from the downloaded diag.zip file and open it in a text editor where you can search easy for through the whole file (e.g.: Notepad++ or Visual Studio Code)
Usally you may select the folder with the newest date (results from the last successful scan)

Search for the FortiGuard ID e.g.: 2705 inside the vcm_result.txt file and for “ERROR” or “Found vulnerable file” and you may find the filepath here