Enabling the collection of checksums

Available from 9.2.3. You enable the collection of checksums by running a fixlet that changes the configuration of the software scan for BigFix Inventory. When you select checksums and run the fixlet against a chosen endpoint, this endpoint is given new properties that represent either MD5, SHA-256, or both. Based on these properties, the software scan can recognize which checksums must be collected from an endpoint. If you choose just one type of checksum and want to add another one later, you need to run the fixlet again.

Before you begin

  • Upgrade the BigFix Inventory server to version 9.2.3, or higher.
  • If you upgraded from previous versions, stop all Initiate Software Scan actions, and rerun the software scan against your endpoints. The software scan was changed to collect checksums, and must be started from the updated fixlet.
  • Divide your environment into scan groups to distribute the load of the imported data:
    • If the extended data import (three times longer) is acceptable, enable the collection of file hashes for all scan groups, and collect the data according to schedule.
    • If the extended data import does not meet your expectations, rearrange your scan groups into smaller ones with fewer endpoints to lower the amount of data included in a single data import. After the first import is completed for all scan groups, you can go back to the previous setup.

About this task

It is important that you enable checksums for a small group of endpoints at a time. After data from the first group is imported to BigFix Inventory, proceed to the next group. Because of the checksums, each file is detected as changed. By default, BigFix Inventory imports the delta file system scan, that is, only the data that changed since the last scan. However, when it detects too many changes, it always chooses the full file system scan over the delta file system scan. Importing that many results might overload your data import. In such a case, you must recover from accumulated scans. This applies not only to enabling the checksums for the first time, but also to each change, such as adding a new type of checksum to be collected, or removing one.

Procedure

  1. Log in to the BigFix console.
  2. In the navigation bar, click Sites > External Sites > BigFix Inventory v10 > Fixlets and Tasks.
  3. In the upper right pane, select Configure File Checksums Collection (MD5/SHA-256).
  4. Select the types of checksums that you want to collect, either MD5, SHA-256, or both.
    Important: Always select all checksums that you want to collect, especially if you are running the fixlet again. New properties always overwrite the previous ones.
  5. Click Take Action.
  6. Select the computers from which you want to collect checksums, and click OK.
  7. Optional: In the navigation bar, go to Analyses, select File Checksums Collection Settings (MD5/SHA-256), and click Activate. The analysis shows which checksums are collected from your endpoints.
    Figure: Results of the analysis show the checksum settings for particular endpoints.

Results

Checksums are displayed in BigFix Inventory after the next software scan finishes and its results are imported from BigFix during the import of data.

Example

In an environment with 60 000 endpoints divided into 6 scan groups (each with 10 000 endpoints), where each scan group is scanned on a different day, the file hashes will be collected in 6 days. The initial import for each scan group after enabling the collection might be three times longer. Subsequent imports will take about 10% longer.

Impact of file hashes on the BigFix Inventory database size

For both DB2 and SQL Server databases, the collection of file hashes (MD5 and SHA-256) is expected to result in a 20% growth of the disk space consumption.

Impact of file hashes on the BigFix client

File hashes are calculated during the software scan and the results are gathered on the endpoint. The size of scan results will increase by about 5%. For an average endpoint with 30 matched and 800 unmatched raw data files, an additional 0.5 MB of disk space might be consumed.

What to do next

You can view the checksums in the user interface or retrieve them by using the REST API.