iQCloud - Felix Options

Owned by Conor McCann
Jun 27, 2019
3 min read


Felix Options

A number of pieces of scan engine logic can be enabled/disabled by adding -D arguments to the file "felix.sh" found at "/opt/iqas/server-4.5/".

In typical situations the defaults are appropriate, but situations may arise where these may be needed to enhance scanning results or issue diagnosis.

Args stated as having defaults are defaulted within the java jars themselves and only need to be added to the "felix.sh" for overwriting purposes.


-Dload.catalog-update=<boolean>

Can be modified to disable individual updates to the catalog, such as adding a Signature/Product/Manufacturer etc.

Enabled by default, with the value "true". 


-Dload.catalog-sync=<boolean>

Can be modified to disable the bulk synchronization of the Appliance catalog. (A manually trigger event)

Enabled by default, with the value "true". 


-Dload.catalog-default=<boolean>

Can be modified to disable the loading of the default (embedded) catalog.

This embedded catalog is overwritten after manually triggering the Catalog Update pictured above.

Enabled by default, with the value "true". 


-Denable.esxdiscovery=<boolean>

Can be modified to enable the scanning of VMWare content on an ESX host when the host is identified. 

This embedded catalog is overwritten after manually triggering the Catalog Update pictured above.

Disabled by default, with the value "false".


-Dtcpvcon=<boolean>

Can be modified to enable the deployment of an .exe tool to the target temp directory on Windows 2000, 2003 and XP.

This is useful in legacy environments where older devices without the "netstat" command are available.

The tool is leveraged to gather process to port mapping used for the creation of dependency mapping and service discovery.

More detailed information on the topic in /wiki/spaces/HADM/pages/1508991.

Disabled by default, with the value "false".


-Dforcetcpvconuse=<boolean>

Can be modified to remove the Windows Edition constraint from the "-Dtcpvcon" functionality.

Disabled by default, with the value "false".


-Dskipworkstation=<boolean>

Can be modified to enable the scanning of a Windows Desktop targets.

Enabled by default, with the value "true".


-Denable.pingcommand=<boolean>

Can be modified to use the Java isReachable() method instead of a command line execution.

Enabled by default, with the value "true". Disabling has known issues and should be avoided currently.


-Dtmp.clean=<boolean>

The WMICommand Connector uses Python to query remote Windows devices.

In order to achieve this the desired WMI query is written to a temporary local file.

This local file is then passed as an argument to a Python method.

This -D argument can be modified to preserve the file in the Appliance for diagnosis assistance.

Enabled by default, with the value "true". 


-Dwmiexec.wait=<Integer>

When a WMIcommand Connector executes a remote query, the query output is written to a temporary file on the target device.

Before attempting to read the response from the remote file the Appliance waits a period of time to allow the target device to finish the writing operation.

In environments with slow running machines it may be necessary to increase to this wait time to successfully gather target data.

This will increase scan times.

The wait time is in seconds.

Enabled by default, with the value "2". 


-Denable.foundapps=<boolean>

Can be modified to allow the creation of unqualified product instances on the Appliance.

Disabled by default, with the value "false". The functionality is now provided by the cloud side services.


-Dschema.strict=<boolean>

Can be modified to prevent the throwing of an ClassViolationException when an attempt to use an undefined property with a meta-model object.

This will instead add a log message prefixed with "Ignoring undefined property".

Enabled by default, with the value "true". 


-Dserialization.prettyprint=<boolean>

Can be modified to prevent the pretty print formatting of JSON contained in .msg files.

Enabled by default, with the value "true". 


-Dmessages.trace=<boolean>

Can be modified to prevent the writing of .msg files to the messages "/opt/iqas/server4.5/tmp/messages" directory.

Enabled by default, with the value "true". 


-Dmessages.silence=<String>

Can be modified to prevent the writing of specific types of messages as .msg files to the messages "/opt/iqas/server4.5/tmp/messages" directory.

Any message type provided in the argument will be excluded.

Empty by default.


-DstripReflexiveProcesses=<boolean>

Can be modified to enable the sending of self referencing processes to the ingestion service.

Some self referencing services are valid, but are problematic cloud side currently.

Enabled by default, with the value "true". 


-Diquate.discovery.osdetection=<boolean>

Can be modified to disable the guessing operating system type during port scanning.

Enabled by default, with the value "true".