Does anyone have any advice on how to detect Spigot adware? I did some research on where it might reside in files and registry but this all returns false:
C:\Program Files (x86)\Common Files\Spigot
C:\Program Files\Common Files\Spigot
Display Name = YTD of uninstall registry
Display Name = IOBit of uninstall registry
Other places I am going to try, but reaching out to see if anyone has looked for this specific adware before?
exists keys "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}" of (x64 registries; x32 registries)
Use this relevance to create a computer group; or you can put this in your action script as a conditional. Personally, I like making groups, and then just throwing whatever I need to at the entire group…
@mwolff, do you have any relevance advice on how to "searchlight" for the existence of the adware setting in "HKEY_USERS"? I am testing a task that runs to gather the "HKEY_USERS" hive on a machine known to have the adware, but am ultimately looking to gather knowledge on those machines for which you don't know the user value (you don't know where the adware is installed)? Thanks -
Sure. You can look through subkeys by using the “of keys” inspector.
Say you want to inspect HKEY_USERS\x\Software. Since we don’t know what X is, we can just substitute every possible value by using relevance.
exists keys "Software" of keys of keys "HKEY_USERS" of (x32 registries; x64 registries)
This is functionally the same as saying "Does the key Software exist in any of the keys underneath HKEY_USERS?", and BigFix will iterate through each subkey one by one.
For example, most standard Windows installs have the admin profile enabled, as well as possibly a guest and some other profiles. Each key value thus becomes a variable:
hku\s-1-5-18\software
hku\s-1-5-20\software
hku\whatever-the-guid-of-your-account-is\software
Oh, by the way, you can do this with a property or even BigFix Query to get more immediate results compared to a Task.
I would always recommend using the Relevance Tester first, of course, to lessen the impact on your production environment. Bonus points if you have a dev environment to write relevance queries in and test it across multiple machines with BFQ.
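For anyone who wants to confirm the indicators on a known-bad machine before encoding them as relevance, here is an added PowerShell example (not code from the thread or from BigFix). It walks every loaded hive under HKEY_USERS the same way the "keys of keys" relevance above does, and it goes a little beyond the single GUID check: it also looks for the two Common Files folders and the uninstall DisplayName strings the original poster was testing. The GUID and DisplayName substrings are the ones quoted in this thread; the folder paths are derived from the standard ProgramFiles environment variables, which is an assumption about where the adware drops its files.

```powershell
# Added example, not part of the original thread. Enumerates loaded user hives
# under HKEY_USERS and reports Spigot indicators so the result can be verified
# on a known-infected machine before writing the equivalent BigFix relevance.
$uninstallSub = 'Software\Microsoft\Windows\CurrentVersion\Uninstall'
$spigotGuid   = '{28e56cfb-e30e-4f66-85d8-339885b726b8}'   # GUID quoted in the thread
$nameHints    = @('YTD', 'IOBit')                           # DisplayName substrings from the question
$folderHints  = @(                                          # assumed drop locations from the question
    "$env:ProgramFiles\Common Files\Spigot",
    "${env:ProgramFiles(x86)}\Common Files\Spigot"
)

$findings = New-Object System.Collections.Generic.List[object]

# 1. Static folder locations. ProgramFiles(x86) is empty on 32-bit Windows, so skip blanks.
foreach ($f in $folderHints) {
    if ($f -and (Test-Path -LiteralPath $f)) {
        $findings.Add([pscustomobject]@{ Kind = 'Folder'; Where = $f; Detail = '' })
    }
}

# 2. Walk every SID under HKEY_USERS. Only hives of logged-on users (plus the
#    service SIDs S-1-5-18/19/20) are loaded, so users who are not logged on
#    will not be seen by this pass; that is the same limitation the relevance has.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($sidKey in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
    $sid = $sidKey.PSChildName
    if ($sid -like '*_Classes') { continue }                # skip the *_Classes mirror hives
    $uninstall = "HKU:\$sid\$uninstallSub"
    if (-not (Test-Path -LiteralPath $uninstall)) { continue }

    # 2a. Exact uninstall GUID, i.e. the per-user form of mwolff's HKCU relevance
    $guidKey = "$uninstall\$spigotGuid"
    if (Test-Path -LiteralPath $guidKey) {
        $findings.Add([pscustomobject]@{ Kind = 'UninstallGUID'; Where = $guidKey; Detail = $sid })
    }

    # 2b. DisplayName hints, matched across every uninstall entry in this user's hive
    foreach ($entry in Get-ChildItem -LiteralPath $uninstall -ErrorAction SilentlyContinue) {
        $display = (Get-ItemProperty -LiteralPath $entry.PSPath -ErrorAction SilentlyContinue).DisplayName
        if (-not $display) { continue }
        foreach ($hint in $nameHints) {
            if ($display -like "*$hint*") {
                $findings.Add([pscustomobject]@{ Kind = 'DisplayName'; Where = $entry.PSPath; Detail = $display })
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Spigot indicators found in loaded hives or Common Files.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it elevated so the service hives and other users' loaded hives are readable; whatever it reports under HKU is what an "exists keys ... of keys of keys "HKEY_USERS"" relevance will also see on that machine, which makes it a quick sanity check before you roll the relevance into a property or BigFix Query.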