I'm trying to write an analysis to find an executable on systems. From poking into different systems I've seen the executable exist in c:, %systemroot%\system32, %systemroot%\system32\dllcache, etc. What would be a good relevance script to hunt this out?
That is true, Jesse, if I know the subdirectory under Program Files is always consistent. I have been finding these little buggers (trojan executables, etc.) in directories under Windows, Program Files, etc., where the directory name varies from system to system, but the executable name is the same.
Ah, I think maybe you misunderstood my answer… I was trying to address your question about folders with 'spaces'.
To search your file system for a particular file, you have a number of options. The key thing to consider is that the search gets more costly with the number of locations you are trying to search. The more you can narrow your target the better.
If you can narrow it down to a couple of locations, you could use an expression like this:
exists file "badguy.dll" of (system folder; windows folder; folder "C:\Program Files"; folders of system folder)
This would search 3 known folders (system folder, windows folder, and C:\Program Files), and also search any folders of the system folder. It will not go deeper than one level of folders below the system folder.
You can also use the ‘descendants’ inspector. This will do a full depth search through all child folders of the folder you pass to the inspector.
This one will look through the entire C:\ drive. You do NOT want to make a fixlet that has this relevance. It’s okay to make a property, but you should set it to evaluate once per day or even less frequently:
exists descendant whose (name of it = "badguy.dll") of root folders of drive "c:"
Similar caveats for this one, but it’s not quite as bad since you’re only looking through program files and the windows folder (which includes the system folder):
exists descendant whose (name of it = "badguy.dll") of (windows folder; folder "C:\Program Files"; folders of system folder)
You got me, I did misunderstand. I've incorporated some of your and Doug's info into analyses I've set up. Similar question - I've seen some objects "morph", change names ever so slightly. I know I can do something like exists file whose (name of it contains "objectname") of windows folder. But what if the object changes from objectname.exe to objectname[1].exe? I'm wondering if I could use the "*" or "?" wildcard to look for objectname*.exe, for example. That way I could possibly cut out some false positives.
I have another similar, but different, situation. Our DBAs have installed Oracle all over the place (C drive, D drive, different folder names for the same versions, etc.) and I'm looking for the VERSION of "TIMEZONE.DAT" so we can locate all the Oracle DST problem issues in our environment.
I don't want to scan a machine unless I have to… Looking in installed applications doesn't yield anything like "Oracle 10" or anything that easy. The services have a long name which contains the word Oracle (OracleServiceO101 (OracleServiceO101) - Running), but nothing easily pulled out without some extra relevance.
One thing remains true, the pathname before the file is \oracore\zoneinfo
SteveC,
Try this:
exists find files "objectname*.exe" of windows folder
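The search strategy in the two answers above (check a handful of known folders first, fall back to a full-depth descendant walk only when you must, and use a wildcard for names that morph) as an added, stand-alone Python example; this is not code from the thread or from BigFix, and it does not run inside the BigFix client. It builds a constructed directory tree in a temp dir that mimics the locations mentioned (system32, dllcache, a vendor-named folder under Program Files, a renamed objectname[1].exe) and reports the hits together with the number of directories each search had to visit, which is the cost the answer warns about. Names are compared case-insensitively here; the relevance expressions above compare `name of it` exactly, so add `as lowercase` on the client if you want the same behaviour.

```python
"""Tiered file hunt modelled on the thread's relevance expressions.

Tier 1 looks only in a few known folders (cheap), tier 2 walks every
descendant (expensive), and a glob pattern catches names that "morph"
(objectname.exe -> objectname[1].exe).  The tree it searches is a
constructed fixture built in a temp dir; nothing here is real malware.
"""
import fnmatch
import os
import tempfile

# Constructed fixture: relative paths mirroring the locations named in the
# thread (system32, dllcache, Program Files with a vendor-specific subfolder).
SAMPLE_TREE = (
    "Windows/System32/badguy.dll",
    "Windows/System32/dllcache/badguy.dll",
    "Windows/System32/drivers/etc/badguy.dll",     # two levels below system32
    "Program Files/Some Vendor/badguy.dll",        # vendor folder name varies
    "Users/alice/Downloads/objectname[1].exe",     # "morphed" copy
    "Windows/objectname.exe",
    "Windows/OBJECTNAME2.EXE",                     # case differs
    "Windows/objectname_notes.txt",                # must not match *.exe
)


def build_sample_tree(base):
    """Create the constructed fixture under `base` (1-byte placeholder files)."""
    for rel in SAMPLE_TREE:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x")


def hunt(roots, pattern, depth=None):
    """Search each root for files whose name matches `pattern` (glob syntax,
    case-insensitive).  depth=0 looks only in the root itself, depth=1 adds
    its immediate subfolders, None walks every descendant.  Returns the
    sorted hits and the number of directories visited (the search cost).
    Note: "[" is a character class in glob syntax, so escape it
    (glob.escape) if a literal variant name such as objectname[1].exe is
    itself the pattern."""
    hits, visited = [], 0
    pattern = pattern.lower()
    for root in roots:
        if not os.path.isdir(root):
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            visited += 1
            rel = os.path.relpath(dirpath, root)
            level = 0 if rel == "." else rel.count(os.sep) + 1
            for name in filenames:
                if fnmatch.fnmatchcase(name.lower(), pattern):
                    hits.append(os.path.join(dirpath, name))
            if depth is not None and level >= depth:
                dirnames[:] = []  # prune: os.walk will not descend further
    return sorted(hits), visited


def shallow_hunt(base, name):
    """Python counterpart of the cheap expression from the thread:
       exists file "badguy.dll" of (system folder; windows folder;
           folder "C:\\Program Files"; folders of system folder)
    i.e. three folders directly plus one level under the system folder."""
    windows = os.path.join(base, "Windows")
    system = os.path.join(windows, "System32")
    program_files = os.path.join(base, "Program Files")
    direct, cost1 = hunt([windows, program_files], name, depth=0)
    sys_tree, cost2 = hunt([system], name, depth=1)
    return sorted(set(direct) | set(sys_tree)), cost1 + cost2


def demo():
    """Build the fixture, run both tiers and the wildcard search, and return
    the results as drive-relative paths so they are easy to compare."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)

        def rel(paths):
            return sorted(os.path.relpath(p, base).replace(os.sep, "/") for p in paths)

        shallow, shallow_cost = shallow_hunt(base, "badguy.dll")
        deep, deep_cost = hunt([base], "badguy.dll")              # whole "drive"
        narrow, _ = hunt([os.path.join(base, "Windows")], "objectname*.exe", depth=0)
        wide, _ = hunt([base], "objectname*.exe")
        return {
            "shallow": rel(shallow), "shallow_dirs": shallow_cost,
            "deep": rel(deep), "deep_dirs": deep_cost,
            "narrow_wildcard": rel(narrow), "wide_wildcard": rel(wide),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The shallow tier finds the two copies in system32 and dllcache after visiting five directories but misses the one two levels down and the one under the vendor folder; the full walk finds all four at more than twice the cost, which is why the answer says to put such a search in an infrequently evaluated property rather than a fixlet. The wildcard search picks up objectname[1].exe and the differently cased copy while ignoring the .txt with a similar prefix.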