Extended signatures for BFI

Hi again
I wonder if you could help with another one of these custom signatures.

I'm trying to find a file in a specific path with this code, but I don't get anything when I test it with the wscansw command.

<?xml version="1.0" encoding="UTF-8"?>
<Signatures version="1.0" xmlns="http://www.ibm.com/Tivoli/Signatures" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com/Tivoli/Signatures signatures.xsd">
<Signature guid="TESTGUID" type="OtherSignature">
<Instance>
<Variable name="IS_INSTALLED" export="true">
<Compare relation="ne" type="string">
<VectorToScalar>
<Vector filter="d:?apps?atlassian-confluence-7.2.0?bin">
<FindFilePathEx name="Tomcat9.exe"/>
</Vector>
</VectorToScalar>
<ValueOf value=""/>
</Compare>
</Variable>
<Condition withVariable="IS_INSTALLED">
<Action do="SKIP" onValue="false"/>
</Condition>
</Instance>
</Signature>
</Signatures>

Wandy,
Try the following signature. Make sure the case matches with the information you are trying to compare with.

<?xml version="1.0" encoding="UTF-8"?>
<Signatures>
  <Signature guid="EXTENDED SIGNATURE TEST" name="EXTENDED SIGNATURE TEST" type="OtherSignature">
    <Variable name="IS_INSTALLED" export="true">
      <Compare type="string" relation="ne">
        <VectorToScalar>
          <Vector filter="d:?apps?atlassian-confluence-7.2.0?bin?">
            <FindFilePathEx name="Tomcat9.exe"/>
          </Vector>
        </VectorToScalar>
        <ValueOf value="" />
      </Compare>
    </Variable>
  </Signature>
</Signatures>

Hi
Thanks for your answer, now I get this output

<?xml version="1.0" encoding="UTF-8"?>
<MatchedSignatures>
  <MatchedSignature guid="EXTENDED SIGNATURE TEST" name="EXTENDED SIGNATURE TEST">
    <Variable name="IS_INSTALLED" value="false"/>
  </MatchedSignature>
</MatchedSignatures>

But I get this output no matter what file name I write in the “FindFilePathEx name=”

Hi again
I know that signatures on .exe files can be made from the scanned file data, but the thing is that I need to find this file in this specific path and not just anywhere.

Wandy,
Can you post a screenshot of the exact directory location and file name from the machine where you are testing the signature?

Wandy,
Update the signature by changing the line
<Vector filter="d:?apps?atlassian-confluence-7.2.0?bin?">
to
<Vector filter="D:?apps?atlassian-confluence-7.2.0?bin?">

Then test it.

Hi

Sorry for the late answer, I have been on vacation.

But now it seems to work, now I get this:

<?xml version="1.0" encoding="UTF-8"?>
<MatchedSignatures>
  <MatchedSignature guid="EXTENDED SIGNATURE TEST" name="EXTENDED SIGNATURE TEST">
    <Variable name="IS_INSTALLED" value="true"/>
  </MatchedSignature>
</MatchedSignatures>

So now it's “true”.

Thanks again
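
The fix in this thread came down to letter case in the `Vector filter` value (`d:` versus `D:`). As an added example that is not part of the original posts, the Python check below reads a signature and reports whether its filter and `FindFilePathEx` name match a path seen on disk exactly, only when case is ignored, or not at all. The function names and the sample path are hypothetical, and treating `?` as a single-character wildcard is an assumption, not something the thread confirms.

```python
import re
import xml.etree.ElementTree as ET

def _local(tag):
    """Drop an XML namespace prefix so namespaced and plain signatures both parse."""
    return tag.rsplit("}", 1)[-1]

def _filter_regex(flt, ignore_case):
    # Assumption (not confirmed by the thread): '?' matches any single
    # character and '*' any run of characters; everything else is literal.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in flt)
    return re.compile(body + r"\Z", re.IGNORECASE if ignore_case else 0)

def check_signature(xml_text, observed_path):
    """Compare each Vector filter / FindFilePathEx name with a path seen on disk.

    Returns a list of (filter, name, verdict); verdict is 'match',
    'case-mismatch' (differs only by letter case) or 'no-match'.
    """
    directory, _, file_name = observed_path.rpartition("\\")
    dirs = (directory, directory + "\\")  # try with and without trailing separator
    results = []
    for vec in ET.fromstring(xml_text).iter():
        if _local(vec.tag) != "Vector":
            continue
        flt = vec.get("filter", "")
        for child in vec:
            if _local(child.tag) != "FindFilePathEx":
                continue
            name = child.get("name", "")
            exact = name == file_name and any(_filter_regex(flt, False).match(d) for d in dirs)
            loose = name.lower() == file_name.lower() and any(
                _filter_regex(flt, True).match(d) for d in dirs)
            results.append((flt, name, "match" if exact else "case-mismatch" if loose else "no-match"))
    return results

# Constructed sample: the path is assumed from the fix in the thread, not taken from a scan.
OBSERVED = r"D:\apps\atlassian-confluence-7.2.0\bin\Tomcat9.exe"
SIG = """<Signatures><Signature guid="EXTENDED SIGNATURE TEST" type="OtherSignature">
<Variable name="IS_INSTALLED" export="true"><Compare type="string" relation="ne">
<VectorToScalar><Vector filter="{flt}"><FindFilePathEx name="Tomcat9.exe"/></Vector>
</VectorToScalar><ValueOf value=""/></Compare></Variable></Signature></Signatures>"""

if __name__ == "__main__":
    for flt in ("d:?apps?atlassian-confluence-7.2.0?bin?", "D:?apps?atlassian-confluence-7.2.0?bin?"):
        print(check_signature(SIG.format(flt=flt), OBSERVED))
```

A `case-mismatch` verdict points at the situation this thread ended with: the signature is well-formed, but the filter or file name differs from the real path only by letter case.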