I have been asked how a definition works if simply a file name is put into the File Detection logic for a definition.
Where does vulscan look if no path is specified?
Some applications register themselves in the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths
Vulscan checks this key first when scanning for files without a path.
In fact, vulscan itself is registered in this key. This is how you can type "vulscan" from the Run or Search line in Windows and it will find it, even though it is not listed in the environment variables. Other programs register themselves as well... look for yourself in that key.
If vulscan does not find it in the HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths key, it will look in the current working directory for Vulscan.
If run as the SYSTEM account that working directory should be WINDOWS\SYSTEM32.
If run as the user, it really could be anywhere.
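An added example (not from David's post and not vulscan's own code) that reproduces the lookup order described above in PowerShell, so you can check where a bare file name in a definition would resolve on a given machine under a given account and working directory; the function name and its output fields are my own.

```powershell
# Emulates the two-step lookup described in the post for a bare file name:
#   1. HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\<file name>
#   2. the current working directory of the scanning process
function Resolve-BareFileName {
    param(
        # App Paths subkeys are named with the extension, e.g. 'vulscan.exe'
        [Parameter(Mandatory)] [string] $FileName,
        # Default to the caller's CWD; pass 'C:\Windows\System32' to model SYSTEM
        [string] $WorkingDirectory = (Get-Location).Path
    )

    # Step 1: App Paths. The key's (Default) value holds the registered full path.
    $appPathsKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\$FileName"
    if (Test-Path -LiteralPath $appPathsKey) {
        $registered = (Get-ItemProperty -LiteralPath $appPathsKey).'(default)'
        if ($registered -and (Test-Path -LiteralPath $registered)) {
            return [pscustomobject]@{
                FileName = $FileName; Source = 'App Paths'; Path = $registered
            }
        }
    }

    # Step 2: working directory. For SYSTEM this is normally WINDOWS\SYSTEM32;
    # for an interactive user it is wherever the scan was launched from.
    $candidate = Join-Path -Path $WorkingDirectory -ChildPath $FileName
    if (Test-Path -LiteralPath $candidate) {
        return [pscustomobject]@{
            FileName = $FileName; Source = 'Working directory'; Path = $candidate
        }
    }

    return [pscustomobject]@{ FileName = $FileName; Source = 'Not found'; Path = $null }
}

# Usage: compare how the same bare name resolves under two working directories.
Resolve-BareFileName -FileName 'vulscan.exe' | Format-List
Resolve-BareFileName -FileName 'vulscan.exe' -WorkingDirectory 'C:\Windows\System32' | Format-List
```

Because step 2 depends on the account and its working directory, a definition that lists only a file name can give different results for SYSTEM and for an interactive user; supplying the full path in the definition removes that ambiguity.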
Good stuff, I would make this a document.
Thanks David, I have been wondering how you guys are now finding the .exe, etc., in file detection when you only list that file and no path.