2 Replies Latest reply: Feb 8, 2012 8:50 AM by mrspike

    Application paths in vulnerability definitions

    LANDave SupportEmployee

      I have been asked how a definition works if simply a file name is put into the File Detection logic for a definition.


      Where does vulscan look if no path is specified?


      Some applications register themselves in the following registry key:


      HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths


      Vulscan checks this key first when scanning for files without a path.


      In fact, vulscan itself is registered in this key. This is how you can type "vulscan" from the Run or Search line in Windows and it will find it, even though it is not listed in the environment variables. Other programs register themselves as well... look for yourself in that key.


      If vulscan does not find it in the HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths key it will look in the current working directory for Vulscan.


      If run as the SYSTEM account that working directory should be WINDOWS\SYSTEM32.


      If run as the user it really could be anywhere.
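
An added example (not part of the original post and not vulscan's own code): a PowerShell sketch that follows the lookup order described above, so a definition author can see where a bare file name would resolve on a given machine. The function name `Resolve-BareFileName` is hypothetical, and checking that the registered path actually exists on disk is an assumption about the behavior.

```powershell
# Added example: approximates the lookup order described in the post.
# Hypothetical helper, not vulscan's implementation.
function Resolve-BareFileName {
    param(
        [Parameter(Mandatory)][string]$FileName,
        # Defaults to the caller's working directory; pass another to model a different account.
        [string]$WorkingDirectory = (Get-Location).Path
    )

    $appPaths = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\App Paths'
    $subKey   = Join-Path $appPaths $FileName

    # 1. App Paths: the subkey is named after the executable (for example "vulscan.exe")
    #    and its default value holds the full path to the file.
    if (Test-Path -LiteralPath $subKey) {
        $registered = (Get-Item -LiteralPath $subKey).GetValue('')
        if ($registered) {
            # Some installers store the path quoted; strip the quotes before testing it.
            $registered = [Environment]::ExpandEnvironmentVariables($registered.Trim('"'))
            # Assumption: a registration pointing at a missing file does not count as found.
            if (Test-Path -LiteralPath $registered -PathType Leaf) {
                return [pscustomobject]@{ Source = 'AppPaths'; Path = $registered }
            }
        }
    }

    # 2. Fall back to the working directory of the scanning process.
    $candidate = Join-Path $WorkingDirectory $FileName
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        return [pscustomobject]@{ Source = 'WorkingDirectory'; Path = $candidate }
    }

    return [pscustomobject]@{ Source = 'NotFound'; Path = $null }
}

# Resolve as the current user, from wherever this shell happens to be.
Resolve-BareFileName -FileName 'vulscan.exe'

# Model a scan running as SYSTEM, whose working directory should be WINDOWS\SYSTEM32.
Resolve-BareFileName -FileName 'notepad.exe' -WorkingDirectory "$env:windir\System32"
```

A `WorkingDirectory` result means the match depends on where the scan was started, so the same definition can give different results under SYSTEM and under a user; putting a full path in the File Detection logic removes that dependency.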