
Why would a scan filter policy that targets all executables return a lower file count than that of a Windows explorer search?

Article ID: 49439

Applies To

• Application Control Solution 6.1 SP1

Question

A Reference Machine Policy Scan returned 1566 EXE files, while a Windows file search of the same machine returned 1640. Why is there a difference of 74 items?

Answer

A file with a ".exe" extension is not necessarily an executable: the scan classifies files by their contents, while a Windows search matches on the file name. The following test was performed for comparison:

A File Specification filter ("*.exe; *.sys NOT Executable") was created with the following configuration:

  • Wildcard "*.exe;*.sys"
  • Exclude "Program File Executables"

The file scan task was then run to report on this filter. It returned 113 files under the Windows directory on a test server. Most of these are Windows Installer icon files. WDM driver files were also listed (these are user-mode DLLs). A check of a few of the other listed files (non-exhaustive) showed that they have no valid PE COFF header (invalid PE COFF marker), so they carry an executable extension but are not executables.
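As an added example (not code from the article or from the product), the script below applies the same distinction the answer draws: it walks a directory, picks out files named like executables, and reports those whose contents lack a valid MZ/PE header. The sample files it scans are constructed in a temporary directory, so it runs offline.

```python
import os
import struct
import tempfile
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"

def classify_pe(stream):
    """Return 'pe' if the binary stream holds a PE/COFF image, otherwise the reason it does not."""
    dos_header = stream.read(0x40)
    if len(dos_header) < 0x40 or dos_header[:2] != MZ_MAGIC:
        return "no-mz-header"
    # e_lfanew (DOS header offset 0x3C) gives the file offset of the "PE\0\0" signature
    e_lfanew = struct.unpack_from("<I", dos_header, 0x3C)[0]
    stream.seek(e_lfanew)
    if stream.read(4) != PE_SIGNATURE:
        return "bad-pe-signature"
    return "pe"

def find_non_pe(root, extensions=(".exe", ".sys")):
    """Walk root; map each executable-named file that is NOT a PE image to the reason."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    verdict = classify_pe(f)
            except OSError:
                continue  # locked or access denied: skip rather than misreport
            if verdict != "pe":
                results[os.path.relpath(path, root)] = verdict
    return results

def scan_samples():
    """Write constructed sample files (not real binaries) to a temp dir and scan it."""
    dos = bytearray(0x40)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE signature placed right after the DOS header
    samples = {
        "valid.exe": bytes(dos) + PE_SIGNATURE + b"\0" * 20,  # minimal PE-shaped stub
        "stub_only.exe": bytes(dos) + b"\0" * 24,             # MZ header, no PE signature
        "icon.exe": b"\x00\x00\x01\x00" + b"\0" * 12,         # .ico magic saved under an .exe name
    }
    root = tempfile.mkdtemp()
    for name, blob in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(blob)
    return find_non_pe(root)
```

Running `find_non_pe` over a real Windows directory gives the list of name-only matches that a content-based scan would exclude, which is the gap the question asks about.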
