Scan policy results different than Windows search

Applies To

Application Control Solution 6.1 SP1

Question

A Reference Machine Policy Scan returned 1566 EXEs, while a Windows file search of the same machine returned 1640. Why is there a difference of 74 items?

Answer

A file with a ".exe" extension is not necessarily an executable; the scan classifies files by their content (a valid PE/COFF header), not by their name. The following test was performed for comparative purposes:

A File Specification filter ("*.exe; *.sys NOT Executable") was created with the following configuration:

  • Wildcard ".exe;.sys"
  • Exclude "Program File Executables"

The file scan task was then run to report on the above filter, which returned 113 files under the Windows directory on a test server. Most of these are related to Windows Installer (icon files). WDM drivers were also listed (which are user mode DLLs). A check of a few of the other listed files (non-exhaustive) showed non-PE COFF headers (invalid PE COFF marker).
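The distinction the answer draws (file extension versus an actual PE/COFF header) can be reproduced directly. The following Python script is an added example, not part of this article or of the product; the sample "files" are constructed byte strings standing in for a directory listing, and the category names are the example's own.

```python
import struct

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics flag: image is a DLL
IMAGE_SUBSYSTEM_NATIVE = 1       # optional-header Subsystem used by kernel drivers

def classify_pe(data: bytes) -> str:
    """Classify bytes by their PE/COFF header, ignoring the file name.

    Checks the DOS 'MZ' stub, follows e_lfanew to the 'PE\\0\\0' marker,
    then reads the COFF Characteristics and the optional-header Subsystem.
    """
    if len(data) < 64 or data[:2] != b"MZ":
        return "not-pe"                      # e.g. an icon file named .exe
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "invalid-pe-marker"           # MZ stub present, PE signature missing
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    if characteristics & IMAGE_FILE_DLL:
        return "dll"                         # user-mode DLL, whatever its extension
    if len(data) >= e_lfanew + 94:
        subsystem = struct.unpack_from("<H", data, e_lfanew + 92)[0]
        if subsystem == IMAGE_SUBSYSTEM_NATIVE:
            return "native-driver"
    return "executable"

def build_pe(characteristics=0x0102, subsystem=2) -> bytes:
    """Constructed minimal PE32 image: DOS header, PE signature, COFF header, optional header."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, characteristics)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

# Constructed sample set (name -> contents) standing in for a directory listing.
SAMPLES = {
    "setup.exe":  build_pe(),                                  # genuine executable
    "icon.exe":   b"\x00\x00\x01\x00" + bytes(60),             # ICO header, named .exe
    "coinst.sys": build_pe(characteristics=0x2102),            # user-mode DLL shipped as .sys
    "disk.sys":   build_pe(subsystem=IMAGE_SUBSYSTEM_NATIVE),  # real kernel driver
    "stub.exe":   b"MZ" + bytes(62) + b"XXXX",                 # MZ stub, e_lfanew=0 -> bogus marker
}

def scan(files: dict) -> dict:
    """Compare a name-based count (like Windows search) with a header-based count (like the policy scan)."""
    by_extension = [n for n in files if n.lower().endswith((".exe", ".sys"))]
    verdicts = {n: classify_pe(files[n]) for n in by_extension}
    valid = [n for n, v in verdicts.items() if v not in ("not-pe", "invalid-pe-marker")]
    return {"by_extension": len(by_extension), "valid_pe": len(valid),
            "difference": len(by_extension) - len(valid), "verdicts": verdicts}
```

Running `scan(SAMPLES)` reports 5 files by extension but only 3 valid PE images; the two rejected entries are the icon file and the stub with a bad PE marker, the same kinds of files the test above turned up.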