Scan policy results different than Windows search
Applies To
Application Control Solution 6.1 SP1
Question
A Reference Machine Policy Scan returned 1566 EXEs, whereas a Windows file search of the same machine returned 1640. Why is there a difference of 74 items?
Answer
A file with a ".exe" extension is not necessarily an executable. The following test was performed for comparison:
A File Specification filter ("*.exe; *.sys NOT Executable") was created with the following configuration:
- Wildcard ".exe;.sys"
- Exclude "Program File Executables"
The file scan task was then run to report on the above filter, which listed 113 files under the Windows directory on a test server. Most of these are related to Windows Installer (icon files). WDM drivers were also listed (which are user mode DLLs). A check of a few of the other files listed (non-exhaustive) showed non-PE COFF headers (invalid PE COFF marker).
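The distinction the answer relies on (extension says ".exe", header says otherwise) can be reproduced with a small header check. The following script is an added illustration, not part of the product or of this article: it reads the DOS header, follows e_lfanew to the "PE\0\0" signature, and reads the COFF Characteristics word to tell executables from DLL images. The sample files are constructed in memory (a minimal PE stub, a DLL-flagged stub, an ICO-headed file named .exe, and an MZ file with a bad PE marker); the product's own "Program File Executables" test may apply further rules beyond this header check.

```python
import os
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLL images


def classify(data: bytes) -> str:
    """Classify a file's bytes as 'pe-exe', 'pe-dll', or 'not-pe'.

    Checks only the PE/COFF markers: an 'MZ' DOS header, an e_lfanew offset
    (at 0x3C) that points to 'PE\\0\\0', and a readable COFF header after it.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"  # no DOS header at all (e.g. an icon resource named .exe)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Signature (4 bytes) + COFF header (20 bytes) must fit in the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"  # invalid PE/COFF marker
    # Characteristics is the last field of the 20-byte COFF header (offset 18).
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "pe-dll" if characteristics & IMAGE_FILE_DLL else "pe-exe"


def build_pe_stub(characteristics: int) -> bytes:
    """Constructed minimal PE image: DOS header, PE signature, COFF header only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample set (hypothetical names); only the bytes matter here.
SAMPLE_FILES = {
    "app.exe": build_pe_stub(0x0102),              # EXECUTABLE_IMAGE | 32BIT_MACHINE
    "driver.sys": build_pe_stub(0x2102),           # same, plus the DLL flag
    "installer_icon.exe": b"\x00\x00\x01\x00\x01\x00" + bytes(0x40),  # ICO header
    "broken.exe": b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"XX\0\0" + bytes(20),
    "readme.txt": b"not a candidate",              # filtered out by extension
}


def scan(files, extensions=(".exe", ".sys")):
    """Apply the wildcard filter by extension, then group by header verdict."""
    by_class = {"pe-exe": [], "pe-dll": [], "not-pe": []}
    for name, data in files.items():
        if os.path.splitext(name)[1].lower() not in extensions:
            continue
        by_class[classify(data)].append(name)
    return by_class


def scan_directory(root, extensions=(".exe", ".sys")):
    """Same check over a real directory tree; reads only the first 4 KiB per file."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in extensions:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    files[path] = fh.read(4096)
    return scan(files, extensions)


if __name__ == "__main__":
    for verdict, names in scan(SAMPLE_FILES).items():
        print(f"{verdict}: {names}")
```

Running `scan_directory(r"C:\Windows")` on a test machine lists the ".exe"/".sys" files that lack a valid PE marker, which is the same population the "NOT Executable" filter reported; the 4 KiB read limit is enough because both headers sit at the start of the file.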