/build/static/layout/Breadcrumb_cap_w.png

Massive Malware Smart Label (and K1000 Scripting Practices)

(AUTHOR'S NOTE: Check out my other two queries for VPNs/Proxies and P2P/Torrent Clients over here! Also, you might want to follow this post, as I'll update the query as I change it and find more signatures to track!)

So a few months ago I was tasked with tracking down some Conduit malware infections in my enterprise setting. I was provided with this nice little print out of IP addresses and was told to track them down manually and fix the problem. I knew I could do a more efficient job by using KACE inventory tracking and reports.

Since I was assigned that little malware-cleanup job, I've hand-filtered through over 16,750 software signatures gathered from over 9000 workstations in our enterprise. I wanted to share this massive smart-label script I created. I also think it's a good example of how to produce a well-documented script that is easily understood by newcomers. Not that KACE SQL is that complicated... But still!

The query catches all malware names that I could find based on Vendor and Display fields. This pastes right into the smart label script - you can use the wizard to create one and paste this in there. Everything is commented to hell and back, so it largely explains itself. Remember when creating scripts you should comment everything so that new people coming in can make sense of what you've written. Changelogs, while bloating the line count, are useful for troubleshooting if something goes wrong. Since KACE editor is not monospaced font the layout gets a little funky. I chose to keep it functional for monospaced editors because I do all my editing in Notepad++.

This script catches approximately 270 different software names and publishers, with about 10 exludes built in to avoid common false-positives I ran across, and a switch to only put softwares in the Malware label if they aren't rated with Threat 5. Essentially what this does is creates a nice little label that only shows up in my list if NEW malware comes onto my network, and anything I've already identified and flagged Threat 5 is ignored. So any time I see the Malware label in my list, I know there's new malware I need to categorize. If you want the label to stick all the time, you can just comment out or remove the last line.

The intention here is to use the Reporting features to generate a report that shows machines with Threat 5 software (see link below for example report). You can design the report with the wizard so that it shows machines by IP and even username logged in, so you can see exactly who and where the infections are. If your enterprise uses VNC or something similar, you can easily track users down and clean up the infection.

You can change little things here and there. Most of my signatures will catch the words between the parens if they show up ANYWHERE in that field. That's why, for example, I commented out "Converter" because there were lots of legit files with the word converter in them. If you know a file started with the word Converter, you could remove the first % so it read "... like 'Converter%')" for example.

Below I've linked an image gallery to show how I used the KACE Report Wizard to set up the report I use in conjunction with the Smart Label query I've pasted into the code box below that. Just keep in mind that Report won't show anything until you go into Software Inventory, use "View All" to view the Malware label, and classify it all as Threat 5, since the report operates off the Threat rating, and not the Malware label itself. Enjoy! :)

Report Wizard Gallery here: (link outdated with updated KACE release... Sorry folks, don't have time to fix it!)

/* ##################################################### */
/* # PURPOSE: Flags Software Inventory items with the # */
/* # Malware label for quick flagging and reporting. # */
/* ##################################################### */ /* ##### COMMENTS ##### */
/* Display and Vendor names are encased in single quotes. Percents are wildcards. First block is names, second is publishers, third is excludes.
Please keep new entries alphabetical first, then search function second.
Please verify changes for false positives & update changelog. Suggested parsing editor is something monospaced. This editor is trash. */ /* ##### CHANGELOG ##### */
/*
04.22.2014 Real Name <email>
* Created query.

04.23.2014 Real Name <email>
* Added 100+ more signatures.

04.24.2014 Real Name <email>
* Added 100+ more signatures.
* Fixed formatting for ease of reading.
* Added comment blocks & changelog. 05.05.2014 Real Name <email>
* Change 'File Type Assistant' to 'File Type' for broader catch.
* Added 2 new signatures.
* Removed filter for 'IOBit' signature.
* Moved commented lines and added "Disabled Entries" section. 05.06.2014 Real Name <email>
* Added 2 new signatures. 05.07.2014 Real Name <email>
* Added 11 new signatures.
* Removed 1 signature. 05.08.2014 Real Name <email>
* Added 3 new signatures.

05.08.2014 Real Name <email>
* Cleaned up the script a little for uniformity.
*/ /* ##### BEGIN QUERY ####### */
/* # Leave this part alone. # */
/* ########################## */ SELECT ID FROM SOFTWARE WHERE /* ########## START NAME INCLUDES ######### */
/* # These all need to be "OR" and "like" # */
/* # New signature = add another paren! # */
/* # Parens in groups of 10, lines of 30. # */
/* ############################################# */
(((((((((( (((((((((( ((((((((((
(((((((((( (((((((((( ((((((((((
(((((((((( (((((((((( ((((((((((
(((((((((( (((((((((( ((((((((((
(((((((((( (((((((((( ((((((((((
(((((((((( (((((((((( ((((((((((
(((((((((( (((((((((( ((((((((((
(((((((((( (((((((((( ((((((((((
(((((((((( (((((((((( ((((((((((
(((((((((( ( /* # DISABLED ENTRIES # */
/* ##################### */
/*((
OR SOFTWARE.DISPLAY_NAME like '%Convert%')
OR SOFTWARE.DISPLAY_NAME like '%Microsoft Search Enhancement Pack%') */
/* ##################### */ SOFTWARE.DISPLAY_NAME like '%24x7 Help%')
OR SOFTWARE.DISPLAY_NAME like '%advanced registry optimizer%')
OR SOFTWARE.DISPLAY_NAME like '%Advanced System Protector%')
OR SOFTWARE.DISPLAY_NAME like '%Allyrics-22%')
OR SOFTWARE.DISPLAY_NAME like '%appbar%')
OR SOFTWARE.DISPLAY_NAME like '%appgraffiti%')
OR SOFTWARE.DISPLAY_NAME like '%Babylon%')
OR SOFTWARE.DISPLAY_NAME like '%backupdutylite%')
OR SOFTWARE.DISPLAY_NAME like '%BitGuard%')
OR SOFTWARE.DISPLAY_NAME like '%Blitz Media Player%')
OR SOFTWARE.DISPLAY_NAME like '%Browse For Change%')
OR SOFTWARE.DISPLAY_NAME like '%BrowserProtect%')
OR SOFTWARE.DISPLAY_NAME like '%browsersafeguard%')
OR SOFTWARE.DISPLAY_NAME like '%browsetosave%')
OR SOFTWARE.DISPLAY_NAME like '%Buzz-it%')
OR SOFTWARE.DISPLAY_NAME like '%BuzzSearch%')
OR SOFTWARE.DISPLAY_NAME like '%cioolsalecooupon%')
OR SOFTWARE.DISPLAY_NAME like '%clean water action%')
OR SOFTWARE.DISPLAY_NAME like '%Community Smartbar%')
OR SOFTWARE.DISPLAY_NAME like '%Conduit%')
OR SOFTWARE.DISPLAY_NAME like '%consumer input%')
OR SOFTWARE.DISPLAY_NAME like '%ConvertHelper%')
OR SOFTWARE.DISPLAY_NAME like '%Coupon%')
OR SOFTWARE.DISPLAY_NAME like '%Crawler%')
OR SOFTWARE.DISPLAY_NAME like '%crossreader%')
OR SOFTWARE.DISPLAY_NAME like '%Deal Boat%')
OR SOFTWARE.DISPLAY_NAME like '%Dealio%')
OR SOFTWARE.DISPLAY_NAME like '%DealPly%')
OR SOFTWARE.DISPLAY_NAME like '%Deals%')
OR SOFTWARE.DISPLAY_NAME like '%DefaultTab%')
OR SOFTWARE.DISPLAY_NAME like '%Delta%')
OR SOFTWARE.DISPLAY_NAME like '%Dictionaryboss%')
OR SOFTWARE.DISPLAY_NAME like '%Dmuninstaller%')
OR SOFTWARE.DISPLAY_NAME like '%Driver Performer%')
OR SOFTWARE.DISPLAY_NAME like '%driverupdate%')
OR SOFTWARE.DISPLAY_NAME like '%facemoods%')
OR SOFTWARE.DISPLAY_NAME like '%Fast Free Converter%')
OR SOFTWARE.DISPLAY_NAME like '%Fast Search%')
OR SOFTWARE.DISPLAY_NAME like '%File Type%')
OR SOFTWARE.DISPLAY_NAME like '%Files Opened%')
OR SOFTWARE.DISPLAY_NAME like '%free file viewer%')
OR SOFTWARE.DISPLAY_NAME like '%free opener%')
OR SOFTWARE.DISPLAY_NAME like '%Free Video Player%')
OR SOFTWARE.DISPLAY_NAME like '%freemake%')
OR SOFTWARE.DISPLAY_NAME like '%Funmoods%')
OR SOFTWARE.DISPLAY_NAME like '%Gaming Extension%')
OR SOFTWARE.DISPLAY_NAME like '%genieo%')
OR SOFTWARE.DISPLAY_NAME like '%genieoExtra%')
OR SOFTWARE.DISPLAY_NAME like '%highlightly%')
OR SOFTWARE.DISPLAY_NAME like '%Hoopla%')
OR SOFTWARE.DISPLAY_NAME like '%I Want This%')
OR SOFTWARE.DISPLAY_NAME like '%IB Updater%')
OR SOFTWARE.DISPLAY_NAME like '%iLivid%')
OR SOFTWARE.DISPLAY_NAME like '%IM completer%')
OR SOFTWARE.DISPLAY_NAME like '%image converter%')
OR SOFTWARE.DISPLAY_NAME like '%Iminent%')
OR SOFTWARE.DISPLAY_NAME like '%InboxAce%')
OR SOFTWARE.DISPLAY_NAME like '%Incredibar%')
OR SOFTWARE.DISPLAY_NAME like '%installconverter%')
OR SOFTWARE.DISPLAY_NAME like '%installmac%')
OR SOFTWARE.DISPLAY_NAME like '%InstallX Search Protect%')
OR SOFTWARE.DISPLAY_NAME like '%Internet Turbo%')
OR SOFTWARE.DISPLAY_NAME like '%InternetHelper%')
OR SOFTWARE.DISPLAY_NAME like '%Iwebar%')
OR SOFTWARE.DISPLAY_NAME like '%level quality%')
OR SOFTWARE.DISPLAY_NAME like '%Linksicle%')
OR SOFTWARE.DISPLAY_NAME like '%Lpt System Updater%')
OR SOFTWARE.DISPLAY_NAME like '%LTCM Client %')
OR SOFTWARE.DISPLAY_NAME like '%Lyri%')
OR SOFTWARE.DISPLAY_NAME like '%Mega Browse%')
OR SOFTWARE.DISPLAY_NAME like '%MixiDJ%')
OR SOFTWARE.DISPLAY_NAME like '%mobogenie%')
OR SOFTWARE.DISPLAY_NAME like '%mplayer%')
OR SOFTWARE.DISPLAY_NAME like '%muvic%')
OR SOFTWARE.DISPLAY_NAME like '%My Scrap Nook%')
OR SOFTWARE.DISPLAY_NAME like '%My Web Search%')
OR SOFTWARE.DISPLAY_NAME like '%MyPC Backup%')
OR SOFTWARE.DISPLAY_NAME like '%Mysearchdial%')
OR SOFTWARE.DISPLAY_NAME like '%NetAssistant%')
OR SOFTWARE.DISPLAY_NAME like '%Netzero%')
OR SOFTWARE.DISPLAY_NAME like '%Online Vault%')
OR SOFTWARE.DISPLAY_NAME like '%Open It!%')
OR SOFTWARE.DISPLAY_NAME like '%openfreely%')
OR SOFTWARE.DISPLAY_NAME like '%Optimizer Pro%')
OR SOFTWARE.DISPLAY_NAME like '%ParetoLogic%')
OR SOFTWARE.DISPLAY_NAME like '%pc clean%')
OR SOFTWARE.DISPLAY_NAME like '%pc health%')
OR SOFTWARE.DISPLAY_NAME like '%PC Optimizer%')
OR SOFTWARE.DISPLAY_NAME like '%PC Performer%')
OR SOFTWARE.DISPLAY_NAME like '%playbryte%')
OR SOFTWARE.DISPLAY_NAME like '%Plus-hd%')
OR SOFTWARE.DISPLAY_NAME like '%PriceGong%')
OR SOFTWARE.DISPLAY_NAME like '%PricePeep%')
OR SOFTWARE.DISPLAY_NAME like '%privacy safeguard%')
OR SOFTWARE.DISPLAY_NAME like '%quiknowledge%')
OR SOFTWARE.DISPLAY_NAME like '%qwiklinx%')
OR SOFTWARE.DISPLAY_NAME like '%regcure%')
OR SOFTWARE.DISPLAY_NAME like '%RegCurePro%')
OR SOFTWARE.DISPLAY_NAME like '%regcurePro%')
OR SOFTWARE.DISPLAY_NAME like '%registry dr%')
OR SOFTWARE.DISPLAY_NAME like '%registrydr%')
OR SOFTWARE.DISPLAY_NAME like '%regwork%')
OR SOFTWARE.DISPLAY_NAME like '%re-markit%')
OR SOFTWARE.DISPLAY_NAME like '%Savekeep%')
OR SOFTWARE.DISPLAY_NAME like '%savesense%')
OR SOFTWARE.DISPLAY_NAME like '%SaveValet%')
OR SOFTWARE.DISPLAY_NAME like '%Savings%')
OR SOFTWARE.DISPLAY_NAME like '%Search module%')
OR SOFTWARE.DISPLAY_NAME like '%Search Protect%')
OR SOFTWARE.DISPLAY_NAME like '%Search Settings%')
OR SOFTWARE.DISPLAY_NAME like '%searchassist%')
OR SOFTWARE.DISPLAY_NAME like '%Searchqu%')
OR SOFTWARE.DISPLAY_NAME like '%SearchYa%')
OR SOFTWARE.DISPLAY_NAME like '%Selectionlinks%')
OR SOFTWARE.DISPLAY_NAME like '%Shop To Win%')
OR SOFTWARE.DISPLAY_NAME like '%Shopop%')
OR SOFTWARE.DISPLAY_NAME like '%Shopper%')
OR SOFTWARE.DISPLAY_NAME like '%shopping%')
OR SOFTWARE.DISPLAY_NAME like '%siteranker%')
OR SOFTWARE.DISPLAY_NAME like '%smartbar%')
OR SOFTWARE.DISPLAY_NAME like '%snap.do%')
OR SOFTWARE.DISPLAY_NAME like '%Softsafe%')
OR SOFTWARE.DISPLAY_NAME like '%software version updater%')
OR SOFTWARE.DISPLAY_NAME like '%speed%')
OR SOFTWARE.DISPLAY_NAME like '%speedypc%')
OR SOFTWARE.DISPLAY_NAME like '%strongvault%')
OR SOFTWARE.DISPLAY_NAME like '%surf%')
OR SOFTWARE.DISPLAY_NAME like '%swag%')
OR SOFTWARE.DISPLAY_NAME like '%swagbucks%')
OR SOFTWARE.DISPLAY_NAME like '%television%')
OR SOFTWARE.DISPLAY_NAME like '%The Sea App %')
OR SOFTWARE.DISPLAY_NAME like '%tube dimmer%')
OR SOFTWARE.DISPLAY_NAME like '%tuneupmymac%')
OR SOFTWARE.DISPLAY_NAME like '%uninstall helper%')
OR SOFTWARE.DISPLAY_NAME like '%url assistant%')
OR SOFTWARE.DISPLAY_NAME like '%VO Package%')
OR SOFTWARE.DISPLAY_NAME like '%video player%')
OR SOFTWARE.DISPLAY_NAME like '%videoconverter%')
OR SOFTWARE.DISPLAY_NAME like '%videoplayer%')
OR SOFTWARE.DISPLAY_NAME like '%visualbee%')
OR SOFTWARE.DISPLAY_NAME like '%w3i%')
OR SOFTWARE.DISPLAY_NAME like '%wajam%')
OR SOFTWARE.DISPLAY_NAME like '%weather channel%')
OR SOFTWARE.DISPLAY_NAME like '%weatherbug%')
OR SOFTWARE.DISPLAY_NAME like '%web assistant%')
OR SOFTWARE.DISPLAY_NAME like '%web layers%')
OR SOFTWARE.DISPLAY_NAME like '%web protect%')
OR SOFTWARE.DISPLAY_NAME like '%Web-cake%')
OR SOFTWARE.DISPLAY_NAME like '%webcake%')
OR SOFTWARE.DISPLAY_NAME like '%websteroids%')
OR SOFTWARE.DISPLAY_NAME like '%wildtangent%')
OR SOFTWARE.DISPLAY_NAME like '%yontoo%')
OR SOFTWARE.DISPLAY_NAME like '%youtube downloader%')
OR SOFTWARE.DISPLAY_NAME like '%ytd%')
OR SOFTWARE.DISPLAY_NAME like 'saver%')
OR SOFTWARE.DISPLAY_NAME like 'Shop%') /* ########## START PUBLISHER INCLUDES ######### */
/* # These all need to be "OR" and "like" # */
/* # New signature = add another paren! # */
/* ############################################# */
OR SOFTWARE.PUBLISHER like '%215 apps%')
OR SOFTWARE.PUBLISHER like '%adpeak%')
OR SOFTWARE.PUBLISHER like '%Alactro%')
OR SOFTWARE.PUBLISHER like '%ALOT%')
OR SOFTWARE.PUBLISHER like '%apn%')
OR SOFTWARE.PUBLISHER like '%aws convergence%')
OR SOFTWARE.PUBLISHER like '%backupdutylite%')
OR SOFTWARE.PUBLISHER like '%Bandoo%')
OR SOFTWARE.PUBLISHER like '%betwikx%')
OR SOFTWARE.PUBLISHER like '%bitberry%')
OR SOFTWARE.PUBLISHER like '%blue labs%')
OR SOFTWARE.PUBLISHER like '%browsersafeguard%')
OR SOFTWARE.PUBLISHER like '%compete%')
OR SOFTWARE.PUBLISHER like '%compuclever%')
OR SOFTWARE.PUBLISHER like '%Conduit%')
OR SOFTWARE.PUBLISHER like '%creative island media%')
OR SOFTWARE.PUBLISHER like '%crossreader%')
OR SOFTWARE.PUBLISHER like '%dealply%')
OR SOFTWARE.PUBLISHER like '%delta%')
OR SOFTWARE.PUBLISHER like '%DomaIQ%')
OR SOFTWARE.PUBLISHER like '%download freely%')
OR SOFTWARE.PUBLISHER like '%DownloadHelper%')
OR SOFTWARE.PUBLISHER like '%Ellora%')
OR SOFTWARE.PUBLISHER like '%exent%')
OR SOFTWARE.PUBLISHER like '%ez freeware%')
OR SOFTWARE.PUBLISHER like '%facemoods%')
OR SOFTWARE.PUBLISHER like '%fast free converter%')
OR SOFTWARE.PUBLISHER like '%freeze.com%')
OR SOFTWARE.PUBLISHER like '%funmoods%')
OR SOFTWARE.PUBLISHER like '%gigaclicks%')
OR SOFTWARE.PUBLISHER like '%GreenTree%')
OR SOFTWARE.PUBLISHER like '%growth systems%')
OR SOFTWARE.PUBLISHER like '%highlightly%')
OR SOFTWARE.PUBLISHER like '%Honlyn Limited%')
OR SOFTWARE.PUBLISHER like '%ibrytre%')
OR SOFTWARE.PUBLISHER like '%image converter%')
OR SOFTWARE.PUBLISHER like '%iminent%')
OR SOFTWARE.PUBLISHER like '%incredibar%')
OR SOFTWARE.PUBLISHER like '%incredimail%')
OR SOFTWARE.PUBLISHER like '%innovative apps%')
OR SOFTWARE.PUBLISHER like '%installconverter%')
OR SOFTWARE.PUBLISHER like '%InstallX%')
OR SOFTWARE.PUBLISHER like '%internethelper%')
OR SOFTWARE.PUBLISHER like '%iwebar%')
OR SOFTWARE.PUBLISHER like '%jdi backup%')
OR SOFTWARE.PUBLISHER like '%jenkat media%')
OR SOFTWARE.PUBLISHER like '%level quality%')
OR SOFTWARE.PUBLISHER like '%linksicle%')
OR SOFTWARE.PUBLISHER like '%linkury%')
OR SOFTWARE.PUBLISHER like '%Lyri%')
OR SOFTWARE.PUBLISHER like '%mediatechsoft%')
OR SOFTWARE.PUBLISHER like '%Mindspark Interactive%')
OR SOFTWARE.PUBLISHER like '%mixidj%')
OR SOFTWARE.PUBLISHER like '%my pop%')
OR SOFTWARE.PUBLISHER like '%my scrap nook%')
OR SOFTWARE.PUBLISHER like '%my web search%')
OR SOFTWARE.PUBLISHER like '%mypc backup%')
OR SOFTWARE.PUBLISHER like '%mysearchdial%')
OR SOFTWARE.PUBLISHER like '%omega partners%')
OR SOFTWARE.PUBLISHER like '%ooo industry%')
OR SOFTWARE.PUBLISHER like '%openit%')
OR SOFTWARE.PUBLISHER like '%Paretologic%')
OR SOFTWARE.PUBLISHER like '%pc health%')
OR SOFTWARE.PUBLISHER like '%pc optimizer pro%')
OR SOFTWARE.PUBLISHER like '%pc utilities%')
OR SOFTWARE.PUBLISHER like '%pcrx.com%')
OR SOFTWARE.PUBLISHER like '%performersoft%')
OR SOFTWARE.PUBLISHER like '%pinwid%')
OR SOFTWARE.PUBLISHER like '%playbryte%')
OR SOFTWARE.PUBLISHER like '%plus hd%')
OR SOFTWARE.PUBLISHER like '%pricegong%')
OR SOFTWARE.PUBLISHER like '%privacy safeguard%')
OR SOFTWARE.PUBLISHER like '%quiknowledge%')
OR SOFTWARE.PUBLISHER like '%qwiklinx%')
OR SOFTWARE.PUBLISHER like '%regcure%')
OR SOFTWARE.PUBLISHER like '%re-markit%')
OR SOFTWARE.PUBLISHER like '%rightsurf%')
OR SOFTWARE.PUBLISHER like '%savings%')
OR SOFTWARE.PUBLISHER like '%search module%')
OR SOFTWARE.PUBLISHER like '%search results%')
OR SOFTWARE.PUBLISHER like '%selectionlinks%')
OR SOFTWARE.PUBLISHER like '%shop to win%')
OR SOFTWARE.PUBLISHER like '%shopperreports%')
OR SOFTWARE.PUBLISHER like '%shoppingchip%')
OR SOFTWARE.PUBLISHER like '%showpass%')
OR SOFTWARE.PUBLISHER like '%slimware%')
OR SOFTWARE.PUBLISHER like '%speedypc software%')
OR SOFTWARE.PUBLISHER like '%spigot%')
OR SOFTWARE.PUBLISHER like '%strongvault%')
OR SOFTWARE.PUBLISHER like '%suprasavings%')
OR SOFTWARE.PUBLISHER like '%surf canyon%')
OR SOFTWARE.PUBLISHER like '%suurfkeepit%')
OR SOFTWARE.PUBLISHER like '%sweetpacks%')
OR SOFTWARE.PUBLISHER like '%systemspeedup%')
OR SOFTWARE.PUBLISHER like '%systweak%')
OR SOFTWARE.PUBLISHER like '%television%')
OR SOFTWARE.PUBLISHER like '%tuguu%')
OR SOFTWARE.PUBLISHER like '%Uniblue systems%')
OR SOFTWARE.PUBLISHER like '%video player%')
OR SOFTWARE.PUBLISHER like '%visual tools%')
OR SOFTWARE.PUBLISHER like '%visualbee%')
OR SOFTWARE.PUBLISHER like '%volonet%')
OR SOFTWARE.PUBLISHER like '%w3i%')
OR SOFTWARE.PUBLISHER like '%wajam%')
OR SOFTWARE.PUBLISHER like '%wajam%')
OR SOFTWARE.PUBLISHER like '%We-care.com%')
OR SOFTWARE.PUBLISHER like '%web cake%')
OR SOFTWARE.PUBLISHER like '%web layers%')
OR SOFTWARE.PUBLISHER like '%web protect%')
OR SOFTWARE.PUBLISHER like '%webcake%')
OR SOFTWARE.PUBLISHER like '%wildtangent%')
OR SOFTWARE.PUBLISHER like '%xportsoft%')
OR SOFTWARE.PUBLISHER like '%yontoo%')
OR SOFTWARE.PUBLISHER like 'resoft%')
/* ############### START EXCLUDES ############## */
/* # These all need to be "AND" and "not like" # */
/* # New signature = add another paren! # */
/* ############################################# */
AND SOFTWARE.PUBLISHER not like '%Aimersoft%')
AND SOFTWARE.PUBLISHER not like '%DivX%')
AND SOFTWARE.DISPLAY_NAME not like '%canon%')
AND SOFTWARE.DISPLAY_NAME not like '%deltagraph%')
AND SOFTWARE.DISPLAY_NAME not like '%Keyspan High Speed USB Serial Adapter%')
AND SOFTWARE.DISPLAY_NAME not like '%MAGIX Speed burnR%')
AND SOFTWARE.DISPLAY_NAME not like '%panasonic%')
AND SOFTWARE.DISPLAY_NAME not like '%speedstudy%')
AND SOFTWARE.DISPLAY_NAME not like '%SpeedswitchXP%')
AND SOFTWARE.DISPLAY_NAME not like '%VPN%') /* ######################### The Label Switch ######################### */
/* # Comment this to ID ALL software listed above as malware. # */
/* # Uncomment this to only ID software that haven't been categorized. # */
/* ###################################################################### */
AND SOFTWARE.THREAT != '5') /* ##### END QUERY ####### */

Comments

  • Updated the query to look a little nicer, after realizing how messy it was before. :) - colbya 7 years ago
  • Wow, thanks OP. - smrmcjason 7 years ago
    • No problem! Just glad someone in the community finds it useful. You can check back periodically, as I'll post comments indicating when I've updated the script. I like to keep these things current instead of letting them languish. - colbya 7 years ago
    • I just added a link to an Imgur gallery that shows the report wizard set up I use to generate a really slick report to utilize this information. You might enjoy that too. :) - colbya 7 years ago
  • I'm not sure I'm doing this correctly. I'm on k1000 6.0 which may make a difference.
    I create a temp smart lable, go to edit it, and paste your query in. I get an error stating: "1064: you have an error in your SQL syntax;" - animerunt 7 years ago
    • I can't tell you for sure because we haven't upgraded to 6.0 yet, but let's see... It would help to get more of the beginning of that syntax error, since it usually tells you where it goes wrong. It'll say something like "your SQL syntax; near..." and then show you the whole query. But the first couple of lines of it usually shows you.

      You might also try making sure you properly copy and pasted it. If you miss any of the comment flags (/* or */), the editor thinks it's part of the query and it will throw errors.

      You might also try copy and pasting it into and intermediary like Notepad, that will strip all the editing and HTML that might've been picked up from copying it out of the code box above.

      I don't think the query structure has changed that much from 5.x to 6.x. I can't imagine that happening, so there must be some other superficial error. If you give me a little more of the error log I might be able to tell you more. :) - colbya 7 years ago
      • You are correct. It told me it was near the last line. Found the issue. When copying and pasting from itninja, they evidently like to add on a little extra to the end of the selection.

        It added "- See more at: http://www.itninja.com/blog/view/massive-malware-smart-label-and-k1000-scripting-practices#sthash.Svuqed2b.dpuf" to the end of the copied text. Removed that and it was good to go. - animerunt 7 years ago
  • Updated post phrasing so it sounded better, and added a gallery link to show how I set up the report to utilize this query info! - colbya 7 years ago
  • Nice script. I got a lot of false positives, but I did see some conduit entries. - flip1001 7 years ago
    • Yeah, there's some customization that needs to go into it based on whatever programs are on your network. I know some things, like the catch for 'speed', will pull up some things it shouldn't.

      That's why I tried to keep it clean and easily editable, and you can always add the false positives to the exclude list.

      You might also change the switch at the end to only ID things that are Threat 3. That way if you ID it, it won't pick it up. That would allow you to classify the false positives as Threat 1 (or really any threat other than 3), to keep them from coming up on the smart label. :) - colbya 7 years ago
  • Ok, I am kind of a noob, I have not been able to figure out how to get this thing to work and generate useful data. I have created a new SQL report. It runs, but just lists line numbers and then a series of numbers on the right side. What am I doing wrong? Just frustrated. The learning curve on this device is a pain. - smrmcjason 7 years ago
    • Hello smrmcjason! It's not working for you because this is a smart label for automatically flagging software from the inventory founds by KACE agents. Not an SQL report. Try adding the info in the code box from my post to a new SQL smart label instead. Remember you may need to change some of the content because it could result in false positives in your enterprise depending on the software you use. I'd you have further trouble feel free to leave more comments and I'll help a add much add I can. - colbya 7 years ago
  • Thanks, got the smart label created. That is a huge start. Now, to create actions to deny/remove this junk automatically. ;-) - smrmcjason 7 years ago
    • I'd be very careful with that if I were you. Not only are you going to have to make a ton of Uninstaller packages but you'll have to make new ones for each version of malware that comes out if you're using KACE. Also make sure you don't have a bunch of false positives or you might accidentally delete something you don't want deleted. Just some mistakes I've made and things I've come across :) - colbya 7 years ago
  • Yeah, I re-thought that after I posted that. Just going to use this as a basis for manual removal. Once we get the herd thinned out it will be easy to maintain after that. Thanks as always for the master list. If you need anything or help maintaining it let me know. I will help here I am able. - smrmcjason 7 years ago
    • The label as it is now is from manually picking through roughly 17,000 entries like I said. Once you go through that much, it's just a game of finding what you missed, Googling unfamiliar signatures in inventory, and adding them to the list. If you come across any new signatures not included in the list, or refinements to things that frequently flag false positives, if you send me a private message with the changes I'd be happy to include it in my updates of the post! And from my experience, you're definitely correct: it's a breeze once you thin it out :) - colbya 7 years ago
  • Hello, how i can use this ? it's compatible with kace 6.2 ? have you an update list ? - gjoubert 6 years ago
  • Do not know if you are still keeping up with this, but I found this site that may help in adding new malware to the list. http://www.spywareguide.com/product_list_full.php - gurugabe 5 years ago
This post is locked

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ