(AUTHOR'S NOTE: Check out my other two queries for VPNs/Proxies and P2P/Torrent Clients over here! Also, you might want to follow this post, as I'll update the query as I change it and find more signatures to track!)
So a few months ago I was tasked with tracking down some Conduit malware infections in my enterprise setting. I was provided with this nice little print out of IP addresses and was told to track them down manually and fix the problem. I knew I could do a more efficient job by using KACE inventory tracking and reports.
Since I was assigned that little malware-cleanup job, I've hand-filtered through over 16,750 software signatures gathered from over 9000 workstations in our enterprise. I wanted to share this massive smart-label script I created. I also think it's a good example of how to produce a well-documented script that is easily understood by newcomers. Not that KACE SQL is that complicated... But still!
The query catches all malware names that I could find based on Vendor and Display fields. This pastes right into the smart label script - you can use the wizard to create one and paste this in there. Everything is commented to hell and back, so it largely explains itself. Remember when creating scripts you should comment everything so that new people coming in can make sense of what you've written. Changelogs, while bloating the line count, are useful for troubleshooting if something goes wrong. Since KACE editor is not monospaced font the layout gets a little funky. I chose to keep it functional for monospaced editors because I do all my editing in Notepad++.
This script catches approximately 270 different software names and publishers, with about 10 exludes built in to avoid common false-positives I ran across, and a switch to only put softwares in the Malware label if they aren't rated with Threat 5. Essentially what this does is creates a nice little label that only shows up in my list if NEW malware comes onto my network, and anything I've already identified and flagged Threat 5 is ignored. So any time I see the Malware label in my list, I know there's new malware I need to categorize. If you want the label to stick all the time, you can just comment out or remove the last line.
The intention here is to use the Reporting features to generate a report that shows machines with Threat 5 software (see link below for example report). You can design the report with the wizard so that it shows machines by IP and even username logged in, so you can see exactly who and where the infections are. If your enterprise uses VNC or something similar, you can easily track users down and clean up the infection.
You can change little things here and there. Most of my signatures will catch the words between the parens if they show up ANYWHERE in that field. That's why, for example, I commented out "Converter" because there were lots of legit files with the word converter in them. If you know a file started with the word Converter, you could remove the first % so it read "... like 'Converter%')" for example.
Below I've linked an image gallery to show how I used the KACE Report Wizard to set up the report I use in conjunction with the Smart Label query I've pasted into the code box below that. Just keep in mind that Report won't show anything until you go into Software Inventory, use "View All" to view the Malware label, and classify it all as Threat 5, since the report operates off the Threat rating, and not the Malware label itself. Enjoy! :)
Report Wizard Gallery here: (link outdated with updated KACE release... Sorry folks, don't have time to fix it!)
/* ##################################################### */
/* # PURPOSE: Flags Software Inventory items with the # */
/* # Malware label for quick flagging and reporting. # */
/* ##################################################### */ /* ##### COMMENTS ##### */
/* Display and Vendor names are encased in single quotes. Percents are wildcards. First block is names, second is publishers, third is excludes.
Please keep new entries alphabetical first, then search function second.
Please verify changes for false positives & update changelog. Suggested parsing editor is something monospaced. This editor is trash. */ /* ##### CHANGELOG ##### */
/*
04.22.2014 Real Name <email>
* Created query.
04.23.2014 Real Name <email>
* Added 100+ more signatures.
04.24.2014 Real Name <email>
* Added 100+ more signatures.
* Fixed formatting for ease of reading.
* Added comment blocks & changelog. 05.05.2014 Real Name <email>
* Change 'File Type Assistant' to 'File Type' for broader catch.
* Added 2 new signatures.
* Removed filter for 'IOBit' signature.
* Moved commented lines and added "Disabled Entries" section. 05.06.2014 Real Name <email>
* Added 2 new signatures. 05.07.2014 Real Name <email>
* Added 11 new signatures.
* Removed 1 signature. 05.08.2014 Real Name <email>
* Added 3 new signatures.
05.08.2014 Real Name <email>
* Cleaned up the script a little for uniformity.
*/ /* ##### BEGIN QUERY ####### */
/* # Leave this part alone. # */
/* ########################## */ SELECT ID FROM SOFTWARE WHERE /* ########## START NAME INCLUDES ######### */
/* # These all need to be "OR" and "like" # */
/* # New signature = add another paren! # */
/* # Parens in groups of 10, lines of 30. # */
/* ############################################# */
(((((((((( (((((((((( ((((((((((
(((((((((( (((((((((( ((((((((((
(((((((((( (((((((((( ((((((((((
(((((((((( (((((((((( ((((((((((
(((((((((( (((((((((( ((((((((((
(((((((((( (((((((((( ((((((((((
(((((((((( (((((((((( ((((((((((
(((((((((( (((((((((( ((((((((((
(((((((((( (((((((((( ((((((((((
(((((((((( ( /* # DISABLED ENTRIES # */
/* ##################### */
/*((
OR SOFTWARE.DISPLAY_NAME like '%Convert%')
OR SOFTWARE.DISPLAY_NAME like '%Microsoft Search Enhancement Pack%') */
/* ##################### */ SOFTWARE.DISPLAY_NAME like '%24x7 Help%')
OR SOFTWARE.DISPLAY_NAME like '%advanced registry optimizer%')
OR SOFTWARE.DISPLAY_NAME like '%Advanced System Protector%')
OR SOFTWARE.DISPLAY_NAME like '%Allyrics-22%')
OR SOFTWARE.DISPLAY_NAME like '%appbar%')
OR SOFTWARE.DISPLAY_NAME like '%appgraffiti%')
OR SOFTWARE.DISPLAY_NAME like '%Babylon%')
OR SOFTWARE.DISPLAY_NAME like '%backupdutylite%')
OR SOFTWARE.DISPLAY_NAME like '%BitGuard%')
OR SOFTWARE.DISPLAY_NAME like '%Blitz Media Player%')
OR SOFTWARE.DISPLAY_NAME like '%Browse For Change%')
OR SOFTWARE.DISPLAY_NAME like '%BrowserProtect%')
OR SOFTWARE.DISPLAY_NAME like '%browsersafeguard%')
OR SOFTWARE.DISPLAY_NAME like '%browsetosave%')
OR SOFTWARE.DISPLAY_NAME like '%Buzz-it%')
OR SOFTWARE.DISPLAY_NAME like '%BuzzSearch%')
OR SOFTWARE.DISPLAY_NAME like '%cioolsalecooupon%')
OR SOFTWARE.DISPLAY_NAME like '%clean water action%')
OR SOFTWARE.DISPLAY_NAME like '%Community Smartbar%')
OR SOFTWARE.DISPLAY_NAME like '%Conduit%')
OR SOFTWARE.DISPLAY_NAME like '%consumer input%')
OR SOFTWARE.DISPLAY_NAME like '%ConvertHelper%')
OR SOFTWARE.DISPLAY_NAME like '%Coupon%')
OR SOFTWARE.DISPLAY_NAME like '%Crawler%')
OR SOFTWARE.DISPLAY_NAME like '%crossreader%')
OR SOFTWARE.DISPLAY_NAME like '%Deal Boat%')
OR SOFTWARE.DISPLAY_NAME like '%Dealio%')
OR SOFTWARE.DISPLAY_NAME like '%DealPly%')
OR SOFTWARE.DISPLAY_NAME like '%Deals%')
OR SOFTWARE.DISPLAY_NAME like '%DefaultTab%')
OR SOFTWARE.DISPLAY_NAME like '%Delta%')
OR SOFTWARE.DISPLAY_NAME like '%Dictionaryboss%')
OR SOFTWARE.DISPLAY_NAME like '%Dmuninstaller%')
OR SOFTWARE.DISPLAY_NAME like '%Driver Performer%')
OR SOFTWARE.DISPLAY_NAME like '%driverupdate%')
OR SOFTWARE.DISPLAY_NAME like '%facemoods%')
OR SOFTWARE.DISPLAY_NAME like '%Fast Free Converter%')
OR SOFTWARE.DISPLAY_NAME like '%Fast Search%')
OR SOFTWARE.DISPLAY_NAME like '%File Type%')
OR SOFTWARE.DISPLAY_NAME like '%Files Opened%')
OR SOFTWARE.DISPLAY_NAME like '%free file viewer%')
OR SOFTWARE.DISPLAY_NAME like '%free opener%')
OR SOFTWARE.DISPLAY_NAME like '%Free Video Player%')
OR SOFTWARE.DISPLAY_NAME like '%freemake%')
OR SOFTWARE.DISPLAY_NAME like '%Funmoods%')
OR SOFTWARE.DISPLAY_NAME like '%Gaming Extension%')
OR SOFTWARE.DISPLAY_NAME like '%genieo%')
OR SOFTWARE.DISPLAY_NAME like '%genieoExtra%')
OR SOFTWARE.DISPLAY_NAME like '%highlightly%')
OR SOFTWARE.DISPLAY_NAME like '%Hoopla%')
OR SOFTWARE.DISPLAY_NAME like '%I Want This%')
OR SOFTWARE.DISPLAY_NAME like '%IB Updater%')
OR SOFTWARE.DISPLAY_NAME like '%iLivid%')
OR SOFTWARE.DISPLAY_NAME like '%IM completer%')
OR SOFTWARE.DISPLAY_NAME like '%image converter%')
OR SOFTWARE.DISPLAY_NAME like '%Iminent%')
OR SOFTWARE.DISPLAY_NAME like '%InboxAce%')
OR SOFTWARE.DISPLAY_NAME like '%Incredibar%')
OR SOFTWARE.DISPLAY_NAME like '%installconverter%')
OR SOFTWARE.DISPLAY_NAME like '%installmac%')
OR SOFTWARE.DISPLAY_NAME like '%InstallX Search Protect%')
OR SOFTWARE.DISPLAY_NAME like '%Internet Turbo%')
OR SOFTWARE.DISPLAY_NAME like '%InternetHelper%')
OR SOFTWARE.DISPLAY_NAME like '%Iwebar%')
OR SOFTWARE.DISPLAY_NAME like '%level quality%')
OR SOFTWARE.DISPLAY_NAME like '%Linksicle%')
OR SOFTWARE.DISPLAY_NAME like '%Lpt System Updater%')
OR SOFTWARE.DISPLAY_NAME like '%LTCM Client %')
OR SOFTWARE.DISPLAY_NAME like '%Lyri%')
OR SOFTWARE.DISPLAY_NAME like '%Mega Browse%')
OR SOFTWARE.DISPLAY_NAME like '%MixiDJ%')
OR SOFTWARE.DISPLAY_NAME like '%mobogenie%')
OR SOFTWARE.DISPLAY_NAME like '%mplayer%')
OR SOFTWARE.DISPLAY_NAME like '%muvic%')
OR SOFTWARE.DISPLAY_NAME like '%My Scrap Nook%')
OR SOFTWARE.DISPLAY_NAME like '%My Web Search%')
OR SOFTWARE.DISPLAY_NAME like '%MyPC Backup%')
OR SOFTWARE.DISPLAY_NAME like '%Mysearchdial%')
OR SOFTWARE.DISPLAY_NAME like '%NetAssistant%')
OR SOFTWARE.DISPLAY_NAME like '%Netzero%')
OR SOFTWARE.DISPLAY_NAME like '%Online Vault%')
OR SOFTWARE.DISPLAY_NAME like '%Open It!%')
OR SOFTWARE.DISPLAY_NAME like '%openfreely%')
OR SOFTWARE.DISPLAY_NAME like '%Optimizer Pro%')
OR SOFTWARE.DISPLAY_NAME like '%ParetoLogic%')
OR SOFTWARE.DISPLAY_NAME like '%pc clean%')
OR SOFTWARE.DISPLAY_NAME like '%pc health%')
OR SOFTWARE.DISPLAY_NAME like '%PC Optimizer%')
OR SOFTWARE.DISPLAY_NAME like '%PC Performer%')
OR SOFTWARE.DISPLAY_NAME like '%playbryte%')
OR SOFTWARE.DISPLAY_NAME like '%Plus-hd%')
OR SOFTWARE.DISPLAY_NAME like '%PriceGong%')
OR SOFTWARE.DISPLAY_NAME like '%PricePeep%')
OR SOFTWARE.DISPLAY_NAME like '%privacy safeguard%')
OR SOFTWARE.DISPLAY_NAME like '%quiknowledge%')
OR SOFTWARE.DISPLAY_NAME like '%qwiklinx%')
OR SOFTWARE.DISPLAY_NAME like '%regcure%')
OR SOFTWARE.DISPLAY_NAME like '%RegCurePro%')
OR SOFTWARE.DISPLAY_NAME like '%regcurePro%')
OR SOFTWARE.DISPLAY_NAME like '%registry dr%')
OR SOFTWARE.DISPLAY_NAME like '%registrydr%')
OR SOFTWARE.DISPLAY_NAME like '%regwork%')
OR SOFTWARE.DISPLAY_NAME like '%re-markit%')
OR SOFTWARE.DISPLAY_NAME like '%Savekeep%')
OR SOFTWARE.DISPLAY_NAME like '%savesense%')
OR SOFTWARE.DISPLAY_NAME like '%SaveValet%')
OR SOFTWARE.DISPLAY_NAME like '%Savings%')
OR SOFTWARE.DISPLAY_NAME like '%Search module%')
OR SOFTWARE.DISPLAY_NAME like '%Search Protect%')
OR SOFTWARE.DISPLAY_NAME like '%Search Settings%')
OR SOFTWARE.DISPLAY_NAME like '%searchassist%')
OR SOFTWARE.DISPLAY_NAME like '%Searchqu%')
OR SOFTWARE.DISPLAY_NAME like '%SearchYa%')
OR SOFTWARE.DISPLAY_NAME like '%Selectionlinks%')
OR SOFTWARE.DISPLAY_NAME like '%Shop To Win%')
OR SOFTWARE.DISPLAY_NAME like '%Shopop%')
OR SOFTWARE.DISPLAY_NAME like '%Shopper%')
OR SOFTWARE.DISPLAY_NAME like '%shopping%')
OR SOFTWARE.DISPLAY_NAME like '%siteranker%')
OR SOFTWARE.DISPLAY_NAME like '%smartbar%')
OR SOFTWARE.DISPLAY_NAME like '%snap.do%')
OR SOFTWARE.DISPLAY_NAME like '%Softsafe%')
OR SOFTWARE.DISPLAY_NAME like '%software version updater%')
OR SOFTWARE.DISPLAY_NAME like '%speed%')
OR SOFTWARE.DISPLAY_NAME like '%speedypc%')
OR SOFTWARE.DISPLAY_NAME like '%strongvault%')
OR SOFTWARE.DISPLAY_NAME like '%surf%')
OR SOFTWARE.DISPLAY_NAME like '%swag%')
OR SOFTWARE.DISPLAY_NAME like '%swagbucks%')
OR SOFTWARE.DISPLAY_NAME like '%television%')
OR SOFTWARE.DISPLAY_NAME like '%The Sea App %')
OR SOFTWARE.DISPLAY_NAME like '%tube dimmer%')
OR SOFTWARE.DISPLAY_NAME like '%tuneupmymac%')
OR SOFTWARE.DISPLAY_NAME like '%uninstall helper%')
OR SOFTWARE.DISPLAY_NAME like '%url assistant%')
OR SOFTWARE.DISPLAY_NAME like '%VO Package%')
OR SOFTWARE.DISPLAY_NAME like '%video player%')
OR SOFTWARE.DISPLAY_NAME like '%videoconverter%')
OR SOFTWARE.DISPLAY_NAME like '%videoplayer%')
OR SOFTWARE.DISPLAY_NAME like '%visualbee%')
OR SOFTWARE.DISPLAY_NAME like '%w3i%')
OR SOFTWARE.DISPLAY_NAME like '%wajam%')
OR SOFTWARE.DISPLAY_NAME like '%weather channel%')
OR SOFTWARE.DISPLAY_NAME like '%weatherbug%')
OR SOFTWARE.DISPLAY_NAME like '%web assistant%')
OR SOFTWARE.DISPLAY_NAME like '%web layers%')
OR SOFTWARE.DISPLAY_NAME like '%web protect%')
OR SOFTWARE.DISPLAY_NAME like '%Web-cake%')
OR SOFTWARE.DISPLAY_NAME like '%webcake%')
OR SOFTWARE.DISPLAY_NAME like '%websteroids%')
OR SOFTWARE.DISPLAY_NAME like '%wildtangent%')
OR SOFTWARE.DISPLAY_NAME like '%yontoo%')
OR SOFTWARE.DISPLAY_NAME like '%youtube downloader%')
OR SOFTWARE.DISPLAY_NAME like '%ytd%')
OR SOFTWARE.DISPLAY_NAME like 'saver%')
OR SOFTWARE.DISPLAY_NAME like 'Shop%') /* ########## START PUBLISHER INCLUDES ######### */
/* # These all need to be "OR" and "like" # */
/* # New signature = add another paren! # */
/* ############################################# */
OR SOFTWARE.PUBLISHER like '%215 apps%')
OR SOFTWARE.PUBLISHER like '%adpeak%')
OR SOFTWARE.PUBLISHER like '%Alactro%')
OR SOFTWARE.PUBLISHER like '%ALOT%')
OR SOFTWARE.PUBLISHER like '%apn%')
OR SOFTWARE.PUBLISHER like '%aws convergence%')
OR SOFTWARE.PUBLISHER like '%backupdutylite%')
OR SOFTWARE.PUBLISHER like '%Bandoo%')
OR SOFTWARE.PUBLISHER like '%betwikx%')
OR SOFTWARE.PUBLISHER like '%bitberry%')
OR SOFTWARE.PUBLISHER like '%blue labs%')
OR SOFTWARE.PUBLISHER like '%browsersafeguard%')
OR SOFTWARE.PUBLISHER like '%compete%')
OR SOFTWARE.PUBLISHER like '%compuclever%')
OR SOFTWARE.PUBLISHER like '%Conduit%')
OR SOFTWARE.PUBLISHER like '%creative island media%')
OR SOFTWARE.PUBLISHER like '%crossreader%')
OR SOFTWARE.PUBLISHER like '%dealply%')
OR SOFTWARE.PUBLISHER like '%delta%')
OR SOFTWARE.PUBLISHER like '%DomaIQ%')
OR SOFTWARE.PUBLISHER like '%download freely%')
OR SOFTWARE.PUBLISHER like '%DownloadHelper%')
OR SOFTWARE.PUBLISHER like '%Ellora%')
OR SOFTWARE.PUBLISHER like '%exent%')
OR SOFTWARE.PUBLISHER like '%ez freeware%')
OR SOFTWARE.PUBLISHER like '%facemoods%')
OR SOFTWARE.PUBLISHER like '%fast free converter%')
OR SOFTWARE.PUBLISHER like '%freeze.com%')
OR SOFTWARE.PUBLISHER like '%funmoods%')
OR SOFTWARE.PUBLISHER like '%gigaclicks%')
OR SOFTWARE.PUBLISHER like '%GreenTree%')
OR SOFTWARE.PUBLISHER like '%growth systems%')
OR SOFTWARE.PUBLISHER like '%highlightly%')
OR SOFTWARE.PUBLISHER like '%Honlyn Limited%')
OR SOFTWARE.PUBLISHER like '%ibrytre%')
OR SOFTWARE.PUBLISHER like '%image converter%')
OR SOFTWARE.PUBLISHER like '%iminent%')
OR SOFTWARE.PUBLISHER like '%incredibar%')
OR SOFTWARE.PUBLISHER like '%incredimail%')
OR SOFTWARE.PUBLISHER like '%innovative apps%')
OR SOFTWARE.PUBLISHER like '%installconverter%')
OR SOFTWARE.PUBLISHER like '%InstallX%')
OR SOFTWARE.PUBLISHER like '%internethelper%')
OR SOFTWARE.PUBLISHER like '%iwebar%')
OR SOFTWARE.PUBLISHER like '%jdi backup%')
OR SOFTWARE.PUBLISHER like '%jenkat media%')
OR SOFTWARE.PUBLISHER like '%level quality%')
OR SOFTWARE.PUBLISHER like '%linksicle%')
OR SOFTWARE.PUBLISHER like '%linkury%')
OR SOFTWARE.PUBLISHER like '%Lyri%')
OR SOFTWARE.PUBLISHER like '%mediatechsoft%')
OR SOFTWARE.PUBLISHER like '%Mindspark Interactive%')
OR SOFTWARE.PUBLISHER like '%mixidj%')
OR SOFTWARE.PUBLISHER like '%my pop%')
OR SOFTWARE.PUBLISHER like '%my scrap nook%')
OR SOFTWARE.PUBLISHER like '%my web search%')
OR SOFTWARE.PUBLISHER like '%mypc backup%')
OR SOFTWARE.PUBLISHER like '%mysearchdial%')
OR SOFTWARE.PUBLISHER like '%omega partners%')
OR SOFTWARE.PUBLISHER like '%ooo industry%')
OR SOFTWARE.PUBLISHER like '%openit%')
OR SOFTWARE.PUBLISHER like '%Paretologic%')
OR SOFTWARE.PUBLISHER like '%pc health%')
OR SOFTWARE.PUBLISHER like '%pc optimizer pro%')
OR SOFTWARE.PUBLISHER like '%pc utilities%')
OR SOFTWARE.PUBLISHER like '%pcrx.com%')
OR SOFTWARE.PUBLISHER like '%performersoft%')
OR SOFTWARE.PUBLISHER like '%pinwid%')
OR SOFTWARE.PUBLISHER like '%playbryte%')
OR SOFTWARE.PUBLISHER like '%plus hd%')
OR SOFTWARE.PUBLISHER like '%pricegong%')
OR SOFTWARE.PUBLISHER like '%privacy safeguard%')
OR SOFTWARE.PUBLISHER like '%quiknowledge%')
OR SOFTWARE.PUBLISHER like '%qwiklinx%')
OR SOFTWARE.PUBLISHER like '%regcure%')
OR SOFTWARE.PUBLISHER like '%re-markit%')
OR SOFTWARE.PUBLISHER like '%rightsurf%')
OR SOFTWARE.PUBLISHER like '%savings%')
OR SOFTWARE.PUBLISHER like '%search module%')
OR SOFTWARE.PUBLISHER like '%search results%')
OR SOFTWARE.PUBLISHER like '%selectionlinks%')
OR SOFTWARE.PUBLISHER like '%shop to win%')
OR SOFTWARE.PUBLISHER like '%shopperreports%')
OR SOFTWARE.PUBLISHER like '%shoppingchip%')
OR SOFTWARE.PUBLISHER like '%showpass%')
OR SOFTWARE.PUBLISHER like '%slimware%')
OR SOFTWARE.PUBLISHER like '%speedypc software%')
OR SOFTWARE.PUBLISHER like '%spigot%')
OR SOFTWARE.PUBLISHER like '%strongvault%')
OR SOFTWARE.PUBLISHER like '%suprasavings%')
OR SOFTWARE.PUBLISHER like '%surf canyon%')
OR SOFTWARE.PUBLISHER like '%suurfkeepit%')
OR SOFTWARE.PUBLISHER like '%sweetpacks%')
OR SOFTWARE.PUBLISHER like '%systemspeedup%')
OR SOFTWARE.PUBLISHER like '%systweak%')
OR SOFTWARE.PUBLISHER like '%television%')
OR SOFTWARE.PUBLISHER like '%tuguu%')
OR SOFTWARE.PUBLISHER like '%Uniblue systems%')
OR SOFTWARE.PUBLISHER like '%video player%')
OR SOFTWARE.PUBLISHER like '%visual tools%')
OR SOFTWARE.PUBLISHER like '%visualbee%')
OR SOFTWARE.PUBLISHER like '%volonet%')
OR SOFTWARE.PUBLISHER like '%w3i%')
OR SOFTWARE.PUBLISHER like '%wajam%')
OR SOFTWARE.PUBLISHER like '%wajam%')
OR SOFTWARE.PUBLISHER like '%We-care.com%')
OR SOFTWARE.PUBLISHER like '%web cake%')
OR SOFTWARE.PUBLISHER like '%web layers%')
OR SOFTWARE.PUBLISHER like '%web protect%')
OR SOFTWARE.PUBLISHER like '%webcake%')
OR SOFTWARE.PUBLISHER like '%wildtangent%')
OR SOFTWARE.PUBLISHER like '%xportsoft%')
OR SOFTWARE.PUBLISHER like '%yontoo%')
OR SOFTWARE.PUBLISHER like 'resoft%')
/* ############### START EXCLUDES ############## */
/* # These all need to be "AND" and "not like" # */
/* # New signature = add another paren! # */
/* ############################################# */
AND SOFTWARE.PUBLISHER not like '%Aimersoft%')
AND SOFTWARE.PUBLISHER not like '%DivX%')
AND SOFTWARE.DISPLAY_NAME not like '%canon%')
AND SOFTWARE.DISPLAY_NAME not like '%deltagraph%')
AND SOFTWARE.DISPLAY_NAME not like '%Keyspan High Speed USB Serial Adapter%')
AND SOFTWARE.DISPLAY_NAME not like '%MAGIX Speed burnR%')
AND SOFTWARE.DISPLAY_NAME not like '%panasonic%')
AND SOFTWARE.DISPLAY_NAME not like '%speedstudy%')
AND SOFTWARE.DISPLAY_NAME not like '%SpeedswitchXP%')
AND SOFTWARE.DISPLAY_NAME not like '%VPN%') /* ######################### The Label Switch ######################### */
/* # Comment this to ID ALL software listed above as malware. # */
/* # Uncomment this to only ID software that haven't been categorized. # */
/* ###################################################################### */
AND SOFTWARE.THREAT != '5') /* ##### END QUERY ####### */
I create a temp smart lable, go to edit it, and paste your query in. I get an error stating: "1064: you have an error in your SQL syntax;" - animerunt 9 years ago
You might also try making sure you properly copy and pasted it. If you miss any of the comment flags (/* or */), the editor thinks it's part of the query and it will throw errors.
You might also try copy and pasting it into and intermediary like Notepad, that will strip all the editing and HTML that might've been picked up from copying it out of the code box above.
I don't think the query structure has changed that much from 5.x to 6.x. I can't imagine that happening, so there must be some other superficial error. If you give me a little more of the error log I might be able to tell you more. :) - colbya 9 years ago
It added "- See more at: http://www.itninja.com/blog/view/massive-malware-smart-label-and-k1000-scripting-practices#sthash.Svuqed2b.dpuf" to the end of the copied text. Removed that and it was good to go. - animerunt 9 years ago
That's why I tried to keep it clean and easily editable, and you can always add the false positives to the exclude list.
You might also change the switch at the end to only ID things that are Threat 3. That way if you ID it, it won't pick it up. That would allow you to classify the false positives as Threat 1 (or really any threat other than 3), to keep them from coming up on the smart label. :) - colbya 9 years ago