Global Moderators

Forum wide moderators

Private

Posts

  • Custom Software & Advanced Customisation - TUG

    Custom Software & Advanced Customisation - Technical Usage Guide

    These features allow you to deploy Windows installers and supporting files to any Windows device.
    Both features work the same way operationally; Advanced Customisation ties into our version-based detection for supported applications.


    1. What the System Does

    Execution Context

    Each job runs either as SYSTEM or as the logged-in user.
    Advanced Customisation automatically selects the correct context for the target app.

    All uploaded files are placed into a temporary working directory controlled by our package wrapper. This directory is cleaned up automatically after execution.


    2. Primary Installer vs. Additional Files

    Primary Installer

    Only the primary installer is executed.

    Supported primary file types:
    • .msi
    • .msp
    • .exe
    • .ps1
    • .bat
    • adobe*.zip (special handling; primary only)

    You can supply arguments for the primary installer.

    Additional Files

    Additional files are placed in the working directory but are not executed automatically.

    Typical uses:
    • Transforms/configs (.mst, .cfg, .xml)
    • Supporting content (.zip, .ini, etc.)
    • Registry files (.reg)

    If a secondary file must be executed, make the primary file a script and orchestrate everything from there.

    Example using .mst:
    https://vulndetect.org/topic/2382/foxit-phantompdf-to-foxit-pdf-editor-upgrade


    3. File-Type Behaviour

    MSI / MSP / EXE

    Executed using the arguments you provide.
    All standard environment variables behave as expected for the chosen context (SYSTEM/user).

    Example:
    https://vulndetect.org/topic/2540/openvpn-install-upgrade
    https://vulndetect.org/topic/2382/foxit-phantompdf-to-foxit-pdf-editor-upgrade

    Scripts (.ps1, .bat)

    Executed as the primary installer.
    Scripts run under PowerShell 5.1 or CMD.
    If a restricted PowerShell language mode is enforced, execution will fail.

    Example:
    https://vulndetect.org/topic/2386/running-powershell-scripts

    REG Files (.reg)

    Automatically imported using:

    reg import filename.reg
    

    No additional processing is performed.

    Example:
    https://vulndetect.org/topic/2388/registry-files-and-the-custom-software-feature

    ZIP Files

    General ZIP Files
    Extracted automatically into the working directory.
    Nothing is executed automatically — your script/installer must make use of the extracted content.

    Adobe ZIP Archives (adobe*.zip)
    When the primary file matches adobe*.zip, the system will:
    1. Extract the archive using 7-Zip
    2. Locate the Adobe setup installer
    3. Execute it automatically

    The ZIP must be the unmodified package downloaded from the Adobe Creative Cloud portal.

    Example:
    https://vulndetect.org/topic/2385/adobe-creative-cloud-install-upgrade


    4. Working Directory

    All uploaded files — primary and additional — are placed in the same temporary folder.

    Relative references such as:

    myconfig.xml
    .\transform.mst
    

    work normally.

    Subfolders are not created unless your installer or script creates them.

    Example:
    https://vulndetect.org/topic/2621/install-autocad-lt


    5. Detection & Success Criteria

    Custom Software
    • Accepted success codes: 0, 3010, 1603
    • No version-based detection
    • Exit codes only determine whether a reboot is required

    Advanced Customisation
    • Version-based detection tied to the application’s Recommended Version
    • Whitelisted success/reboot codes (varies per app)
    • More reliable detection overall


    6. Common Use Cases

    MSI with transform/config

    Primary: myapp.msi
    Additional: custom.mst, config.xml
    Arguments:

    msiexec /i myapp.msi TRANSFORMS=custom.mst /qn
    

    Script orchestrating secondary actions

    Primary: install.ps1
    Additional: payload.zip, settings.reg
    The script handles extraction, registry import, and any secondary execution.

    Adobe Creative Cloud package

    Primary: adobe-designteam.zip
    The ZIP is extracted automatically and the internal Adobe setup installer is executed.

    Installer requiring bundled resources

    Primary: setup.exe
    Additional: resources.zip
    The ZIP is extracted automatically; your installer must reference the extracted content.


    7. Operational Notes
      • Only the primary installer receives arguments.
      • Use a script as the primary file for multi-step processes.
      • Execution context provides standard environment variables (similar to Task Scheduler).
      • PowerShell 5.1 is always available; restricted modes will break the wrapper.
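
The "script orchestrating secondary actions" use case from the guide above, written out as an install.ps1. This is an added example, not VulnDetect's own code; setup.exe, its /S switch, the log path and the pinned hash are hypothetical, and it assumes the wrapper takes the script's exit code as the job result.

```powershell
# install.ps1 (primary file); payload.zip and settings.reg are uploaded as Additional Files.
# Hypothetical names: setup.exe inside payload.zip, its /S switch, and the log path.
$ErrorActionPreference = 'Stop'
$workDir = $PSScriptRoot                      # primary and additional files share this folder
$log     = Join-Path $env:TEMP 'install-orchestrator.log'

function Write-Log([string]$Message) {
    Add-Content -Path $log -Value ('{0:s} {1}' -f (Get-Date), $Message)
}

function Invoke-Step([string]$File, [string]$Arguments) {
    # Run a child process, wait for it, and log its exit code.
    $p = Start-Process -FilePath $File -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    Write-Log "$File $Arguments -> exit $($p.ExitCode)"
    return $p.ExitCode
}

try {
    # A restricted language mode makes the job fail; log it so the cause is visible.
    $mode = $ExecutionContext.SessionState.LanguageMode
    Write-Log "User=$env:USERNAME LanguageMode=$mode WorkDir=$workDir"
    if ($mode -ne 'FullLanguage') { throw "Unsupported language mode: $mode" }

    # Verify the payload before anything from it runs (placeholder, replace with the real SHA-256).
    $expected = '<SHA256-OF-PAYLOAD-ZIP>'
    $zip      = Join-Path $workDir 'payload.zip'
    $actual   = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
    if ($actual -ne $expected) { throw "payload.zip hash mismatch: $actual" }

    # Extract into a dedicated subfolder; subfolders exist only if the script creates them.
    $payloadDir = Join-Path $workDir 'payload'
    Expand-Archive -Path $zip -DestinationPath $payloadDir -Force

    # Registry import with the same "reg import" command the guide names.
    $reg = Join-Path $workDir 'settings.reg'
    if ((Invoke-Step 'reg.exe' "import `"$reg`"") -ne 0) { throw 'reg import failed' }

    # Secondary execution: hand the installer's exit code back as the job result.
    $code = Invoke-Step (Join-Path $payloadDir 'setup.exe') '/S'
    exit $code
} catch {
    Write-Log "FAILED: $_"
    exit 1
}
```
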
  • Adobe Acrobat / Reader DC Continuous 25.001.20982 failing to start: “Acrobat failed to load its Core DLL”

    Today we received a number of reports about Adobe Acrobat / Reader DC Continuous failing to start with the error “Acrobat failed to load its Core DLL” after updating to version 25.001.20982.

    This is caused by a faulty Adobe update and is not related to VulnDetect.

    Shortly after receiving the first report, we changed the Recommended version to the previous one, thus effectively stopping new update tasks from being created.

    Based on customer feedback and claims on various forums, it seems that installing the same architecture of the Microsoft Visual C++ 2015–2022 Redistributable as the installed Adobe Acrobat / Reader fixes the issue (for most). There are also reports that a full uninstall and reinstall of the previous version is required.

    If in doubt, deploy the VC++ package first - it solves the issue for the majority.

    You can do both things using SecTeer VulnDetect by using Tags and Deployment Jobs.

    Adobe Acrobat Reader DC Continuous (x32)
    https://corporate.vulndetect.com/#/applications/hosts?channelTag=adobe.acrobatreaderdc.default&title=Adobe Acrobat Reader DC Continuous (x32)

    Adobe Acrobat Reader DC Continuous (x64)
    https://corporate.vulndetect.com/#/applications/hosts?channelTag=adobe.acrobat.reader.dc&title=Adobe Acrobat Reader DC Continuous (x64)

    Adobe Acrobat DC Continuous
    https://corporate.vulndetect.com/#/applications/hosts?channelTag=adobe.acrobat.default&title=Adobe Acrobat DC Continuous

    Note: Due to the way we detected Reader vs. Acrobat initially, and the way Adobe decided to handle 64-bit Reader, we ended up with architecture-specific detections for Reader, whereas Acrobat still covers both 32/64-bit.

    On each of these links, you should select the hosts you need to “fix” and click Manage Tags for Selected Hosts, then assign a new tag that indicates the need to install the Visual C++ 2015–2022 Redistributable.

    Under Deployment:
    https://corporate.vulndetect.com/#/deployment/create-job

    You should select Microsoft Visual C++ 2015–2022 Redistributable as appropriate and click Configure Deployment Job With X Application, then Select Tags, Groups or Hosts, find the newly created tag, click Set Job Name, adjust as you see fit, and finally click Create Deployment Job.

    To speed up the deployment, you may want to go to Tags:
    https://corporate.vulndetect.com/#/tags

    Then click X Hosts and select as many hosts as you wish to initiate deployment to immediately. Note that clicking Inspect and Update Selected Hosts will initiate the deployment on all online hosts within a few minutes.

    If you need to roll back Adobe Acrobat / Reader, you can also use Tags in a similar way to create a Deployment Job that uninstalls Adobe Acrobat / Reader, and then create a new one which installs it. Ensure that the Uninstall Job is set to “Install or uninstall once” and that it is attempted before you assign the Install Job. The Install Job may be set to “Always install or uninstall.”

    Once Adobe publishes a fixed build, we will set it as the Recommended version so upgrades resume automatically.

  • RE: Adobe Acrobat Printing Issue in Latest Release

    The release notes are out:
    https://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotesDC/continuous/dccontinuoussept2025qfe.html#dccontinuoussepttwentytwentyfiveqfe

    This is the official fix for the printing issue:

    4529876: Data loss in printing PDF on Reader and Acrobat
    

    The packages for Acrobat/Reader in VulnDetect and PatchPro were released earlier this morning.

  • RE: Adobe Acrobat Printing Issue in Latest Release

    It appears that Adobe released version 25.001.20756 yesterday; however, it is not yet accompanied by release notes. We advise that you upgrade to 25.001.20756 on a few hosts and test this before upgrading on a large scale.

    We are currently testing this upgrade, and will release it once it passes the regular testing.

  • Avast: Lack of reliable information about vulnerability fixes

    While reviewing detection for Avast Free Antivirus and Avast Business Security, we were unable to find reliable information confirming whether the following vulnerabilities have been fixed:

    CVE-2025-3500
    https://www.zerodayinitiative.com/advisories/ZDI-25-256/
    This ZDI advisory specifies a fix; we have decided to rely on this information.

    CVE-2024-7227
    https://www.zerodayinitiative.com/advisories/ZDI-24-1003/
    We have found no public documentation that this privilege-escalation vulnerability has been fixed.

    Therefore, we have flagged both Avast Free Antivirus and Avast Business Security as Untracked. If no fixes are documented soon, we may escalate this status to Insecure / 0-day.

  • RE: [Solved] MiTeC EXE Explorer - Detected Version Incorrect

    @OLLI_S This should have been solved on 2nd December, can you confirm?

    And thank you for reporting it.

  • Google Chrome 131.0.6778.109 Error 1603 (googlechromestandaloneenterprise.msi)

    During testing of the Google Chrome 131.0.6778.109 MSI package, we found that it was broken, resulting in Exit Code 1603 after attempting to spawn a UAC prompt as the SYSTEM user.

    This issue occurs both when upgrading via VulnDetect and Intune. In some cases, it even breaks the existing installation during rollback of the failed update.

    As a result, we pulled the update before releasing it to customers.

    Once Google has fixed the Enterprise "ready" MSI installer, we will update the package and make it available after thorough testing.

    Please "upvote" the following post by Mikhail Gurin if you are affected by this and have a Google account. Hopefully, this will help make Google prioritize the fix: https://support.google.com/chrome/thread/311347547

    For reference, we use the following installers:

    https://dl.google.com/tag/s/dl/chrome/install/googlechromestandaloneenterprise.msi
    https://dl.google.com/tag/s/dl/chrome/install/googlechromestandaloneenterprise64.msi
    

    We also tested the EXE-based installers for offline deployment but found that these are incompatible with MSI-based installations.

    It should be noted that the MSI works if launched interactively as a regular user who can approve the UAC prompt.

  • Uninstall SecTeer VulnDetect Agent

    Can I uninstall the Agent using the Agent and Custom Software?

    Yes, that is doable, although you won't be able to see the correct state in the Job Activity, because the system won't be able to report back to the backend.

    Here is a PowerShell script that does that:

    # Set environment variables for 32-bit and 64-bit Windows
    $ProgramData = $env:ProgramData
    $SecTeer = "SecTeer VulnDetect"
    $myTaskPath = "\$SecTeer\"
    
    if ($env:PROCESSOR_ARCHITECTURE -eq "x86") {
        $agentRegPath = 'Registry::HKLM\Software\SecTeer\Agent'
        $appRegPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*"
        $ProgramFiles = "${env:ProgramFiles}"
    } else {
        $agentRegPath = 'Registry::HKLM\Software\WOW6432Node\SecTeer\Agent'
        $appRegPath = "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
        $ProgramFiles = "${env:ProgramFiles(x86)}"
    }
    
    $SecTeerPath = Join-Path -Path $ProgramFiles -ChildPath $SecTeer
    
    # Determine the uninstall method - prefer EXE uninstaller if available
    $command = if (Test-Path -Path "$SecTeerPath\unins000.exe") {
        Join-Path -Path $SecTeerPath -ChildPath "unins000.exe"
    } elseif (Test-Path -Path "$SecTeerPath\unins001.exe") {
        Join-Path -Path $SecTeerPath -ChildPath "unins001.exe"
    } else {
        $null
    }
    
    # Launch the uninstaller if found, attempt MSI removal otherwise
    if ($command) {
        try {
            $processSpecs = New-Object System.Diagnostics.ProcessStartInfo
            $processSpecs.FileName = $command
            $processSpecs.RedirectStandardError = $True
            $processSpecs.RedirectStandardOutput = $True
            $processSpecs.UseShellExecute = $False
            $processSpecs.Arguments = "/VERYSILENT /SUPPRESSMSGBOXES /FORCECLOSEAPPLICATIONS /NOCANCEL"
            $process = [System.Diagnostics.Process]::Start($processSpecs)
            $process.WaitForExit()
        } catch {
            Write-Warning "Failed to start the uninstaller process: $_"
        }
    } else {
        try {
            Uninstall-Package -Name "$SecTeer" -Force -ErrorAction SilentlyContinue
        } catch {
            Write-Warning "Failed to uninstall the package: $_"
        }
    }
    
    # Remove all scheduled tasks related to SecTeer VulnDetect
    $scheduleTasks = @(
        "SecTeer VulnDetect*",
        "SecTeerVulnDetectAgentStateMonitoring",
        "SecTeerVulnDetectMaintenance*"
    )
    
    foreach ($taskName in $scheduleTasks) {
        try {
            Get-ScheduledTask -TaskName $taskName -TaskPath "\" -ErrorAction SilentlyContinue | Unregister-ScheduledTask -Confirm:$false
        } catch {
            # ${taskName} is braced so the following colon is not parsed as a drive qualifier
            Write-Warning "Failed to unregister task ${taskName}: $_"
        }
    }
    
    # Clear registry remnants in Add/Remove Programs
    try {
        Get-ItemProperty "HKLM:\$appRegPath" | Where-Object { $_.DisplayName -like "$SecTeer*" } | Remove-Item -Force -ErrorAction SilentlyContinue
    } catch {
        Write-Warning "Failed to remove registry remnants: $_"
    }
    
    # Purge leftover files and folders
    try {
        $folderToRemove = Join-Path -Path $ProgramData -ChildPath $SecTeer
        Remove-Item -Path $folderToRemove -Recurse -Force -ErrorAction SilentlyContinue
    } catch {
        # ${folderToRemove} is braced so the following colon is not parsed as a drive qualifier
        Write-Warning "Failed to remove folder ${folderToRemove}: $_"
    }
    
    Write-Output "$SecTeer has been successfully removed."
    
  • RE: CrystaldiskInfo 9.4.4 detected as 9.1.1

    Thank you for reporting this. I believe it is fixed now. But I failed to find an account that belongs to you with this app, so I didn't double check that it works.

    Note that it requires a new inspection.

  • RE: [RELEASE] SecTeer VulnDetect Agent v3.4.0.0 Recommended - [Updated 13. October 2025]

    Version 3.4.0.0 is the latest Stable release.

    It can be downloaded from here:
    https://vulndetect.com/dl/agents/secteerSetup-3.4.0.0.exe
    https://vulndetect.com/dl/agents/secteerSetup-3.4.0.0.msi
