Group Details Private

Global Moderators

Forum wide moderators

Member List
  • Uninstall SecTeer VulnDetect Agent

    Can I uninstall the Agent using the Agent and Custom Software?

    Yes, that is doable, although you won't be able to see the correct state in the Job Activity, because the system won't be able to report back to the backend.

    Here is a PowerShell script that does that:

    # Set environment variables for 32-bit and 64-bit Windows
    $ProgramData = $env:ProgramData
    $SecTeer = "SecTeer VulnDetect"
    $myTaskPath = "\$SecTeer\"
    
    if ($env:PROCESSOR_ARCHITECTURE -eq "x86") {
        $agentRegPath = 'Registry::HKLM\Software\SecTeer\Agent'
        $appRegPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*"
        $ProgramFiles = "${env:ProgramFiles}"
    } else {
        $agentRegPath = 'Registry::HKLM\Software\WOW6432Node\SecTeer\Agent'
        $appRegPath = "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
        $ProgramFiles = "${env:ProgramFiles(x86)}"
    }
    
    $SecTeerPath = Join-Path -Path $ProgramFiles -ChildPath $SecTeer
    
    # Determine the uninstall method - prefer EXE uninstaller if available
    $command = if (Test-Path -Path "$SecTeerPath\unins000.exe") {
        Join-Path -Path $SecTeerPath -ChildPath "unins000.exe"
    } elseif (Test-Path -Path "$SecTeerPath\unins001.exe") {
        Join-Path -Path $SecTeerPath -ChildPath "unins001.exe"
    } else {
        $null
    }
    
    # Launch the uninstaller if found, attempt MSI removal otherwise
    if ($command) {
        try {
            $processSpecs = New-Object System.Diagnostics.ProcessStartInfo
            $processSpecs.FileName = $command
            $processSpecs.RedirectStandardError = $True
            $processSpecs.RedirectStandardOutput = $True
            $processSpecs.UseShellExecute = $False
            $processSpecs.Arguments = "/VERYSILENT /SUPPRESSMSGBOXES /FORCECLOSEAPPLICATIONS /NOCANCEL"
            $process = [System.Diagnostics.Process]::Start($processSpecs)
            $process.WaitForExit()
        } catch {
            Write-Warning "Failed to start the uninstaller process: $_"
        }
    } else {
        try {
            Uninstall-Package -Name "$SecTeer" -Force -ErrorAction SilentlyContinue
        } catch {
            Write-Warning "Failed to uninstall the package: $_"
        }
    }
    
    # Remove all scheduled tasks related to SecTeer VulnDetect
    $scheduleTasks = @(
        "SecTeer VulnDetect*",
        "SecTeerVulnDetectAgentStateMonitoring",
        "SecTeerVulnDetectMaintenance*"
    )
    
    foreach ($taskName in $scheduleTasks) {
        try {
            Get-ScheduledTask -TaskName $taskName -TaskPath "\" -ErrorAction SilentlyContinue | Unregister-ScheduledTask -Confirm:$false
        } catch {
            Write-Warning "Failed to unregister task $taskName: $_"
        }
    }
    
    # Clear registry remnants in Add/Remove Programs
    try {
        Get-ItemProperty "HKLM:\$appRegPath" | Where-Object { $_.DisplayName -like "$SecTeer*" } | Remove-Item -Force -ErrorAction SilentlyContinue
    } catch {
        Write-Warning "Failed to remove registry remnants: $_"
    }
    
    # Purge leftover files and folders
    try {
        $folderToRemove = Join-Path -Path $ProgramData -ChildPath $SecTeer
        Remove-Item -Path $folderToRemove -Recurse -Force -ErrorAction SilentlyContinue
    } catch {
        Write-Warning "Failed to remove folder $folderToRemove: $_"
    }
    
    Write-Output "$SecTeer has been successfully removed."
    
    posted in [Corporate] Deployment -> Custom Software
  • RE: CrystaldiskInfo 9.4.4 detected as 9.1.1

    Thank you for reporting this. I believe it is fixed now. But I failed to find an account that belongs to you with this app, so I didn't double check that it works.

    Note that it requires a new inspection.

    posted in Detection Issues
  • RE: [RELEASE] SecTeer VulnDetect Agent v3.4.0.0 Recommended - 2024-07-10

    Version 3.4.0.0 is the latest Stable release.

    It can be downloaded from here:
    https://vulndetect.com/dl/agents/secteerSetup-3.4.0.0.exe
    https://vulndetect.com/dl/agents/secteerSetup-3.4.0.0.msi

    posted in Announcements
  • Updating SysInternals

    Based on customer requests we've examined ways to update Portable Apps, like apps form the SysInternals bundle.

    There are many ways to achieve this, but we wanted one that works well with the Custom Software feature in VulnDetect.

    We also wanted to avoid making one Config per App in the SysInternals bundle.

    And, since these files can live in various places, including folders that are writable by non-privileged users, we wanted to be careful not to overwrite the wrong files or follow symbolic links.

    The script will not overwrite files unless they have the company name specified in the $companyNameToCheck variable, it will also not touch files in the $excludedDirs.

    The combination of Custom Software and this script assumes that you add a ZIP archive as an Additonal File and that the ZIP archive contains a folder called "files" with all the SysInternal files you want to replace, e.g. the entire SysInternals bundle.
    5ab3afde-6712-4598-8609-b55043ba85fc-image.png

    You can also edit the $sourceDir variable if you want to use a different layout in your ZIP archive.

    The below script was created by ChatGPT (by OpenAI). It was created based on the above requirements and it has been reviewed and tested by SecTeer.

    Note: This script is intended to run in an automated fashion and with a sub folder of known trusted files. Executing this in the wrong location and altering variables and conditions may have unforeseen consequences, because the script overwrites files recursively.

    # Define the company name to check for
    $companyNameToCheck = "Sysinternals - www.sysinternals.com"
    
    # Get the current working directory and set the source directory to the "files" subfolder
    $sourceDir = Join-Path -Path (Get-Location) -ChildPath "files"
    $drive = "C:\"
    
    # List of directories to exclude (common shim file locations)
    $excludedDirs = @(
        "$env:SystemRoot\AppPatch",
        "$env:SystemRoot\System32\ShimCache"
    )
    
    # Function to get the latest file from a directory
    function Get-LatestFile {
        param (
            [string]$directory,
            [string]$fileName
        )
        $files = Get-ChildItem -Path $directory -Filter $fileName
        $latestFile = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        return $latestFile
    }
    
    # Function to check the "Company Name" and "Product Name" properties of a file
    function Get-FileProperties {
        param (
            [string]$filePath
        )
        $properties = Get-ItemProperty -Path $filePath -Name 'VersionInfo'
        return @{
            CompanyName = $properties.VersionInfo.CompanyName
            ProductName = $properties.VersionInfo.ProductName
        }
    }
    
    # Function to recursively replace files in the target directory with the latest from the source directory
    function Replace-Files {
        param (
            [string]$sourceDir,
            [string]$drive,
            [string]$companyNameToCheck
        )
    
        # Get the list of files in the source directory
        $sourceFiles = Get-ChildItem -Path $sourceDir
    
        # Iterate over each file in the source directory
        foreach ($sourceFile in $sourceFiles) {
            # Get the latest version of the source file
            $latestSourceFile = Get-LatestFile -directory $sourceDir -fileName $sourceFile.Name
    
            # Find matching files in the drive recursively, excluding the source directory and excluded directories
            $matchingFiles = Get-ChildItem -Path $drive -Filter $sourceFile.Name -Recurse -ErrorAction SilentlyContinue | Where-Object {
                $_.FullName -notlike "$sourceDir*" -and
                $excludedDirs -notcontains $_.DirectoryName
            }
    
            # Replace each matching file with the latest source file if the company name matches and it is not a Chocolatey shim file
            foreach ($targetFile in $matchingFiles) {
                $properties = Get-FileProperties -filePath $targetFile.FullName
                if ($properties.CompanyName -eq $companyNameToCheck -and $properties.ProductName -notlike "*Chocolatey Shim*") {
                    Copy-Item -Path $latestSourceFile.FullName -Destination $targetFile.FullName -Force
                    Write-Output "Replaced $($targetFile.FullName) with $($latestSourceFile.FullName)"
                } else {
                    Write-Output "Skipped $($targetFile.FullName) as it is either not from '$companyNameToCheck' or it is a Chocolatey shim file"
                }
            }
        }
    }
    
    # Call the function to replace files
    Replace-Files -sourceDir $sourceDir -drive $drive -companyNameToCheck $companyNameToCheck
    
    posted in [Corporate] Deployment -> Custom Software
  • RE: Microsoft PC Manager (Windows Installer) is EOL

    @OLLI_S There are a few users, yes.

    The website doesn't really state anything at all:
    https://pcmanager.microsoft.com/en-us

    I'll leave it as Untracked and Pre-release for now, do let me know if you see some official statement that I can link to and then we'll flag the EXE edition as EoL.

    posted in Detection Issues
  • RE: [Solved] Left Overs in WSCC

    @OLLI_S From what I can see, then detection of Rufus and SumatraPDf is working as expected. As you know, part of our detection relies on the original filenames, so when an app or user renames EXE files, it easily (and intentionally) bypasses our detection.

    posted in Solved Bundling Issues
  • RE: Cygwin Filezilla detected as Widnows Filezilla

    Is FileZilla a standard sub application of Cygwin?

    Perhaps we should bundle it?

    posted in Detection Issues
  • RE: Microsoft 365 Apps - No Longer Bundled

    @OLLI_S We actually stopped bundling it a long time ago. When I look at your results, then I see all the 365 Apps.

    There are two reasons we stopped bundling it. One is that Microsoft frequently releases unknown builds to a subset of systems, this breaks some logic that we rely upon. The other is that the Suite system doesn't support packages, so in order to support updating 365 Apps, we had to stop using the Suite bundle.

    We may change this eventually, but it's not on the roadmap at the moment.

    Btw. if some of your 365 Apps disappear, then it may be because you ran into one of those Unknown builds, please ping me directly, next time you only see some of them, then I can verify whether this is the reason.

    posted in Bundling Issues
  • RE: [Solved] FileZilla - No longer detected (Bug)

    @OLLI_S Yes, I can see they changed some properties. It should be fixed now.

    Thank you for reporting this.

    posted in Solved Detection Issues