Understanding how Recommendation Scan works

Product / Version includes:

Deep Security9.6 , Deep Security10.2 , Deep Security10.1 , Deep Security10.0 , Deep Security10.3

Last updated: 2021/08/28

Solution ID: KA-0008152

Category: SPEC

Summary

Some users may wonder how Deep Security Agent or Deep Security Virtual Appliance detects whether a software has been installed on Windows or Linux. In some cases, users may also ask if Deep Security can detect an application set to "Extract and Use" or "Compile and Use". Learn how Deep Security works to detect such scenarios.

Generally speaking, Deep Security runs Recommendation Scan by sending a scanning rule, which is hidden to customers, to the agent side (Deep Security Agent or virtual agent) in several batches. The detection rule greps the installed software information via registry for Windows, and RPM or DEB database for Linux systems.

In addition, there is also a deprecated legacy method that will check the following paths for installed binaries on Linux systems:

/sbin/
/bin/
/usr/sbin/
/usr/bin/
/usr/local/sbin/
/usr/local/bin/

This is the reason why Deep Security can still detect the "Extract and Use" or "Compile and Use" applications when you put their binary in the folders mentioned above. However, going through file system for binaries is quite expensive, so this method has been deprecated. It means that we cannot assure that this legacy method can still work correctly for all "Extract and Use" or "Compile and Use" application on all DPI rules. Also, the detection rule will not work if you put the binary into a folder not listed above.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Understanding how Recommendation Scan works

Understanding how Recommendation Scan works

Product / Version includes:

Summary