Some users may wonder how Deep Security Agent or Deep Security Virtual Appliance detects whether a software has been installed on Windows or Linux. In some cases, users may also ask if Deep Security can detect an application set to "Extract and Use" or "Compile and Use". Learn how Deep Security works to detect such scenarios.
Generally speaking, Deep Security runs Recommendation Scan by sending a scanning rule, which is hidden to customers, to the agent side (Deep Security Agent or virtual agent) in several batches. The detection rule greps the installed software information via registry for Windows, and RPM or DEB database for Linux systems.
In addition, there is also a deprecated legacy method that will check the following paths for installed binaries on Linux systems:
This is the reason why Deep Security can still detect the "Extract and Use" or "Compile and Use" applications when you put their binary in the folders mentioned above. However, going through file system for binaries is quite expensive, so this method has been deprecated. It means that we cannot assure that this legacy method can still work correctly for all "Extract and Use" or "Compile and Use" application on all DPI rules. Also, the detection rule will not work if you put the binary into a folder not listed above.