Under Review

Why this query doesn't work?

What's wrong with this query? Why it doesn't work? I know for a fact that there are files named "VIRUS.exe", and yet live discovery doesn't return any results.

SELECT
    path,
    directory,
    filename,
    device,
    size
FROM file
WHERE path LIKE '%VIRUS.exe%'

How to make a query that searches if a file with a given name exists? Thank you in advance.

Parents
  • File is an interesting table provided by OSQuery.  It has some logic to prevent it from consuming too much CPU on the device as it searches the entire file system.

    Try narrowing down the search area to a specific directory.  Also you will need to use %% to tell it to search for sub-directories.

    Something like this may work.

    SELECT
       path,
       directory,
       filename,
       device,
       size
    FROM file
    WHERE directory LIKE 'C:\users\%\desktop%%' AND filename = 'VIRUS.exe'

  • Thank you Karl, this works as expected. It seems the key was to specify the directory as well.

Comment Children
No Data