Information Security
malware windows
Updated Sat, 01 Oct 2022 11:38:08 GMT

Malware file path


How does a file's location imply whether a given file is possibly malware or not? Example: let's take the Windows wmiprvse.exe file. Web search results will often give you results similar to: "If this is under C:\WINDOWS\System32\Wbem then it is genuine, anywhere else it is malware".

So my question is: why does such a location of that file indicate that it is not malicious? Is it a matter of 'write' permissions to that path? What could stop me, an attacker, from naming my malicious file "wmiprvse.exe" and putting it in the \system32 location to make it look OK?
Solution

It isn't really that files in certain locations can't be malicious; it's that there are normally legitimate files that have specific locations. Finding "wmiprvse.exe" in \system32 is expected because that's where the legitimate "wmiprvse.exe" is supposed to be. Finding it anywhere else indicates that it is a malicious file "pretending" to be "wmiprvse.exe".

Yes, it is possible that an attacker replaced a legitimate file with a malicious version in the same location, but that might interfere with the system's normal operation.
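
As an added illustration of the answer above (example code, not part of the original post), the following PowerShell check lists running processes whose names appear in a small table of expected locations, reports whether each image path matches the table, and reads the file's Authenticode signature so that the in-place replacement case the answer mentions is also visible. The expected-location table is an assumption you maintain yourself; the wmiprvse.exe entry uses the System32\wbem location quoted in the question.

```powershell
# Added example (not from the original post): compare the image path of
# well-known process names against their expected locations and check the
# Authenticode signature of each image.
# Assumption: this table is maintained by the reader; extend it as needed.
$expected = @{
    'wmiprvse.exe' = Join-Path $env:SystemRoot 'System32\wbem\wmiprvse.exe'
    'svchost.exe'  = Join-Path $env:SystemRoot 'System32\svchost.exe'
}

function Test-ImagePath {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$Path
    )
    $key = $Name.ToLowerInvariant()
    if (-not $expected.ContainsKey($key)) { return 'unknown' }
    # NTFS paths are case-insensitive, so normalise both sides before comparing.
    $actual = [IO.Path]::GetFullPath($Path).ToLowerInvariant()
    if ($actual -eq $expected[$key].ToLowerInvariant()) { return 'expected-location' }
    return 'unexpected-location'
}

# Enumerate processes; ExecutablePath is empty for protected/system processes,
# so those are skipped. Run elevated to see other users' processes.
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object {
        $name = $_.Name.ToLowerInvariant()
        if ($expected.ContainsKey($name)) {
            $verdict = Test-ImagePath -Name $name -Path $_.ExecutablePath
            $sig     = Get-AuthenticodeSignature -FilePath $_.ExecutablePath
            [PSCustomObject]@{
                PID       = $_.ProcessId
                Name      = $_.Name
                Path      = $_.ExecutablePath
                Location  = $verdict
                Signature = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject   # $null when unsigned
            }
        }
    }
```

Read the two columns together: `unexpected-location` is the name-masquerading case from the answer, and a `Signature` other than `Valid` (for example `HashMismatch`) on a file sitting in the expected location is the replaced-in-place case. A valid Microsoft signature on its own does not make the location right, since an attacker can copy a genuine signed binary anywhere, and on older Windows versions catalog-signed OS binaries may be reported as `NotSigned` even when they are genuine.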
Comments (1)

  • +0 – You may also be able to detect such modifications using sfc or other built-in mechanisms (unless those systems can be subverted as well) — Jul 28, 2022 at 16:55