https://github.com/osquery/osquery logo
Title
t

thor

04/04/2018, 3:33 PM
@Mustafa sorry for the delays, most people in this slack are PST 😉 As for the question about authenticode, try handing it a SQL glob -
C:\ProcessExplorer\%
m

Mustafa

04/05/2018, 1:30 PM
the query select * from authenticode path=‘c:\\ProcessExplorer\\%’; was resulted as “Error: near “=”: syntax error”
sorry… osquery> select * from authenticode where path=‘C:\\ProcessExplorer\\%’; W0405 16:35:31.970301 4996 authenticode.cpp:500] Failed to verify the Authenticode signature for the following file: C:\\ProcessExplorer\\%. Error: Failed to query the Authenticode signature information
m

manu

04/05/2018, 2:09 PM
path
here refers to
file
, u seem to be passing directory here. something like
select * from authenticode where path = "c:\windows\system32\kernel32.dll";
Or u could fetch the list of files in the directory as
files
via
file
table and do sort of
join
with authenticode to get it for all files in the directory. Some SQL expert might help in here, i don't really know much of SQL. https://osquery.io/schema/2.11.2#file
m

Mustafa

04/05/2018, 2:43 PM
@manu the path must provide a path or a directory. it’s indicated on the web site.
m

manu

04/05/2018, 2:58 PM
Can you try this ? I am also experimenting the same stuff.
select * from authenticode where path like 'C:\ProcessExplorer\%';
m

Mustafa

04/05/2018, 3:07 PM
yes I did but the result same