Environment
- Enterprise EDR Console: All versions
- Enterprise EDR Sensor: All versions
Symptoms
On the Investigate page, Processes tab, these queries return the expected results:
process_cmdline:c\:\\windows\\system32\\msiexec.exe
process_cmdline:c\:\\windows\\system32\\.exe (finds all *.exe processes, as expected)
but a wildcard in a process_cmdline query returns no hits at all (no syntax error, just no results):
process_cmdline:c\:\\windows\\system32\\*.exe
process_cmdline:c\:\\windows\\system32\\\*.exe
process_cmdline:c\:\\windows\\system32\\msi*.exe
process_cmdline:c\:\\windows\\system32\\msi\*.exe
process_cmdline:c\:/\windows/\system32/\msi*.exe
Cause
This is issue LC-1075: "Due to specifics in parsing paths of 'cmdline' queries, wildcards are not always handled correctly."
Resolution
LC-1075 will be fixed in a future server-side version.
As a workaround until then, write the path with escaped whitespace (\ ) in place of each path separator, and use only a single trailing wildcard.
For example:
process_cmdline:c\:\ windows\ system32\ msiex*
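To apply the workaround consistently (for example when rewriting saved searches), the helper below builds the workaround form of a process_cmdline query from a Windows path prefix and flags queries that still mix path separators with a wildcard. This is an added example, not code from the KB article or from the product; the function names and the handling of literal spaces inside a path component are assumptions.

```python
import re

# Added helper (assumed, not from the article): LC-1075 workaround builder.
def workaround_cmdline_query(path_prefix: str, field: str = "process_cmdline") -> str:
    """Return `<field>:` query text in the workaround form.

    Path separators ('\\' or '/') become an escaped space ("\\ "), the drive
    colon is escaped, and exactly one trailing wildcard is appended, e.g.
    r"c:\\windows\\system32\\msiex" -> r"process_cmdline:c\\:\\ windows\\ system32\\ msiex*"
    """
    stem = path_prefix.rstrip("*")
    if "*" in stem:
        # The workaround supports a trailing wildcard only; leading or
        # interior wildcards would still be subject to LC-1075, so refuse them.
        raise ValueError("only a trailing wildcard is supported by the workaround")
    components = [c for c in re.split(r"[\\/]+", stem) if c]
    if not components:
        raise ValueError("empty path prefix")
    # Escape ':' and literal spaces so they survive query parsing (assumption:
    # a literal space inside a component is escaped the same way as a separator).
    escaped = [c.replace(":", "\\:").replace(" ", "\\ ") for c in components]
    return f"{field}:" + "\\ ".join(escaped) + "*"


def looks_affected(query: str) -> bool:
    """Heuristic lint: True when a process_cmdline query combines an escaped
    path separator ('\\\\' or '/') with a wildcard, i.e. the LC-1075 pattern."""
    field, _, body = query.partition(":")
    if field != "process_cmdline" or "*" not in body:
        return False
    return "\\\\" in body or "/" in body


if __name__ == "__main__":
    broken = r"process_cmdline:c\:\\windows\\system32\\msi*.exe"
    print(broken, "-> affected:", looks_affected(broken))
    fixed = workaround_cmdline_query(r"c:\windows\system32\msiex")
    print(fixed, "-> affected:", looks_affected(fixed))
```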