[GetPendingUpdates_vbs.CMD]: GetPendingUpdates_vbs.CMD from Solarwinds

[umairqamar]

• Contributor Name:umairqamar
• *Application/Executable:GetPendingUpdates_vbs.CMD*
• *WTF Behavior Description:Ships with Solarwinds, has confusing double extensions.*
• *Link to Documentation of Behavior:https://twitter.com/cyb3rops/status/1396881013192671234*
• Please provide any images for additional evidence.

[mttaggart]

@umairqamar ,

Thank you for your submission!

This looks promising, but I think we need a little more info! For one thing, this Florian tweet does not provide enough detail to qualify as documentation. Additionally, I'd love to see some evidence from a SIEM or other logging source about what this command actually does, and what parent processes invoke it.

[xl-sec]

I'd propose that the whole of Solarwind deserve a WTFBIN mention, as they suggest to exclude the whole directory from AV. Unfortunately(?) I don't have a Solarwind installation so can't provide more info than this link

https://support.solarwinds.com/SuccessCenter/s/article/Files-and-directories-to-exclude-from-antivirus-scanning-for-Orion-Platform-products?language=en_US