Sign your name across my heart; vendor… use one name only…

June 29, 2019 in threat hunting

I have been looking at the data stored by vendors inside the VERSIONINFO structure for quite some time now. The TODO bit is one issue I described previously, but there are more.

One of the most annoying things is the crazy number of names that vendors use in the CompanyName field. This is of course kinda understandable – large companies have many departments and coding teams scattered across the whole world. It certainly looks like an impossible task to ensure all of them go through a single, bureaucratic office that will double-check that all of them use the very same vendor name. And perhaps there are other reasons too – I don’t know the laws of all the countries of course, there could be a genuine need in some places to always use an official name of the company in that field(?). I really dunno.

In any case… From a threat hunting perspective, it complicates our life. For example, when you want to whitelist some of these vendor names you will always end up with a never-ending whack-a-mole game. In my experience, for every entry I add per vendor, there are another 1-5 out there that are very similar, and which I will add some time in the future. I don’t think there is any good solution for this today.

To demonstrate the issue, let’s have a look at common vendor names one can encounter:


  • Hewlett Packard
  • Hewlett Packard Enterprise Company
  • Hewlett-Packard
  • Hewlett-Packard Company


  • Intel Corporation
  • Intel Corporation – Business Client Platform Division
  • Intel Corporation – Client Components Group
  • Intel Corporation – Client Connectivity Division
  • Intel Corporation – Embedded Subsystems and IP Blocks Group
  • Intel Corporation – Intel® Management Engine Firmware
  • Intel Corporation – Intel® Rapid Storage Technology
  • Intel Corporation – Mobile Wireless Group
  • Intel Corporation – pGFX
  • Intel Corporation – Rapid Storage Technology
  • Intel Corporation – Software and Firmware Products
  • Intel Corporation ? Non-Volatile Memory Solutions Group
  • Intel Corporation-Mobile Wireless Group
  • Intel Corporation-Wireless Connectivity Solutions
  • Intel MCG PIV Tablet Validation
  • Intel Technology Sdn. Bhd.
  • Intel Wireless Display
  • Intel(R) Baytrail Wintablet
  • Intel(R) CherryTrail Windows
  • Intel(R) CISD Software
  • Intel(R) Client Connectivity Division SW
  • Intel(R) CN
  • Intel(R) Embedded Subsystems and IP Blocks Group
  • Intel(R) Intel Network Drivers
  • Intel(R) Intel_ICG
  • Intel(R) INTELND1617
  • Intel(R) INTELND1617S2
  • Intel(R) INTELNPG1
  • Intel(R) Network Platform Group
  • Intel(R) NVMe Windows Driver
  • Intel(R) OWR
  • Intel(R) pGFX
  • Intel(R) Rapid Storage Technology
  • Intel(R) Rapid Storage Technology enterprise
  • Intel(R) Smart Connect software
  • Intel(R) Smart Sound Technology
  • Intel(R) Software
  • Intel(R) Software (Pre-release)
  • Intel(R) Software and Firmware Products
  • Intel(R) Software Development Products
  • Intel(R) Software Products
  • Intel(R) Update Manager
  • Intel(R) USB eXtensible Host Controller Drivers
  • Intel(R) Wireless Connectivity Solutions
  • Intel(R) Wireless Display
  • Intel® Identity Protection Technology Software
  • Intel® Rapid Storage Technology


  • Lenovo (Beijing) Limited
  • Lenovo (Beijing) Ltd.
  • Lenovo (Japan) Ltd
  • Lenovo (Japan) Ltd.
  • Lenovo Group Limited
  • Lenovo Information Products (Shenzhen) Co.
  • Lenovo Japan
  • Lenovo(Japan)Ltd.
  • Lenovo.Ltd
  • LenovoEMC Products USA


  • Microsoft Corporation
  • Microsoft Corporation (Europe)
  • Microsoft Dynamic Code Publisher
  • Microsoft Mobile Device Privileged Component Update Publisher
  • Microsoft Windows
  • Microsoft Windows 2000 Publisher
  • Microsoft Windows 2000 Publisher (Europe)
  • Microsoft Windows Component Publisher
  • Microsoft Windows Hardware Compatibility Publisher
  • Microsoft Windows Publisher
  • Microsoft Windows XP Publisher


  • Apple Computer
  • Apple Inc.


  • Google
  • Google Inc


  • Dell Computer Corporation
  • Dell Inc
  • Dell Inc.
  • Dell Incorporated

Alcor Micro:

  • Alcor Micro
  • AlcorMicro


  • Baidu (China) Co.
  • Baidu Online Network Technology (Beijing) Co.
  • Beijing baidu Netcom science and technology
  • BeiJing Baidu Netcom Science Technology Co.

ASIX Electronics:

  • ASIX Electronics Corp.
  • ASIX Electronics Corp.<blank character>


  • IBM
  • IBM (China) Investment Company Limited
  • IBM Corporation
  • IBM Japan
  • IBM UK Ltd
  • IBM United Kingdom Limited
  • IBMUK Ltd


  • Wacom Co.
  • Wacom Technology Corp.
  • Wacom Technology Corporation

As we can see, there are lots of typos and single-letter differences – a full stop, a hyphen, a blank character – and lots of other cosmetic issues.

Whack-a-mole is the name of the game.
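The following Python is an added example, not code from the original post: it folds the cosmetic differences listed above (case, hyphens, full stops, blanks, (R)/®, legal-form words) into a grouping key and shows which of the post's names collapse and which stay distinct. The function names, the legal-form word list and the trailing space used for the `<blank character>` entry are assumptions.

```python
import re
import unicodedata
from collections import defaultdict

# Legal-form words dropped from the key (assumed list, not exhaustive).
LEGAL_FORMS = {"inc", "incorporated", "corp", "corporation",
               "co", "company", "ltd", "limited"}

def company_key(name: str) -> str:
    """Collapse cosmetic differences in a CompanyName into a grouping key."""
    s = unicodedata.normalize("NFKC", name).casefold()
    s = s.replace("(r)", " ")                 # ASCII form of the (R) marker
    s = re.sub(r"[\W_]+", " ", s)             # hyphens, dashes, stops, ®, blanks
    tokens = [t for t in s.split() if t not in LEGAL_FORMS]
    return "".join(tokens)                    # spaceless: "AlcorMicro" == "Alcor Micro"

def group_variants(names):
    """Map each key to the sorted raw CompanyName strings that produce it."""
    groups = defaultdict(set)
    for raw in names:
        groups[company_key(raw)].add(raw)
    return {k: sorted(v) for k, v in groups.items()}

# Sample input: a subset of the CompanyName values listed in the post.
# The trailing space on the second ASIX entry stands in for "<blank character>".
SAMPLE = [
    "Hewlett Packard", "Hewlett-Packard", "Hewlett-Packard Company",
    "Hewlett Packard Enterprise Company",
    "Dell Inc", "Dell Inc.", "Dell Incorporated", "Dell Computer Corporation",
    "Alcor Micro", "AlcorMicro",
    "ASIX Electronics Corp.", "ASIX Electronics Corp. ",
    "Lenovo (Japan) Ltd", "Lenovo (Japan) Ltd.", "Lenovo(Japan)Ltd.", "Lenovo Japan",
    "IBM UK Ltd", "IBMUK Ltd", "IBM United Kingdom Limited",
    "Intel Corporation \u2013 Mobile Wireless Group",
    "Intel Corporation-Mobile Wireless Group",
    "Intel(R) Rapid Storage Technology", "Intel\u00ae Rapid Storage Technology",
]

if __name__ == "__main__":
    groups = group_variants(SAMPLE)
    for key, raws in sorted(groups.items()):
        print(f"{key:30} <- {raws!r}")
    # Department and legal-entity variants still produce separate keys.
    print(f"{len(SAMPLE)} raw names -> {len(groups)} keys")
```

CompanyName is unsigned metadata that whoever builds a binary can set freely, so the key is useful for grouping and triage rather than as a trust decision on its own.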
