Not installing the installers, part 3

With file handlers being yet again a topic du jour it was only natural to try answering a question — how many file protocols are really out there?

I tried to answer this question before, but it was focused on built-in, ‘native’ protocol handlers only. What about we add the ones that are installed by the third parties? While the final list (or two) is far from being complete, it’s definitely a step forward.

So, how do we find these?

If we are lucky, we can parse our EDR logs (ideally, if you are a vendor). If we are not – we don’t have many choices really… we can google around for existing research, we can parse available source code, we can even sandbox files and parse their reports, and so on and so forth. It’s slow, and mundane. I would know, because I was there.

Luckily to us, installers often include list of Registry entries that are being added during the installation process and removed when application is uninstalled. The protocol handlers are easy to spot as installers push the ‘Url protocol’ value to the Registry to indicate the entry of interest, so a few parsed installer scripts later we come up with a short list.

The other avenue we can pursue is to look at a database of HijackThis log reports. This is of far poorer quality, but allows us to nail down a very long list of candidate entries for the ‘O18 – Protocol’ class – you can download it here.