[BUG] Windows Driver Load Non-Standard Path: Missing volume/drive letter in MS Defender path

[vvlier]

In Windows Driver Load Non-Standard Path detection, the regex to ignore well-known standard paths for driver does not match correctly for MS Defender.
The regex match "\ProgramData\Microsoft\Windows Defender\Definition Updates" without the volume/drive letter in front.

Regex in windows_driver_load_non_standard_path.yml should be:
| regex ImagePath!="(?i)^(\w:\\Windows\\|\w:\\Program\sFile|\\systemroot\\|%SystemRoot%|system32\\|\w:\\ProgramData\\Microsoft\\Windows\sDefender\\Definition\sUpdates\\)"

[nasbench]

Thanks for reporting this @vvlier a PR #3691 has been created to address this small bug.

[vvlier]

Hi Naserddine, I checked the updated version and I am afraid it would not work. - The regex is now on multiple lines, probably because the SPL formatting did not see that the | were inside a string. This put newlines and extra whitespaces in the pattern of the regex and completely mess it up- The parenthesis around x86 are not escaped- There is an extra | at the end after %SystemRoot% so the regex will match any empty string- \\\\systemroot\\\\ was removed from the list- It is better to use \s to match a whitespace character than using a space In my opinion the right regex should be:  | regex ImagePath = "(?i)^(\w:\\\\Program\sFiles\\\\|\w:\\\\Program\sFiles\s\\(x86\\)\\\\|\w:\\\\Windows\\\\System32\\\\|\w:\\\\Windows\\\\SysWOW64\\\\|\w:\\\\ProgramData\\\\Microsoft\\\\Windows\sDefender\\\\Definition\sUpdates\\\\|\w:\\\\ProgramData\\\\Microsoft\\\\Windows\sDefender\\\\Platform\\\\|\\\\systemroot\\\\|%SystemRoot%)" Best regards, Vincent Le mardi 23 septembre 2025 à 12:17:01 UTC+2, Nasreddine Bencherchali ***@***.***> a écrit : nasbench left a comment (splunk/security_content#3690) Thanks for reporting this @vvlier a PR #3691 has been created to address this small bug. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: ***@***.***>

[nasbench]

Hey, thanks for checking this, I'll sort this out, but the space usage is intentional instead of the \s to avoid FN with fake dirs.