Charles Leaver – To Easily Find Superfish Use The Ziften App For Splunk

Written By Ryan Hollman And Presented By Charles Leaver CEO Ziften


Background Info: Lenovo confessed to pre installing the Superfish adware on some client PCs, and unhappy customers are now dragging the business to court on the matter said PCWorld. A proposed class action suit was filed late the previous week against Lenovo and Superfish, which charges both businesses with “deceptive” commercial practices and of making Lenovo PCs prone from man in the middle attacks by pre loading the adware.

Having issues finding Superfish throughout your business? With the Ziften App for Splunk, you can find infected endpoints with a simple Splunk search. Merely search your Ziften data and filter for the keyword “superfish”. The query is just:

index= ziften superfish


The following image shows the outcomes you would see in your Ziften App for Splunk if systems were contaminated. In this particular circumstance, we discovered numerous systems contaminated with Superfish.





The above results also refer to the binary “VirtualDiscovery.exe”. As it ends up, this is the core procedure responsible for the infections. In addition to the Superfish root certificate and VirtualDiscovery.exe binary, this software also puts down the following to the system:

A windows registry entry in:


INI and log files in:

% SystemRoot% SysWOW64VisualDiscovery.ini.
% SystemRoot% SysWOW64VisualDiscoveryOff.ini.
% SystemRoot% System32VisualDiscoveryOff.ini.
% TEMP% VisualDiscoveryr.log.

Manual detection of Superfish can also be done on an endpoint directly from powershell with the following:.

dir cert: -r|where Subject -match “superfish”.

If the system is infected with Superfish, you will see outcomes just like the following image. If the system is tidy, you will see no outcomes.




Some analysts have mentioned that you can simply remove Superfish by removing the root certificate revealed above with a powershell command such as:.

dir cert: -r|where subject -match “superfish”|Remove-Item.

This removal procedure does not continue throughout reboots. Merely removing the root cert does not work as VirtualDiscovery.exe will re-install the root cert after a system reboot.

The most basic method to get rid of Superfish from your system is to upgrade Microsoft’s built in AV product Windows Defender. Quickly after the public became aware of Superfish, Microsoft updated Windows Defender to remediate Superfish.

Other removal techniques exist, but updating Windows Defender is by far the simplest method.