Our IT Security lead asked me today how many people had installed "DropBox" (a file sharing/syncing app). So I pulled up my Add/Remove programs report, plugged in "%Drop%Box%" as a search term, and promptly was given "No results". "GREAT!" I thought, "another potential data leakage source not being exploited!" But then I got to thinking (which I do now and again...). So I went to www.dropbox.com and installed the app, then checked the Add/Remove Programs applet in Control Panel and saw Dropbox listed there. Then I reran Software Inventory to update the Add/Remove Programs inventory on my machine. I was rather surprised to discover that Dropbox did not show up in my inventory, even after purging the local .bak files. On some deeper digging I checked the registry and found that the Uninstall info for this app actually lives under the HKEY_CURRENT_USER key (or HKEY_USERS to be more precise, at HKEY_USERS\S-1-5-21-....\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox). I also found a module for our Cisco desktop conferencing application, and Google Chrome living in this little less-frequented-corner of the registry, both of which also do not show up in the AeX_OS_Add_Remove_Programs dataclass! Running a seach of Inv_AeX_SW_Audit_Software turned up quite a few instances of dropbox.exe with a ProductName of Dropbox, and all of them living happily in C:\Documents and Settings\<userid>\Application Data!
So now what? Well in the short term I tell my IT Security Lead that in fact we do have quite a few installs of this app in our environment. In the long-term, I wonder why Symantec doesn't inventory this section of the registry which seems to be targeted more and more by sneaky applications trying to by-pass restricted user rights, and add to my task list developing a little script to augment the built-in Add/Remove Programs inventory by also parsing the user-specific uninstall keys for each user and insert those into the existing AeX OS Add Remove Programs.nsi file prior to posting it back to the NS. If and when I get around to writing that, I'll be sure to post it back here to Connect to help out the rest of you.