The detection identifies the presence of the VisualDiscovery.exe file, a known component of the Lenovo Superfish SSL Interceptor, which could indicate unauthorized SSL interception capabilities. SOC teams should proactively hunt for this file in Azure Sentinel to identify potential covert surveillance or data exfiltration activities that may evade traditional detection methods.
YARA Rule
rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
    meta:
        description = "Lenovo Superfish SSL Interceptor - file VisualDiscovery.exe"
        author = "Florian Roth / improved by kbandla"
        reference = "https://twitter.com/4nc4p/status/568325493558272000"
        date = "2015/02/19"
        hash1 = "99af9cfc7ab47f847103b5497b746407dc566963"
        hash2 = "f0b0cd0227ba302ac9ab4f30d837422c7ae66c46"
        hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
        hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
    strings:
        $mz = { 4d 5a }
        //$s1 = "VisualDiscovery.exe" fullword wide
        $s2 = "Invalid key length used to initialize BlowFish." fullword ascii
        $s3 = "GetPCProxyHandler" fullword ascii
        $s4 = "StartPCProxy" fullword ascii
        $s5 = "SetPCProxyHandler" fullword ascii
    condition:
        ( $mz at 0 ) and filesize < 2MB and all of ($s*)
}
This rule defines 6 string patterns ($mz, the commented-out $s1, and $s2 through $s5). Its condition requires the MZ header at offset 0, a file size below 2 MB, and every active $s string to be present as a full word. The scenarios below describe contexts in which the rule may fire on legitimate activity, together with suggested filters.
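To check a sample against this rule's condition where the yara binary is not available, the following Python re-implements its logic (an added example, not part of the original rule or Florian Roth's signature-base). The fullword emulation, the per-clause result dictionary and the build_sample helper that fabricates test buffers are assumptions of this example.

```python
import re

# Active strings from the rule, as bytes. All are "fullword ascii";
# $s1 is commented out in the rule and therefore not required.
RULE_STRINGS = {
    "s2": b"Invalid key length used to initialize BlowFish.",
    "s3": b"GetPCProxyHandler",
    "s4": b"StartPCProxy",
    "s5": b"SetPCProxyHandler",
}
MAX_FILESIZE = 2 * 1024 * 1024  # YARA's "filesize < 2MB"


def fullword_ascii_present(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's 'fullword ascii' modifier: the string must not be
    directly preceded or followed by an alphanumeric character."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matches_rule(data: bytes) -> dict:
    """Evaluate ($mz at 0) and filesize < 2MB and all of ($s*).
    Returns every clause separately so an analyst can see which one failed."""
    result = {
        "mz_at_0": data[:2] == b"MZ",
        "filesize_ok": len(data) < MAX_FILESIZE,
    }
    for name, needle in RULE_STRINGS.items():
        result[name] = fullword_ascii_present(data, needle)
    result["match"] = all(result.values())
    return result


def build_sample(strings, mz=True, pad=b"\x00" * 64) -> bytes:
    """Constructed test buffer (not a real binary): an optional MZ header,
    a little filler, then the given strings separated by null padding."""
    header = (b"MZ" if mz else b"ZZ") + b"\x90" * 62
    return header + pad.join(strings)
```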
Scenario: Legitimate VisualDiscovery.exe from Lenovo Endpoint Security Tools
Description: The file VisualDiscovery.exe is part of Lenovo’s endpoint security or management tools used for device inventory and compliance.
Filter/Exclusion: Check the file’s full path against known Lenovo tool directories (e.g., C:\Program Files\Lenovo\). Use a filter like:
file.path != "C:\Program Files\Lenovo\*"
Scenario: Scheduled System Maintenance Task Using VisualDiscovery.exe
Description: A scheduled task runs VisualDiscovery.exe as part of routine system health checks or updates.
Filter/Exclusion: Filter by process owner or task name:
process.owner == "SYSTEM" or process.name == "TaskScheduler"
Scenario: Admin Task to Inventory System Assets
Description: An administrator manually runs VisualDiscovery.exe to gather system inventory for auditing or reporting.
Filter/Exclusion: Filter by user context:
user.name == "Administrator" or user.name == "root"
Scenario: VisualDiscovery.exe Used by a Third-Party Management Tool
Description: A third-party IT management tool (e.g., Microsoft Intune, Jamf) may include VisualDiscovery.exe as part of its integration with Lenovo devices.
Filter/Exclusion: Check for associated parent processes or command-line arguments:
parent.process.name == "IntuneAgent.exe" or parent.process.name == "jamfHelper.exe"
Scenario: VisualDiscovery.exe in a Test or Development Environment
Description: The file is present in a test or dev environment where it’s used for simulation or testing purposes.
Filter/Exclusion: Filter