Lansweeper Detection of OneLaunch

We've seen a huge uptick from our EDR about detections of OneLaunch this last week. We thought it was gone, but thankfully our EDR catches it every time someone's browser tries to download the installer.

I went through a bunch of old forum posts and it doesn't look like LanSweeper allows for wildcards to find the file where it would be installed (for instance all users' %LOCALAPPDATA%\OneLaunch\*\OneLaunch.exe)

If your LanSweeper scanner is not set to do so, you may want to enable "SOFTWAREMSSTOREAPPS" in your Scanned Item Interval as well to see if it shows up in the Installed Programs, as it can be added via APPX/Microsoft Store. I know that this is against their best practices for performance, but it may be helpful in this scenario.

You could also run a deploy job with a custom Powershell script to look for the file and write it a file to a static location, then use the File Scan to report on that value. 

Change the "$OutFile" variable to reference a place on the PC (something outside the normal file stack, so you don't have to worry about it getting deleted by anything else.)

Enable File Scan in the Scanned Item Interval (if it's not there already) and add the File Path to the scanned items. After the deploy job has run and all has been scanned, click the "Report" button next to the file scan, and it will bring up the report.

Example code below - I have not tested this on OneLaunch, but in theory it should still work:

$OutFile = "C:\Some\Literal\CanaryPath\On\ThePC\filename.txt"
$parent = Get-Childitem "c:\users" -Directory
$found = $false
foreach($user in $parent){
    try {
        $item = Get-ChildItem -Path "$($user.FullName)\AppData\Local" -Recurse -filter "OneLaunch.exe" -File
        if ($item.Exists) {
            $found = $true;
        }
    }
    catch {
    $error[0].exception.message | Out-Null
    }
}
if ($found -eq $true) {
    "Found" | Out-File -FilePath $OutFile -Force
} else {
    Remove-Item $OutFile
}