Portable Executable rules list

This page lists all supported Portable Executable analysis rules.

ID | Description | Level | Category |
---|---|---|---|
PE001 | COFF or MPDB debug directory is present | WARNING | Security |
PE002 | Debug directory is present | INFO | Security |
PE003 | MPX debug directory is present | INFO | Configuration |
PE004 | Export library name mismatch | INFO | Configuration |
PE005 | Non-DLL executable exports symbols | INFO | Configuration |
PE006 | EXE file has DLL flag set | WARNING | Configuration |
PE007 | Relocations are absent | ERROR | Security |
PE008 | Relocations section is not discardable | WARNING | Optimization |
PE009 | SAFESEH is disabled | ERROR | Security |
PE010 | RWX section is present | CRITICAL | Security |
PE011 | WX section is present | ERROR | Security |
PE012 | SW section is present | WARNING | Security |
PE013 | Security cookie is absent | CRITICAL | Security |
PE014 | Security cookie is absent for some object files | ERROR | Security |
PE015 | Security cookie value is not system default | ERROR | Security |
PE016 | Not marked as large address aware | WARNING | Security |
PE017 | Executable is not signed | ERROR | Security |
PE018 | High entropy ASLR compatibility disabled, not large address aware | WARNING | Security |
PE019 | DEP disabled | CRITICAL | Security |
PE020 | CF guard is disabled | ERROR | Security |
PE021 | Signature check is not enforced | WARNING | Security |
PE022 | ASLR compatibility mode is active | ERROR | Security |
PE023 | Dynamic load library does not have DLL flag set | WARNING | Configuration |
PE024 | Version info is absent | WARNING | Configuration |
PE025 | The file version structure was created dynamically | ERROR | Configuration |
PE026 | The file is marked as a development version, not a commercially released product | WARNING | Configuration |
PE027 | The file is marked as non-standard release (private build) | WARNING | Configuration |
PE028 | Version info fixed file info key mismatch across resources | WARNING | Configuration |
PE029 | Version info string presence mismatch across resources | WARNING | Configuration |
PE030 | Invalid version info translation format | CRITICAL | Format |
PE031 | Invalid version info resource format | CRITICAL | Format |
PE032 | Duplicate version info resource block | CRITICAL | Format |
PE033 | Duplicate version info translations | CRITICAL | Format |
PE034 | Version info lacks string file info | ERROR | Configuration |
PE035 | Version info StringFileInfo block language does not match resource language | WARNING | Configuration |
PE036 | Version info VarFileInfo block lacks translation info | ERROR | Configuration |
PE037 | Version info VarFileInfo block translation language does not match resource language | WARNING | Configuration |
PE038 | Version info StringFileInfo block languages do not match VarFileInfo translation languages | WARNING | Configuration |
PE039 | Multiple VERSIONINFO resources and multiple VERSIONINFO translations at the same time | WARNING | Configuration |
PE040 | Version info string mismatch across resources | WARNING | Configuration |
PE041 | Duplicate version info string keys | CRITICAL | Format |
PE042 | Required StringFileInfo string is absent | WARNING | Configuration |
PE043 | Required StringFileInfo string is empty | WARNING | Configuration |
PE044 | Fixed product version info mismatch across executables | WARNING | Configuration |
PE045 | Version info translations mismatch across executables | WARNING | Configuration |
PE046 | Version info string mismatch across executables | WARNING | Configuration |
PE047 | Security directory format error | ERROR | Format |
PE048 | Authenticode signature format error | ERROR | Format |
PE049 | Version info StringFileInfo lacks PrivateBuild string | WARNING | Configuration |
PE050 | Version info StringFileInfo lacks SpecialBuild string | WARNING | Configuration |
PE051 | Version info StringFileInfo has PrivateBuild string | WARNING | Configuration |
PE052 | Version info StringFileInfo has SpecialBuild string | WARNING | Configuration |
PE053 | Version info fixed file version does not match StringFileInfo file version | WARNING | Configuration |
PE054 | Version info fixed product version does not match StringFileInfo product version | WARNING | Configuration |
PE055 | Profile-guided optimization is not finalized | WARNING | Optimization |
PE056 | Dynamic base is disabled | ERROR | Security |
PE057 | High entropy ASLR compatibility disabled | WARNING | Security |
PE058 | RF guard is enabled | INFO | Security |
PE059 | CF guard is enabled, but delay load IAT is not protected | WARNING | Security |
PE060 | Delay load IAT is protected by CF guard, but is not marked as being in the separate section | INFO | Security |
PE061 | Delay load IAT is protected by CF guard, but is not in the separate section | INFO | Security |
PE062 | XF guard is disabled | INFO | Security |
PE063 | CF guard is enabled, but dynamic base is disabled | ERROR | Security |
PE064 | EH guard is disabled | WARNING | Security |
PE065 | The file is marked as a debug version | WARNING | Configuration |
PE066 | Version info StringFileInfo version string does not have standard format | INFO | Configuration |
PE067 | Version info StringFileInfo version string has suffix | INFO | Configuration |
PE068 | Version info string presence mismatch across StringFileInfo blocks | WARNING | Configuration |
PE069 | Version info string mismatch across StringFileInfo blocks | WARNING | Configuration |
PE070 | Duplicate version info string languages | CRITICAL | Format |
PE071 | Invalid version info string languages | CRITICAL | Format |
PE072 | Invalid version info block format | CRITICAL | Format |
PE073 | Application icon is absent | INFO | Configuration |
PE074 | Application icon height and width are different | ERROR | Configuration |
PE075 | Application icon group contains identical icons | ERROR | Configuration |
PE076 | Application icon does not have all recommended sizes | WARNING | Configuration |
PE077 | High resolution application icon has low bit count | WARNING | Configuration |
PE078 | Application icon is multilingual | WARNING | Configuration |
PE079 | Application icon format error | CRITICAL | Format |
PE080 | CET stack protection is not enabled | WARNING | Security |
PE081 | Potentially insecure WinAPI import | WARNING | Security |
PE082 | Deprecated WinAPI import | WARNING | System |
PE083 | Insecure WinAPI import | ERROR | Security |
PE084 | Internal WinAPI import | ERROR | System |
PE085 | Potentially insecure WinAPI delay import | WARNING | Security |
PE086 | Deprecated WinAPI delay import | WARNING | System |
PE087 | Insecure WinAPI delay import | ERROR | Security |
PE088 | Internal WinAPI delay import | ERROR | System |
PE089 | XBox-only WinAPI import | ERROR | System |
PE090 | XBox-only WinAPI delay import | ERROR | System |
PE091 | ANSI WinAPI import | WARNING | System |
PE092 | ANSI WinAPI delay import | WARNING | System |
PE093 | Executable export directory | ERROR | Security |
PE094 | Writable export directory | WARNING | Security |
PE095 | Executable import directory | ERROR | Security |
PE096 | Writable import directory | WARNING | Security |
PE097 | Executable exceptions directory | ERROR | Security |
PE098 | Writable exceptions directory | WARNING | Security |
PE099 | Executable is not terminal server aware | INFO | Configuration |
PE100 | Incorrect version info file type | WARNING | Configuration |
PE101 | Executable relocation directory | ERROR | Security |
PE102 | Writable relocation directory | WARNING | Security |
PE103 | Executable debug directory | ERROR | Security |
PE104 | Writable debug directory | WARNING | Security |
PE105 | Executable TLS directory | ERROR | Security |
PE106 | Writable TLS directory | WARNING | Security |
PE107 | Executable load configuration directory | ERROR | Security |
PE108 | Writable load configuration directory | WARNING | Security |
PE109 | Executable bound import directory | ERROR | Security |
PE110 | Writable bound import directory | WARNING | Security |
PE111 | Executable delay import directory | ERROR | Security |
PE112 | Writable delay import directory | WARNING | Security |
PE113 | Executable IAT directory | ERROR | Security |
PE114 | Writable entry point | ERROR | Security |
PE115 | Absent checksum | WARNING | Security |
PE116 | Incorrect checksum | CRITICAL | Security |
PE117 | Writable .rdata section | WARNING | Security |
PE118 | Executable .rdata section | ERROR | Security |
PE119 | Potentially preview toolchain version used | INFO | Security |
PE120 | Preview toolchain version used | WARNING | Security |
PE121 | Too old toolchain version used | WARNING | Security |
PE122 | Version info StringFileInfo is likely default | ERROR | Configuration |
PE123 | EH Guard continuation table not readonly | ERROR | Security |
PE124 | CF Guard function table not readonly | ERROR | Security |
PE125 | CF Guard address taken IAT entry table not readonly | ERROR | Security |
PE126 | CF Guard long jump target table not readonly | ERROR | Security |
PE127 | Retpoline guard is not enabled | INFO | Security |
PE128 | Manifest does not exist | ERROR | Configuration |
PE129 | Manifest exists, but the image is marked non-isolated | ERROR | System |
PE130 | Both embedded and external manifests exist | WARNING | Configuration |
PE131 | UAC virtualization is enabled | INFO | System |
PE132 | Latest Windows version is not supported | WARNING | System |
PE133 | Manifest has gaps in supported OS list | WARNING | System |
PE134 | Segment Heap is not used | INFO | Optimization |
PE135 | Executable is not long path aware | INFO | System |
PE136 | Unknown heap type is used | INFO | Optimization |
PE137 | Supported OS list is absent | WARNING | System |
PE138 | Printer driver isolation is not specified | INFO | System |
PE139 | Auto-elevate option is specified | INFO | System |
PE140 | Unable to load image | CRITICAL | Format |
PE141 | Image loaded with warnings | WARNING | Format |
PE142 | Executable is not DPI aware | INFO | System |
PE143 | Executable is not DPI aware, but scales GDI | INFO | System |
PE144 | Executable is not PerMonitorV2 DPI aware | INFO | System |
PE145 | Manifest load error | ERROR | Format |
PE146 | Manifest format error | ERROR | Format |
PE147 | Process heap is always executable | ERROR | Security |
PE148 | Global flags overridden | WARNING | Security |
PE149 | Unsupported Application manifest element | WARNING | Format |
PE150 | Unsupported Assembly manifest element | WARNING | Format |
PE151 | .NET header format error | ERROR | Format |
PE152 | Debug directory format error | ERROR | Format |
PE153 | Import directory format error | ERROR | Format |
PE154 | Delay import directory format error | ERROR | Format |
PE155 | Export directory format error | ERROR | Format |
PE156 | Load configuration directory format error | ERROR | Format |
PE157 | Load configuration structure size does not match specific version | INFO | Format |
PE158 | Resource directory format error | ERROR | Format |
PE159 | Resource directory has loops | WARNING | Format |
PE160 | Executable with UI access is not signed | ERROR | System |
PE161 | /sdl switch is not always used | WARNING | Security |
PE162 | Pre-C++11 object files are used | WARNING | Security |
PE163 | Manifest assembly version does not match file/product version | WARNING | Configuration |
PE164 | Version info OriginalFileName does not match executable file name | INFO | Configuration |
PE165 | Incorrect Authenticode image hash value | CRITICAL | Security |
PE166 | Authenticode certificate store format warning | WARNING | Format |
PE167 | Incorrect Authenticode image page hashes | CRITICAL | Security |
PE168 | Absent Authenticode image page hashes | WARNING | Optimization |
PE169 | Authenticode image page hashes check error | CRITICAL | Format |
PE170 | Incorrect Authenticode message digest | CRITICAL | Security |
PE171 | Weak Authenticode image hash algorithm | ERROR | Security |
PE172 | Unable to check Authenticode image signature | CRITICAL | Security |
PE173 | Weak Authenticode signature RSA key size | ERROR | Security |
PE174 | Weak Authenticode signature ECDSA curve | ERROR | Security |
PE175 | Incorrect Authenticode image signature | CRITICAL | Security |
PE176 | Absent Authenticode timestamp counter-signature | WARNING | Security |
PE177 | Incorrect Authenticode timestamp counter-signature digest | CRITICAL | Security |
PE178 | Weak Authenticode timestamp counter-signature digest algorithm | ERROR | Security |
PE179 | Weak Authenticode timestamp counter-signature imprint digest algorithm | ERROR | Security |
PE180 | Incorrect Authenticode timestamp counter-signature | CRITICAL | Security |
PE181 | Absent Authenticode timestamp counter-signature signing time | CRITICAL | Security |
PE182 | Authenticode signature check error | CRITICAL | Format |
PE183 | Imported DLL name and the actual DLL file name have different case | WARNING | Configuration |
PE184 | Authenticode test signature | WARNING | Security |
PE185 | Authenticode signing certificate empty subject DN | ERROR | Format |
PE186 | Authenticode signing certificate subject DN missing attributes | INFO | Format |
PE187 | Authenticode signing certificate subject DN invalid attributes | CRITICAL | Format |
PE188 | Delay-imported DLL name and the actual DLL file name have different case | WARNING | Configuration |
PE189 | Signed executable imports unsigned DLL | ERROR | Security |
PE190 | Signed executable delay-imports unsigned DLL | ERROR | Security |