MS SysInternals SysMon. Malware blocking.
<blockquote data-quote="Victor M" data-source="post: 1048141" data-attributes="member: 96560"><p>Sysmon is a free malware monitoring tool by MS SysInternals: <a href="https://download.sysinternals.com/files/Sysmon.zip" target="_blank">https://download.sysinternals.com/files/Sysmon.zip</a>. It reveals things like executable file creation, browser-created downloads (drive-by downloads, I presume) and named pipe creation. The executable file creation detection is a new feature of version 15.</p><p></p><p>For non-malware analysts, our focus is on stopping malware, not just detecting it. For that, there is a trapped event named FileBlockExecutable. Sysmon logs this in Event Viewer and blocks executable file creation. That will stop hackers from installing their tools.</p><p></p><p>The rules are written in XML format and installed from the command line. Sysmon installs with the command "sysmon64 -i <rules file>", and the command "sysmon64 -c <rules file>" changes the rules. Using "-c" without any rules file displays the configured rules.</p><p></p><p>The command "sysmon64 -c --" empties the rules. We have to use this command before we do Windows Update, or else the updates will never install properly. You also have to use it before downloading any installer.exe and running any installer.</p><p></p><p>Remember that FileBlockExecutable will block any exe file creation. On my old laptop, I noticed that it blocks "mscorsvw.exe" from creating some exe's and dll's (not during Windows Update). Googling reveals that it is part of the ".NET Framework Optimization Service". The name 'optimization' suggests to me that Windows will still run without it functioning. So it's up to you whether you deploy this or not. It is suggested that you test and monitor Event Viewer for a while.</p><p></p><p>Here is the rules file containing just the rule for executable file creation blocking:</p><p></p>
<pre><code><Sysmon schemaversion="4.90">
  <!-- Capture all hashes -->
  <HashAlgorithms>MD5,SHA256</HashAlgorithms>
  <EventFiltering>
    <!-- Block executable file creations (logged as Sysmon Event ID 27).
         "begin with C:" matches every path on the system drive, so any
         executable image written there is blocked, whoever writes it. -->
    <FileBlockExecutable onmatch="include">
      <TargetFilename condition="begin with">C:</TargetFilename>
    </FileBlockExecutable>
  </EventFiltering>
</Sysmon>
</code></pre>
<p></p><p>Here is the page containing all the tags and event IDs you can trap for: <a href="https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-filtering-entries" target="_blank">Sysmon - Sysinternals</a></p><p></p><p>The Event Viewer path is "Application and Services Logs > Microsoft > Windows > Sysmon > Operational".</p></blockquote><p></p>
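The post ends by recommending that you watch Event Viewer for a while before trusting the block rule. Clicking through the Sysmon Operational log event by event is slow, so here is an added PowerShell triage script (written for this page, not part of Victor M's post or of Sysmon itself) that pulls the FileBlockExecutable events (Sysmon Event ID 27) and the detect-only FileExecutableDetected events (Event ID 29, the version 15 feature mentioned above) from the last N hours and groups them by the process that tried to write the file. It assumes Sysmon 14 or later is installed with a config similar to the one above, that you run it from an elevated prompt, and that the EventData field names (Image, User, TargetFilename, Hashes) are those Sysmon documents for these events; the default window of 24 hours is an arbitrary choice.

```powershell
# Added example (not from the original post or from Sysinternals): summarise which
# processes Sysmon's FileBlockExecutable rule has blocked, so you can decide whether
# to keep the rule as-is, reset the config before Windows Update, or tune it.
# Assumes Sysmon 14+ (Event ID 27 = FileBlockExecutable; Event ID 29 =
# FileExecutableDetected, added in v15). Run from an elevated PowerShell prompt.
param(
    [int]$Hours = 24,              # assumption: look back one day by default
    [int[]]$EventId = @(27, 29)    # 27 = blocked, 29 = detected but not blocked
)

$log   = 'Microsoft-Windows-Sysmon/Operational'   # same log as the Event Viewer path in the post
$since = (Get-Date).AddHours(-$Hours)

try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $log
        Id        = $EventId
        StartTime = $since
    } -ErrorAction Stop
} catch {
    # Get-WinEvent errors both when the log does not exist (Sysmon not installed)
    # and when no events match the filter; either way there is nothing to triage.
    Write-Warning "No matching Sysmon events, or log '$log' not found: $($_.Exception.Message)"
    return
}

# Flatten each event's EventData <Data Name="..."> elements into one object per event.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        EventId        = $e.Id
        Action         = if ($e.Id -eq 27) { 'BLOCKED' } else { 'DETECTED' }
        Image          = $data['Image']           # process that tried to write the file
        User           = $data['User']
        TargetFilename = $data['TargetFilename']  # the executable that was (not) created
        Hashes         = $data['Hashes']
    }
}

# One line per writing process: how often it hit the rule and a few example targets.
# A legitimate but noisy writer (the post's mscorsvw.exe case) shows up here with a
# high count and targets under its own install directory; an unexpected writer
# dropping into %TEMP% or a user profile is what the rule exists to stop.
$rows | Group-Object Image | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Image    = $_.Name
        Blocked  = @($_.Group | Where-Object EventId -eq 27).Count
        Detected = @($_.Group | Where-Object EventId -eq 29).Count
        Targets  = ($_.Group.TargetFilename | Select-Object -Unique -First 3) -join '; '
    }
} | Format-Table -AutoSize -Wrap

# Full detail, newest first, for anything that needs a closer look.
$rows | Sort-Object Time -Descending |
    Format-List Time, Action, Image, User, TargetFilename, Hashes
```

Save it as, say, Get-SysmonBlocks.ps1 and run `.\Get-SysmonBlocks.ps1 -Hours 72` after a few days of normal use. The per-image summary tells you which processes are actually being stopped; if the only entries are known components such as the .NET optimization service writing into its own directories, the blanket rule is costing you little, whereas blocks from browsers, archivers, or Office processes writing into temp folders are exactly the behaviour the rule is there for. Remember that while the rule is active the installers the post mentions will also appear here as blocked, which is the reason it tells you to run `sysmon64 -c --` before updating or installing software.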