Hey Endpoint Security vendors - does anyone compare against known good file names and hashes? E.g. FALLCHILL comes in named REGSVR32.EXE, but it: 1. Doesn't match any known good hash for REGSVR32.EXE 2. isn't digitally signed 3. isn't in the right directory
Replying to @sawaba
We do quite a bit of heuristics related to 2. and 3. Not sure how much we do about 1. because you’d be surprised by the amount of unique builds of simple EXEs that Microsoft can churn out, so the risk of FPs would likely be too high ...
3 replies 1 retweet 2 likes
Replying to @lehtior2
Well, but in this case, any given install of Windows should only have one or two (at most) versions of REGSVR32.EXE, and we should be able to baseline that it's safe, right?
1 reply 1 retweet 2 likes
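The per-host baseline suggested above, as an added example (not code from anyone in the thread): it takes the copies of a named Windows binary in the directories where a stock install keeps it, accepts them as the baseline only if their Authenticode signature verifies, then checks every running process with that image name against the three criteria from the opening tweet: hash in the baseline, signature valid, image in an expected directory. The image name, the two expected directories and the SHA-256 choice are assumptions for illustration; the cmdlets (Get-AuthenticodeSignature, Get-FileHash, Get-CimInstance) are standard Windows PowerShell.

```powershell
# Added example, not from the thread. Baseline the legitimate copies of a Windows
# binary on this host, then flag running processes with the same image name that
# fail any of: known-good hash, valid Authenticode signature, expected directory.
param(
    [string]$ImageName = 'regsvr32.exe'   # assumed target; any system binary works
)

# Where the genuine binary lives on a stock install (assumption for this example).
$expectedDirs = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64"
)

# 1. Build the known-good hash set from the copies in the expected directories.
#    Only a validly signed copy is trusted as baseline, so a tampered System32
#    copy cannot "baseline itself" into the allow-list.
$baseline = @{}
foreach ($dir in $expectedDirs) {
    $path = Join-Path $dir $ImageName
    if (-not (Test-Path $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Baseline copy $path is not validly signed ($($sig.Status)); not trusting it."
        continue
    }
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $baseline[$hash] = $path
}
if ($baseline.Count -eq 0) { throw "No validly signed baseline copy of $ImageName found." }

# 2. Check every running process that uses this image name.
Get-CimInstance Win32_Process -Filter "Name = '$ImageName'" | ForEach-Object {
    $exe = $_.ExecutablePath
    if (-not $exe) { return }   # path not readable (e.g. protected process); nothing to check

    $findings = @()

    # Criterion 3: is the image in a directory where the real binary belongs?
    $dir = Split-Path -Path $exe -Parent
    if ($expectedDirs -notcontains $dir) { $findings += "unexpected directory: $dir" }

    # Criterion 1: does the hash match a known-good copy from this host?
    $hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
    if (-not $baseline.ContainsKey($hash)) { $findings += "hash $hash not in baseline" }

    # Criterion 2: does the Authenticode signature verify?
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') { $findings += "signature status: $($sig.Status)" }

    [pscustomobject]@{
        Pid      = $_.ProcessId
        Path     = $exe
        Verdict  = if ($findings.Count -gt 0) { 'SUSPECT' } else { 'OK' }
        Findings = ($findings -join '; ')
    }
}
```

Two caveats a practitioner would want. First, this only catches a masquerading binary; a genuine, signed, in-place regsvr32.exe abused by its command line (loading a remote scriptlet, for instance) passes all three checks, so command-line and parent-process telemetry still matter. Second, the baseline is scoped to one host, which sidesteps the "every Patch Tuesday changes the hashes" problem at the cost of having to rebuild it after updates; the signature requirement on the baseline copies is what keeps that rebuild from blessing a replaced file.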
Known good hashes are a hard problem. Every Patch Tuesday replaces hundreds of exes and dlls, changing their hashes. Very few outside Microsoft have a repository of all exes and dlls to make this kind of dataset.
5 replies 6 retweets 16 likes
Microsoft needs to make that dataset public. Failure to do so means their platform is a virus-infested joke.