From efae210556d1ed6f9b2efa5390c26f8550730e60 Mon Sep 17 00:00:00 2001 From: GelosSnake Date: Wed, 8 Jul 2020 16:44:41 +0300 Subject: [PATCH 1/2] adding google chrome to FP list legitimate errors generated by Google Chrome are reported often. Official google standpoint on this: https://support.google.com/chrome/a/thread/15440066?hl=en --- rules/windows/builtin/win_user_driver_loaded.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml index 9d3ae187f..804564c70 100644 --- a/rules/windows/builtin/win_user_driver_loaded.yml +++ b/rules/windows/builtin/win_user_driver_loaded.yml @@ -32,6 +32,7 @@ detection: - '*\procexp.exe' - '*\procmon64.exe' - '*\procmon.exe' + - '*\Google\Chrome\Application\chrome.exe condition: selection_1 and not selection_2 falsepositives: - Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers. From e3734aaa275d25b254bd1a45361c43dde36a9344 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 8 Jul 2020 15:53:04 +0200 Subject: [PATCH 2/2] fix: missing upper tick --- rules/windows/builtin/win_user_driver_loaded.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml index 804564c70..c64a039a5 100644 --- a/rules/windows/builtin/win_user_driver_loaded.yml +++ b/rules/windows/builtin/win_user_driver_loaded.yml 
@@ -32,7 +32,7 @@ detection: - '*\procexp.exe' - '*\procmon64.exe' - '*\procmon.exe' - - '*\Google\Chrome\Application\chrome.exe + - '*\Google\Chrome\Application\chrome.exe' condition: selection_1 and not selection_2 falsepositives: - Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.
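Review bot: In the first hunk (PATCH 1/2) the added line `+ - '*\Google\Chrome\Application\chrome.exe` is missing its closing single quote, so the rule file is no longer valid YAML and every consumer of this rule would fail to load it until the follow-up commit; a one-line change like this should be checked with a YAML parser before it is pushed. Two further points for the same hunk: the wildcard prefix `*\` makes the exclusion match any path ending in `\Google\Chrome\Application\chrome.exe`, including user-writable locations, so consider anchoring it to the expected install directories rather than any parent path; and the rationale from the commit message (legitimate Chrome driver-load errors, with the support.google.com thread) belongs in the `falsepositives:` list beside the existing entry so that analysts tuning the rule can see why Chrome is excluded.

Review bot: In the second hunk (PATCH 2/2) the correction `+ - '*\Google\Chrome\Application\chrome.exe'` is right and restores a parseable file; since the hunk already touches this region, the unchanged context line `- Other legimate tools loading drivers.` could have its spelling fixed to "legitimate" in the same change.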