security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #2460 from phantinuss/master

Browse Source 
fix: FP in Aviar installer
This commit is contained in:
Florian Roth
2021-12-17 19:55:02 +01:00
committed by GitHub
parent 859816695a 4cdb23598f
commit 45253c6253
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/process_creation_susp_non_exe_image.yml
+3 -1
View File
@@ -17,8 +17,10 @@ detection:
Image|endswith: '.exe'
filter_null:
Image: null
filter_msi:
filter_starts:
Image|startswith: 'C:\Windows\Installer\MSI'
filter_pstarts:
ParentImage|startswith: 'C:\ProgramData\Avira\'
filter_avira:
Image|startswith: 'C:\Windows\Temp\'
Image|endswith: '\avira_speedup_setup_update.tmp'