
Notification of firewall rule-protection alerts


I ran FRST.exe today and noticed that EAM pops up an alert when FRST is reading (at least I hope that's all it was doing) the defined WF firewall rules.

I'm wondering if the API that apps like FRST use allows them to distinguish between reading a set of rules and actually attempting to modify them. The alert describes what FRST was doing as an attempted modification. Maybe FRST hasn't been coded appropriately? Or does the API only allow full access?

Also, the alert itself said: "Behavior Blocker detected suspicious behavior "FirewallModification" of "C:\Users\userid\Desktop\FRST64.exe"". To my mind it would be better if that said ... /by/ program, because FRST was the program attempting to make the modification, not the thing that might have been modified.

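The post asks whether the Windows Firewall API lets a tool read rules without looking like it is modifying them. The script below is an added example for this thread, not code from FRST or from Emsisoft, and the page does not say which path FRST itself takes. It shows two read-only ways to enumerate rules (the registry rule store, and enumeration through the INetFwPolicy2 COM object) next to the calls that actually change policy (INetFwRules.Add/Remove). The rule name and application path used on the write path are hypothetical, and that path only runs when you pass -Modify from an elevated prompt.

```powershell
<#
  Added example (not from the forum post, FRST or Emsisoft): contrast the
  read-only ways a tool can enumerate Windows Firewall rules with the COM
  calls that actually change policy. The read paths work from a standard
  user prompt; the write path runs only with -Modify and needs elevation.
#>
[CmdletBinding()]
param([switch]$Modify)

# Read path A: the persisted rule store in the registry. This is plain
# registry I/O and does not call into the firewall policy interface at all.
$storeKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$store = Get-ItemProperty -Path $storeKey
Write-Host "== Registry rule store (first 5 entries) =="
$store.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |      # drop PSPath, PSChildName, ...
    Select-Object -First 5 |
    ForEach-Object { '{0} => {1}' -f $_.Name, $_.Value }

# Read path B: the COM policy object (ProgID HNetCfg.FwPolicy2, INetFwPolicy2).
# Enumerating .Rules only reads; the same object also exposes the write
# methods used further down, so both go through the same interface.
$policy = New-Object -ComObject HNetCfg.FwPolicy2
Write-Host "== Enabled inbound rules via INetFwPolicy2 (first 5) =="
$policy.Rules |
    Where-Object { $_.Enabled -and $_.Direction -eq 1 } |   # NET_FW_RULE_DIR_IN = 1
    Select-Object -Property Name, ApplicationName, Action -First 5 |
    Format-Table -AutoSize

if ($Modify) {
    # Write path: INetFwRules.Add and .Remove are the calls that change policy.
    # Rule name and application path are hypothetical; the rule is created
    # disabled and removed again immediately so the host is left unchanged.
    $rule = New-Object -ComObject HNetCfg.FwRule
    $rule.Name            = 'Demo rule (read-vs-write example)'
    $rule.ApplicationName = 'C:\Example\demo.exe'
    $rule.Direction       = 1        # NET_FW_RULE_DIR_IN
    $rule.Action          = 0        # NET_FW_ACTION_BLOCK
    $rule.Enabled         = $false
    $policy.Rules.Add($rule)
    Write-Host "Added rule '$($rule.Name)'; removing it again"
    $policy.Rules.Remove($rule.Name)
}
```

Run it once without arguments from a non-elevated prompt: both read paths succeed and nothing in policy changes. Run it again with -Modify from an elevated prompt to see the Add/Remove calls that are a genuine modification. Comparing what a behavior blocker reports for the two runs is the quickest way to check whether it is reacting to the interface being opened or to an actual write.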

On 10/2/2017 at 11:32 AM, JeremyNicoll said:

Also, the alert itself said: "Behavior Blocker detected suspicious behavior "FirewallModification" of "C:\Users\userid\Desktop\FRST64.exe"". To my mind it would be better if that said ... /by/ program, because FRST was the program attempting to make the modification, not the thing that might have been modified.

Are you referring to this notification, or do you have EAM configured to show alerts rather than take automatic action?

[attached image: Firewall_Rule_Modification_Notification.png]


Not that pane, and yes, I do show alerts. But, ahem, I just retried it and the alert text isn't as I reported. Hmm.

However, I remember that I wrote these questions after the event, and maybe I did that based on the log texts? Yes... In the Forensic log the entry for the alert reads:

17/10/2017 10:09:02
Behavior Blocker detected suspicious behavior "FirewallModification" of "C:\Users\XXXXXXXXXXXX\Desktop\FRST64.exe"
