JeremyNicoll

Notification of firewall rule-protection alerts


I ran FRST.exe today and noticed that EAM pops up an alert when FRST is reading (at least I hope that's all it was doing) the defined WF firewall rules.

I'm wondering if the API, that apps like FRST use, allows them to distinguish between reading a set of rules, and actually attempting to modify them. The alert describes what FRST was doing as an attempted modification. Maybe FRST hasn't been coded appropriately? Or does the API only allow full access?

Also the alert itself said: "Behavior Blocker detected suspicious behavior "FirewallModification" of "C:\Users\userid\Desktop\FRST64.exe". To my mind it would be better if that said ... /by/ program, because FRST was the program attempting to make the modification, not the thing that might have been modified.
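To illustrate the read-versus-modify distinction asked about above, here is an added PowerShell example (not from this thread, from Emsisoft, or from FRST) that uses the Windows Firewall COM interface, INetFwPolicy2 (ProgID HNetCfg.FwPolicy2): one function only enumerates the rule collection, the other calls Rules.Add, which is the call that actually changes the rule set. It assumes a 64-bit PowerShell session, and local administrator rights for the add step; whether a behavior blocker can tell the two apart is exactly the open question, so running the read-only function under EAM with alerts enabled is one way to check.

```powershell
# Added example: read-only enumeration versus modification of Windows Firewall rules
# through the INetFwPolicy2 COM interface (ProgID HNetCfg.FwPolicy2).

function Get-WfRuleSummary {
    # Read-only: walks the Rules collection and returns a summary of each rule.
    # No property is set and no Add/Remove is called, so the rule set is untouched.
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($rule in $policy.Rules) {
        [pscustomobject]@{
            Name      = $rule.Name
            Enabled   = $rule.Enabled
            Direction = if ($rule.Direction -eq 1) { 'In' } else { 'Out' }   # NET_FW_RULE_DIR_IN = 1
            Action    = if ($rule.Action -eq 1) { 'Allow' } else { 'Block' } # NET_FW_ACTION_ALLOW = 1
            App       = $rule.ApplicationName
        }
    }
}

function Add-WfBlockRule {
    # Modification: creates a new outbound block rule for one executable.
    # SupportsShouldProcess gives -WhatIf, so the write can be dry-run first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ProgramPath
    )
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $rule   = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = $Name
    $rule.ApplicationName = $ProgramPath
    $rule.Direction       = 2       # NET_FW_RULE_DIR_OUT
    $rule.Action          = 0       # NET_FW_ACTION_BLOCK
    $rule.Enabled         = $true
    if ($PSCmdlet.ShouldProcess($Name, 'Add firewall rule')) {
        $policy.Rules.Add($rule)    # the only call here that changes the rule set
    }
}

# Usage: the read path only (this is what a rule "reader" should be limited to).
Get-WfRuleSummary | Where-Object { $_.App } | Select-Object -First 10

# Usage: the write path, dry-run first. 'C:\Tools\example.exe' is a placeholder path.
Add-WfBlockRule -Name 'Example outbound block' -ProgramPath 'C:\Tools\example.exe' -WhatIf
```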

On 10/2/2017 at 11:32 AM, JeremyNicoll said:

Also the alert itself said: "Behavior Blocker detected suspicious behavior "FirewallModification" of "C:\Users\userid\Desktop\FRST64.exe". To my mind it would be better if that said ... /by/ program, because FRST was the program attempting to make the modification, not the thing that might have been modified.

Are you referring to this notification, or do you have EAM configured to show alerts rather than take automatic action?

[Image: Firewall_Rule_Modification_Notification.png]


Not that pane, and yes - I do show alerts. But, ahem, I just retried it and the alert text isn't as I reported. Hmm.

However, I remember that I wrote these questions after the event, and maybe I did that based on the log texts? Yes... In the Forensic log the entry for the alert reads:

17/10/2017 10:09:02
Behavior Blocker detected suspicious behavior "FirewallModification" of "C:\Users\XXXXXXXXXXXX\Desktop\FRST64.exe"

