
Notification of firewall rule-protection alerts


I ran FRST.exe today and noticed that EAM pops up an alert when FRST is reading (at least I hope that's all it was doing) the defined WF firewall rules. 

I'm wondering if the API, that apps like FRST use, allows them to distinguish between reading a set of rules, and actually attempting to modify them. The alert describes what FRST was doing as an attempted modification. Maybe FRST hasn't been coded appropriately? Or does the API only allow full access?

Also the alert itself said: Behavior Blocker detected suspicious behavior "FirewallModification" of "C:\Users\userid\Desktop\FRST64.exe". To my mind it would be better if that said ... /by/ program, because FRST was the program attempting to make the modification, not the thing that might have been modified.

On 10/2/2017 at 11:32 AM, JeremyNicoll said:

Also the alert itself said: Behavior Blocker detected suspicious behavior "FirewallModification" of "C:\Users\userid\Desktop\FRST64.exe". To my mind it would be better if that said ... /by/ program, because FRST was the program attempting to make the modification, not the thing that might have been modified.

Are you referring to this notification, or do you have EAM configured to show alerts rather than take automatic action?

[image: Firewall_Rule_Modification_Notification.png]


Not that pane, and yes - I do show alerts. But, ahem, I just retried it and the alert text isn't as I reported. Hmm.

However, I remember that I wrote these questions after the event, and maybe I did that based on the log texts? Yes... In the Forensic log the entry for the alert reads:

17/10/2017 10:09:02
Behavior Blocker detected suspicious behavior "FirewallModification" of "C:\Users\XXXXXXXXXXXX\Desktop\FRST64.exe"

 

