What would mitigate the situation whereby a malicious process attempts to spoof or mimic another process?
So for example, you have added vmms.exe as a low-risk process and have added it to the relevant OAS low-risk processes policy with no exclusions defined, in other words that process has free rein over any activity.
Then, subsequently a malicious process pretends to be vmms.exe and attempts to wreak havoc?
How far would such a process likely get and what can be done to mitigate against this, assuming we have VSE only, no HIPS or ENS?
FYI - the following VSE AP Rules are all disabled in the customer's environment:
Prevent common programs from running files from the Temp folder
Prevent svchost executing non-Windows executables
Prevent programs registering to autorun
Prevent Windows Process spoofing (Anti-virus Standard Protection: Prevent Windows Process spoofing)
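A compensating check for the concern in this post, added here as an example and not taken from the original poster or from McAfee: since the low-risk process entry matches on the file name, a defender can periodically verify that every running process carrying that name is the genuine binary. The script assumes the legitimate vmms.exe (Hyper-V Virtual Machine Management service) lives under System32 and carries a valid Microsoft Authenticode signature; both the path and the signer pattern are assumptions to adjust per environment.

```powershell
# Added example, not part of the original post. Flags running processes whose
# name matches a low-risk policy entry but whose image path or signature does
# not match what the trusted binary should look like.
# Assumed mapping of low-risk process name -> expected on-disk image path.
$expected = @{
    'vmms' = (Join-Path $env:SystemRoot 'System32\vmms.exe')
}

function Test-LowRiskProcess {
    param([string]$Name, [string]$ExpectedPath)
    Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $path = $proc.Path            # $null when the image path cannot be read
        $findings = @()

        if (-not $path) {
            $findings += 'image path not readable (run elevated to inspect)'
        } else {
            if ($path -ne $ExpectedPath) {
                $findings += "unexpected image path: $path"
            }
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $findings += "signature status: $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'CN=Microsoft') {
                # Assumed signer pattern; tighten to the exact subject if desired.
                $findings += "unexpected signer: $($sig.SignerCertificate.Subject)"
            }
        }

        [pscustomobject]@{
            Name       = $proc.ProcessName
            PID        = $proc.Id
            Path       = $path
            Suspicious = ($findings.Count -gt 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Report every process that claims one of the low-risk names.
$expected.GetEnumerator() | ForEach-Object {
    Test-LowRiskProcess -Name $_.Key -ExpectedPath $_.Value
} | Format-Table -AutoSize
```

Any row with Suspicious set to True is a process using the exempted name from the wrong location or without the expected signature, and is a candidate for the AP "Prevent Windows Process spoofing" rule or a tighter exclusion list rather than a blanket low-risk entry.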