What would mitigate the situation whereby a malicious process attempts to spoof or mimic another process?
So, for example, you have added vmms.exe as a low-risk process and have added it to the relevant OAS low-risk processes policy with no exclusions defined; in other words, that process has free rein over any activity.
Then, subsequently, a malicious process pretends to be vmms.exe and attempts to wreak havoc?
How far would such a process likely get and what can be done to mitigate against this, assuming we have VSE only, no HIPS or ENS?
FYI, the following VSE AP rules are all disabled in the customer's environment:
Prevent common programs from running files from the Temp folder
Prevent svchost executing non-Windows executables
Prevent programs registering to autorun
Prevent Windows Process spoofing (Anti-virus Standard Protection: Prevent Windows Process spoofing)
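As an added example (not part of the original post, and not McAfee code), one way to check whether a process carrying the low-risk name is the genuine binary rather than an impostor is to verify its image path and Authenticode signature instead of trusting the name. The expected path (%SystemRoot%\System32\vmms.exe) and signer ("Microsoft Windows") are assumptions for the Hyper-V management service; adjust them for whatever process is on the low-risk list. Run it elevated so that the image path of service processes is readable.

```powershell
# Added example: verify a running process by image path and signature, not by name.
# Assumptions (not from the original post): the legitimate vmms.exe lives in
# $env:SystemRoot\System32 and is signed by "Microsoft Windows". Run elevated.

function Test-ProcessIdentity {
    param(
        [string]$Name = 'vmms',
        [string]$ExpectedPath = (Join-Path $env:SystemRoot 'System32\vmms.exe'),
        [string]$ExpectedPublisher = 'Microsoft Windows'
    )

    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $imagePath = $p.Path
        $pathOk    = $false
        $sigOk     = $false
        $status    = 'NoPath'   # Path is null when not elevated or for protected processes

        if ($imagePath) {
            # A spoofed vmms.exe dropped in %TEMP% or a user profile fails this check.
            $pathOk = ($imagePath -ieq $ExpectedPath)

            # Catalog-signed system binaries still report Valid on Windows 8+/PowerShell 4+.
            $sig    = Get-AuthenticodeSignature -FilePath $imagePath
            $status = $sig.Status
            $sigOk  = ($sig.Status -eq 'Valid' -and
                       $sig.SignerCertificate.Subject -like "CN=$ExpectedPublisher,*")
        }

        $verdict = if ($pathOk -and $sigOk) { 'Genuine' } else { 'SUSPECT' }

        [pscustomobject]@{
            PID             = $p.Id
            ImagePath       = $imagePath
            PathMatches     = $pathOk
            SignatureStatus = $status
            SignerOk        = $sigOk
            Verdict         = $verdict
        }
    }
}

# Usage: list every process named vmms and flag any whose path or signer is wrong.
Test-ProcessIdentity -Name 'vmms' | Format-Table -AutoSize
```

Anything that comes back SUSPECT is a process wearing the name without the pedigree, which is exactly the case a name-based low-risk exclusion would otherwise wave through. Note that this is a point-in-time check and does not stop the process; it only tells you whether the name is being borrowed.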