there are several actions connected with svchost.exe and some would be blocked by the acces protections rule. One of them is in the picture below but the question is: How can I allow specific processparts startet with svchost without allowing everything for "svchost.exe". You may correct me if I get this wrong but allowing everything for svchost.exe could lead to an undedected infection or could be "misused"? This is more a question than a conclusion.
We are testing the whole bunch of rules in Access Protection and are going to start over with a more complex set after testing period is done.
Thanks in advance
Another example of a harmless but "would be blocked if active" action:
So far no one have a clue? Would this be worth a try for a product enhancement request? Or at last is it just me who would like to set "a handful of normal operations" on ignore to have more time investigating the "unknown" ones?
Good Idea, but how do you envision implementing this?
SvcHost.exe is a Generic run of other .dll software as a process. (And Unknown is 'Unknown' and could be dangerous.)
Well known SvcHost runs are already included in the defaults. I suppose it depends on what is calling upon SvcHost to run a .dll. This is what needs to be blocked or accepted. It is based not on SvcHost, but on the behavior of what is calling SvcHost.
Another approach that might be more helpful, would be to split up the protection into High/Low/Default-Risk Processes. This allows you to configure known safe processes that you deem safe to make these calls (placed in the Low-Risk category), but block things like Internet Explorer (placed in the High-Risk category) making these calls.
Of course this too requires a great deal of testing in your environment.
I hope this is helpful.
I have a similar question.
The access protection rules monitor this specific process "svchost" and I get the *all* events related to this process, however in the process of tweaking to avoid the database of filling up with non-threat events, how can I create a rule to monitor the process / specific process behavior?
The threat target file path is \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters ? and "kerberos\parameter".
Is there a way to log only events that envolve this process but are a threat?
Thank you so much for your attention.
my understanding with Access Protectios is that this protection is useful because it does not depend on signatures. This means that it will protect in the case of unknown threats as well as known ones but for legitim actions to happen we need to tweak the rules that we enable until normal operation ensues. We can also disable certain rules deciding not to monitor that particular action.
There is currently no middle way or fuzzy logic so we block certain processes "when and if" only.