Closed hz-kelpie closed 2 years ago
"advised to run it along with MS Defender"
Hey @hz-kelpie,
When I say "it is advised to run with MS Defender", I mean that you can use it to alert whenever MS Defender detects a threat. Indeed WHIDS does not embed any binary analysis/scanning engine and you can use Microsoft Defender (which is pretty good) for that purpose.
When a threat is detected, MS Defender generates some ETW events in provider "Microsoft-Windows-Windows Defender". There is no special code needed for this; the only thing you need is to have the "Microsoft-Windows-Windows Defender" provider configured in the WHIDS configuration file (which is the default, so you should not have anything to do). The other thing you need is a rule to raise an alert on MS Defender events, which is provided by the open-source rules in this directory https://github.com/0xrawsec/gene-rules/tree/master/rules/defender.
Hope you manage to make it run as you want !
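A quick way to check the two prerequisites above on a host, as an added example that is not part of the WHIDS project or of this thread: confirm that the "Microsoft-Windows-Windows Defender" ETW provider is registered, look at the detection events it emits (Defender's Operational channel logs a threat detection as event ID 1116 and the remediation action as 1117), and optionally trigger a benign detection with the EICAR test string so that a WHIDS rule has something to fire on. It assumes a stock Defender install with real-time protection enabled and the default Operational log; the `$env:TEMP\eicar.com` path is just a convenient location.

```powershell
# Added example, not WHIDS project code. Run in an elevated PowerShell session.
# Assumes default Microsoft Defender logging and real-time protection enabled.

$provider = 'Microsoft-Windows-Windows Defender'

# 1. Is the ETW provider WHIDS subscribes to registered on this host?
$meta = Get-WinEvent -ListProvider $provider -ErrorAction Stop
"Provider '{0}' registered, GUID {1}" -f $meta.Name, $meta.Id

# 2. Show the most recent detection (1116) and action-taken (1117) events,
#    dumping every EventData field by name so the values a rule could
#    match on (threat name, path, process, user, ...) are visible.
$filter = @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        "--- {0}  EventID={1}" -f $_.TimeCreated, $_.Id
        $xml.Event.EventData.Data |
            ForEach-Object { "    {0} = {1}" -f $_.Name, $_.'#text' }
    }

# 3. Optional: generate a harmless detection with the EICAR test file.
#    Real-time protection should quarantine it within seconds and emit
#    a new 1116/1117 pair, which is what the gene defender rules alert on.
#    Single quotes keep the '$' characters literal.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$path  = Join-Path $env:TEMP 'eicar.com'   # assumed scratch location
Set-Content -Path $path -Value $eicar -Encoding ASCII
Start-Sleep -Seconds 10
if (Test-Path $path) {
    "EICAR file still present: real-time protection may be off or excluding $env:TEMP"
} else {
    "EICAR file removed by Defender; re-run step 2 to see the new events"
}
```

If step 1 throws, the provider is not registered and WHIDS has nothing to subscribe to; if step 3 leaves the file in place, check `Get-MpPreference` for exclusions or a disabled real-time monitor before suspecting the WHIDS configuration.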
Thanks for your patience!
I can't find any code for MS Defender, but I want to use whids with MS Defender.