Neo23x0 / Raccine

A Simple Ransomware Vaccine
The Unlicense

allowlist should use the full file path of allowed EXEs (instead of just EXE name) #4

Closed 247arjun closed 3 years ago

247arjun commented 3 years ago

With the current implementation, any malware named wininit.exe or winlogon.exe (at the time of opening this issue, these were the only 2 entries in the allow list) will result in BOOL isallowlisted returning True.

It will be more prudent to match the entire file path of these EXEs instead.

Documentation suggests a way to get the full file path - https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/ns-tlhelp32-processentry32
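An added example (not Raccine's own code) contrasting the name-only check the issue describes with the full-path match it proposes. The allowlist contents, the System32 locations and the function names are assumptions; on Windows the path is taken from the process image via QueryFullProcessImageNameA, because the PROCESSENTRY32 szExeFile field carries only the file name.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>
// Constructed allowlist of full paths (assumption; not Raccine's real list).
static const std::vector<std::string> kAllowedPaths = {
    "C:\\Windows\\System32\\wininit.exe",
    "C:\\Windows\\System32\\winlogon.exe",
};
// Windows paths are case-insensitive and accept '/', so lowercase and
// unify separators before comparing.
static std::string normalizePath(std::string p) {
    std::transform(p.begin(), p.end(), p.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    std::replace(p.begin(), p.end(), '/', '\\');
    return p;
}
// Everything after the last separator of the normalized path.
static std::string baseName(const std::string& p) {
    std::string n = normalizePath(p);
    size_t pos = n.find_last_of('\\');
    return pos == std::string::npos ? n : n.substr(pos + 1);
}
// Name-only check from the issue: any binary named wininit.exe passes, wherever it lives.
bool isAllowlistedByName(const std::string& fullPath) {
    for (const auto& allowed : kAllowedPaths)
        if (baseName(allowed) == baseName(fullPath)) return true;
    return false;
}
// Full-path check proposed in the issue: the whole normalized path must match.
bool isAllowlistedByPath(const std::string& fullPath) {
    for (const auto& allowed : kAllowedPaths)
        if (normalizePath(allowed) == normalizePath(fullPath)) return true;
    return false;
}
#ifdef _WIN32
#include <windows.h>
// szExeFile holds only the file name; ask the process for its image path instead.
static std::string fullImagePath(DWORD pid) {
    HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (!h) return std::string();
    char buf[MAX_PATH * 2];
    DWORD len = sizeof(buf);
    BOOL ok = QueryFullProcessImageNameA(h, 0, buf, &len);
    CloseHandle(h);
    return ok ? std::string(buf, len) : std::string();
}
#endif
```

Feed the path returned by fullImagePath (not the process command line, which the launcher controls) into isAllowlistedByPath.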