With the current implementation, any malware named wininit.exe or winlogon.exe (at the time of opening this issue, these were the only 2 entries in the allow list) will cause BOOL isallowlisted to return True.
It will be more prudent to match the entire file path of these EXEs instead.
Documentation suggests a way to get the full file path - https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/ns-tlhelp32-processentry32
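As an added illustration (example code written for this issue, not the project's own implementation and not code from the issue author): the name-only check the issue describes, next to a check that compares the full path instead. The function names, the two allow lists and the sample paths are assumptions. On Windows the full path should come from the OS, e.g. QueryFullProcessImageNameW on a process handle, or MODULEENTRY32.szExePath from Module32First; PROCESSENTRY32.szExeFile itself holds only the executable name.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Example code added for this issue, not the project's implementation.
 * Function names, allow-list contents and sample paths are assumptions. */

/* Case-insensitive ASCII comparison: NTFS paths are case-insensitive, so
 * "c:\windows\system32\WININIT.EXE" must match the allow-listed entry. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    }
    return *a == '\0' && *b == '\0';
}

/* Last path component, accepting both '\\' and '/' as separators. */
static const char *basename_win(const char *path)
{
    const char *p = path, *last = path;
    for (; *p; p++)
        if (*p == '\\' || *p == '/')
            last = p + 1;
    return last;
}

/* The allow list as the issue describes it: two bare executable names. */
static const char *allow_by_name[] = { "wininit.exe", "winlogon.exe" };

/* Flawed check: compares only the executable name (what
 * PROCESSENTRY32.szExeFile provides). Any file called wininit.exe passes,
 * wherever it lives on disk. */
int is_allowlisted_by_name(const char *full_path)
{
    const char *name = basename_win(full_path);
    for (size_t i = 0; i < sizeof allow_by_name / sizeof *allow_by_name; i++)
        if (ieq(name, allow_by_name[i]))
            return 1;
    return 0;
}

/* Hardened check: the allow list holds full paths and the caller passes
 * the full image path of the running process as reported by the OS. */
static const char *allow_by_path[] = {
    "C:\\Windows\\System32\\wininit.exe",
    "C:\\Windows\\System32\\winlogon.exe",
};

int is_allowlisted_by_path(const char *full_path)
{
    for (size_t i = 0; i < sizeof allow_by_path / sizeof *allow_by_path; i++)
        if (ieq(full_path, allow_by_path[i]))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample paths: the genuine system binaries and look-alikes
     * dropped into user-writable directories. */
    const char *samples[] = {
        "C:\\Windows\\System32\\wininit.exe",
        "c:\\windows\\system32\\WINLOGON.EXE",
        "C:\\Users\\Public\\Downloads\\wininit.exe",
        "C:\\Temp\\winlogon.exe",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-45s name-only: %d  full-path: %d\n", samples[i],
               is_allowlisted_by_name(samples[i]),
               is_allowlisted_by_path(samples[i]));
    return 0;
}
```

The comparison is only as good as the string it is given: feed it the canonical path the OS returns for the process (QueryFullProcessImageNameW), not a path assembled from user-controlled input, so that 8.3 short names, forward slashes or relative components cannot produce a string that differs from the allow-listed entry while pointing at the same file, or matches it while pointing at a different one.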