Hi.
I noticed that every single analysis, even on an "empty sample" (like http://nonexistent-domain.local/) returns scores of about 5.6 in my setup. I started digging a bit into configuration as well as the test machinery and found that signatures/windows/volatility_sig.py contains three volatility_svcscan tests which check for specific service states. The problem is that the Shared Access service does not normally work if you have only one network interface. And even then it's a service which, as far as I remember, is not present in more modern Windows. The Application Layer Gateway service, on the other hand, is by default installed with manual start mode, so it's quite common that it's stopped and it's not an indicator of any malicious behaviour.
I've yet to verify the security center service check.
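As an added illustration of the false positive described above (example code, not Cuckoo's own signature implementation), the snippet below contrasts a naive "service is not running" check with one that only flags services whose state differs from a clean-VM baseline. The svcscan record layout (`service_name`/`service_state`), the baseline values and the two sample result sets are constructed for the example; `wscsvc` is assumed to be the Security Center service short name.

```python
# Added example (not Cuckoo's own signature code): reduce false positives from
# service-state checks by diffing svcscan results against a clean-baseline snapshot
# captured on the same analysis VM. Service names, states and records are constructed.

# Constructed baseline: service states on the clean analysis VM before any sample runs.
# ALG is installed with manual start, so it is normally stopped; SharedAccess only
# runs when the VM has more than one interface, so here it is stopped as well.
CLEAN_BASELINE = {
    "SharedAccess": "SERVICE_STOPPED",
    "ALG": "SERVICE_STOPPED",
    "wscsvc": "SERVICE_RUNNING",   # assumed Security Center short name
    "WinDefend": "SERVICE_RUNNING",
}

# Constructed svcscan output for two analyses: an empty sample, and one that
# left the Security Center service stopped after it ran.
EMPTY_SAMPLE_SVCSCAN = [
    {"service_name": "SharedAccess", "service_state": "SERVICE_STOPPED"},
    {"service_name": "ALG", "service_state": "SERVICE_STOPPED"},
    {"service_name": "wscsvc", "service_state": "SERVICE_RUNNING"},
    {"service_name": "WinDefend", "service_state": "SERVICE_RUNNING"},
]
TAMPERED_SAMPLE_SVCSCAN = [
    {"service_name": "SharedAccess", "service_state": "SERVICE_STOPPED"},
    {"service_name": "ALG", "service_state": "SERVICE_STOPPED"},
    {"service_name": "wscsvc", "service_state": "SERVICE_STOPPED"},
    {"service_name": "WinDefend", "service_state": "SERVICE_RUNNING"},
]

def naive_stopped_services(svcscan, watched=("SharedAccess", "ALG", "wscsvc")):
    """Check as described in the report: flag any watched service that is not running."""
    return sorted(r["service_name"] for r in svcscan
                  if r["service_name"] in watched and r["service_state"] != "SERVICE_RUNNING")

def baseline_diff(svcscan, baseline=CLEAN_BASELINE):
    """Flag only services whose state differs from the clean baseline (or that vanished)."""
    observed = {r["service_name"]: r["service_state"] for r in svcscan}
    flagged = []
    for name, expected in baseline.items():
        actual = observed.get(name, "MISSING")
        if actual != expected:
            flagged.append((name, expected, actual))
    return sorted(flagged)

if __name__ == "__main__":
    print("naive, empty sample:", naive_stopped_services(EMPTY_SAMPLE_SVCSCAN))
    print("baseline, empty sample:", baseline_diff(EMPTY_SAMPLE_SVCSCAN))
    print("baseline, tampered sample:", baseline_diff(TAMPERED_SAMPLE_SVCSCAN))
```

The naive check fires on the empty sample because ALG and SharedAccess are stopped on a clean machine, while the baseline diff stays silent there and only reports the genuinely changed service.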