Closed falkla closed 4 months ago
This seems like a good idea; however, I'm a bit dubious about whether or not that hash is and will remain the same for every fake file scarecrow creates.
Fair point, although the same could be argued with paths and registry keys. To be fair, when v4 gets released they'll probably be going through all the code anyway. Also, yes, every hash right now is the same.
If you are confident that every hash is the same then I guess there is no point in not adding this. However, I find checking the files in blacklisted_files for that hash a bit redundant. Although on second thought it doesn't really hurt us in any way and the increase in running time is minimal. I'm just a bit worried because with the new stuff @iCronic added, the time it takes for protections to run is getting kinda annoying.
But the mouse sync thing and rdtsc might get removed since they seem to be getting triggered on my real machine.
Eh, if you want me to remove the checks for the blacklisted processes I can.
That's fine, thanks for the contribution.
Added protection against scarecrow's process spoofing, especially considering that the file detection might not work due to their new option in the installer to change where scarecrow is installed.