spyre-project / spyre

simple YARA-based IOC scanner
GNU Lesser General Public License v3.0

Option to exclude vmtoolsd.exe Process from procscan #44

Closed anna-g-arbeiter closed 4 years ago

anna-g-arbeiter commented 4 years ago

If you copy and paste procscan.yar and filescan.yar into a VMware VM, then all procscan rules will match on the vmtoolsd.exe process.

anna-g-arbeiter commented 4 years ago

There are also a lot of matches on the explorer.exe parent process of vmtoolsd.exe.

hillu commented 4 years ago

Good idea. Of course, we wouldn't want to hard-code process exclude lists into Spyre, but rather offer a user option to specify such lists.

hillu commented 4 years ago

Closed via bb546fae685d7212b65314cb2cb2de130fe881a1, --proc-ignore switch
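An added illustration of a user-supplied process ignore list as discussed above; this is example code written for this page, not Spyre's implementation of `--proc-ignore`, and the comma-separated spec format, the `Process` type and the basename-versus-full-path rule are assumptions. Basename entries cover the vmtoolsd.exe case from the issue, while full-path entries avoid excluding every process that merely shares a name.

```go
package main

import (
	"fmt"
	"strings"
)

// Process is the minimal view of a running process a scanner enumerates;
// Image is assumed to hold the full path of the executable.
type Process struct {
	PID   int
	Image string
}

// IgnoreList keeps normalized entries: an entry containing a path separator
// matches the full image path, any other entry matches the basename only.
type IgnoreList struct{ names, paths map[string]bool }

// norm lower-cases and unifies separators (Windows names are case-insensitive).
func norm(s string) string { return strings.ToLower(strings.ReplaceAll(s, "/", `\`)) }

// ParseIgnoreList reads a comma-separated spec (a constructed format, not Spyre's).
func ParseIgnoreList(spec string) *IgnoreList {
	l := &IgnoreList{names: map[string]bool{}, paths: map[string]bool{}}
	for _, e := range strings.Split(spec, ",") {
		e = strings.TrimSpace(e)
		switch {
		case e == "":
		case strings.ContainsAny(e, `/\`):
			l.paths[norm(e)] = true
		default:
			l.names[norm(e)] = true
		}
	}
	return l
}

// Ignored reports whether p is skipped. A basename entry also skips any other
// process that merely shares the name, so prefer full-path entries where the
// install location is known.
func (l *IgnoreList) Ignored(p Process) bool {
	img := norm(p.Image)
	return l.paths[img] || l.names[img[strings.LastIndex(img, `\`)+1:]]
}

func main() { // constructed sample: the VMware guest situation from the issue
	l := ParseIgnoreList("vmtoolsd.exe, C:/Windows/explorer.exe")
	for _, p := range []Process{{1234, `C:\Program Files\VMware\VMware Tools\vmtoolsd.exe`},
		{4567, `C:\Windows\explorer.exe`}, {8901, `C:\Windows\System32\notepad.exe`}} {
		fmt.Println(p.PID, p.Image, "skip:", l.Ignored(p))
	}
}
```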