Ticket #131 (new issue)

Opened 8 months ago

We now need Capture to support process exclusion based on parent

Reported by: xkovah Assigned to: xkovah
Priority: normal Milestone: 1.1
Component: HoneyClient::Agent::Integrity Version: none
Severity: major Keywords:
Cc:

Description

It was known that the parent field of the exclusion list for processes doesn't actually do anything. However, we now need it, because when we have Capture running and we resume a VM, we see the following two entries:

          'processes' => [
                           {
                             'pid' => '180',
                             'parent_name' => 'C:\\Program Files\\VMware\\VMware Tools\\VMwareService.exe',
                             'file_system' => [],
                             'registry' => [],
                             'name' => 'C:\\WINDOWS\\system32\\cmd.exe',
                             'parent_pid' => '1932',
                             'created_time' => '2008-01-02 17:07:34.66',
                             'terminated_time' => '2008-01-02 17:07:48.19'
                           },
                           {
                             'pid' => '1992',
                             'parent_name' => 'C:\\WINDOWS\\system32\\cmd.exe',
                             'file_system' => [],
                             'registry' => [],
                             'name' => 'C:\\Program Files\\VMware\\VMware Tools\\VMip.exe',
                             'parent_pid' => '180',
                             'created_time' => '2008-01-02 17:07:45.956',
                             'terminated_time' => '2008-01-02 17:07:47.878'
                           }
                         ]

And for the first entry we literally have to whitelist anything opening cmd.exe in order to exclude it, which is unacceptable.
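To make the requested behaviour concrete, the following is an added example, not HoneyClient or Capture code and not the reporter's, that applies an exclusion list carrying both a process pattern and a parent pattern to the two records above plus a constructed third record (cmd.exe spawned by a browser) that a parent-aware rule must not swallow. The rule layout, the `*` wildcard, and the function names are assumptions for illustration only; Capture's actual exclusion-list syntax is not reproduced here.

```python
import re

# Constructed sample input: the two records from the ticket (the Perl dump
# transcribed into Python dicts, timestamps dropped) plus a third, hypothetical
# record of cmd.exe launched by a browser. Only the first two should be excluded.
PROCESSES = [
    {"pid": "180", "name": r"C:\WINDOWS\system32\cmd.exe",
     "parent_pid": "1932",
     "parent_name": r"C:\Program Files\VMware\VMware Tools\VMwareService.exe"},
    {"pid": "1992", "name": r"C:\Program Files\VMware\VMware Tools\VMip.exe",
     "parent_pid": "180",
     "parent_name": r"C:\WINDOWS\system32\cmd.exe"},
    # Constructed: a cmd.exe whose parent is a browser, i.e. real activity.
    {"pid": "2040", "name": r"C:\WINDOWS\system32\cmd.exe",
     "parent_pid": "1204",
     "parent_name": r"C:\Program Files\Internet Explorer\iexplore.exe"},
]

# Hypothetical exclusion rules as (process_pattern, parent_pattern) pairs.
# Patterns are matched case-insensitively against the full image path; "*" is
# a wildcard. A rule applies only when BOTH patterns match, which is the
# parent-based exclusion the ticket asks for.
EXCLUSIONS = [
    (r"C:\WINDOWS\system32\cmd.exe",
     r"C:\Program Files\VMware\VMware Tools\VMwareService.exe"),
    (r"C:\Program Files\VMware\VMware Tools\VMip.exe",
     r"C:\WINDOWS\system32\cmd.exe"),
]


def _glob_to_regex(pattern):
    """Turn a path pattern with '*' wildcards into an anchored regex.

    Everything is escaped first so backslashes and dots in Windows paths are
    literal; the escaped wildcard is then turned back into '.*'.
    """
    escaped = re.escape(pattern).replace(r"\*", ".*")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def is_excluded(proc, exclusions, honour_parent=True):
    """Return True if some rule excludes this process record.

    honour_parent=False reproduces the behaviour the ticket complains about:
    the parent pattern is ignored, so a rule for cmd.exe removes every cmd.exe
    regardless of what started it.
    """
    for name_pat, parent_pat in exclusions:
        if not _glob_to_regex(name_pat).match(proc["name"]):
            continue
        if not honour_parent:
            return True
        if _glob_to_regex(parent_pat).match(proc["parent_name"]):
            return True
    return False


def filter_processes(processes, exclusions, honour_parent=True):
    """Return the records that survive the exclusion list, order preserved."""
    return [p for p in processes
            if not is_excluded(p, exclusions, honour_parent)]


if __name__ == "__main__":
    kept = filter_processes(PROCESSES, EXCLUSIONS)
    print("with parent matching, kept pids:", [p["pid"] for p in kept])
    kept_broad = filter_processes(PROCESSES, EXCLUSIONS, honour_parent=False)
    print("ignoring the parent field, kept pids:", [p["pid"] for p in kept_broad])
```

With the parent pattern honoured, the two VMware Tools processes are dropped and the browser-spawned cmd.exe is kept; with the parent field ignored, the same cmd.exe rule also removes the browser-spawned instance, which is exactly why a rule on cmd.exe alone is unacceptable here.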
