Required settings to use SYSMON with Padvish

Issue

This document describes the settings required to use Microsoft Sysinternals System Monitor (SYSMON) alongside Padvish.

SYSMON is a Windows service and device driver that can be installed and activated easily after downloading. The service can log the activity of all processes, network connections, registry changes, and so on.

When the service is activated, it must be given a configuration file with the xml extension that contains its basic settings. In these settings you specify that certain activities on the system are not logged or, conversely, that only certain activities are logged. These settings matter because, if no conditions are set for SYSMON, every activity of every process is logged; this produces a very large number of logs per second and can affect the performance of the systems. One of the things that should be entered as an exception in the SYSMON settings is the anti-malware process: by its nature, the antivirus is accessing many processes and files at any moment, and SYSMON may even fall into a loop while trying to log these unwanted antivirus operations. The result is a large volume of SYSMON logs that contain no useful information.

Method

To prevent SYSMON from creating these logs, the following settings must be applied. They belong in the EventFiltering section of the SYSMON configuration file. In a condition of type contains all, the semicolon separates several substrings that must all appear in the field; because C:\Program Files is itself a substring of C:\Program Files (x86), one rule covers both installation paths. Attribute values must use straight ASCII quotes (") for the file to parse.

Required settings when using the Padvish AV (antivirus) product:

<ProcessAccess onmatch="exclude">
  <SourceImage condition="contains all">C:\Program Files;\Padvish AV\APCcSvc.exe</SourceImage>
</ProcessAccess>

<RuleGroup groupRelation="and">
  <ProcessAccess onmatch="exclude">
    <SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
    <TargetImage condition="contains all">C:\Program Files;\Padvish AV\APCcSvc.exe</TargetImage>
  </ProcessAccess>
</RuleGroup>

<RuleGroup groupRelation="and">
  <ImageLoad onmatch="exclude">
    <Image condition="contains all">C:\Program Files;\Padvish AV\APCcSvc.exe</Image>
    <ImageLoaded condition="contains all">C:\Program Files;\Padvish AV\</ImageLoaded>
  </ImageLoad>
</RuleGroup>

<RuleGroup groupRelation="and">
  <FileCreate onmatch="exclude">
    <Image condition="contains all">C:\Program Files;\Padvish AV\APCcSvc.exe</Image>
    <TargetFilename condition="contains all">C:\Program Files;\Padvish AV\</TargetFilename>
  </FileCreate>
</RuleGroup>

<RuleGroup groupRelation="and">
  <RegistryEvent onmatch="exclude">
    <Image condition="contains all">C:\Program Files;\Padvish AV\APCcSvc.exe</Image>
    <TargetObject condition="contains all">\SOFTWARE\;\AmnPardaz\Padvish\</TargetObject>
  </RegistryEvent>
</RuleGroup>

Required settings when using the Padvish AntiCrypto product:

<ProcessAccess onmatch="exclude">
  <SourceImage condition="contains all">C:\Program Files;\Padvish AntiCrypto\AntiCrypto.exe</SourceImage>
</ProcessAccess>

<RuleGroup groupRelation="and">
  <ProcessAccess onmatch="exclude">
    <SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
    <TargetImage condition="contains all">C:\Program Files;\Padvish AntiCrypto\AntiCrypto.exe</TargetImage>
  </ProcessAccess>
</RuleGroup>

<RuleGroup groupRelation="and">
  <ImageLoad onmatch="exclude">
    <Image condition="contains all">C:\Program Files;\Padvish AntiCrypto\AntiCrypto.exe</Image>
    <ImageLoaded condition="contains all">C:\Program Files;\Padvish AntiCrypto\</ImageLoaded>
  </ImageLoad>
</RuleGroup>

<ImageLoad onmatch="exclude">
  <Image condition="contains all">C:\Program Files;\Padvish AntiCrypto\;\APBak.exe</Image>
</ImageLoad>

<RuleGroup groupRelation="and">
  <RegistryEvent onmatch="exclude">
    <Image condition="contains all">C:\Program Files;\Padvish AntiCrypto\AntiCrypto.exe</Image>
    <TargetObject condition="contains">\System\CurrentControlSet\services\</TargetObject>
  </RegistryEvent>
</RuleGroup>

The logs suppressed by these exceptions are ones that carry no useful information. Each exclusion is keyed to the Padvish process image (or, in the svchost.exe rules, to both the svchost.exe source and the Padvish target), so events generated by other processes are still recorded, and applying these settings does not lose the important logs that can be valuable in a forensic process.
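The following is an added example and not part of the Padvish document or of SYSMON itself: a small Python simulator of SYSMON filter semantics (is, contains, contains all with semicolon-separated parts, RuleGroup with groupRelation and/or, exclude before include) run over a constructed copy of the Padvish AV ProcessAccess rules above. It also includes a check that flags the typographic quotes a web page tends to render in place of the straight quotes SYSMON's XML parser requires. The four ProcessAccess events are constructed samples, not captured telemetry; the point they make is that the antivirus's own accesses and the svchost-to-APCcSvc accesses are dropped, while svchost accessing other targets and any other process accessing the antivirus remain logged.

```python
"""Simulator of Sysmon exclude/include filtering (added example, not vendor code)."""
import xml.etree.ElementTree as ET

# Constructed copy of the article's Padvish AV ProcessAccess rules, wrapped in
# the EventFiltering element a Sysmon config file uses. Straight quotes only.
RULES_XML = r"""
<EventFiltering>
  <ProcessAccess onmatch="exclude">
    <SourceImage condition="contains all">C:\Program Files;\Padvish AV\APCcSvc.exe</SourceImage>
  </ProcessAccess>
  <RuleGroup groupRelation="and">
    <ProcessAccess onmatch="exclude">
      <SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
      <TargetImage condition="contains all">C:\Program Files;\Padvish AV\APCcSvc.exe</TargetImage>
    </ProcessAccess>
  </RuleGroup>
</EventFiltering>
"""

TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"


def check_config_text(text):
    """Return a list of problems that would stop Sysmon from loading the text."""
    problems = []
    bad = sorted({ch for ch in text if ch in TYPOGRAPHIC_QUOTES})
    if bad:
        problems.append("typographic quotes present: " + " ".join(bad))
    try:
        ET.fromstring(text)
    except ET.ParseError as exc:
        problems.append("not well-formed XML: %s" % exc)
    return problems


def condition_matches(condition, pattern, value):
    """Evaluate one Sysmon filter condition; string matching is case-insensitive."""
    c, p, v = condition.lower(), pattern.lower(), value.lower()
    if c == "is":
        return v == p
    if c == "is not":
        return v != p
    if c == "contains":
        return p in v
    if c == "excludes":
        return p not in v
    if c == "begin with":
        return v.startswith(p)
    if c == "end with":
        return v.endswith(p)
    # 'contains any' / 'contains all' take several substrings separated by ';'
    parts = p.split(";")
    if c == "contains any":
        return any(part in v for part in parts)
    if c == "contains all":
        return all(part in v for part in parts)
    raise ValueError("unsupported condition: %r" % condition)


def load_rules(xml_text):
    """Flatten EventFiltering into (event_type, onmatch, relation, conditions) tuples."""
    rules = []
    for node in ET.fromstring(xml_text):
        if node.tag == "RuleGroup":
            relation, filters = node.get("groupRelation", "or").lower(), list(node)
        else:  # a filter placed directly under EventFiltering: its conditions are OR-ed
            relation, filters = "or", [node]
        for flt in filters:
            conds = [(c.tag, c.get("condition", "is"), c.text or "") for c in flt]
            rules.append((flt.tag, (flt.get("onmatch") or "").lower(), relation, conds))
    return rules


def rule_matches(rule, event):
    _, _, relation, conds = rule
    hits = [condition_matches(c, pat, event.get(field, "")) for field, c, pat in conds]
    return all(hits) if relation == "and" else any(hits)


def is_logged(event_type, event, rules):
    """A matching exclude rule drops the event; otherwise, if include rules exist for
    the type, the event is logged only when one matches. Event types that have no
    rules at all are outside the scope of this simulator."""
    typed = [r for r in rules if r[0] == event_type]
    if any(r[1] == "exclude" and rule_matches(r, event) for r in typed):
        return False
    includes = [r for r in typed if r[1] == "include"]
    if includes:
        return any(rule_matches(r, event) for r in includes)
    return True


# Constructed sample ProcessAccess events (not real telemetry).
SAMPLE_EVENTS = {
    "av_scans_explorer": {"SourceImage": r"C:\Program Files (x86)\Padvish AV\APCcSvc.exe",
                          "TargetImage": r"C:\Windows\explorer.exe"},
    "svchost_to_av": {"SourceImage": r"C:\Windows\System32\svchost.exe",
                      "TargetImage": r"C:\Program Files\Padvish AV\APCcSvc.exe"},
    "svchost_to_lsass": {"SourceImage": r"C:\Windows\System32\svchost.exe",
                         "TargetImage": r"C:\Windows\System32\lsass.exe"},
    "unknown_to_av": {"SourceImage": r"C:\Temp\unknown.exe",
                      "TargetImage": r"C:\Program Files\Padvish AV\APCcSvc.exe"},
}


def evaluate_samples(rules_xml=RULES_XML, events=SAMPLE_EVENTS):
    """Return {sample name: True if the event would be logged, False if excluded}."""
    rules = load_rules(rules_xml)
    return {name: is_logged("ProcessAccess", ev, rules) for name, ev in events.items()}


if __name__ == "__main__":
    for name, logged in evaluate_samples().items():
        print("%-18s %s" % (name, "logged" if logged else "excluded"))
    # The same rules with the quotes a web page renders would not load at all.
    print(check_config_text(RULES_XML.replace('"', "\u201d")))
```

Running the script shows the first two samples excluded and the last two logged, and the quote check reports both the typographic quotes and the resulting parse error; running check_config_text over a configuration copied from a web page before deploying it catches the most common reason such a file is rejected.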