August 20, 2022
Microsoft’s latest Sysmon 14 provides a unique security feature that helps users block the creation of malicious executables.
Sysmon or System Monitor is a free Microsoft Sysinternals tool that can monitor systems for malicious activity and log events in the Windows Event Log.
The feature known as “FileBlockExecutable,” designed for system administrators, allows them to block the creation of executable files based on various data criteria such as the file path, whether they match certain hashes or are deleted from certain executable files.
The current Sysmon schema, which includes the ‘FileBlockExecutables’ configuration, is version 4.82. To prevent Microsoft Office applications from creating new executables, users are advised to check Olaf Hartong’s writeup on the latest version of Sysmon.
The writeup identify the rule needed to block executables. Users will need to execute the sysmon – 1 command and pass the configuration file’s name. Once started, Sysmon installs its driver and starts quietly gathering data in the background.
It is important to note that the security feature is not 100% secure, as it has already been bypassed by security expert Adam Chester, so users are advised not to rely on it as their only protection.
To see how to use instructions to block malware, administrators can read the premade Sysmon configuration files from Florian Roth and SwiftOnSecurity.
The sources for this piece include an article in BleepingComputer.
