alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE IsDebuggerPresent? (Used in Malware Anti-Debugging)"; flow:established,to_client; flowbits:isset,ET.http.binary; content:!"|0d 0a|x-avast"; http_header; file_data; content:"IsDebuggerPresent"; classtype:misc-activity; sid:2015744; rev:4;)

Added 2015-05-06 19:59:16 UTC

Might I suggest a suppression for Microsoft and Windows Update, as all the Windows machines hit on this error.

pcre:"/^((?!\.windowsupdate\.com|\.microsoft\.com).)*$/im";

-- CarlvanEijk - 2017-02-01

We're going to modify the POLICY signature to negate windowsupdate, however we don't typically modify INFO signatures because they are purely meant to provide you with the most information. I would suggest that you modify this locally or don't run this signature (it's super noisy).

-- DarienH - 2017-02-01
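One way to apply the "modify this locally" advice without touching the rule itself is to drop the noisy hits at the alert-output stage. Suricata's threshold.config `suppress` entries track by IP, not by hostname, so a hostname-based exception either goes into a local copy of the rule or into a post-filter like the one below. This is an added example, not an Emerging Threats tool or anything from this page: a small Python filter over Suricata EVE JSON alert lines that discards sid 2015744 alerts whose recorded HTTP hostname falls under the two suffixes CarlvanEijk suggested, and keeps everything else (including alerts with no hostname, so nothing is hidden by accident). The sample EVE lines are constructed for the example.

```python
"""Hypothetical EVE JSON post-filter (added example, not an Emerging Threats
tool): suppress sid 2015744 alerts for an allowlist of hostname suffixes,
pass every other event through unchanged."""
import json

# Local allowlist per signature id. Suffixes come from the suggestion in the
# thread above; extend as local policy requires.
SUPPRESS = {
    2015744: (".windowsupdate.com", ".microsoft.com"),
}


def host_matches(hostname, suffixes):
    """True if hostname equals one of the suffix domains or is a subdomain
    of it. The leading dot prevents 'notwindowsupdate.com' from matching."""
    host = hostname.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)


def is_suppressed(event):
    """Decide whether a parsed EVE event should be dropped."""
    if event.get("event_type") != "alert":
        return False
    sid = event.get("alert", {}).get("signature_id")
    suffixes = SUPPRESS.get(sid)
    if not suffixes:
        return False
    hostname = event.get("http", {}).get("hostname")
    # No hostname recorded (non-HTTP flow, truncated transaction): keep the
    # alert rather than silently hide it.
    if not hostname:
        return False
    return host_matches(hostname, suffixes)


def filter_eve(lines):
    """Return (kept_lines, dropped_count). Non-JSON lines pass through."""
    kept, dropped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            kept.append(line)
            continue
        if is_suppressed(event):
            dropped += 1
        else:
            kept.append(line)
    return kept, dropped


# Constructed sample events (not real captures); the field names follow the
# EVE alert schema: event_type, alert.signature_id, http.hostname.
SAMPLE_EVE = [
    json.dumps({"event_type": "alert", "alert": {"signature_id": 2015744},
                "http": {"hostname": "download.windowsupdate.com"}}),
    json.dumps({"event_type": "alert", "alert": {"signature_id": 2015744},
                "http": {"hostname": "files.example.invalid"}}),
    json.dumps({"event_type": "alert", "alert": {"signature_id": 2015744}}),
    json.dumps({"event_type": "alert", "alert": {"signature_id": 2015743},
                "http": {"hostname": "download.windowsupdate.com"}}),
    json.dumps({"event_type": "alert", "alert": {"signature_id": 2015744},
                "http": {"hostname": "notwindowsupdate.com"}}),
]


def run_sample():
    """Apply the filter to the constructed sample; used by the usage below."""
    return filter_eve(SAMPLE_EVE)


if __name__ == "__main__":
    kept, dropped = run_sample()
    print(f"kept {len(kept)} events, suppressed {dropped}")
    for line in kept:
        print(line)
```

Run it as `python eve_filter.py < eve.json` after replacing `SAMPLE_EVE` with `sys.stdin`; only the first sample event is dropped, because the other sid 2015744 hits either have no hostname, a hostname outside the allowlist, or a look-alike domain that the leading-dot check rejects.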


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE IsDebuggerPresent? (Used in Malware Anti-Debugging)"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"IsDebuggerPresent"; classtype:misc-activity; sid:2015744; rev:2;)

Added 2012-09-28 00:08:33 UTC


Topic revision: r3 - 2017-02-01 - DarienH