CommandLineScanner

Discussion in 'other anti-malware software' started by Mr.X, Feb 15, 2017.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
    @Lockdown

    So is this line not used anymore?
    [BLACKLIST]
    *>*desk.cpl,ScreenSaver,@ScreenSaver*
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
    That line is not found in the original logfile when you unpack the driver for the very first time.
     
  3. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    @Mister X

    or this...

    C:\Program Files\Excubits\cmdScanner\Admin Tool.exe>*
    C:\Program Files\Excubits\cmdScanner\Tray.exe>*
    C:\Windows\explorer.exe>"C:\Program Files\Excubits\cmdScanner\Tray.exe"*
    C:\Windows\explorer.exe>"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\cmdscanner.ini*
    C:\Windows\explorer.exe>"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\cmdscanner.log*
    C:\Windows\System32\svchost.exe>"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe"* (not sure if a space is allowed between " and *)
    C:\Windows\*cmd.exe>\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\*cmd.exe>net start cmdScanner*
    C:\Windows\*cmd.exe>net stop cmdScanner*
    C:\Windows\*cmd.exe>sc query cmdScanner*
    C:\Windows\*net.exe>C:\Windows\system32\net1 stop cmdScanner*
    C:\Program Files\Windows Defender\MsMpEng.exe>"c:\windows\system32\\svchost.exe"
     
    Last edited: Mar 17, 2017
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
    Yes of course LOL
    See my last ini config above. It works. Not reader-friendly, but working well.
     
  5. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    He didn't include it. And I didn't ask... it's OK to keep it if you want your screensaver to work by default.
     
  6. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Don't worry about it. It still works fine. Or just don't use it when creating the cmdscanner.ini.
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
    Maybe I didn't explain myself correctly. What I need is for the driver to write its log file to another location than the <system> drive, that is, to another partition.
     
  8. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    At this point I think we're lucky we got what we got, but I understand where you are coming from...
     
  9. guest

    guest Guest

    It can be a little bit risky if * is used at the beginning. Theoretically, files from temporary directories, C:\Windows\Temp\MalwareTray.exe or other "unwanted executables", can be executed and can stop the service.
    It's unlikely, but you never know :)
    Code:
    *Tray.exe>*Admin*.exe" stop-driver*
    *net.exe>*net1  stop cmd*
    *svchost.exe>*Admin*.exe" stop-driver*
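    As an added illustration of the point made in this post (and of the anchored rules listed in post 3), not code from Excubits or from either poster: a small Python matcher for rules in the `parent>command line` form used above. It assumes `*` is the only wildcard and that matching is case-insensitive, and it runs the rules over two constructed launch events, one from the real Tray.exe and one from a file in a temp directory, to show which rules each one satisfies.

```python
import re

# Rules quoted in this thread. The parent/child split on '>' and '*' as the
# only wildcard are assumptions about the rule format, not Excubits' spec.
RULES = [
    r"C:\Program Files\Excubits\cmdScanner\Tray.exe>*",   # post 3: parent anchored to a full path
    r'*Tray.exe>*Admin*.exe" stop-driver*',               # post 9: parent starts with '*'
    r"*net.exe>*net1  stop cmd*",                         # post 9: parent starts with '*'
]

# Constructed events (not taken from any log on the page).
TRUSTED_TRAY = r"C:\Program Files\Excubits\cmdScanner\Tray.exe"
ROGUE_TRAY = r"C:\Windows\Temp\MalwareTray.exe"
STOP_CMD = r'"C:\Program Files\Excubits\cmdScanner\Admin Tool.exe" stop-driver'


def glob_to_regex(pattern: str) -> re.Pattern:
    """Turn a '*'-only glob into an anchored, case-insensitive regex."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def parse_rule(line: str):
    """Split 'parent>child' into two compiled patterns."""
    parent, _, child = line.partition(">")
    return glob_to_regex(parent), glob_to_regex(child)


def matching_rules(rules, parent_path: str, command_line: str):
    """Return every rule (in order) that matches this parent/child pair."""
    hits = []
    for line in rules:
        parent_re, child_re = parse_rule(line)
        if parent_re.fullmatch(parent_path) and child_re.fullmatch(command_line):
            hits.append(line)
    return hits


def unanchored_parents(rules):
    """Audit helper: rules whose parent pattern begins with '*' match any directory."""
    return [line for line in rules if line.partition(">")[0].startswith("*")]


if __name__ == "__main__":
    print("trusted Tray.exe :", matching_rules(RULES, TRUSTED_TRAY, STOP_CMD))
    print("temp-dir Tray.exe:", matching_rules(RULES, ROGUE_TRAY, STOP_CMD))
    print("unanchored parents:", unanchored_parents(RULES))
```

The anchored rule from post 3 only fires for the genuine Tray.exe path, while the leading-`*` rule also accepts the temp-directory binary, which is exactly the exposure this post describes.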
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
    Yup I know @mood , but as I said before, this mini-driver is just for logging and research purposes. :cool:
     
  11. guest

    guest Guest

    For logging purposes I can recommend NoVirusThanks Process Logger Service.
    No GUI, it is running as a service and is doing its job silently in the background.
    It also can log Process Terminations and more information about launched processes.

    To find something in the ERP-logfile is a pain, the output of the above service is much "cleaner".
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
    Thanks. Going to try later today. :thumb:
     
  13. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    @Mister X

    I am noticing a couple of things with cmdScanner as a logging service:

    1. It will not always capture command lines for processes that are blocked by AppGuard
    2. It causes MicrosoftEdge to connect to the network very slowly on some tabs

    The SpyShelter command line logging service captures all command lines - even for processes blocked by AppGuard - and it doesn't cause any issues with processes.

    I tried NVT Process Logger Service, but the publicly available version from June 2016 did not log on Windows 10; Andreas stated he needed to make a minor fix for it to work.

    There is Windows' built-in Auditpol.exe that can be configured on some systems to log command lines, and there is Sysinternals' Sysmon, but they both require configuration. However, I find both inconvenient. There are also utilities out there, like LOG-MD from Malware Archaeology, but I haven't tried them.

    System Explorer can be configured to save command lines to a log via its History function, but it requires manual management.

    So far the SpyShelter command line logger has proven most reliable.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
    Thanks. Is this available as standalone?
     
  15. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    No. It is built into SpyShelter Premium and Firewall. Both are paid products - annual subscription. There is no more lifetime license for either.

    Perhaps the freeware version will work for just logging. I haven't used the freeware version in many years. It is no longer supported by Datpol, as they killed off the freeware version.
     
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
    Oh well, that's a bummer.
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Nice find, but for some reason I can't seem to download this from NVT site, though it does download from MajorGeeks ...
    But not sure I want to try it in light of @Lockdown's assertion it does not log on Win 10, even though it is meant to be compatible with Win 10 according to the site. Hope Andreas fixes it.
    Anyway OT, back to CommandLineScanner ... :)
     
  18. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I just re-tested it and it isn't logging on my test system - not even with everything else disabled.

    Andreas says he recently tested it and it is working in a VM. Others say it works OK on their W10 systems.

    Anyway I produced a few videos that clearly show it not logging and Andreas now has them.
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
  20. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    1. I think this depends on the priority of the driver. If AppGuard comes before CMDScanner in the kernel, then it cannot log because the process is then already out of reach for CMDScanner. You could mention this to the developer; maybe he changes the order so it is before AppGuard. I have used CMDScanner for a long time now, and on my systems it logs a lot of interesting things (surprising what Microsoft does call in the background - telemetry stuff, URLs etc., even on a clean Windows install).

    2. What tabs? Freshly created, a tab opened by a link... maybe we can track this down and see.

    Annual subscription: understandable, it's more than just a logging tool, but for me not the way to go.
     
  21. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Have you seen this from Excubits' recent blog post (link was there): https://github.com/Neo23x0/sigma/tree/master/rules/windows/sysmon

    Very interesting, there are a lot of rules that can be used with CMDScanner also. Can't use them directly, need to modify them, but I think some of them are hot candidates to be used to reduce risk.
     
  22. guest

    guest Guest

    That was my thought too.
    AG is blocking it very early; not even AppLocker "noticed" the blocked process. If the SpyShelter command line logging service can log it, then it must indeed have a higher priority.

    But I don't think that other programs are "overlooking" something. If nothing was actually executed, then there is nothing to log :cautious:
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
    This makes sense, yes of course. Thank you both.
     