Microsoft's latest Sysmon 14.0 could help block dangerous malware

No malware

Microsoft, yesterday, released its Sysinternals Suite 2022.08.16. The new release brings with it Sysmon v14.0, AccessEnum v1.34, and Coreinfo v3.53. Find the details here. The newest version of Sysmon adds a new feature that can block processes from creating EXE or similar executable files.

The release notes for Sysmon v14.0 says:

This major update to Sysmon, an advanced host monitoring tool, adds a new event type, FileBlockExecutable that prevents processes from creating executable files in specified locations. It also includes several performance improvements and bug fixes.

Sysmon GitHub repo maintainer Olaf Hartong has explained that such a feature can help to prevent the creation of malicious files or downloading of secondary malicious payloads by malware droppers like those used in Macros, among others. He says:

Sysmon now impedes executables, based on the file header from being written to the filesystem according to the filtering criteria. This can be a very powerful feature into blocking certain programs writing malicious files to disk.

A demonstration using a simple example was also given to show how it works. In this case, Sysmon was used to block downloads:

Sysmon 140 malware block demo

As you can see in the image below, the downloads for all the PE files failed due to Sysmon blocking them:

Sysmon 140 download block demo

You can find more details on Olaf Hartong write-up here.

Report a problem with article
Streaming services on a TV
Next Article

TV viewers watched more on streaming services than on cable TV in July 2022

Accenture and Facebook logos
Previous Article

Facebook contractors told they would soon have their work taken away from them

2 Comments - Add comment