LoFP / Applications that load the same DLLs mentioned in the detection section. Investigate them and filter them out if they cause a lot of false positives.

Techniques

Sample rules

Potential Antivirus Software DLL Sideloading

Description

Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.

Detection logic

condition: (selection_bitdefender and not 1 of filter_log_dll_*) or (selection_fsecure
  and not filter_fsecure) or (selection_mcafee and not filter_mcafee) or (selection_cyberark
  and not filter_cyberark) or (selection_avast and not 1 of filter_wsc_dll_*) or (selection_titanium
  and not filter_titanium) or (selection_eset_deslock and not filter_eset_deslock)
filter_cyberark:
  ImageLoaded|startswith:
  - C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\
  - C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\
filter_eset_deslock:
  ImageLoaded|startswith:
  - C:\program Files\ESET
  - C:\program Files (x86)\ESET
filter_fsecure:
  ImageLoaded|startswith:
  - C:\Program Files\F-Secure\Anti-Virus\
  - C:\Program Files (x86)\F-Secure\Anti-Virus\
filter_log_dll_avast:
  ImageLoaded:
  - C:\Program Files\AVAST Software\Avast\log.dll
  - C:\Program Files (x86)\AVAST Software\Avast\log.dll
filter_log_dll_avg:
  ImageLoaded:
  - C:\Program Files\AVG\Antivirus\log.dll
  - C:\Program Files (x86)\AVG\Antivirus\log.dll
filter_log_dll_bitdefender:
  ImageLoaded|startswith:
  - C:\Program Files\Bitdefender Antivirus Free\
  - C:\Program Files (x86)\Bitdefender Antivirus Free\
filter_log_dll_canon:
  ImageLoaded|startswith: C:\Program Files\Canon\MyPrinter\
filter_log_dll_dell_sar:
  Image: C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe
  ImageLoaded:
  - C:\Program Files\Dell\SARemediation\plugin\log.dll
  - C:\Program Files\Dell\SARemediation\audit\log.dll
filter_mcafee:
  ImageLoaded|startswith:
  - C:\Program Files\McAfee\
  - C:\Program Files (x86)\McAfee\
filter_titanium:
  ImageLoaded|startswith:
  - C:\program Files\Trend Micro\Titanium\
  - C:\program Files (x86)\Trend Micro\Titanium\
filter_wsc_dll_avast:
  ImageLoaded|startswith:
  - C:\program Files\AVAST Software\Avast\
  - C:\program Files (x86)\AVAST Software\Avast\
filter_wsc_dll_avg:
  ImageLoaded|startswith:
  - C:\Program Files\AVG\Antivirus\
  - C:\Program Files (x86)\AVG\Antivirus\
selection_avast:
  ImageLoaded|endswith: \wsc.dll
selection_bitdefender:
  ImageLoaded|endswith: \log.dll
selection_cyberark:
  ImageLoaded|endswith: \vftrace.dll
selection_eset_deslock:
  ImageLoaded|endswith: \DLPPREM32.dll
selection_fsecure:
  ImageLoaded|endswith: \qrt.dll
selection_mcafee:
  ImageLoaded|endswith:
  - \ashldres.dll
  - \lockdown.dll
  - \vsodscpl.dll
selection_titanium:
  ImageLoaded|endswith: \tmdbglog.dll