False positives: applications that load the same DLLs mentioned in the detection section. Investigate them and filter them out if they cause many false positives.

Techniques

Sample rules

Potential Antivirus Software DLL Sideloading

Description

Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.

Detection logic

condition: (selection_bitdefender and not 1 of filter_log_dll_*) or (selection_fsecure
  and not filter_fsecure) or (selection_mcafee and not filter_mcafee) or (selection_cyberark
  and not filter_cyberark) or (selection_avast and not filter_avast) or (selection_titanium
  and not filter_titanium) or (selection_eset_deslock and not filter_eset_deslock)
filter_avast:
  ImageLoaded|startswith:
  - C:\program Files\AVAST Software\Avast\
  - C:\program Files (x86)\AVAST Software\Avast\
filter_cyberark:
  ImageLoaded|startswith:
  - C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\
  - C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\
filter_eset_deslock:
  ImageLoaded|startswith:
  - C:\program Files\ESET
  - C:\program Files (x86)\ESET
filter_fsecure:
  ImageLoaded|startswith:
  - C:\Program Files\F-Secure\Anti-Virus\
  - C:\Program Files (x86)\F-Secure\Anti-Virus\
filter_log_dll_bitdefender:
  ImageLoaded|startswith:
  - C:\Program Files\Bitdefender Antivirus Free\
  - C:\Program Files (x86)\Bitdefender Antivirus Free\
filter_log_dll_canon:
  ImageLoaded|startswith: C:\Program Files\Canon\MyPrinter\
filter_log_dll_dell_sar:
  Image: C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe
  ImageLoaded:
  - C:\Program Files\Dell\SARemediation\plugin\log.dll
  - C:\Program Files\Dell\SARemediation\audit\log.dll
filter_mcafee:
  ImageLoaded|startswith:
  - C:\Program Files\McAfee\
  - C:\Program Files (x86)\McAfee\
filter_titanium:
  ImageLoaded|startswith:
  - C:\program Files\Trend Micro\Titanium\
  - C:\program Files (x86)\Trend Micro\Titanium\
selection_avast:
  ImageLoaded|endswith: \wsc.dll
selection_bitdefender:
  ImageLoaded|endswith: \log.dll
selection_cyberark:
  ImageLoaded|endswith: \vftrace.dll
selection_eset_deslock:
  ImageLoaded|endswith: \DLPPREM32.dll
selection_fsecure:
  ImageLoaded|endswith: \qrt.dll
selection_mcafee:
  ImageLoaded|endswith:
  - \ashldres.dll
  - \lockdown.dll
  - \vsodscpl.dll
selection_titanium:
  ImageLoaded|endswith: \tmdbglog.dll