From 7988dae6bf0ce970832c5219bc817afdf684f098 Mon Sep 17 00:00:00 2001
From: netero1010
Date: Tue, 2 Jan 2024 18:02:49 +0800
Subject: [PATCH] Update to include Cisco Secure Endpoint (credit @logdumpster). Also, removed CrowdStrike from the supporting list as blocking its service process is insufficient. Require further testing

---
 EDRSilencer.c | 18 +++++++++---------
 README.md | 1 -
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/EDRSilencer.c b/EDRSilencer.c
index 1e5a730..b099216 100644
--- a/EDRSilencer.c
+++ b/EDRSilencer.c
@@ -16,9 +16,6 @@ char* edrProcess[] = {
 "xagt.exe",
 // Qualys EDR
 "QualysAgent.exe",
-// CrowdStrike
- "CSFalconService.exe",
- "CSFalconContainer.exe",
 // SentinelOne
 "SentinelAgent.exe",
 "SentinelAgentWorker.exe",
@@ -54,7 +51,9 @@ char* edrProcess[] = {
 "CyveraService.exe",
 "CyvrFsFlt.exe",
 // FortiEDR
- "fortiedr.exe"
+ "fortiedr.exe",
+// Cisco Secure Endpoint (Formerly Cisco AMP)
+ "sfc.exe"
 };
 BOOL inWfpFlag[sizeof(edrProcess) / sizeof(edrProcess[0])] = { FALSE };
 
@@ -327,15 +326,16 @@ void UnblockWfpFilter(UINT64 filterId) {
 }
 
 void PrintHelp() {
- printf("Usage: EDROutBlock.exe \n");
+ printf("Usage: EDRSilencer.exe \n");
+ printf("Version: 1.1\n");
 printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of all detected EDR processes:\n");
- printf(" EDROutBlock.exe blockedr\n\n");
+ printf(" EDRSilencer.exe blockedr\n\n");
 printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of a specific process (full path is required):\n");
- printf(" EDROutBlock.exe block \"C:\\Windows\\System32\\curl.exe\"\n\n");
+ printf(" EDRSilencer.exe block \"C:\\Windows\\System32\\curl.exe\"\n\n");
 printf("- Remove all WFP filters applied by this tool:\n");
- printf(" EDROutBlock.exe unblockall\n\n");
+ printf(" EDRSilencer.exe unblockall\n\n");
 printf("- Remove a specific WFP filter based on filter id:\n");
- printf(" EDROutBlock.exe unblock ");
+ printf(" EDRSilencer.exe unblock ");
 }
 
 int main(int argc, char *argv[]) {
diff --git a/README.md b/README.md
index 1d5cb64..20b7642 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,6 @@ The tool currently supports the following EDRs:
 - Elastic EDR
 - Trellix EDR
 - Qualys EDR
-- CrowdStrike
 - SentinelOne
 - Cylance
 - Cybereason
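Review bot: The version introduced at `printf("Version: 1.1\n");` is a bare literal inside PrintHelp, so the next release bump has to be found by hand in the middle of the help text; a file-scope constant such as `static const char *const kVersion = "1.1";` printed with `printf("Version: %s\n", kVersion);` keeps it in one place, next to the tool name that this hunk renames in six separate literals. The `Usage:` and `unblock` lines appear to end without an argument placeholder, which looks like extraction loss in this listing rather than a change made by the commit; if the placeholder really is absent, the help text should name the expected argument. The hunk's last line opens main(), whose body lies outside the hunk.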