wavestone-cdt-edrsandblast/EDRSandblast/Utils/IsEDRChecks.c
nuts7 3ed5638366 New EDR drivers
This commit adds some EDR drivers: BDSandBox.sys (BitDefender), MfeEEFF.sys mfprom.sys hdlpflt.sys (McAfee Inc.), TmFileEncDmk.sys (Trend Micro Inc.), psepfilter.sys (Absolute Software), cve.sys (Absolute Software Corp.), medlpflt.sys dsfa.sys cposfw.sys (Check Point Software), cpbak.sys (Checkpoint Software), SISIPSFileFilter.sys (Symantec Corp.), cbstream.sys cbk7.sys (Carbon Black) and dgdmk.sys (Verdasys Inc)
2023-09-22 16:14:11 +02:00


#include "../EDRSandblast.h"
#include "IsEDRChecks.h"
/*
* Primitives to check if a binary or driver belongs to an EDR product.
*/
// Keywords identifying EDR vendors, as they appear in binary digital signatures.
// One entry per vendor (SentinelOne has two spellings of its signer name).
// TODO : enrich this list
TCHAR const* EDR_SIGNATURE_KEYWORDS[] = {
	// Carbon Black
	_T("CarbonBlack"),
	// CrowdStrike
	_T("CrowdStrike"),
	// Cylance
	_T("Cylance Smart Antivirus"),
	// Elastic
	_T("Elastic Endpoint Security"),
	// FireEye
	_T("FireEye"),
	// Kaspersky
	_T("Kaspersky"),
	// McAfee
	_T("McAfee"),
	// SentinelOne
	_T("SentinelOne"),
	_T("Sentinel Labs"),
	// Symantec
	_T("Symantec"),
};
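// List of binaries (process image names) belonging to EDR products.
// Every entry is a full image file name including its ".exe" extension;
// keep additions in the same form so they line up with the other entries.
TCHAR const* EDR_BINARIES[] = {
	// Microsoft
	_T("HealthService.exe"),
	_T("MonitoringHost.exe"),
	_T("MpCmdRun.exe"),
	_T("MsMpEng.exe"),
	_T("MsSense.exe"),
	_T("SenseCncProxy.exe"),
	_T("SenseIR.exe"),
	// SentinelOne
	_T("LogCollector.exe"),
	_T("SentinelAgent.exe"),
	_T("SentinelAgentWorker.exe"),
	_T("SentinelBrowserNativeHost.exe"),
	_T("SentinelHelperService.exe"),
	_T("SentinelMemoryScanner.exe"),
	_T("SentinelRanger.exe"),
	_T("SentinelRemediation.exe"),
	_T("SentinelRemoteShellHost.exe"),
	_T("SentinelScanFromContextMenu.exe"),
	// Previously listed as "SentinelServiceHost" with no extension, unlike
	// every other entry; the SentinelOne service host image is SentinelServiceHost.exe.
	_T("SentinelServiceHost.exe"),
	_T("SentinelStaticEngine.exe"),
	_T("SentinelStaticEngineScanner.exe"),
	_T("SentinelUI.exe"),
};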
// List of EDR drivers for which Kernel callbacks will be impacted.
// Source: https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes
// Includes all FSFilter Anti-Virus and Activity Monitor drivers from that page,
// plus the drivers listed in: https://github.com/SadProcessor/SomeStuff/blob/master/Invoke-EDRCheck.ps1
TCHAR const* EDR_DRIVERS[] = {
/*
* FSFilter Anti-Virus - BEGIN
*/
// 360 Software (Beijing)
_T("360qpesv.sys"),
// 5nine Software Inc.
_T("5nine.cbt.sys"),
// Ahkun Co.
_T("AhkSvPro.sys"),
_T("AhkUsbFW.sys"),
_T("AhkAMFlt.sys"),
// Ahnlab
_T("V3MifiNt.sys"),
_T("V3Ift2k.sys"),
_T("V3IftmNt.sys"),
_T("ArfMonNt.sys"),
_T("AhnRghLh.sys"),
_T("AszFltNt.sys"),
_T("OMFltLh.sys"),
_T("V3Flu2k.sys"),
_T("AdcVcsNT.sys"),
// AhnLab Inc.
_T("TfFregNt.sys"),
// AhnLab, Inc.
_T("SMDrvNt.sys"),
_T("ATamptNt.sys"),
_T("V3Flt2k.sys"),
// Alwil
_T("aswmonflt.sys"),
// Anvisoft
_T("avfsmn.sys"),
// Arcdo
_T("ANVfsm.sys"),
_T("CDrRSFlt.sys"),
// Ashampoo GmbH & Co. KG
_T("AshAvScan.sys"),
// Australian Projects
_T("ZxFsFilt.sys"),
// Authentium
_T("avmf.sys"),
// AVG Grisoft
_T("avgmfx86.sys"),
_T("avgmfx64.sys"),
_T("avgmfi64.sys"),
_T("avgmfrs.sys"),
// Avira GmbH
_T("avgntflt.sys"),
// AVNOS
_T("kavnsi.sys"),
// AvSoft Technologies
_T("strapvista.sys"),
_T("strapvista64.sys"),
// AxBx
_T("vk_fsf.sys"),
// Baidu (beijing)
_T("BDFileDefend.sys"),
// Baidu (Hong Kong) Limited
_T("Bfilter.sys"),
// Baidu online network technology (beijing)Co.
_T("BDsdKit.sys"),
_T("bd0003.sys"),
// Beijing Kingsoft
_T("ksfsflt.sys"),
// Beijing Majorsec
_T("majoradvapi.sys"),
// Beijing Rising Information Technology Corporation Limited
_T("HookSys.sys"),
// Beijing Venus
_T("TxFileFilter.sys"),
_T("VTSysFlt.sys"),
// Binary Defense Systems
_T("Osiris.sys"),
// Bit9 Inc
_T("b9kernel.sys"),
// Bitdefender
_T("bdsvm.sys"),
// BitDefender SRL
_T("hbflt.sys"),
_T("vlflt.sys"),
_T("gzflt.sys"),
_T("bddevflt.sys"),
_T("ignis.sys"),
_T("AVCKF.SYS"),
_T("gemma.sys"),
_T("Atc.sys"),
_T("AVC3.SYS"),
_T("TRUFOS.SYS"),
_T("BDSandBox.sys"),
// Bkav Corporation
_T("BkavAutoFlt.sys"),
_T("BkavSdFlt.sys"),
// BLACKFORT SECURITY
_T("bSyirmf.sys"),
_T("bSysp.sys"),
_T("bSydf.sys"),
_T("bSywl.sys"),
_T("bSyrtm.sys"),
_T("bSyaed.sys"),
_T("bSyar.sys"),
// BullGuard
_T("BdFileSpy.sys"),
// C-NetMedia Inc
_T("antispyfilter.sys"),
// CheckMAL Inc
_T("AppCheckD.sys"),
// Cheetah Mobile Inc.
_T("wdocsafe.sys"),
_T("lbprotect.sys"),
// Cisco Systems
_T("csaav.sys"),
_T("CiscoSAM.sys"),
_T("immunetselfprotect.sys"),
_T("immunetprotect.sys"),
_T("CiscoAMPCEFWDriver.sys"),
_T("CiscoAMPHeurDriver.sys"),
// CJSC Returnil Software
_T("rvsmon.sys"),
// CodeProof Technologies Inc
_T("CpAvFilter.sys"),
_T("CpAvKernel.sys"),
// Comodo Group Inc.
_T("cmdccav.sys"),
_T("cmdguard.sys"),
// Computer Assoc
_T("caavFltr.sys"),
_T("ino_fltr.sys"),
// ConeSecurity Inc
_T("CSFlt.sys"),
// Confluera Inc
_T("tbmninifilter.sys"),
// Coranti Inc.
_T("crnsysm.sys"),
_T("crncache32.sys"),
_T("crncache64.sys"),
// CoreTrace Corporation
_T("bouncer.sys"),
// CrowdStrike Ltd.
_T("csagent.sys"),
// Dakota State University
_T("EdnemFsFilter.sys"),
// Deep Instinct
_T("DeepInsFS.sys"),
// Deep Instinct Ltd.
_T("DeepInsFS.sys"),
// Digitalonnet
_T("ADSpiderDoc.sys"),
// Doctor Web
_T("drwebfwft.sys"),
_T("DwShield.sys"),
_T("DwShield64.sys"),
_T("dwprot.sys"),
// Doctor Web Ltd.
_T("Spiderg3.sys"),
// DriveSentry Inc
_T("drivesentryfilterdriver2lite.sys"),
// EasyAntiCheat Solutions
_T("easyanticheat.sys"),
// eEye Digital Security
_T("eeyehv.sys"),
_T("eeyehv64.sys"),
// Egnyte Inc
_T("egnfsflt.sys"),
// EMC
_T("ECATDriver.sys"),
// Emsi Software GmbH
_T("a2ertpx86.sys"),
_T("a2ertpx64.sys"),
_T("a2gffx86.sys"),
_T("a2gffx64.sys"),
_T("a2gffi64.sys"),
_T("a2acc.sys"),
_T("a2acc64.sys"),
// EnigmaSoft
_T("EnigmaFileMonDriver.sys"),
// ESET, spol. s r.o.
_T("eamonm.sys"),
// ESTsecurity Corp
_T("RSRtw.sys"),
_T("RSPCRtw.sys"),
// ESTsoft
_T("AYFilter.sys"),
_T("Rtw.sys"),
// ESTsoft corp.
_T("EstRkmon.sys"),
_T("EstRkr.sys"),
// ETRI
_T("vrSDetri.sys"),
_T("vrSDetrix.sys"),
// Everyzone
_T("TvMFltr.sys"),
// EveryZone Inc.
_T("IProtect.sys"),
// EveryZone INC.
_T("TvFiltr.sys"),
_T("TvDriver.sys"),
_T("TvSPFltr.sys"),
_T("TvPtFile.sys"),
// f-protect
_T("fpav_rtp.sys"),
// f-secure
_T("fsgk.sys"),
// Filseclab
_T("fildds.sys"),
// Fortinet Inc.
_T("FortiAptFilter.sys"),
_T("fortimon2.sys"),
_T("fortirmon.sys"),
_T("fortishield.sys"),
// Fujitsu Social Science
_T("wscm.sys"),
// FXSEC LTD
_T("pfkrnl.sys"),
// G Data
_T("HookCentre.sys"),
_T("PktIcpt.sys"),
_T("MiniIcpt.sys"),
// GAS Tecnologia
_T("GbpKm.sys"),
// Greatsoft Corp.Ltd
_T("vcdriv.sys"),
_T("vcreg.sys"),
_T("vchle.sys"),
// GRGBanking Equipment
_T("SECOne_USB.sys"),
_T("SECOne_Proc10.sys"),
_T("SECOne_REG10.sys"),
_T("SECOne_FileMon10.sys"),
// GridinSoft LLC
_T("gtkdrv.sys"),
// HAURI
_T("VrARnFlt.sys"),
_T("VrBBDFlt.sys"),
_T("vrSDfmx.sys"),
_T("vrSDam.sys"),
_T("VrAptDef.sys"),
_T("VrSdCore.sys"),
_T("VrFsFtM.sys"),
_T("VrFsFtMX.sys(AMD64)"),
_T("vradfil2.sys"),
// HAURI Inc.
_T("VRAPTFLT.sys"),
// Hidden Reflex
_T("epicFilter.sys"),
// Hitachi Solutions
_T("hsmltwhl.sys"),
_T("hssfwhl.sys"),
// HSM IT-Services Gmbh
_T("oavfm.sys"),
// Huorong Security
_T("sysdiag.sys"),
// IBM
_T("issregistry.sys"),
// IKARUS Security
_T("ntguard.sys"),
// Imperva Inc.
_T("mfdriver.sys"),
// INCA Internet Co.
_T("npxgd.sys"),
_T("npxgd64.sys"),
_T("tkpl2k.sys"),
_T("tkpl2k64.sys"),
_T("GKFF.sys"),
_T("GKFF64.sys"),
_T("tkdac2k.sys"),
_T("tkdacxp.sys"),
_T("tkdacxp64.sys"),
_T("tksp2k.sys"),
_T("tkspxp.sys"),
_T("tkspxp64.sys"),
// INCA Internet Co., Ltd
_T("tkfsft.sys"),
_T("tkfsft64.sys"),
_T("tkfsavxp.sys"),
_T("tkfsavxp64.sys"),
// Individual developer (Soft3304)
_T("AntiLeakFilter.sys"),
// IObit Information Tech
_T("IMFFilter.sys"),
// ISS
_T("issfltr.sys"),
// K7 Computing Private Ltd.
_T("K7Sentry.sys"),
// Kaspersky
_T("klbg.sys"),
_T("kldback.sys"),
_T("kldlinf.sys"),
_T("kldtool.sys"),
_T("klif.sys"),
// Kaspersky Lab
_T("klam.sys"),
_T("klif.sys"),
// KINGSOFT
_T("dgsafe.sys"),
// knowwheresoft Ltd
_T("securoFSD_x64.sys"),
// Komoku Inc.
_T("kmkuflt.sys"),
// Lavasoft AB
_T("lbd.sys"),
// Leith Bade
_T("cwdriver.sys"),
// Lenovo
_T("lnvscenter.sys"),
// Lightspeed Systems Inc.
_T("SAFsFilter.sys"),
// Malwarebytes Corp.
_T("FlightRecorder.sys"),
_T("mbam.sys"),
// MastedCode Ltd
_T("fsfilter.sys"),
// Max Secure Software
_T("MaxProc64.sys"),
_T("MaxProtector.sys"),
_T("maxcryptmon.sys"),
_T("SDActMon.sys"),
// McAfee Inc.
_T("epdrv.sys"),
_T("mfencoas.sys"),
_T("mfehidk.sys"),
_T("swin.sys"),
_T("MfeEEFF.sys"),
_T("mfprom.sys"),
_T("hdlpflt.sys"),
// Meidensha Corp
_T("WhiteShield.sys"),
// Microsoft
_T("WdFilter.sys"),
_T("mpFilter.sys"),
_T("SysmonDrv.sys"),
// MicroWorld Software Services Pvt. Ltd.
_T("mwfsmfltr.sys"),
// NeoAutus
_T("NeoKerbyFilter"),
// Netlor SAS
_T("KUBWKSP.sys"),
// NetSecurity Corp
_T("trfsfilter.sys"),
// NHN
_T("nsminflt.sys"),
_T("nsminflt64.sys"),
// Norman
_T("nvcmflt.sys"),
// Norman ASA
_T("nprosec.sys"),
_T("nregsec.sys"),
// Novatix Corporation
_T("NxFsMon.sys"),
// NPcore Ltd
_T("FileScan.sys"),
// Odyssey Cyber Security
_T("ODFsFimFilter.sys"),
_T("ODFsTokenFilter.sys"),
_T("ODFsFilter.sys"),
// OKUMA Corp
_T("ospfile_mini.sys"),
// OnMoon Company LLC
_T("acdrv.sys"),
// Palo Alto Networks
_T("CyvrFsfd.sys"),
// Panda Security
_T("PSINPROC.SYS"),
_T("PSINFILE.SYS"),
_T("amfsm.sys"),
_T("amm8660.sys"),
_T("amm6460.sys"),
// Panda Software
_T("NanoAVMF.sys"),
_T("shldflt.sys"),
// Panzor Cybersecurity
_T("pavdrv.sys"),
// Paretologic
_T("PLGFltr.sys"),
// PC Tools Pty. Ltd.
_T("PCTCore64.sys"),
_T("PCTCore.sys"),
_T("ikfilesec.sys"),
// Perfect World Co. Ltd
_T("PerfectWorldAntiCheatSys.sys"),
// PerfectWorld Ltd
_T("PWProtect.sys"),
// PerSystems SA
_T("pervac.sys"),
// Pooyan System
_T("RanPodFS.sys"),
// PWI, Inc.
_T("pwipf6.sys"),
// Qihoo 360
_T("dsark.sys"),
_T("360avflt.sys"),
// Quick Heal Technologies Pvt. Ltd.
_T("snsrflt.sys"),
_T("bdsflt.sys"),
_T("arwflt.sys"),
// Quick Heal TechnologiesPvt. Ltd.
_T("ggc.sys"),
_T("catflt.sys"),
// ReaQta Ltd.
_T("reaqtor.sys"),
// Redstor Limited
_T("RsFlt.sys"),
// refractionPOINT
_T("hcp_kernel_acq.sys"),
// REVE Antivirus
_T("ReveFltMgr.sys"),
_T("ReveProcProtection.sys"),
// S.N.Safe&Software
_T("snscore.sys"),
// Sangfor Technologies
_T("sfavflt.sys"),
// Savant Protection, Inc.
_T("savant.sys"),
// Scargo Inc
_T("si32_file.sys"),
_T("si64_file.sys"),
// SECUI Corporation
_T("sciptflt.sys"),
_T("scifsflt.sys"),
// SecuLution GmbH
_T("ssvhook.sys"),
// SecureAge Technology
_T("sascan.sys"),
// SecureBrain Corporation
_T("mscan-rt.sys"),
// SecureLink Inc.
_T("zwPxeSvr.sys"),
_T("zwASatom.sys"),
// Securitas Technologies,Inc.
_T("NovaShield.sys"),
// SecurityCoverage, Inc.
_T("SCFltr.sys"),
// Segira LLC
_T("SegiraFlt.sys"),
// Segurmatica
_T("SegMD.sys"),
_T("SegMP.sys"),
_T("SegF.sys"),
// Sequretek IT
_T("KawachFsMinifilter.sys"),
// SGA
_T("EPSMn.sys"),
// SGRI Co., LTD.
_T("vcMFilter.sys"),
// SheedSoft Ltd
_T("SheedAntivirusFilterDriver.sys"),
// Shenzhen Tencent Computer Systems Company Limited
_T("TSysCare.sys"),
_T("TFsFlt.sys"),
// Softwin
_T("bdfsfltr.sys"),
_T("bdfm.sys"),
// Sophos
_T("SophosED.sys"),
_T("SAVOnAccess.sys"),
_T("savonaccess.sys"),
_T("sld.sys"),
// SpellSecurity
_T("spellmon.sys"),
// Sybonic Systems Inc
_T("THFilter.sys"),
// symantec
_T("eeCtrl.sys"),
_T("eraser.sys"),
_T("SRTSP.sys"),
_T("SRTSPIT.sys"),
_T("SRTSP64.SYS"),
// Symantec
_T("VirtualAgent.sys"),
// Tall Emu
_T("OADevice.sys"),
// Technology Nexus AB
_T("SE46Filter.sys"),
// TEHTRI-Security
_T("egambit.sys"),
// Tencent
_T("TesMon.sys"),
_T("QQSysMonX64.sys"),
_T("QQSysMon.sys"),
// Teramind
_T("tmfsdrv2.sys"),
// TRAPMINE A.S.
_T("trpmnflt.sys"),
// Trend
_T("tmpreflt.sys"),
// Trend Micro Inc.
_T("TmKmSnsr.sys"),
_T("fileflt.sys"),
_T("TmEsFlt.sys"),
_T("TmEyes.sys"),
_T("tmevtmgr.sys"),
_T("TmFileEncDmk.sys"),
// Verdasys Inc
_T("STKrnl64.sys"),
// VisionPower Co.,Ltd.
_T("PZDrvXP.sys"),
// VMware, Inc.
_T("vsepflt.sys"),
_T("VFileFilter.sys(renamed)"),
// WardWiz
_T("WrdWizSecure64.sys"),
_T("wrdwizscanner.sys"),
// Webroot Inc.
_T("WRAEKernel.sys"),
_T("WRKrn.sys"),
_T("WRCore.sys"),
// Webroot Software, Inc.
_T("ssfmonm.sys"),
// White Cloud Security
_T("WCSDriver.sys"),
// WidgetNuri Corp
_T("SoftFilterxxx.sys"),
_T("RansomDefensexxx.sys"),
// WINS CO. LTD
_T("agentrtm64.sys"),
_T("rswmon.sys"),
// Yoggie
_T("UFDFilter.sys"),
// ZhengYong InfoTech LTD.
_T("Zyfm.sys"),
/*
* FSFilter Anti-Virus - END
*/
/*
* FSFilter Activity Monitor - BEGIN
*/
// (c)SMS
_T("isafermon"),
// 1mill
_T("FSMon.sys"),
// 360 Software (Beijing)
_T("AtdrAgent.sys"),
_T("AtdrAgent64.sys"),
_T("Qutmdrv.sys"),
// Absolute Software
_T("cbfsfilter2017.sys"),
_T("psepfilter.sys"),
// Absolute Software Corp.
_T("cve.sys"),
// Acronis
_T("NgScan.sys"),
// Actifio Inc
_T("aaf.sys"),
// Adaptiva
_T("AdaptivaClientCache32.sys"),
_T("AdaptivaclientCache64.sys"),
// Adtrustmedia
_T("browserMon.sys"),
// AhnLab, Inc.
_T("VPDrvNt.sys"),
// AI Consulting
_T("aictracedrv_am.sys"),
// Airlock Digital Pty Ltd
_T("alcapture.sys"),
// AIRWare Technology Ltd
_T("airship-filter.sys"),
// Alfa
_T("AlfaFF.sys"),
// Aliaksander Lebiadzevich
_T("SDDrvLdr.sys"),
// AlphaAntiLeak
_T("AALProtect.sys"),
// ALPS SYSTEM INTERGRATION CO.
_T("ISIRMFmon.sys"),
// Altaro Ltd.
_T("altcbt.sys"),
// ALWIL Software
_T("aswFsBlk.sys"),
// Amazon Web Services Inc
_T("AmznMon.sys"),
// Analytik Jena AG
_T("ajfsprot.sys"),
// ApexSQL LLC
_T("ApexSqlFilterDriver.sys"),
// AppGuard LLC
_T("AGSysLock.sys"),
_T("AGSecLock.sys"),
// AppiXoft
_T("axfsysmon.sys"),
_T("scensemon.sys"),
// AppSense Ltd
_T("DataNow_Driver.sys"),
_T("UcaFltDriver.sys"),
// AppStream, Inc.
_T("rflog.sys"),
// ApSoft
_T("CwMem2k64.sys"),
// Aqua Security
_T("ContainerMonitor.sys"),
// Arcserve
_T("xoiv8x64.sys"),
// Arkoon Network Security
_T("heimdall.sys"),
// Ashampoo Development
_T("IFS64.sys"),
// AsiaInfo Technologies
_T("kFileFlt.sys"),
// Aternity Ltd
_T("AternityRegistryHook.sys"),
// Atlansys Software
_T("atflt.sys"),
_T("amfd.sys"),
// Avanite Limited
_T("AvaPsFD.sys"),
// Avast Software
_T("aswSP.sys"),
// AVG Technologies CZ
_T("avgtpx86.sys"),
_T("avgtpx64.sys"),
// Avira GmbH
_T("avipbb.sys"),
// AvSoft Technologies
_T("strapvista.sys"),
// Axact Pvt Ltd
_T("axfltdrv.sys"),
// Axur Information Sec.
_T("amsfilter.sys"),
// Backup Systems Ltd
_T("cbfltfs4.sys"),
// Baidu (beijing)
_T("BdRdFolder.sys"),
// Baidu (Hong Kong) Limited
_T("Bfmon.sys"),
// Baidu Online Network
_T("bdsysmon.sys"),
// Barkly Protects Inc.
_T("BOsCmFlt.sys"),
_T("BOsFsFltr.sys"),
// Basein Networks
_T("cbfsfilter2017.sys"),
// BattlEye Innovations
_T("BEDaisy.sys"),
// Beijing CA-JinChen Software Co.
_T("kfac.sys"),
// Beijing QiAnXin Tech.
_T("QmInspec.sys"),
// Beijing Qihoo Technology Co.
_T("360fsflt.sys"),
// Beijing Shu Yan Science
_T("GagSecurity.sys"),
// Beijing Zhong Hang Jiaxin Computer Technology Co.,Ltd.
_T("filefilter.sys"),
// Best Security
_T("rpwatcher.sys"),
// BeyondTrust Inc.
_T("BlackbirdFSA.sys"),
// BicDroid Inc.
_T("QDocumentREF.sys"),
// Bit9 Inc.
_T("CarbonBlackK.sys"),
// BitArmor Systems, Inc
_T("bapfecpt.sys"),
_T("bamfltr.sys"),
// Bitdefender SRL
_T("edrsensor.sys"),
_T("bdprivmon.sys"),
// bitFence Inc.
_T("bfaccess.sys"),
// BiZone LLC
_T("bzsenyaradrv.sys"),
_T("bzsenspdrv.sys"),
_T("bzsenth.sys"),
// Blue Ridge Networks
_T("BrnFileLock.sys"),
_T("BrnSecLock.sys"),
// Bluzen Inc
_T("ipcomfltr.sys"),
// Broadcom
_T("symevnt.sys"),
_T("symevnt32.sys"),
// Bromium Inc
_T("brfilter.sys"),
_T("BrCow_x_x_x_x.sys"),
_T("BemK.sys"),
// ByStorm
_T("BssAudit.sys"),
// C-DAC Hyderabad
_T("pecfilter.sys"),
// CA
_T("xomfcbt8x64.sys"),
_T("KmxAgent.sys"),
_T("KmxFile.sys"),
_T("KmxSbx.sys"),
// Carbonite Inc
_T("MozyNextFilter.sys"),
_T("MozyCorpFilter.sys"),
_T("MozyEntFilter.sys"),
_T("MozyOEMFilter.sys"),
_T("MozyEnterpriseFilter.sys"),
_T("MozyProFilter.sys"),
_T("MozyHomeFilter.sys"),
_T("BDSFilter.sys"),
_T("CSBFilter.sys"),
// cEncrypt
_T("dsflt.sys"),
// Centennial Software Ltd
_T("msiodrv4.sys"),
// Centre for Development of Advanced Computing
_T("USBPDH.SYS"),
// Centrify Corp
_T("CentrifyFSF.sys"),
// Certero
_T("cmflt.sys"),
// Chaewool
_T("cFSfdrv"),
// Check Point Software
_T("epregflt.sys"),
_T("epklib.sys"),
_T("medlpflt.sys"),
_T("dsfa.sys"),
_T("cposfw.sys"),
// Checkpoint Software
_T("cpepmon.sys"),
_T("cpbak.sys"),
// ChemoMetec
_T("ChemometecFilter.sys"),
// Cigent Technology Inc
_T("Spotlight.sys"),
// Cigital, Inc.
_T("fmdrive.sys"),
// Cisco Systems
_T("csaam.sys"),
// Citrix Systems
_T("srminifilterdrv.sys"),
// Clonix Co
_T("rsfdrv.sys"),
// Clumio Inc
_T("ClumioChangeBlockMf.sys"),
// Code42
_T("Code42Filter.sys"),
// ColorTokens
_T("FFDriver.sys"),
// Comae Tech
_T("windd.sys"),
// CommVault Systems, Inc.
_T("CVCBT.sys"),
// Comodo Security Solutions Inc.
_T("CmdCwagt.sys"),
_T("cfrmd.sys"),
// ComTrade
_T("ctamflt.sys"),
// Comtrue Technology
_T("shdlpSf.sys"),
_T("ctrPAMon.sys"),
_T("shdlpMedia.sys"),
// Conduant Corporation
_T("ConduantFSFltr.sys"),
// Condusiv Technologies
_T("hiofs.sys"),
// CondusivTechnologies
_T("vintmfs.sys"),
_T("intmfs.sys"),
_T("excfs.sys"),
// Confio
_T("IridiumSwitch.sys"),
// CONNECT SHIFT LTD
_T("DTPL.sys"),
// CoSoSys
_T("cssdlp.sys"),
// Crawler Group
_T("tbrdrv.sys"),
// Credant Technologies
_T("XendowFLT.sys"),
// CristaLink
_T("mtsvcdf.sys"),
// CRU Data Security Group
_T("CdsgFsFilter.sys"),
// CyberArk Software
_T("vfpd.sys"),
_T("CybKernelTracker.sys"),
// CyberSight Inc
_T("csmon.sys"),
// Cygna Labs
_T("FileMonitor.sys"),
// Cylance Inc.
_T("CyOptics.sys"),
_T("CyProtectDrv32.sys"),
_T("CyProtectDrv64.sys"),
// Cytrence Inc
_T("cytmon.sys"),
// Datacloak Tech
_T("dcfsgrd.sys"),
// DataGravity Inc.
_T("dgfilter.sys"),
// Datto Inc
_T("DattoFSF.sys"),
// Dell Secureworks
_T("groundling32.sys"),
_T("groundling64.sys"),
// Dell Software Inc.
_T("DgeDriver.sys"),
// DELL Technologies
_T("DTDSel.sys"),
// Dell Technologies
_T("NWEDriver.sys"),
// derivo GmbH
_T("bbfilter.sys"),
// Digitalsense Co
_T("dsfltfs.sys"),
// Diskeeper Corporation
_T("nowonmf.sys"),
_T("dktlfsmf.sys"),
_T("DKDrv.sys"),
_T("DKRtWrt.sys"),
_T("HBFSFltr.sys"),
// Dmitry Stefankov
_T("WinTeonMiniFilter.sys"),
_T("wiper.sys"),
_T("DevMonMiniFilter.sys"),
// Doctor Web
_T("Drwebfwflt.sys"),
_T("EventMon.sys"),
// Douzone Bizon Co
_T("rswctrl.sys"),
_T("mcstrg.sys"),
_T("fmkkc.sys"),
_T("nmlhssrv01.sys"),
// DreamCrafts
_T("SaMFlt.sys"),
// Dtex Systems
_T("dnaFSMonitor.sys"),
// EaseVault Technologies Inc.
_T("EaseFlt.sys"),
// Egis Technology Inc.
_T("eLock2FSCTLDriver.sys"),
// Egnyte Inc
_T("egnfsflt.sys"),
// eIQnetworks Inc.
_T("FIM.sys"),
// Elex Tech Inc
_T("iSafeKrnl.sys"),
_T("iSafeKrnlMon.sys"),
// eMingSoftware Inc
_T("NetPeeker.sys"),
// Encourage Technologies
_T("asiofms.sys"),
// Enterprise Data Solutions, Inc.
_T("edsigk.sys"),
// Entrust Inc.
_T("eetd32.sys"),
_T("eetd64.sys"),
// ESET, spol. s r.o.
_T("ehdrv.sys"),
// ESTsoft corp.
_T("EstPrmon.sys"),
_T("Estprp.sys"),
_T("EstRegmon.sys"),
_T("EstRegp.sys"),
// F-Secure
_T("fshs.sys"),
_T("fsatp.sys"),
// Faronics Corporation
_T("AeFilter.sys"),
// FastTrack Software ApS
_T("AbrPmon.sys"),
// FFC Limited
_T("FFCFILT.SYS"),
// FileTek, Inc.
_T("TrustedEdgeFfd.sys"),
// FireEye Inc
_T("WFP_MRT.sys"),
// FireEye Inc.
_T("FeKern.sys"),
// Fitsec Ltd
_T("kconv.sys"),
_T("trace.sys"),
_T("SandDriver.sys"),
// Flexera Software Inc.
_T("ISRegFlt.sys"),
_T("ISRegFlt64.sys"),
// ForcePoint LLC.
_T("fpepflt.sys"),
// Fujian Shen Kong
_T("wats_se.sys"),
// FUJITSU ENGINEERING
_T("ibr2fsk.sys"),
// FUJITSU LIMITED
_T("FJGSDis2.sys"),
_T("FJSeparettiFilterRedirect.sys"),
_T("Fsw31rj1.sys"),
_T("da_ctl.sys"),
// FUJITSU SOCIAL SCIENCE
_T("secure_os.sys"),
// FUJITSU SOFTWARE
_T("PsAcFileAccessFilter.sys"),
// Fusion-io
_T("fiometer.sys"),
_T("dcSnapRestore.sys"),
// Futuresoft
_T("PointGuardVistaR32.sys"),
_T("PointGuardVistaR64.sys"),
_T("PointGuardVistaF.sys"),
_T("PointGuardVista64F.sys"),
// G Data Software AG
_T("gddcv.sys"),
// GameHi Co.
_T("Codex.sys"),
// GemacmbH
_T("GcfFilter.sys"),
// Glarysoft Ltd.
_T("GUMHFilter.sys"),
// Google, Inc.
_T("MRxGoogle.sys"),
// Gorizonty Rosta Ltd
_T("GoFSMF.sys"),
// GrammaTech, Inc.
_T("drvhookcsmf.sys"),
_T("drvhookcsmf_amd64.sys"),
// Group-IB LTD
_T("gibepcore.sys"),
// HA Unix Pt
_T("hafsnk.sys"),
// Hangzhou Yifangyun
_T("fangcloud_autolock_driver.sys"),
// HAURI
_T("secure_os_mf.sys"),
// Hauri Inc
_T("VrVBRFsFilter.sys"),
_T("VrExpDrv.sys"),
// HAVELSAN A.
_T("HVLMinifilter.sys"),
// HEAT Software
_T("SK.sys"),
// Heilig Defense LLC
_T("HDRansomOffDrv.sys"),
_T("HDCorrelateFDrv.sys"),
_T("HDFileMon.sys"),
// HeroBravo Technology
_T("sysdiag.sys"),
// Hexis Cyber Solutions
_T("HexisFSMonitor.sys"),
// HFN Inc.
_T("RGNT.sys"),
// Hitachi Solutions
_T("hsmltmon.sys"),
// Honeycomb Technologies
_T("dskmn.sys"),
// HP
_T("hpreg.sys"),
// i-Guard SAS
_T("iGuard.sys"),
// I-O DATA DEVICE
_T("sConnect.sys"),
// IBM
_T("NmpFilter.sys"),
_T("FsMonitor.sys"),
// Idera
_T("IderaFilterDriver.sys"),
// Idera Software
_T("SQLsafeFilterDriver.sys"),
// IGLOO SECURITY, Inc.
_T("kmNWCH.sys"),
// IKARUS Security
_T("Sonar.sys"),
// Immidio B.V.
_T("immflex.sys"),
// in-soft Kft.
_T("LmDriver.sys"),
// INCA Internet Co.
_T("GKPFCB.sys"),
_T("GKPFCB64.sys"),
// INCA Internet Co.,Ltd.
_T("TkPcFtCb.sys"),
_T("TkPcFtCb64.sys"),
// Industrial Technology
_T("icrlmonitor.sys"),
// InfoCage
_T("IccFilterSc.sys"),
// Informzaschita
_T("SnDacs.sys"),
_T("SnExequota.sys"),
// Infotecs
_T("filenamevalidator.sys"),
_T("KC3.sys"),
// InfoWatch
_T("iwhlp2.sys"),
_T("iwhlpxp.sys"),
_T("iwhlp.sys"),
_T("iwdmfs.sys"),
// Initech Inc.
_T("INISBDrv64.sys"),
// Int3 Software AB
_T("equ8_helper.sys"),
// Intel Corporation
_T("ielcp.sys"),
_T("IESlp.sys"),
_T("IntelCAS.sys"),
// Intercom Inc.
_T("tsifilemon.sys"),
_T("MarSpy.sys"),
// Interset Inc.
_T("WDCFilter.sys"),
// Intronis Inc
_T("VHDTrack.sys"),
// Invincea
_T("InvProtectDrv.sys"),
_T("InvProtectDrv64.sys"),
// Ionx Solutions LLP
_T("AuditFlt.sys"),
// ioScience
_T("iothorfs.sys"),
// iSecure Ltd.
_T("isecureflt.sys"),
// ITsMine
_T("imfilter.sys"),
// ITSTATION Inc
_T("aUpDrv.sys"),
// Ivanti
_T("IvAppMon.sys"),
// J's Communication Co.
_T("RevoNetDriver.sys"),
// Jinfengshuntai
_T("IPFilter.sys"),
// JiranData Co. Ltd
_T("JDPPWF.sys"),
_T("JDPPSF.sys"),
// Jiransoft Co., Ltd
_T("offsm.sys"),
_T("xkfsfd.sys"),
_T("JKPPOB.sys"),
_T("JKPPXK.sys"),
_T("JKPPPF.sys"),
_T("JKPPOK.sys"),
_T("pcpifd.sys"),
// k4solution Co.
_T("zsfprt.sys"),
// Kalpataru
_T("GPMiniFIlter.sys"),
// Kaspersky Lab
_T("klboot.sys"),
_T("klfdefsf.sys"),
_T("klrsps.sys"),
_T("klsnsr.sys"),
_T("klifks.sys"),
_T("klifaa.sys"),
_T("Klifsm.sys"),
// KEBA AG
_T("KeWF.sys"),
// Kenubi
_T("boxifier.sys"),
// Keysight Technologies
_T("KtFSFilter.sys"),
// kingsoft
_T("Kisknl.sys"),
// Kits Ltd.
_T("cbfsfilter2017.sys"),
// KnowledgeTree Inc.
_T("ktsyncfsflt.sys"),
// Koby Kahane
_T("NpEtw.sys"),
// Ladislav Zezula
_T("MSpy.sys"),
// LANDESK Software
_T("LDSecDrv.sys"),
// Lenovo Beijing
_T("slb_guard.sys"),
_T("lrtp.sys"),
// LINK co.
_T("NetAccCtrl.sys"),
_T("NetAccCtrl64.sys"),
// Livedrive Internet Ltd
_T("LivedriveFilter.sys"),
// Logichron Inc
_T("CatMF.sys"),
// LogRhythm Inc.
_T("LRAgentMF.sys"),
// Lovelace Network Tech
_T("MPKernel.sys"),
// Lumension
_T("eps.sys"),
// Magic Softworks, Inc.
_T("MagicBackupMonitor.sys"),
// magrasoft Ltd
_T("zqFilter.sys"),
// MailRu
_T("mracdrv.sys"),
// Malwarebytes
_T("mbamshuriken.sys"),
// Man Technology Inc
_T("bsrfsflt.sys"),
_T("fsrfilter.sys"),
_T("vollock.sys"),
_T("drbdlock.sys"),
// ManageEngine Zoho
_T("DFMFilter.sys"),
_T("DCFAFilter.sys"),
_T("RMPHVMonitor.sys"),
_T("FAPMonitor.sys"),
_T("MEARWFltDriver.sys"),
// ManTech
_T("topdogfsfilt.sys"),
// March Hare Software Ltd
_T("evscase.sys"),
_T("inuse.sys"),
_T("cvsflt.sys"),
// McAfee
_T("mfencfilter.sys"),
// McAfee Inc.
_T("mfeaskm.sys"),
// Micro Focus
_T("FilrDriver.sys"),
// Microsoft
_T("DhWatchdog.sys"),
_T("mssecflt.sys"),
_T("Backupreader.sys"),
_T("MsixPackagingToolMonitor.sys"),
_T("AppVMon.sys"),
_T("DpmFilter.sys"),
_T("Procmon11.sys"),
_T("minispy.sys"),
_T("fdrtrace.sys"),
_T("filetrace.sys"),
_T("uwfreg.sys"),
_T("uwfs.sys"),
_T("locksmith.sys"),
_T("winload.sys"),
_T("CbSampleDrv.sys"),
_T("simrep.sys"),
_T("change.sys"),
_T("delete_flt.sys"),
_T("SmbResilFilter.sys"),
_T("usbtest.sys"),
_T("NameChanger.sys"),
_T("failMount.sys"),
_T("failAttach.sys"),
_T("stest.sys"),
_T("cdo.sys"),
_T("ctx.sys"),
_T("fmm.sys"),
_T("cancelSafe.sys"),
_T("message.sys"),
_T("passThrough.sys"),
_T("nullFilter.sys"),
_T("ntest.sys"),
_T("iiscache.sys"),
_T("wrpfv.sys"),
_T("msnfsflt.sys"),
// Mobile Content Mgmt
_T("cbfsfilter2017.sys"),
// MRY Inc.
_T("drsfile.sys"),
// NanJing Geomarking
_T("MagicProtect.sys"),
_T("cbfsfilter2017.sys"),
_T("cbfsfilter2020.sys"),
// NEC Corporation
_T("UVMCIFSF.sys"),
// NEC Soft
_T("flyfs.sys"),
_T("serfs.sys"),
_T("hdrfs.sys"),
// NEC System Technologies
_T("IccFilterAudit.sys"),
// NEC System Technologies,Ltd.
_T("ICFClientFlt.sys"),
_T("IccFileIoAd.sys"),
// Neowiz Corporation
_T("MWatcher.sys"),
// NetIQ
_T("CGWMF.sys"),
// NetLib
_T("nlcbhelpx86.sys"),
_T("nlcbhelpx64.sys"),
_T("nlcbhelpi64.sys"),
// NetVision, Inc.
_T("nvmon.sys"),
// Network Appliance
_T("flashaccelfs.sys"),
_T("changelog.sys"),
// NetworkProfi Ltd
_T("laFS.sys"),
// New Net Technologies Limited
_T("NNTInfo.sys"),
// NewSoftwares.net,Inc.
_T("WinFLAHdrv.sys"),
_T("WinFLAdrv.sys"),
_T("WinDBdrv.sys"),
_T("WinFLdrv.sys"),
_T("WinFPdrv.sys"),
// NEXON KOREA
_T("BlackCat.sys"),
// NextLabs
_T("nxrmflt.sys"),
// Niriva LLC
_T("VHDDelta.sys"),
_T("FSTrace.sys"),
// Nomadesk
_T("cbfltfs4.sys"),
// Novell
_T("zesfsmf.sys"),
// NTP Software
_T("ntps_fa.sys"),
// Nurd Yazilim A.S.
_T("edrdrv.sys"),
// NURILAB
_T("pfracdrv.sys"),
_T("nrcomgrdki.sys"),
_T("nrcomgrdka.sys"),
_T("nrpmonki.sys"),
_T("nrpmonka.sys"),
_T("nravwka.sys"),
_T("bhkavki.sys"),
_T("bhkavka.sys"),
_T("docvmonk.sys"),
_T("docvmonk64.sys"),
// NVELO Inc.
_T("SamsungRapidFSFltr.sys"),
// OCZ Storage
_T("OczMiniFilter.sys"),
// OnGuard Systems LLC
_T("NlxFF.sys"),
// OpenText Corp
_T("enmon.sys"),
// OPSWAT Inc.
_T("libwamf.sys"),
// ORANGE WERKS Inc
_T("wgfile.sys"),
// PA File Sight
_T("FileSightMF.sys"),
// Packeteer
_T("mblmon.sys"),
// Palo Alto Networks
_T("tedrdrv.sys"),
// PHD Virtual Tech Inc.
_T("phdcbtdrv.sys"),
// PJSC KP VTI
_T("RW7FsFlt.sys"),
// PolyLogyx LLC
_T("vast.sys"),
// Positive Technologies
_T("mpxmon.sys"),
// Protected Networks
_T("minitrc.sys"),
// Qihoo 360
_T("360box.sys"),
// Qingdao Ruanmei Network Technology Co.
_T("RMDiskMon.sys"),
_T("diskactmon.sys"),
// Quality Corporation
_T("qfmon.sys"),
// Qualys Inc.
_T("QMON.sys"),
_T("qfimdvr.sys"),
// Quantum Corporation.
_T("cvofflineFlt32.sys"),
_T("cvofflineFlt64.sys"),
// Quest Software
_T("QFAPFlt.sys"),
// Quest Software Inc.
_T("BWFSDrv.sys"),
_T("CAADFlt.sys"),
// Quick Heal Technologies Pvt. Ltd.
_T("sieflt.sys"),
_T("cssdlp.sys"),
_T("fam.sys"),
// Quorum Labs
_T("qfilter.sys"),
// Rackware
_T("rwchangedrv.sys"),
// Redstor Limited
_T("RsFlt.sys"),
// RES Software
_T("FileGuard.sys"),
_T("NetGuard.sys"),
_T("RegGuard.sys"),
_T("ImgGuard.sys"),
_T("AppGuard.sys"),
// Resplendence Software Projects
_T("mmPsy32.sys"),
_T("mmPsy64.sys"),
_T("rrMon32.sys"),
_T("rrMon64.sys"),
// rhipe Australia Pty
_T("SeRdr.sys"),
// Rubrik Inc
_T("RubrikFileAudit.sys"),
_T("FileSystemCBT.sys"),
// rubysoft
_T("IronGateFD.sys"),
// RuiGuard Ltd
_T("RuiMinispy.sys"),
_T("RuiFileAccess.sys"),
_T("RuiEye.sys"),
_T("RuiMachine.sys"),
_T("RuiDiskFs.sys"),
// RUNEXY
_T("ruaff.sys"),
_T("mlsaff.sys"),
// SAFE-Cyberdefense
_T("SAFE-Agent.sys"),
// Safend
_T("Sahara.sys"),
_T("Santa.sys"),
// SaferZone Co.
_T("SZEDRDrv.sys"),
_T("szardrv.sys"),
_T("szpcmdrv.sys"),
_T("szdfmdrv.sys"),
_T("szdfmdrv_usb.sys"),
_T("sprtdrv.sys"),
// Samsung SDS Ltd
_T("SGResFlt.sys"),
// SanDisk Inc.
_T("fiopolicyfilter.sys"),
// Sandoll Communication
_T("SfdFilter.sys"),
// SC ODEKIN SOLUTIONS SRL
_T("ospmon.sys"),
// Scalable Software Inc.
_T("PkgFilter.sys"),
// ScriptLogic
_T("FSAFilter.sys"),
// Secdo
_T("SecdoDriver.sys"),
// SecureAxis
_T("usbl_ifsfltr.sys"),
// SecureAxis Software
_T("llfilter.sys"),
// Secured Globe Inc.
_T("fltRs329.sys"),
// SecureLink Inc.
_T("CBFSFilter2017.sys"),
// Security Code LLC
_T("ScAuthFSFlt.sys"),
_T("ScAuthIoDrv.sys"),
// SentinelOne
_T("SentinelMonitor.sys"),
// Sevtechnotrans
_T("uamflt.sys"),
// Shanghai YiCun Network Tech Co. Ltd
_T("AccessValidator.sys"),
// SharpCrafters
_T("psisolator.sys"),
// SheedSoft Ltd
_T("SheedSelfProtection.sys"),
// SheedSoft Ltd.
_T("arta.sys"),
// Shenzhen CloudRiver
_T("CrUnCopy.sys"),
// SHENZHEN UNNOO Information Techco.
_T("RyGuard.sys"),
_T("FileShareMon.sys"),
_T("ryfilter.sys"),
// Shenzhen Unnoo LTD
_T("secufile.sys"),
_T("XiaobaiFs.sys"),
_T("XiaobaiFsR.sys"),
// ShinNihonSystec Co
_T("sagntflt.sys"),
// Simopro Technology
_T("CbFltFs4.sys"),
// SK Infosec Co
_T("PLPOffDrv.sys"),
_T("ISFPDrv.sys"),
_T("ionmonwdrv.sys"),
// Sky Co., LTD.
_T("SkyRGDrv.sys"),
_T("SkyAMDrv.sys"),
// Sky Co.,Ltd.
_T("SkyWPDrv.sys"),
// SmartFile LLC
_T("FileHubAgent.sys"),
// SMTechnology Co.
_T("storagedrv.sys"),
// SN Systems Ltd
_T("cbfilter20.sys"),
_T("cbfsfilter2017.sys"),
// SnoopWall LLC
_T("SWCommFltr.sys"),
// SODATSW
_T("sodatpfl.sys"),
// SODATSW spol. s r.o.
_T("sodatpfl.sys"),
_T("fcontrol.sys"),
// SoftCamp Co.
_T("scred.sys"),
// Softnext Technologies
_T("snimg.sys"),
// SoftPerfect Research
_T("fsnk.sys"),
// Software Pursuits Inc.
_T("SPIMiniFilter.sys"),
// Sogou Ltd.
_T("SCAegis.sys"),
// Solarwinds LLC
_T("SWFsFltrv2.sys"),
_T("SWFsFltr.sys"),
// Soliton Systems
_T("it2reg.sys"),
_T("it2drv.sys"),
_T("solitkm.sys"),
// Soliton Systems K.K.
_T("SDVFilter.sys"),
// Solusseum Inc
_T("Sefo.sys"),
// Soluto LTD
_T("PDGenFam.sys"),
// Somma Inc
_T("MonsterK.sys"),
// SonicWall Inc
_T("SFPMonitor.sys"),
// Sophos
_T("SophosED.sys"),
// Sophos Plc
_T("soidriver.sys"),
// SoulFrost
_T("sfac.sys"),
// SPEKNET EOOD
_T("Asgard.sys"),
// Spharsoft Technologies
_T("SvCBT.sys"),
// Squadra Technologies
_T("secRMM.sys"),
// Stegosystems Inc
_T("StegoProtect.sys"),
// StorageCraft Tech
_T("stcvsm.sys"),
// Stormshield
_T("EsProbe.sys"),
// Sumitomo Electric Ltd.
_T("MCFileMon64.sys"),
_T("MCFileMon32.sys"),
// Sun&Moon Rise
_T("ntfsf.sys"),
// Symantec
_T("pgpwdefs.sys"),
_T("GEProtection.sys"),
_T("sysMon.sys"),
_T("ssrfsf.sys"),
_T("emxdrv2.sys"),
_T("reghook.sys"),
_T("spbbcdrv.sys"),
_T("bhdrvx86.sys"),
_T("bhdrvx64.sys"),
_T("SISIPSFileFilter"),
_T("symevent.sys"),
// Symantec Corp.
_T("diflt.sys"),
_T("SISIPSFileFilter.sys"),
// Syncopate
_T("thetta.sys"),
// Systemneeds, Inc
_T("Snilog.sys"),
// TaaSera Inc.
_T("AwareCore.sys"),
// Tanium
_T("TaniumRecorderDrv.sys"),
// TCXA Ltd.
_T("fcnotify.sys"),
// Tech Research
_T("FASDriver"),
// TechnoKom Ltd.
_T("agfsmon.sys"),
// Telefnica Digital
_T("path8flt.sys"),
// Temasoft S.R.L.
_T("filemon.sys"),
// Tencent (Shenzhen)
_T("QQProtect.sys"),
_T("QQProtectX64.sys"),
// Tencent Technology
_T("TenRSafe2.sys"),
_T("tesxporter.sys"),
_T("tesxnginx.sys"),
// Tetraglyph Technologies
_T("TGFSMF.sys"),
// ThinAir Labs Inc
_T("taobserveflt.sys"),
// ThinScale Tech
_T("TSTFsReDir.sys"),
_T("TSTRegReDir.sys"),
_T("TSTFilter.sys"),
// Third Brigade
_T("tbfsfilt.sys"),
// Threat Stack
_T("ThreatStackFIM.sys"),
// Tiversa Inc
_T("tss.sys"),
// Topology Ltd
_T("dsfemon.sys"),
// Tranxition Corp
_T("regmonex.sys"),
_T("TXRegMon.sys"),
// Trend Micro Inc.
_T("TMUMS.sys"),
_T("hfileflt.sys"),
_T("TMUMH.sys"),
// Trend Micro, Inc.
_T("AcDriver.sys"),
_T("SakFile.sys"),
_T("SakMFile.sys"),
// Tritium Inc.
_T("Tritiumfltr.sys"),
// Trustware Ltd
_T("Redlight.sys"),
// Trustwave
_T("TWBDCFilter.sys"),
// UpGuard
_T("UpGuardRealTime.sys"),
// Varlook Ltd.
_T("varpffmon.sys"),
// Varonis Ltd
_T("VrnsFilter.sys"),
// Veramine Inc
_T("phantomd.sys"),
// Vidder Inc.
_T("vidderfs.sys"),
// Viewfinity
_T("vfdrv.sys"),
// Vision Solutions
_T("repdrv.sys"),
_T("repmon.sys"),
// VMware, Inc.
_T("VMWVvpfsd.sys"),
_T("RTOLogon.sys"),
// VoodooSoft
_T("VSScanner.sys"),
// WaikatoLink Ltd
_T("proggerdriver.sys"),
// WardWiz
_T("WRDWIZFILEPROT.SYS"),
_T("WRDWIZREGPROT.SYS"),
// Warp Disk Software
_T("DsDriver.sys"),
// Weing Co.,Ltd.
_T("pscff.sys"),
// Wellbia.com
_T("xhunter64.sys"),
_T("uncheater.sys"),
// Wellbiacom
_T("xhunter1.sys"),
// Whitebox Security
_T("wbfilter.sys"),
// WhiteCell Software Inc.
_T("EGMinFlt.sys"),
// WidgetNuri Corp
_T("wsafefilter.sys"),
_T("RansomDetect.sys"),
// Winicssec Ltd
_T("wlminisecmod.sys"),
_T("WntGPDrv.sys"),
// X-Cloud Systems
_T("xcpl.sys"),
// Xacti
_T("stflt.sys"),
// Yahoo Japan Corporation
_T("YahooStorage.sys"),
// Yandex LLC
_T("bmregdrv.sys"),
_T("bmfsdrv.sys"),
// YATEM Co. Ltd.
_T("LCmPrintMon.sys"),
_T("LCgAdMon.sys"),
_T("LCmAdMon.sys"),
_T("LCgFileMon.sys"),
_T("LCmFile.sys"),
_T("LCgFile.sys"),
_T("LCmFileMon.sys"),
// Yokogawa Corporation
_T("YFSD2.sys"),
// Yokogawa R&L Corp
_T("YFSDR.SYS"),
_T("YFSD.SYS"),
_T("YFSRD.sys"),
_T("psgfoctrl.sys"),
_T("psgdflt.sys"),
// Zampit
_T("zampit_ml.sys"),
// ZenmuTech Inc.
_T("mumdi.sys"),
// Zhuan Zhuan Jing Shen
_T("zzpensys.sys"),
// ZoneFox
_T("KernelAgent32.sys"),
/*
* FSFilter Activity Monitor - END
*/
/*
* Invoke-EDRCheck.ps1 - BEGIN
* Duplicates from previous source are removed.
*/
// Altiris Symantec
_T("atrsdfw.sys"),
// Avast
_T("naswSP.sys"),
// Carbon Black
_T("CbELAM.sys"),
_T("ctifile.sys"),
_T("ctinet.sys"),
_T("parity.sys"),
_T("cbstream.sys"),
_T("cbk7.sys"),
// Cisco
_T("csacentr.sys"),
_T("csaenh.sys"),
_T("csareg.sys"),
_T("csascr.sys"),
// CJSC Returnil Software
_T("rvsavd.sys"),
// Comodo Security
_T("CmdMnEfs.sys"),
_T("MyDLPMF.sys"),
// CrowdStrike
_T("im.sys"),
_T("CSDeviceControl.sys"),
_T("CSFirmwareAnalysis.sys"),
// Cybereason
_T("CRExecPrev.sys"),
// Endgame
_T("esensor.sys"),
// ESET
_T("edevmon.sys"),
// F-Secure
_T("xfsgk.sys"),
// Malwarebytes
_T("mbamwatchdog.sys"),
// Microsoft Defender
_T("MpKslDrv.sys"),
// Palo Alto Networks - Cortex XDR
_T("cyverak.sys"),
_T("cyvrlpc.sys"),
_T("cyvrmtgn.sys"),
_T("tdevflt.sys"),
// Raytheon Cyber Solutions
_T("eaw.sys"),
// Symantec
_T("vxfsrep.sys"),
_T("VirtFile.sys"),
_T("SymAFR.sys"),
_T("symefasi.sys"),
_T("symefa.sys"),
_T("symefa64.sys"),
_T("SymHsm.sys"),
_T("evmf.sys"),
_T("GEFCMP.sys"),
_T("VFSEnc.sys"),
_T("pgpfs.sys"),
_T("fencry.sys"),
_T("symrg.sys"),
// Verdasys Inc
_T("ndgdmk.sys"),
_T("dgdmk.sys"),
/*
* Invoke-EDRCheck.ps1 - END
*/
/*
* User contributions
*/
// Tehtris
_T("egfilterk.sys"),
// Sophos
_T("SophosDt2.sys"),
_T("SophosSupport.sys"),
// Cisco AMP
_T("ExPrevDriver.sys"),
};
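/*
 * Returns TRUE when the signer string reported by GetFileSigners for the file
 * at filePath contains one of the vendor keywords of EDR_SIGNATURE_KEYWORDS.
 *
 * filePath : path of the binary/driver to inspect (handed to GetFileSigners).
 * Returns  : TRUE on a keyword match; FALSE if the file is unsigned, cannot be
 *            found, if signer retrieval fails, or if no keyword matches.
 *
 * The match is a case-sensitive substring search (_tcsstr) over whatever
 * signer string GetFileSigners produces, so keywords must be spelled and cased
 * exactly as they appear in that string. Whether the signature itself is
 * trustworthy (chain, revocation) is GetFileSigners' concern, not checked here.
 *
 * Fix: the previous version returned without freeing `signers` on the
 * E_NOT_SIGNED / E_FILE_NOT_FOUND / generic error paths reached after the
 * buffer had been allocated; all exits now go through a single cleanup point.
 */
BOOL isFileSignatureMatchingEDR(TCHAR* filePath) {
    BOOL matched = FALSE;
    TCHAR* signers = NULL;
    size_t szSigners = 0;

    // First call with a NULL buffer: for a signed file it only reports the
    // required size, via E_INSUFFICIENT_BUFFER.
    SignatureOpsError status = GetFileSigners(filePath, signers, &szSigners);
    if (status == E_INSUFFICIENT_BUFFER) {
        signers = calloc(szSigners, sizeof(TCHAR));
        if (!signers) {
            _tprintf_or_not(TEXT("[!] Couldn't allocate memory for Signers information for binary \"%s\"\n"), filePath);
            return FALSE;
        }
        status = GetFileSigners(filePath, signers, &szSigners);
    }

    if (status == E_NOT_SIGNED) {
        // An unsigned file is unlikely to belong to an EDR product; not an error.
        goto cleanup;
    }
    if (status == E_FILE_NOT_FOUND) {
        _tprintf_or_not(TEXT("[!] Couldn't locate file \"%s\" to retrieve certificate information.\n"), filePath);
        goto cleanup;
    }
    if (status != E_SUCCESS || !signers) {
        _tprintf_or_not(TEXT("[!] An error occurred while retrieving certificate information for file \"%s\"\n"), filePath);
        goto cleanup;
    }

    // Any keyword found anywhere in the signer string counts as a match.
    for (size_t i = 0; i < _countof(EDR_SIGNATURE_KEYWORDS); ++i) {
        if (_tcsstr(signers, EDR_SIGNATURE_KEYWORDS[i])) {
            matched = TRUE;
            break;
        }
    }

cleanup:
    // free(NULL) is a no-op, so this is safe on the paths that never allocated.
    free(signers);
    return matched;
}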
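/*
 * Name / path lookups in the hard-coded EDR_BINARIES and EDR_DRIVERS lists.
 *
 * Windows image, file and driver names are case-insensitive, and the lists
 * themselves mix casings (e.g. "WRDWIZFILEPROT.SYS" next to "wbfilter.sys"),
 * so the previous case-sensitive _tcscmp/_tcsstr could silently miss an EDR
 * component whose on-disk name differs only by case. Every lookup below is
 * therefore case-insensitive. The *Path variants keep the substring semantics
 * of the original because several list entries carry no extension
 * (e.g. "FASDriver", "SISIPSFileFilter"); that also means a short entry may
 * match inside a longer, unrelated file name, so a positive result is a
 * heuristic and callers should treat it as such.
 */

// Case-insensitive counterpart of _tcsstr: TRUE if needle occurs in haystack.
// An empty needle matches any non-NULL haystack, as _tcsstr does; NULL inputs
// never match (where _tcsstr would dereference them).
static BOOL isSubstringNoCase(const TCHAR* haystack, const TCHAR* needle) {
    if (!haystack || !needle) {
        return FALSE;
    }
    for (const TCHAR* start = haystack; ; ++start) {
        const TCHAR* h = start;
        const TCHAR* n = needle;
        // _TUCHAR cast: in ANSI builds a negative char passed to _totlower is UB.
        while (*h && *n && _totlower((_TUCHAR)*h) == _totlower((_TUCHAR)*n)) {
            ++h;
            ++n;
        }
        if (!*n) {
            return TRUE;   // needle fully consumed at this offset
        }
        if (!*start) {
            return FALSE;  // haystack exhausted
        }
    }
}

/* TRUE when binaryName equals (ignoring case) an entry of EDR_BINARIES. */
BOOL isBinaryNameMatchingEDR(TCHAR* binaryName) {
    if (!binaryName) {
        return FALSE;
    }
    for (size_t i = 0; i < _countof(EDR_BINARIES); ++i) {
        if (_tcsicmp(binaryName, EDR_BINARIES[i]) == 0) {
            return TRUE;
        }
    }
    return FALSE;
}

/* TRUE when an entry of EDR_BINARIES occurs (ignoring case) anywhere in binaryPath. */
BOOL isBinaryPathMatchingEDR(TCHAR* binaryPath) {
    for (size_t i = 0; i < _countof(EDR_BINARIES); ++i) {
        if (isSubstringNoCase(binaryPath, EDR_BINARIES[i])) {
            return TRUE;
        }
    }
    return FALSE;
}

/* TRUE when driverName equals (ignoring case) an entry of EDR_DRIVERS. */
BOOL isDriverNameMatchingEDR(TCHAR* driverName) {
    if (!driverName) {
        return FALSE;
    }
    for (size_t i = 0; i < _countof(EDR_DRIVERS); ++i) {
        if (_tcsicmp(driverName, EDR_DRIVERS[i]) == 0) {
            return TRUE;
        }
    }
    return FALSE;
}

/* TRUE when an entry of EDR_DRIVERS occurs (ignoring case) anywhere in driverPath. */
BOOL isDriverPathMatchingEDR(TCHAR* driverPath) {
    for (size_t i = 0; i < _countof(EDR_DRIVERS); ++i) {
        if (isSubstringNoCase(driverPath, EDR_DRIVERS[i])) {
            return TRUE;
        }
    }
    return FALSE;
}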
// TODO : create an API to check, given only the name of a loaded driver, whether it is an EDR driver (check its name against the hardcoded list of names, automatically locate its path on disk and check the file signature)