Re: [ossec-list] Re: windows malware detection

2016-03-16 Thread 林威任
And, my agent is w7.

Re: [ossec-list] Re: windows malware detection

2016-03-16 Thread 林威任
This code is my win_malware_rcl.txt:

[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
f:C:\Users\agent05\AppData\Local\Temp\AcroRD32.exe;
r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft\Windows\CurrentVersion\Run -> Acroread -> r:AcroRD32.exe;

Re: [ossec-list] Re: windows malware detection

2016-03-15 Thread 林威任
This code is my win_malware_rcl.txt:

[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
f:C:\Users\agent05\AppData\Local\Temp\AcroRD32.exe;
r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft\Windows\CurrentVersion\Run -> Acroread -> r:AcroRD32.exe;

Re: [ossec-list] Re: windows malware detection

2016-03-15 Thread Santiago Bassett
Where are you including the configuration? That should go in the file:

/var/ossec/etc/shared/win_malware_rcl.txt

Please paste the contents of that file. Thank you

On Mon, Mar 14, 2016 at 11:12 PM, 林威任 wrote:
> Sorry, this email is Google Apps for Education.
> About my

Re: [ossec-list] Re: windows malware detection

2016-03-15 Thread 林威任
Sorry, this email is Google Apps for Education. About my email, I use Hangouts to send to you, is it ok?

And, this is my agent's log file:

2016/03/15 14:07:44 ossec-agent: INFO: Started (pid: 3760).
2016/03/15 14:07:45 ossec-agent(4102): INFO: Connected to the server (192.168.164.142:1514

Re: [ossec-list] Re: windows malware detection

2016-03-14 Thread Santiago Bassett
Your emails are very difficult to understand. Please explain better and give some more context. Thank you

On Mon, Mar 14, 2016 at 8:59 PM, 林威任 wrote:
> Excuse me,
> (Windows Malware: Trojan Dropper.
> File: C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe. Reference:
>

Re: [ossec-list] Re: windows malware detection

2016-03-14 Thread 林威任
Excuse me,

(Windows Malware: Trojan Dropper. File: C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe. Reference: 0A37D49E798F50C8F1010D5CFDE0E851)

After I edited win_malware_rcl.txt, this code didn't appear. However, which aspect haven't I done? Thank you!!!

Re: [ossec-list] Re: windows malware detection

2016-03-14 Thread Santiago Bassett
It looks like the configuration for rootcheck doesn't have the right format. I think you are inserting some extra line breaks. It should look like this:

[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
f:C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe;
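The format problem Santiago points at (a check wrapped onto a second line, or "->" written without its surrounding spaces) is easy to catch before the file is pushed to agents. The linter below is an added example written for this thread, not code from OSSEC: it parses the RCL layout shown above (one "[Name] [condition] [Reference]" header line, then one check per line with an f:, r:, p: or d: prefix, " -> " between path/key, entry name and pattern, and a terminating ";") and reports lines that break it. The two sample configs inside it are constructed from the ones posted in the thread; the assumption that "all" and "any" are the conditions in use comes from this page, so extend CONDITIONS if your rootcheck build accepts other variants.

```python
"""Lint an OSSEC rootcheck RCL file such as win_malware_rcl.txt.

Added example for this thread, not code from OSSEC. It checks the layout
described above: one header line  [Name] [all|any] [Reference]  followed by
one check per line, each starting with a type prefix (f:, r:, p:, d:), using
" -> " between path/key, entry name and pattern, and ending with ";". A check
that has been wrapped onto a second line loses its ";" and its tail has no
prefix, so both halves are reported. The two samples are constructed here and
mirror the configs posted in the thread.
"""
import re
import sys

HEADER_RE = re.compile(r"^\[([^\]]+)\]\s*\[([^\]]+)\]\s*\[([^\]]*)\]\s*$")
CHECK_RE = re.compile(r"^(!?)([frpd]):(.*)$")
# the two conditions used on this page; extend if your rootcheck accepts others
CONDITIONS = {"all", "any"}


def lint_rcl(text):
    """Parse RCL text; return (blocks, problems).

    blocks:   list of {"name", "condition", "reference", "checks"}
    problems: list of (line_number, message)
    """
    blocks, problems, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = HEADER_RE.match(line)
            if not m:
                problems.append((lineno, "malformed header, expected [name] [all|any] [reference]"))
                current = None
                continue
            name, cond, ref = (g.strip() for g in m.groups())
            if cond not in CONDITIONS:
                problems.append((lineno, f"unknown condition {cond!r}"))
            current = {"name": name, "condition": cond, "reference": ref, "checks": []}
            blocks.append(current)
            continue
        if current is None:
            problems.append((lineno, "check line before any [header]"))
            continue
        m = CHECK_RE.match(line)
        if not m:
            problems.append((lineno, "no type prefix (f:, r:, p:, d:); tail of a wrapped line?"))
            continue
        neg, ctype, body = m.groups()
        if body.endswith(";"):
            body = body[:-1]
        else:
            problems.append((lineno, "check does not end with ';' (line wrapped?)"))
        if re.search(r"\S->|->\S", body):
            problems.append((lineno, "'->' must be written as ' -> ' with a space on each side"))
        parts = body.split(" -> ")
        target = parts[0]
        if ctype == "f" and re.match(r"^[A-Za-z]:%", target):
            problems.append((lineno, "drive letter in front of %VAR%: the variable already expands to a full path"))
        current["checks"].append({"type": ctype, "negate": neg == "!", "target": target, "patterns": parts[1:]})
    return blocks, problems


# constructed: the layout asked for in the reply above
GOOD_SAMPLE = r"""
[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
f:C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe;
r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft\Windows\CurrentVersion\Run -> Acroread -> r:AcroRD32.exe;
"""

# constructed: a registry check wrapped onto two lines, plus C: in front of %WINDIR%
BAD_SAMPLE = r"""
[Trojan Downloader] [all] [016eb36cc03a562545f0b3bed36f49a6]
f:C:%WINDIR%\System32\trojan\trojan12.exe;
r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft
\Windows\CurrentVersion\Run -> Acroread -> r:AcroRD32.exe;
"""


def report(text):
    """Print a one-line summary per block and every problem; return the problems."""
    blocks, problems = lint_rcl(text)
    for b in blocks:
        print(f"[{b['name']}] condition={b['condition']} ref={b['reference']} checks={len(b['checks'])}")
    for lineno, msg in problems:
        print(f"  line {lineno}: {msg}")
    return problems


if __name__ == "__main__":
    if len(sys.argv) > 1:  # lint a real file, e.g. /var/ossec/etc/shared/win_malware_rcl.txt
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report(fh.read())
    else:
        report(GOOD_SAMPLE)
        report(BAD_SAMPLE)
```

Run it with the path of the shared rcl file as its only argument; with no argument it lints the two embedded samples, and the second one produces three findings (the C:%WINDIR% path, the registry line with no ";", and the orphaned "\Windows..." tail).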

Re: [ossec-list] Re: windows malware detection

2016-03-14 Thread 林威任
Excuse me, I want to ask something. Why doesn't the ideal result appear after I input the code?

code:
[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
f:C:\Users\agent05\AppData\Local\Temp\AcroRD32.exe;
r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft

Re: [ossec-list] Re: windows malware detection

2016-03-14 Thread 林威任
Excuse me, I want to ask something. Why doesn't the ideal result appear after I input the code?

code:
[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851]
f:C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe;
r:HKEY_USERS\S-1-5-21-3463664321-2923530833-3546627382-1000\Software\Microsoft\Win

Re: [ossec-list] Re: windows malware detection

2016-03-14 Thread 林威任
Thank you very much!!!

Re: [ossec-list] Re: windows malware detection

2016-03-14 Thread Santiago Bassett
Here you go (just created the github repo):

https://github.com/santiago-bassett/malware-samples/blob/master/0A37D49E798F50C8F1010D5CFDE0E851.zip

Password: "malware"

On Sun, Mar 13, 2016 at 10:20 PM, wrote:
> I really need it.
> How can I get it? By email?
>

Re: [ossec-list] Re: windows malware detection

2016-03-13 Thread m0361001
I really need it. How can I get it? By email?

Re: [ossec-list] Re: windows malware detection

2016-03-13 Thread Santiago Bassett
Hi, are you looking for the malware sample I used in the presentation? (hash 0A37D49E798F50C8F1010D5CFDE0E851) I still have it if you need it. Best

On Tue, Mar 8, 2016 at 10:37 PM, wrote:
> I have written this code so far.
>
> [Trojan Downloader] [all]

[ossec-list] Re: windows malware detection

2016-03-08 Thread m0361001
I have written this code so far.

[Trojan Downloader] [all] [016eb36cc03a562545f0b3bed36f49a6]
f:%WINDIR%\System32\trojan\trojan12.exe;
r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion;
p:r:trojan12.exe;

[ossec-list] Re: Windows Malware Detection

2016-03-07 Thread 林威任
OK, I will try this method and watch this website. Thank you very much.

[ossec-list] Re: Windows Malware Detection

2016-01-15 Thread Jesus Linares
Hi, if you want to use Sysmon + OSSEC, here you have decoders for every Sysmon event:

- Event ID 1: Process Created
- Event ID 2: A process changed a file creation time
- Event ID 3:

[ossec-list] Re: Windows Malware Detection

2016-01-14 Thread Brent Morris
http://santi-bassett.blogspot.com/2014/09/osseccon-2014-malware-detection-with.html

Another option would be to glean the SHA1 values of malware, and create and use the Sysmon blacklist. But automating a blacklist of SHA1 values for malware, using Sysmon and a CDB list in OSSEC, would be a
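The hash-blacklist idea above, as an added example written for this thread and not code from OSSEC or Sysmon: a Sysmon Event ID 1 (Process Created) record carries a Hashes field of the form "SHA1=...,MD5=...,SHA256=..." (which algorithms appear depends on the HashAlgorithms setting in the Sysmon configuration), and the block below parses that field and looks every hash up in a blacklist kept in the one-entry-per-line key:value layout an OSSEC CDB list uses. The events are constructed; their hashes are placeholders except for the MD5 of the sample discussed in this thread, and the SHA1 entry in the list is the well-known digest of an empty file, used only as a stand-in.

```python
"""Match Sysmon process-creation hashes against a blacklist, CDB-list style.

Added example for this thread, not code from OSSEC or Sysmon. Sysmon Event ID 1
(Process Created) carries a Hashes field like "SHA1=...,MD5=...,SHA256=...".
The blacklist below follows the one-entry-per-line key:value layout of an
OSSEC CDB list. Events and hashes are constructed; the only real values are the
MD5 of the sample discussed in the thread and the SHA1 of an empty file, which
stands in for a real bad-file SHA1.
"""
import re

HEX_RE = re.compile(r"[0-9A-Fa-f]+")

# constructed blacklist in key:value lines (the layout a CDB list is built from)
BLACKLIST_TEXT = """\
# hash:label
0A37D49E798F50C8F1010D5CFDE0E851:Trojan Dropper (OSSECCon 2014 sample)
da39a3ee5e6b4b0d3255bfef95601890afd80709:placeholder SHA1 (empty file)
"""

# constructed Sysmon records, already split into fields by a decoder
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1234,
     "Image": r"C:\Users\IEUser\AppData\Local\Temp\AcroRD32.exe",
     "Hashes": "SHA1=1111111111111111111111111111111111111111,MD5=0a37d49e798f50c8f1010d5cfde0e851"},
    {"EventID": 1, "ProcessId": 5678,
     "Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "SHA1=2222222222222222222222222222222222222222,MD5=22222222222222222222222222222222"},
    {"EventID": 3, "ProcessId": 5678,  # network event: no Hashes field at all
     "Image": r"C:\Windows\System32\notepad.exe"},
]


def load_blacklist(text):
    """key:value lines -> {lowercase hex hash: label}; comments and blanks skipped."""
    bl = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, label = line.partition(":")
        key = key.strip()
        if HEX_RE.fullmatch(key):
            bl[key.lower()] = label.strip()
    return bl


def parse_hashes(field):
    """'SHA1=..,MD5=..' -> {'SHA1': '..', 'MD5': '..'}; hex lowercased, junk dropped."""
    out = {}
    for item in field.split(","):
        algo, sep, value = item.partition("=")
        value = value.strip()
        if sep and HEX_RE.fullmatch(value):
            out[algo.strip().upper()] = value.lower()
    return out


def match_event(event, blacklist):
    """Return (algorithm, label) for the first blacklisted hash in an Event ID 1, else None."""
    if event.get("EventID") != 1:
        return None
    for algo, value in parse_hashes(event.get("Hashes", "")).items():
        if value in blacklist:
            return algo, blacklist[value]
    return None


def scan(events, blacklist):
    """Return [(image, algorithm, label)] for every event that hits the list."""
    hits = []
    for ev in events:
        hit = match_event(ev, blacklist)
        if hit:
            hits.append((ev["Image"], hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for image, algo, label in scan(SAMPLE_EVENTS, load_blacklist(BLACKLIST_TEXT)):
        print(f"blacklisted {algo} hash: {image} -> {label}")
```

Comparing lowercased hex on both sides matters because Sysmon writes the digests in upper case while feeds and hand-kept lists are often lower case. Inside OSSEC the same lookup is done with a list element in a rule that points at the compiled CDB file; the name of the decoded hash field depends on which Sysmon decoder is installed.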