From 5b423a8e33de4082ae0945f58483c81ce365c265 Mon Sep 17 00:00:00 2001
From: iserrano76
Date: Thu, 25 Jan 2024 13:49:24 +0100
Subject: [PATCH 1/4] Adding new files to allow dlls
---
 Diagnostics/AVTester/Test-ExchAVExclusions.ps1 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1
index 062dab1a86..4c7930e7e6 100644
--- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1
+++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1
@@ -326,6 +326,7 @@ while ($currentDiff -gt 0) {
 $ModuleAllowList.add("ManagedBlingSigned.dll")
 $ModuleAllowList.add("l3codecp.acm")
 $ModuleAllowList.add("System.IdentityModel.Tokens.jwt.dll")
+ $ModuleAllowList.add("prxyqry.DLL")
 # Oracle modules associated with 'Outside In® Technology'
 $ModuleAllowList.add("wvcore.dll")
 $ModuleAllowList.add("sccut.dll")
@@ -341,6 +342,7 @@ while ($currentDiff -gt 0) {
 $ModuleAllowList.add("SCCOLE2.dll")
 $ModuleAllowList.add("SCCSD.dll")
 $ModuleAllowList.add("SCCXT.dll")
+ $ModuleAllowList.add("vshtml.dll")
 # cSpell:enable
 Write-SimpleLogFile -string ("Allow List Module Count: " + $ModuleAllowList.count) -LogFile $LogFileName
From 652dcc46b7a88d34f35a7382f7d72f322cc92a45 Mon Sep 17 00:00:00 2001
From: iserrano76
Date: Thu, 25 Jan 2024 19:06:17 +0100
Subject: [PATCH 2/4] Exlude all Oracle files on FIP-FS
---
 .../AVTester/Test-ExchAVExclusions.ps1 | 19 +++----------------
 1 file changed, 3 insertions(+), 16 deletions(-)
diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1
index 4c7930e7e6..a4495adff6 100644
--- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1
+++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1
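Review bot: The two new allow-list entries `prxyqry.DLL` and `vshtml.dll` are added without a comment saying which product ships them, unlike the neighbouring `# Oracle modules associated with 'Outside In® Technology'` line, so a later reader cannot tell why they are trusted; a one-line comment above each addition such as `# <vendor/product — TODO confirm> module` would keep the list auditable. `prxyqry.DLL` also uses an upper-case extension: the allow-list filter visible in patch 2 derives the native-image name with `$module.Replace(".dll", ".ni.dll")`, and String.Replace is case-sensitive, so no `.ni.dll` variant is produced for this entry (the `-ne` name comparison itself is case-insensitive, so the plain name still matches). Writing it as `$ModuleAllowList.add("prxyqry.dll")` keeps it consistent with the rest of the list. The enclosing `while` loop starts and ends outside both hunks.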
@@ -327,22 +327,6 @@ while ($currentDiff -gt 0) {
 $ModuleAllowList.add("l3codecp.acm")
 $ModuleAllowList.add("System.IdentityModel.Tokens.jwt.dll")
 $ModuleAllowList.add("prxyqry.DLL")
- # Oracle modules associated with 'Outside In® Technology'
- $ModuleAllowList.add("wvcore.dll")
- $ModuleAllowList.add("sccut.dll")
- $ModuleAllowList.add("sccfut.dll")
- $ModuleAllowList.add("sccfa.dll")
- $ModuleAllowList.add("sccfi.dll")
- $ModuleAllowList.add("sccch.dll")
- $ModuleAllowList.add("sccda.dll")
- $ModuleAllowList.add("sccfmt.dll")
- $ModuleAllowList.add("sccind.dll")
- $ModuleAllowList.add("sccca.dll")
- $ModuleAllowList.add("scclo.dll")
- $ModuleAllowList.add("SCCOLE2.dll")
- $ModuleAllowList.add("SCCSD.dll")
- $ModuleAllowList.add("SCCXT.dll")
- $ModuleAllowList.add("vshtml.dll")
 # cSpell:enable
 Write-SimpleLogFile -string ("Allow List Module Count: " + $ModuleAllowList.count) -LogFile $LogFileName
@@ -362,6 +346,9 @@ while ($currentDiff -gt 0) {
 # Remove Microsoft modules
 $ProcessModules = $ProcessModules | Where-Object { $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation." -and $_.FileVersionInfo.CompanyName -ne "Microsoft" -and $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation" }
+ # Remove Oracle modules on FIPS
+ $ProcessModules = $ProcessModules | Where-Object { (($_.FileName -notlike "*\FIP-FS\Bin\*" -and $_.FileVersionInfo.CompanyName -ne "Oracle Corporation")) }
+
 # Clear out modules from the allow list
 foreach ($module in $ModuleAllowList) {
 $ProcessModules = $ProcessModules | Where-Object { $_.ModuleName -ne $module -and $_.ModuleName -ne $($module.Replace(".dll", ".ni.dll")) }
From 8a31ae05a93b5bae65b3d17c8372e6d97474b21a Mon Sep 17 00:00:00 2001
From: iserrano76
Date: Tue, 30 Jan 2024 13:35:12 +0100
Subject: [PATCH 3/4] Fix condition for FIP and Oracle
---
 Diagnostics/AVTester/Test-ExchAVExclusions.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
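Review bot: The comment `# Remove Oracle modules on FIPS` in the second hunk names the wrong component: the path it tests is `*\FIP-FS\Bin\*`, and "FIPS" reads as the cryptographic standard rather than the FIP-FS filtering directory; the same comment is carried unchanged into the hunks of patches 3 and 4. Suggested wording: `# Exclude Oracle 'Outside In' modules loaded from the FIP-FS\Bin directory`. It would also help to record in that comment that, like the Microsoft filter directly above it, the exclusion keys on `FileVersionInfo.CompanyName`, which is version-resource metadata rather than a signature check, so a reader knows what level of trust the filter encodes. The enclosing loop body starts and ends outside the hunk.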
diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1
index a4495adff6..259aa0824b 100644
--- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1
+++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1
@@ -347,7 +347,7 @@ while ($currentDiff -gt 0) {
 $ProcessModules = $ProcessModules | Where-Object { $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation." -and $_.FileVersionInfo.CompanyName -ne "Microsoft" -and $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation" }
 # Remove Oracle modules on FIPS
- $ProcessModules = $ProcessModules | Where-Object { (($_.FileName -notlike "*\FIP-FS\Bin\*" -and $_.FileVersionInfo.CompanyName -ne "Oracle Corporation")) }
+ $ProcessModules = $ProcessModules | Where-Object { (-not($_.FileName -like "*\FIP-FS\Bin\*" -and $_.FileVersionInfo.CompanyName -eq "Oracle Corporation")) }
 # Clear out modules from the allow list
 foreach ($module in $ModuleAllowList) {
From 311604948a6ef6afa86938aba2f0da2e7477a979 Mon Sep 17 00:00:00 2001
From: iserrano76
Date: Tue, 30 Jan 2024 17:51:11 +0100
Subject: [PATCH 4/4] Add Filter to Exchange Processes
---
 .../AVTester/Test-ExchAVExclusions.ps1 | 48 +++++++++----------
 1 file changed, 22 insertions(+), 26 deletions(-)
diff --git a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1 b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1
index 259aa0824b..1643a9489c 100644
--- a/Diagnostics/AVTester/Test-ExchAVExclusions.ps1
+++ b/Diagnostics/AVTester/Test-ExchAVExclusions.ps1
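Review bot: The corrected predicate wraps `-not(...)` in a second, redundant pair of parentheses, `{ (-not($_.FileName -like ... -and ... -eq "Oracle Corporation")) }`; the outer pair changes nothing and makes an already long one-liner harder to scan. `Where-Object { -not ($_.FileName -like "*\FIP-FS\Bin\*" -and $_.FileVersionInfo.CompanyName -eq "Oracle Corporation") }` is equivalent and reads as the single negated conjunction it is. The enclosing loop body starts and ends outside the hunk.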
@@ -301,13 +301,13 @@ Write-SimpleLogFile -String "Analyzing Exchange Processes" -LogFile $LogFileName
 while ($currentDiff -gt 0) {
 if ($firstExecution) {
 # Test Exchange Processes for unexpected modules
- $ProcessList = Get-ExchAVExclusionsProcess -ExchangePath $ExchangePath -MsiProductMinor ([byte]$serverExchangeInstallDirectory.MsiProductMinor)
+ $ExchangeProcessList = Get-ExchAVExclusionsProcess -ExchangePath $ExchangePath -MsiProductMinor ([byte]$serverExchangeInstallDirectory.MsiProductMinor)
 # Include w3wp process in the analysis
- $ProcessList += (Join-Path $env:SystemRoot '\System32\inetSrv\W3wp.exe')
+ $ExchangeProcessList += (Join-Path $env:SystemRoot '\System32\inetSrv\W3wp.exe')
- # Gather all processes on the computer
- $ServerProcess = Get-Process | Sort-Object -Property ProcessName
+ # Gather all processes on the computer and filter by the Exchange Process List
+ $ServerProcess = Get-Process | Where-Object { $ExchangeProcessList -contains $_.path } | Sort-Object -Property ProcessName
 # Module allow list
 $ModuleAllowList = New-Object Collections.Generic.List[string]
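Review bot: `$ExchangeProcessList += (Join-Path ...)` assumes `Get-ExchAVExclusionsProcess` returns an array; if it ever returns a single path, `+=` concatenates two strings into one and the new `Where-Object { $ExchangeProcessList -contains $_.path }` matches nothing, so the run completes having inspected no process at all. Declaring it as `[array]$ExchangeProcessList = Get-ExchAVExclusionsProcess -ExchangePath $ExchangePath -MsiProductMinor ([byte]$serverExchangeInstallDirectory.MsiProductMinor)` (the same cast the file already uses for `[array]$ProcessModules`) removes that dependency on the helper's return shape. Because the next hunk (`@@ -337,32 +337,28 @@`) drops the per-process `if ($ProcessList -contains $process.path)` guard, this pipeline is now the only thing deciding which processes are analysed, so an empty selection would otherwise look like a clean result; logging it with `Write-SimpleLogFile -string ("Exchange Process Count: " + $ServerProcess.count) -LogFile $LogFileName`, mirroring the existing allow-list count line, makes that visible. Processes whose `Path` is empty (for example when the process cannot be opened for query) are silently dropped by `-contains` as well, and that count would surface those too. The `while ($currentDiff -gt 0)` loop closes outside the hunk.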
@@ -337,32 +337,28 @@ while ($currentDiff -gt 0) {
 Write-Progress -Activity "Checking Exchange Processes" -CurrentOperation "$currentDiff More Seconds" -PercentComplete ((($initialDiff - $currentDiff) / $initialDiff) * 100) -Status " "
 [int]$currentDiff = (New-TimeSpan -End $StartDate.AddMinutes($WaitingTimeForAVAnalysisInMinutes) -Start (Get-Date)).TotalSeconds
- # Determine if it is a known exchange process
- if ($ProcessList -contains $process.path ) {
+ # Gather all modules
+ [array]$ProcessModules = $process.modules
- # Gather all modules
- [array]$ProcessModules = $process.modules
+ # Remove Microsoft modules
+ $ProcessModules = $ProcessModules | Where-Object { $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation." -and $_.FileVersionInfo.CompanyName -ne "Microsoft" -and $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation" }
- # Remove Microsoft modules
- $ProcessModules = $ProcessModules | Where-Object { $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation." -and $_.FileVersionInfo.CompanyName -ne "Microsoft" -and $_.FileVersionInfo.CompanyName -ne "Microsoft Corporation" }
+ # Remove Oracle modules on FIPS
+ $ProcessModules = $ProcessModules | Where-Object { (-not($_.FileName -like "*\FIP-FS\Bin\*" -and $_.FileVersionInfo.CompanyName -eq "Oracle Corporation")) }
- # Remove Oracle modules on FIPS
- $ProcessModules = $ProcessModules | Where-Object { (-not($_.FileName -like "*\FIP-FS\Bin\*" -and $_.FileVersionInfo.CompanyName -eq "Oracle Corporation")) }
-
- # Clear out modules from the allow list
- foreach ($module in $ModuleAllowList) {
- $ProcessModules = $ProcessModules | Where-Object { $_.ModuleName -ne $module -and $_.ModuleName -ne $($module.Replace(".dll", ".ni.dll")) }
- }
+ # Clear out modules from the allow list
+ foreach ($module in $ModuleAllowList) {
+ $ProcessModules = $ProcessModules | Where-Object { $_.ModuleName -ne $module -and $_.ModuleName -ne $($module.Replace(".dll", ".ni.dll")) }
+ }
- if ($ProcessModules.count -gt 0) {
- foreach ($module in $ProcessModules) {
- $OutString = ("PROCESS: $($process.ProcessName) PID($($process.Id)) UNEXPECTED MODULE: $($module.ModuleName) COMPANY: $($module.Company)`n`tPATH: $($module.FileName)")
- Write-SimpleLogFile -string "[FAIL] - $OutString" -LogFile $LogFileName -OutHost
- if ($process.MainModule.ModuleName -eq "W3wp.exe") {
- $SuspiciousW3wpProcessList += $OutString
- } else {
- $SuspiciousProcessList += $OutString
- }
+ if ($ProcessModules.count -gt 0) {
+ foreach ($module in $ProcessModules) {
+ $OutString = ("PROCESS: $($process.ProcessName) PID($($process.Id)) UNEXPECTED MODULE: $($module.ModuleName) COMPANY: $($module.Company)`n`tPATH: $($module.FileName)")
+ Write-SimpleLogFile -string "[FAIL] - $OutString" -LogFile $LogFileName -OutHost
+ if ($process.MainModule.ModuleName -eq "W3wp.exe") {
+ $SuspiciousW3wpProcessList += $OutString
+ } else {
+ $SuspiciousProcessList += $OutString
 }
 }
 }