
[FP]svchost.exe -k netsvcs -p #24

Closed
oaxao opened this issue Jun 6, 2023 · 6 comments
Labels
false positive Some rules block sth shouldn't be blocked

Comments

oaxao commented Jun 6, 2023

  • Windows version: win10 22H2 19045
  • Huorong version: 5.0.73.6
  • Huorong log (open the Huorong log view, select the matching entry, export / copy-paste it here)
    【1】2023-06-07 06:34:11,高级防护,自定义防护,svchost.exe触犯自定义防护规则, 已阻止

触犯规则:Suspicious.PowerShell.A
操作类型:【执行】
操作文件:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
操作结果:已阻止

进程ID:2632
操作进程:C:\Windows\System32\svchost.exe
操作进程命令行:C:\Windows\system32\svchost.exe -k netsvcs -p
父进程ID:744
父进程:C:\Windows\System32\services.exe
父进程命令行:C:\Windows\system32\services.exe

  • Screenshot (optional)
  • Description of the triggering scenario (optional)

oaxao added the "false positive" label Jun 6, 2023
JerryLinLinLin (Owner) commented

This is a false positive, but because Huorong's custom-rule module cannot inspect the child process's command line, the only exclusion we could write would exclude every svchost -> ps operation.
How often does this happen?

oaxao (Author) commented Jun 7, 2023

About once every 20 minutes. Also, mine seems to have started after I installed that WebView thing; it didn't happen before.
(screenshot: QQ截图20230608060209.png)

JerryLinLinLin (Owner) commented

If it's convenient, could you use Process Explorer or Process Killer to check what the command line (Command Line) of powershell.exe is when it starts?

oaxao (Author) commented Jun 7, 2023

Just caught it.
(screenshot: QQ截图20230608062700.png)
cmdline:'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"'
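
An added triage example (not part of this issue or of Huorong's own code): it parses the log entry fields quoted above and treats the event as known-benign only when the whole chain matches, i.e. services.exe -> svchost.exe -k netsvcs -p -> powershell.exe running the SmbShare DisableUnusedSmb1.ps1 script. This is the narrow exclusion the custom-rule module cannot express; the sample input is re-typed from the issue, and the field names assume the Huorong export format shown here.

```python
import re

# Constructed sample input: the Huorong log entry and the powershell.exe command line
# as quoted in this issue (values as posted).
HUORONG_EVENT = r"""触犯规则:Suspicious.PowerShell.A
操作类型:【执行】
操作文件:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
操作结果:已阻止
进程ID:2632
操作进程:C:\Windows\System32\svchost.exe
操作进程命令行:C:\Windows\system32\svchost.exe -k netsvcs -p
父进程ID:744
父进程:C:\Windows\System32\services.exe
父进程命令行:C:\Windows\system32\services.exe"""

CHILD_CMDLINE = (r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" '
                 r'-ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden '
                 r'"& C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 '
                 r'-Scenario Client"')

# Exact, case-insensitive pattern for the SMB1 cleanup task. The script path is pinned to
# the SmbShare module directory, so another script launched with the same switches does not match.
SMB1_TASK_RE = re.compile(
    r'^"?C:\\Windows\\system32\\WindowsPowerShell\\v1\.0\\powershell\.exe"? '
    r'-ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden '
    r'"& C:\\Windows\\system32\\WindowsPowerShell\\v1\.0\\Modules\\SmbShare\\DisableUnusedSmb1\.ps1 '
    r'-Scenario Client"$', re.IGNORECASE)


def parse_event(text):
    """Turn the '字段:值' lines of a Huorong log entry into a dict (split on the first colon)."""
    fields = {}
    for line in text.splitlines():
        parts = re.split(r"[:：]", line, maxsplit=1)
        if len(parts) == 2:
            fields[parts[0].strip()] = parts[1].strip()
    return fields


def triage(event_text, child_cmdline):
    """Return 'known-benign:smb1-cleanup-task' only if the full process chain and the
    child command line match; anything else (other svchost groups, other scripts) is 'review'."""
    ev = parse_event(event_text)
    chain_ok = (
        ev.get("父进程", "").lower() == r"c:\windows\system32\services.exe"
        and ev.get("操作进程", "").lower() == r"c:\windows\system32\svchost.exe"
        and ev.get("操作进程命令行", "").lower() == r"c:\windows\system32\svchost.exe -k netsvcs -p"
        and ev.get("操作文件", "").lower().endswith(r"\windowspowershell\v1.0\powershell.exe")
    )
    if chain_ok and SMB1_TASK_RE.match(child_cmdline):
        return "known-benign:smb1-cleanup-task"
    return "review"
```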

oaxao (Author) commented Jun 7, 2023

This script seems to be the one that disables SMB1; I found it in Task Scheduler.
(screenshot: QQ截图20230608064721.png)

On my machine it is enabled.
(screenshot: QQ截图20230608064806.png)

Because I have a share service, but when I check the SMB version it is not 1.0, so disabling this should be fine, right?
(screenshot: QQ截图20230608064836.png)

JerryLinLinLin (Owner) commented

Yes, SMBv1 is insecure; I recommend disabling it.
https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server

If there are no further questions, this issue will be closed.
