UnamBinder

Windows exclusions

Open shywick opened this issue 3 years ago • 19 comments

Is it possible to execute files, or at least certain files, after the Windows exclusions are applied? So it won't give detections for those certain files. Start delay didn't help.

shywick avatar Oct 21 '21 23:10 shywick

All the files are dropped and executed after the exclusions are added. None are dropped and executed before that.

UnamSanctam avatar Oct 22 '21 01:10 UnamSanctam

Well, it doesn't work for me like that. I am using the latest version. I can send video proof.

shywick avatar Oct 22 '21 07:10 shywick

And you have both enabled "Add Windows Defender exclusions" and are starting it as administrator?

UnamSanctam avatar Oct 22 '21 08:10 UnamSanctam

Yes, I do.

shywick avatar Oct 22 '21 08:10 shywick

Check your Windows Defender exclusions and see what's there.

UnamSanctam avatar Oct 22 '21 08:10 UnamSanctam

I know what it does, but it is just executing/dropping too fast in my opinion. Same for unamdownloader: https://streamable.com/azxcac

shywick avatar Oct 22 '21 09:10 shywick

That doesn't look like you have any start delay.

UnamSanctam avatar Oct 22 '21 09:10 UnamSanctam

Oh right, it delays the exclusions as well, since those can also get detections. You can move the WDCOMMAND above the sleep in this file and see: https://github.com/UnamSanctam/UnamBinder/blob/master/UnamBinder/Resources/Program.c. It doesn't do it that fast for me, or in any of my VMs, though.

UnamSanctam avatar Oct 22 '21 09:10 UnamSanctam
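From the defensive side, and as an added example that is not part of this thread or of the UnamBinder project: exclusion changes like the ones discussed above are recorded by Defender itself as Event ID 5007 ("configuration has changed") in the Microsoft-Windows-Windows Defender/Operational log, and the event message names the registry value under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions that was added or removed. The Python below parses records in that shape and flags additions; the sample records, the function names exclusion_additions and severity, and the scoring heuristic are all constructed for this example, not taken from the page.

```python
import re
from typing import Dict, List

# Constructed sample records shaped like Event ID 5007 from the
# Microsoft-Windows-Windows Defender/Operational log. The paths, process
# name and timestamps are invented for this example.
_MSG = ("Microsoft Defender Antivirus Configuration has changed. If this is an "
        "unexpected event you should review the settings as this may be the "
        "result of malware.\n\tOld value: {old}\n\tNew value: {new}")

_EXCL = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"

SAMPLE_EVENTS: List[Dict] = [
    # A folder exclusion added under a user-writable path
    {"EventID": 5007, "TimeCreated": "2021-10-22T09:12:01Z",
     "Message": _MSG.format(old="", new=_EXCL + "Paths\\C:\\Users\\Public\\Libraries = 0x0")},
    # A process-name exclusion added
    {"EventID": 5007, "TimeCreated": "2021-10-22T09:12:02Z",
     "Message": _MSG.format(old="", new=_EXCL + "Processes\\updater.exe = 0x0")},
    # The same folder exclusion being removed again (old value set, new value empty)
    {"EventID": 5007, "TimeCreated": "2021-10-23T08:00:00Z",
     "Message": _MSG.format(old=_EXCL + "Paths\\C:\\Users\\Public\\Libraries = 0x0", new="")},
    # An unrelated configuration change that is also logged as 5007
    {"EventID": 5007, "TimeCreated": "2021-10-23T08:00:05Z",
     "Message": _MSG.format(old="0x2A", new="HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleTime = 0x2D0")},
    # A detection event, not a configuration change
    {"EventID": 1116, "TimeCreated": "2021-10-23T08:01:00Z",
     "Message": "Microsoft Defender Antivirus has detected malware or other potentially unwanted software."},
]

# Matches only the "New value" side, so removals (empty new value) are not flagged.
_EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Processes|Extensions|TemporaryPaths)\\(.+?)\s*=\s*0x0",
    re.IGNORECASE,
)

def severity(kind: str, value: str) -> str:
    """Heuristic ranking (an assumption of this example): process exclusions and
    exclusions under user-writable or wildcard paths are the ones that most often
    accompany unwanted software, so they rank higher than fixed vendor paths."""
    v = value.lower()
    if kind.lower() == "processes":
        return "high"
    risky_fragments = ("\\users\\", "\\temp", "\\appdata\\", "\\programdata\\", "\\public\\")
    if "*" in v or any(frag in v for frag in risky_fragments):
        return "high"
    return "medium"

def exclusion_additions(events: List[Dict]) -> List[Dict]:
    """Return one finding per Event ID 5007 record whose new value is an
    entry under the Defender Exclusions registry key."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5007:
            continue
        m = _EXCLUSION_RE.search(ev.get("Message", ""))
        if not m:
            continue
        kind, value = m.group(1), m.group(2)
        findings.append({
            "time": ev.get("TimeCreated", ""),
            "kind": kind,
            "value": value,
            "severity": severity(kind, value),
        })
    return findings

if __name__ == "__main__":
    for f in exclusion_additions(SAMPLE_EVENTS):
        print(f"{f['time']} [{f['severity']}] exclusion added: {f['kind']} -> {f['value']}")
```

Event 5007 is also written when an administrator or Group Policy adds an exclusion, so a hit is a lead to correlate with the process that made the change rather than a verdict on its own. In a real deployment the records would come from the event log (for example via wevtutil or a SIEM export) instead of the constructed list above.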

Alright, working. Perfect. Thank you! And what about drop to current folder? Is it possible?

shywick avatar Oct 22 '21 10:10 shywick

Well, it's possible to add, but it will probably add more detections, since I'd have to add something like GetModuleFileNameA to the program to get the current folder; there really isn't any other way to do it (the current folder options all use environment variables to get the folder location).

UnamSanctam avatar Oct 22 '21 12:10 UnamSanctam

I am fine with more detections.

shywick avatar Oct 22 '21 12:10 shywick

Hi, I just noticed that even after the Windows exclusions, Windows Defender still scans processes in memory. I assume there is no option to turn off real-time protection with your program?

shywick avatar Oct 26 '21 22:10 shywick

Windows Defender doesn't really scan processes in memory unless you mean things like Assembly.Load; things like normally running processes or injecting things with RunPE are still excluded. And no, the commands don't disable "Real-Time Protection", since when you do, the user will get notifications about it constantly.

UnamSanctam avatar Oct 26 '21 22:10 UnamSanctam

My injection method is "LoadPE". My file was working for over 10 days until now.

shywick avatar Oct 26 '21 22:10 shywick

And the exclusions are still there? Exclusions have been working for me for at least 2 years now, and I haven't had any issues with running programs in excluded folders (especially my miners). Exclusions should work unless you use certain Windows APIs to load assemblies in memory.

UnamSanctam avatar Oct 26 '21 22:10 UnamSanctam

Hm, I think what could work for me is to exclude a certain process name (I am always using the same name). Could you help me implement it in your program?

shywick avatar Oct 27 '21 00:10 shywick

I want it like this, if it's possible. I tested it and it's working. Windows Defender is no longer killing the process. [image]

shywick avatar Oct 27 '21 00:10 shywick

Nvm, got it.

shywick avatar Oct 27 '21 00:10 shywick

> Nvm, got it.

How did you make this work? It doesn't look like I'm even having exclusions show up, or that they are even working...?

GoldenSkyRunner avatar Nov 18 '21 22:11 GoldenSkyRunner