
change 25 include_all to include on match

Open: clairmont32 opened this issue 1 year ago • 1 comment

Include_all.xml had onmatch="exclude". Changed this due to the filename stating its intention.

clairmont32, Oct 23 '23 17:10

Your fix is incorrect. In Sysmon:

  • If you want every possible event (i.e. include_all.xml), you set a match on "exclude" with no rule. Nothing can match, therefore nothing is excluded, therefore everything is included.
      <ProcessTampering onmatch="exclude">
      </ProcessTampering>
  • If you don't want any event (i.e. exclude_all.xml), you set a match on "exclude" with no rule. Nothing can match, therefore nothing is included, therefore everything is excluded.
      <ProcessTampering onmatch="include">
      </ProcessTampering>

Got it?

The file from the repo is correct.

ipfyx, Apr 23 '24 15:04
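The onmatch semantics explained in the reply above, worked through as an added example. This is not code from sysmon-modular or from either commenter: it is a small Python model that parses a constructed Sysmon config fragment (not the repository's include_all.xml) and decides, per event type, whether an event would be logged. With onmatch="exclude" an event is logged unless some rule matches, so an empty block logs everything; with onmatch="include" an event is logged only if some rule matches, so an empty block logs nothing. The model is deliberately reduced: it assumes filter blocks sit directly under EventFiltering (no RuleGroup wrappers, no nested Rule elements, no groupRelation), supports only the conditions is, contains, begin with, end with and image, and does not model Sysmon's per-event defaults for event types the config never mentions.

```python
"""Minimal model of Sysmon's onmatch="include" / onmatch="exclude" semantics.

Added example, not part of sysmon-modular. Assumptions: filter blocks are
direct children of EventFiltering, rules are flat field elements, and only a
handful of Sysmon conditions are implemented.
"""
import xml.etree.ElementTree as ET

# Constructed config fragment for the example (not the repository's file).
SAMPLE_CONFIG = """<Sysmon schemaversion="4.90">
  <EventFiltering>
    <ProcessTampering onmatch="exclude">
    </ProcessTampering>
    <RawAccessRead onmatch="include">
    </RawAccessRead>
    <ProcessCreate onmatch="exclude">
      <Image condition="end with">\\svchost.exe</Image>
    </ProcessCreate>
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">4444</DestinationPort>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>"""


def _matches(condition, needle, value):
    """Apply one Sysmon filter condition; Sysmon compares case-insensitively."""
    needle, value = needle.lower(), value.lower()
    if condition == "is":
        return value == needle
    if condition == "contains":
        return needle in value
    if condition == "begin with":
        return value.startswith(needle)
    if condition == "end with":
        return value.endswith(needle)
    if condition == "image":
        # 'image' matches either the full path or just the file name.
        return value == needle or value.rsplit("\\", 1)[-1] == needle
    raise ValueError(f"condition {condition!r} not modelled here")


def load_filters(config_xml):
    """Return {event_type: (onmatch, [(field, condition, value), ...])}."""
    root = ET.fromstring(config_xml)
    filters = {}
    for block in root.find("EventFiltering"):
        onmatch = block.get("onmatch")
        if onmatch not in ("include", "exclude"):
            raise ValueError(f"{block.tag}: onmatch must be include or exclude")
        rules = [(rule.tag, rule.get("condition", "is"), (rule.text or "").strip())
                 for rule in block]
        filters[block.tag] = (onmatch, rules)
    return filters


def is_logged(filters, event_type, event):
    """Decide whether Sysmon would record `event` (a dict of field -> value)."""
    if event_type not in filters:
        # Sysmon's built-in default for unlisted event types is not modelled.
        raise KeyError(f"no filter block for {event_type}")
    onmatch, rules = filters[event_type]
    any_match = any(_matches(cond, needle, event.get(field, ""))
                    for field, cond, needle in rules)
    # exclude: log unless a rule matched; include: log only if a rule matched.
    return not any_match if onmatch == "exclude" else any_match


def demo():
    """Evaluate a few constructed events against SAMPLE_CONFIG."""
    filters = load_filters(SAMPLE_CONFIG)
    cases = {
        "empty exclude block logs everything":
            is_logged(filters, "ProcessTampering", {"Image": r"C:\any.exe"}),
        "empty include block logs nothing":
            is_logged(filters, "RawAccessRead", {"Image": r"C:\any.exe"}),
        "exclude rule drops matching svchost":
            is_logged(filters, "ProcessCreate",
                      {"Image": r"C:\Windows\System32\svchost.exe"}),
        "exclude rule keeps other images":
            is_logged(filters, "ProcessCreate", {"Image": r"C:\Users\u\tool.exe"}),
        "include rule keeps port 4444":
            is_logged(filters, "NetworkConnect", {"DestinationPort": "4444"}),
        "include rule drops port 443":
            is_logged(filters, "NetworkConnect", {"DestinationPort": "443"}),
    }
    return cases


if __name__ == "__main__":
    for name, logged in demo().items():
        print(f"{'LOGGED ' if logged else 'dropped'}  {name}")
```

Run it directly to see each case; the two empty blocks behave exactly as the reply describes, which is why the repository's include_all.xml keeps onmatch="exclude".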