
Detection rules for a Virtual Layer which is Hide From Operating System

Created: 24 Jan 2014 • Updated: 06 Feb 2014 | 3 comments
jlenart:
This issue has been solved. See solution.

Hello everyone,

I am searching for the best method to set up detection for a virtual app which is Hide From Operating System.

Do you have any ideas?


Thanks


AngelD:

I don't think there is a standard way of detecting through a detection rule.

You could create a custom inventory to check each layer for the VisibilityFlags attribute bit/flag set to 8 (Hide from OS).

ksreek:

You may want to enumerate the layers. Enumerating layers returns several properties of the layers.
For example, run "svscmd.exe enum -v". It shows an attribute "Layer visibility" with the corresponding values:

{NULL} - No visibility parameters set.
1      - Hide from other layers
2      - Hide other layers from this layer
3      - Hide from operating system.

You might see one or more combinations in the output depending upon what attributes are set on the layers.

To determine this through a rule you might want to script as below.

Pipe the output of 'svscmd.exe enum -v' to a text file (e.g. svscmd.exe enum -v > c:\output.txt). Your script should then search for the attribute and its corresponding values to present the appropriate result.

There MIGHT be a direct API call available in our SDK for layer visibility, although I am not aware of it at this time.

Hope this helps !

ksreek

SOLUTION
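As an added example (not code from this thread, from Symantec, or from the SWV SDK), here is a PowerShell script that implements the approach ksreek describes: read the saved output of "svscmd.exe enum -v", pull the "Layer visibility" value for each layer, and report the layers that are hidden from the operating system so a detection-rule script can return a pass/fail result. The line format in the constructed sample ("Layer name:" / "Layer visibility:") and the function names Get-LayerVisibility and Test-HiddenLayerPresent are assumptions for the example; check the regex against real svscmd.exe output. The value 3 is the one listed in the reply above, while AngelD's reply mentions a VisibilityFlags value of 8, so confirm the value on a test layer before relying on the rule.

```powershell
# Added example, not code from the thread or from Symantec.
# Parses text output of "svscmd.exe enum -v" and flags layers whose
# "Layer visibility" value means "Hide from operating system".
#
# ASSUMPTIONS: the "Layer name:" / "Layer visibility:" line format below is
# constructed for this example; adjust the regexes to the real output.
# The hidden-from-OS value defaults to 3 (as listed in the thread); pass
# -HiddenFromOsValues @(8) if the VisibilityFlags value of 8 turns out to be
# what your version reports.

function Get-LayerVisibility {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Lines,
        [int[]] $HiddenFromOsValues = @(3)
    )
    $results = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Layer name\s*:\s*(.+?)\s*$') {
            # A new layer record starts; flush the previous one.
            if ($current) { $results += $current }
            $current = [pscustomobject]@{
                Name         = $Matches[1]
                Visibility   = 0
                HiddenFromOs = $false
            }
        }
        elseif ($current -and $line -match '^\s*Layer visibility\s*:\s*(.+?)\s*$') {
            $raw = $Matches[1]
            # {NULL} means no visibility parameters set; treat it as 0.
            $value = if ($raw -eq '{NULL}') { 0 } else { [int]$raw }
            $current.Visibility   = $value
            $current.HiddenFromOs = ($HiddenFromOsValues -contains $value)
        }
    }
    if ($current) { $results += $current }
    return $results
}

# Detection-rule style entry point: reads the file produced by
#   svscmd.exe enum -v > C:\output.txt
# prints the hidden layers, and returns $true when at least one is found.
function Test-HiddenLayerPresent {
    param(
        [string] $Path = 'C:\output.txt',
        [int[]] $HiddenFromOsValues = @(3)
    )
    $layers = Get-LayerVisibility -Lines (Get-Content -Path $Path) -HiddenFromOsValues $HiddenFromOsValues
    $hidden = @($layers | Where-Object { $_.HiddenFromOs })
    foreach ($l in $hidden) {
        Write-Output "Hidden from OS: $($l.Name) (visibility=$($l.Visibility))"
    }
    return ($hidden.Count -gt 0)
}

# Constructed sample output, used here in place of a real svscmd.exe run.
$sample = @'
Layer name: Sample App A
Layer visibility: {NULL}

Layer name: Sample App B
Layer visibility: 3

Layer name: Sample App C
Layer visibility: 1
'@ -split "`r?`n"

Get-LayerVisibility -Lines $sample | Format-Table Name, Visibility, HiddenFromOs
# Only "Sample App B" is reported as HiddenFromOs with the default value of 3.
```

In a detection rule, call Test-HiddenLayerPresent after running svscmd.exe and map the boolean to the exit code the rule expects (for example `if (Test-HiddenLayerPresent) { exit 0 } else { exit 1 }`). Because the visibility attribute may be a combination of flags, compare against every value your version actually emits rather than only the single number shown here.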
AngelD:

Just out of interest, why have a detection rule based on isolation?