Microsoft is rolling out the latest version of Sysinternals Suite, bringing new versions of Sysmon (v14.0), Coreinfo (v3.53), and AccessEnum (v1.34). It is worth checking out the complete release notes here, but the most interesting change comes with Sysmon, which can now block processes from creating executable files.
This is important because it means Sysmon can now stop malware that relies on dropping EXE or similar executable files to disk. In the changelog for Sysmon v14.0, Microsoft says the following:
“This major update to Sysmon, an advanced host monitoring tool, adds a new event type, FileBlockExecutable that prevents processes from creating executable files in specified locations. It also includes several performance improvements and bug fixes.”
Olaf Hartong, the maintainer of the Sysmon GitHub repository, explains that the new ability will help stop malicious files from being created. Sysmon will also be able to block the secondary malicious files that malware droppers write to disk:
“Sysmon now impedes executables, based on the file header from being written to the filesystem according to the filtering criteria. This can be a very powerful feature into blocking certain programs writing malicious files to disk.”
Hartong wrote an accompanying Medium post to discuss the new tool. That is also worth a read because it provides examples of Sysmon's new ability in action.
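To make the feature concrete, here is an added example that is not from the article, from Hartong's post or from the Sysinternals project: a minimal Sysmon v14 configuration using the new FileBlockExecutable event type, the command to apply it, and a query for the events it produces. The schema version 4.82, the rule names, the blocked paths and the path to Sysmon64.exe are assumptions to adapt to your own environment.

```powershell
# Added example (not from the article or the Sysmon project). Assumes Sysmon v14.0
# (schema 4.82) and that Sysmon64.exe lives in C:\Tools; rule names and paths are
# illustrative choices.

$config = @'
<Sysmon schemaversion="4.82">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- onmatch="include": only writes that match a rule below are blocked.
           Sysmon decides what counts as an executable from the file header,
           so renaming a payload to .txt or .dat does not bypass the rule. -->
      <FileBlockExecutable onmatch="include">
        <!-- Block executables dropped into user-writable staging locations. -->
        <TargetFilename name="block_downloads" condition="contains">\Downloads\</TargetFilename>
        <TargetFilename name="block_temp" condition="contains">\AppData\Local\Temp\</TargetFilename>
        <!-- Block Office processes (a common dropper vector) from writing
             executables anywhere on disk. -->
        <Image name="block_office_dropper" condition="end with">WINWORD.EXE</Image>
        <Image name="block_office_dropper" condition="end with">EXCEL.EXE</Image>
      </FileBlockExecutable>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

$configPath = Join-Path $env:ProgramData 'sysmon-fileblock.xml'
Set-Content -Path $configPath -Value $config -Encoding UTF8

# Push the configuration to an already installed Sysmon service.
# For a fresh install use: Sysmon64.exe -accepteula -i $configPath
& 'C:\Tools\Sysmon64.exe' -c $configPath

# Blocked writes are recorded as Event ID 27 (FileBlockExecutable) in the
# Sysmon operational log; summarise the most recent ones for triage.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 27 } -MaxEvents 20 |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Rule   = $data.RuleName
            Image  = $data.Image
            Target = $data.TargetFilename
            User   = $data.User
        }
    } | Format-Table -AutoSize
```

Because the block is decided by the file header rather than the extension, an include rule on a broad path such as Downloads will also stop legitimate installers and self-updating applications that write there; in practice you pair it with exclude rules for known-good images and review the Event ID 27 records before widening the scope.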
Windows Sysinternals is a suite of free software that provides various services for Windows debugging. The tools were first developed independently in 1996; Microsoft acquired Winternals Software in 2006 and continued development through its own TechNet portal.
Dozens of tools are available in Sysinternals, all designed to enhance CPU debugging capabilities and memory performance. Among the abilities in the suite are formatting hard drives, network debugging, log analysis, file integrity tests, local processing, and much more.