[FP]Intel vbs文件执行 svchost wscript cmd #26
Labels
false positive
Some rules block sth shouldn't be blocked
Comments
|
支持 6.0 的时候解决 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
火绒日志
触犯规则:Suspicious.ScriptHost.B 操作类型:【执行】 操作文件:C:\Windows\System32\wscript.exe 操作结果:已阻止进程ID:2320
操作进程:C:\Windows\System32\svchost.exe
操作进程命令行:C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Schedule
父进程ID:1512
父进程:C:\Windows\System32\services.exe
父进程命令行:C:\WINDOWS\system32\services.exe
参考 #24 使用process explorer查看进程命令行
C:\WINDOWS\System32\Wscript.exe" //B //NoLogo "C:\Program Files\Intel\SUR\QUEENCREEK\x64\task.vbs根据路径搜到了一个帖子
贴主说逆向之后认为此程序是安全的
已解决:查了一圈,确认是
Intel® Computing Improvement Program这个程序的定时任务,将其卸载之后,定时任务和SUR文件夹都清除了,看了几个帖子都说这是intel的正常文件The text was updated successfully, but these errors were encountered: