is CPF3 [b]capable[/b] of monitoring .sys files?

Hi :slight_smile:

I have a question; does cpf3 monitor .sys files by default?
It seems to me that it doesn’t.
How can I make it do so?
I used SSM until cpf3 was available, and SSM would ask about (or at least notice) services.exe loading various *.sys files.
I have defense+ set to “clean pc mode”, and have rebooted several times, but there is not one single .sys file under services.exe’s execution permissions. :frowning:

I have put *.sys in image execution control settings → files to monitor, but that doesn’t seem to make any difference.


If you have put them on the list, they should be checked, but with the safe list you may not see a lot of result from that for a while. You might get .sys files showing up on your “Pending Files” list, I don’t see any option for setting alerts, but that may be the automatic result for unknown .sys files. The key word is unknown. You may not see alerts until you encounter a new .sys file. The program assumes that the system is clean unless you set the security level higher than the default, but that makes for a lot of alerts. You would not want to do that unless you suspected that there was a problem.

I guess that mode only alert you about new files.
BTW D+ seem to monitor Driver installation.

You could try to add LocalSecurityAuthority.LoadDriver to your protected com interfaces. This can actually deny an app the privilege to launch any driver (none or all).

Hi… Once a sys file is installed … it’s pretty much capable of bypassing any hips.
However if you look under the different
‘Process Access Rigth’

You’ll see

  • Device driver installation
  • Physical memory

Those are the two way one can access the kernel.
(Well they should cover currently known attack)

generally .sys file are device drivers

The relation of .sys file as child of services.exe is interesting, but i believe it’s proprietary to the way SSM works. Hope it help.