I am curious about how this is handled in CIS. As per default the “Pro Active” preset (and the other presets) the process “SYSTEM” is included in the file group “Windows System Applications” and in HIPS rule section by default granted pretty much free access by the rule “Windows System Application”. Yet CIS classifies the “SYSTEM” process as dangerous. Wouldn’t it be better to remove it from the file group and create a HIPS rule for “SYSTEM” and add in the rules “Allowed files/folders” section exclusion for…
C:\WINDOWS\Logs\WindowsUpdate*
C:\WINDOWS\system32\WDI\LogFiles*
C:\WINDOWS\System32\LogFiles\WMI\Wifi.etl
C:\WINDOWS\System32\LogFiles\WMI\LwtNetLog.etl
C:\WINDOWS\System32\LogFiles\WMI\AutoLogger-Diagtrack-Listener.etl
(or just C:\WINDOWS\System32\LogFiles\WMI* )
This would I believe make it have far less headroom if used by malware and the exclusions makes so that you wont have any warnings when shuttingdown or using the computer overall unless most likely compromissed. True or am I missing something?