itman 1,627 Posted March 27 Share Posted March 27 I have a HIPS rule to alert me when any child processes are started from wmiprvse.exe. Up till two weeks ago, that rule was never triggered. At that time when performing an Eset on-demand scan, the rule triggered when scanning WMI entries noting an attempted startup of werfault.exe. Appeared to be a fluke event and I just blocked the werfault.exe startup. Yesterday while again running an Eset on-demand scan, the same behavior occurred: Time;Application;Operation;Target;Action;Rule;Additional information 3/26/2023 4:57:56 PM;C:\Windows\System32\wbem\WmiPrvSE.exe;Start new application;C:\WINDOWS\system32\WerFault.exe;Blocked;Deny child processes started from WmiPrvSE.exe; Here's a screen shot showing command line string input to werfault.exe: At the same time of the HIPS alert, my Win 10 Code Integrity log filled up with entries; most notably Eset eamsi.dll attempting to run: Link to comment Share on other sites More sharing options...
itman 1,627 Posted March 27 Author Share Posted March 27 (edited) This is the last Win WMI log entry prior to the HIPS alert which is revealing: Edited March 27 by itman Link to comment Share on other sites More sharing options...
Recommended Posts