In Sysmon 13.10, the attached sysmon config filters ImageLoaded events so that KnownDlls are not reported. With Sysmon 13.20, all these events are appearing in the trace.
Looks like you may have encountered a new limit in the length of a configuration value as part of your ImageLoaded "is any" conditions.
When I merged your config and then inspected the output of sysmon -c, the values were truncated to 'C:\Win'.
I did some boundary testing and it looks like truncation starts with the 128th character.
It's possible this is a display limit and not an actual configuration limit. If it is not limited to display, this would explain the increase in logging due to your exclude-based configuration strategy.
Update:
You could likely work within limits by employing the "contains any" filter condition instead of "is any". If you still want to differentiate between 32 bit and 64 bit you could add an additional ImageLoaded "begin with" condition for each rule group. With this situation in mind it would be cool if there was an "images" filter condition.
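As an added example (not part of the thread, and not the poster's attached config), the following Python script parses a Sysmon configuration and flags any filter value longer than 127 characters, the boundary reported above, then runs the check over two constructed configs: an ImageLoad exclude using "is any" with full paths, and the same exclusion reworked with "contains any" plus a "begin with" condition per architecture as suggested. The DLL names and the schemaversion are illustrative assumptions; point `find_overlong_values` at a real config to audit it before and after an upgrade.

```python
"""Added example (not from the thread): scan a Sysmon configuration for filter
values long enough to hit the truncation described above, and compare an
'is any' full-path exclude with the 'contains any' + 'begin with' rework.
Standard library only."""
import xml.etree.ElementTree as ET

# Truncation was observed starting at the 128th character, so 127 is treated
# as the longest safe value. Adjust if a later Sysmon build behaves differently.
MAX_VALUE_LEN = 127

# Constructed sample in the style of an exclude-based KnownDlls filter.
# The DLL names and schemaversion are illustrative, not the attached config.
CONFIG_IS_ANY = r"""<Sysmon schemaversion="4.70">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="exclude">
        <ImageLoaded condition="is any">C:\Windows\System32\ntdll.dll;C:\Windows\System32\kernel32.dll;C:\Windows\System32\kernelbase.dll;C:\Windows\System32\user32.dll;C:\Windows\System32\advapi32.dll</ImageLoaded>
        <ImageLoaded condition="is any">C:\Windows\SysWOW64\ntdll.dll;C:\Windows\SysWOW64\kernel32.dll;C:\Windows\SysWOW64\kernelbase.dll;C:\Windows\SysWOW64\user32.dll;C:\Windows\SysWOW64\advapi32.dll</ImageLoaded>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

# The same exclusion reworked as suggested: short 'contains any' values, with a
# 'begin with' condition in an and-rule to keep 32-bit and 64-bit apart.
CONFIG_REWORKED = r"""<Sysmon schemaversion="4.70">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="exclude">
        <Rule groupRelation="and">
          <ImageLoaded condition="begin with">C:\Windows\System32\</ImageLoaded>
          <ImageLoaded condition="contains any">\ntdll.dll;\kernel32.dll;\kernelbase.dll;\user32.dll;\advapi32.dll</ImageLoaded>
        </Rule>
        <Rule groupRelation="and">
          <ImageLoaded condition="begin with">C:\Windows\SysWOW64\</ImageLoaded>
          <ImageLoaded condition="contains any">\ntdll.dll;\kernel32.dll;\kernelbase.dll;\user32.dll;\advapi32.dll</ImageLoaded>
        </Rule>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

# Conditions whose value is a semicolon-separated list ('is any', 'contains all', ...).
MULTI_VALUE_SUFFIXES = (" any", " all")


def _event_type(elem, parents):
    """Walk up from a filter field to its event element (ImageLoad, ProcessCreate, ...)."""
    node = elem
    while node in parents and parents[node].tag not in ("RuleGroup", "EventFiltering"):
        node = parents[node]
    return node.tag


def find_overlong_values(xml_text, limit=MAX_VALUE_LEN):
    """Return one finding per filter value longer than `limit` characters."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        condition = elem.get("condition")
        if condition is None or elem.text is None:
            continue  # RuleGroup, Rule and event elements carry no condition
        value = elem.text.strip()
        if len(value) <= limit:
            continue
        is_list = condition.endswith(MULTI_VALUE_SUFFIXES)
        findings.append({
            "event": _event_type(elem, parents),
            "field": elem.tag,
            "condition": condition,
            "length": len(value),
            "values": len(value.split(";")) if is_list else 1,
            "excess": len(value) - limit,
        })
    return findings


def longest_value(xml_text):
    """Length of the longest filter value, handy for comparing against public configs."""
    root = ET.fromstring(xml_text)
    return max((len(e.text.strip()) for e in root.iter()
                if e.get("condition") is not None and e.text), default=0)


if __name__ == "__main__":
    for name, cfg in (("is any", CONFIG_IS_ANY), ("reworked", CONFIG_REWORKED)):
        print(f"{name}: longest value {longest_value(cfg)} chars")
        for f in find_overlong_values(cfg):
            print(f"  {f['event']}/{f['field']} {f['condition']!r}: "
                  f"{f['length']} chars, {f['values']} values, {f['excess']} over the limit")
```

The trade-off the rework makes is precision: "contains any" matches `\ntdll.dll` anywhere in the path, so a DLL of that name loaded from a subdirectory beneath System32 is excluded too, whereas "is any" only ever excluded the exact paths. The "begin with" and-rule narrows the match to the directory prefix, not to the exact file, which is why an exclude rule built this way should be reviewed against what it now silently drops.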
Thanks. My preference for "is any" over "contains any" is based on performance considerations, but perhaps that is a micro-optimisation I can live without.
I imagine I won't be the only person to be affected by this. It's quite a nasty defect because it's not immediately obvious that anything is wrong. It was only when I noticed a huge increase in my event volumes that I got suspicious.
Good idea!
I imagine you are indeed not the only one affected.
That said, looks like the longest length of a value in popular and public Swift and Olaf configs is 121 chars.
I reworked the ImageLoad filter as shown in the attached. This gets around the apparent defect in 13.20.
In case anyone is wondering, my actual Sysmon configuration file is a lot more complicated than shown here. I've stripped out stuff relating to other event types and also stuff relating to filtering out our own products.