yarox24 / attack_monitor
Endpoint detection & Malware analysis software
License: GNU General Public License v3.0
First, I installed the tool like this (correct me if some steps were not needed, basically I just wanted to make sure I have all the capabilities).
First I ran python installer.py sysmon to get a proper sysmon config (it was already there in my case).
Then I ran python installer.py install auditpol (python installer.py auditpol was returning an error; I just wanted to be sure I have it installed with the extended audit).
Then I installed the dependencies (by the way, I installed in Endpoint Protection Mode, so pyshark and reportlab should not really be required, should they?).
I also installed the pre-defined exceptions:
Then I tried to run it and got this issue:
So I dug a bit, added one print to the code to get some verbose output:
Tried to run again and got this:
So I figured out the culprit was the dummy FORCE_EMPTY_DIR file, which is not an actual JSON file:
So I removed it and ran the tool again, this time successfully :)
SOLUTION:
Remove that file while installing/avoid installing it in the first place.
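The loader below is an added example, not attack_monitor's own code: it reads rule files from a directory the way the issue describes, skips the FORCE_EMPTY_DIR placeholder instead of crashing on it, and names the offending file when a rule file is malformed. The directory layout and the sample rule content are constructed assumptions.

```python
# Added example, not attack_monitor's own code: load exception rules from a
# directory while tolerating placeholder files such as FORCE_EMPTY_DIR.
import json
import os
import tempfile

def load_exception_rules(rules_dir):
    """Return (rules, skipped): rules maps each *.json file name to its parsed
    content; skipped lists files ignored because they are not .json files."""
    rules = {}
    skipped = []
    for name in sorted(os.listdir(rules_dir)):
        path = os.path.join(rules_dir, name)
        if not os.path.isfile(path):
            continue
        # FORCE_EMPTY_DIR is a zero-byte placeholder that keeps the directory in
        # the repository; it has no .json extension, so skip it instead of crashing.
        if not name.lower().endswith(".json"):
            skipped.append(name)
            continue
        with open(path, "r", encoding="utf8") as fh:
            try:
                rules[name] = json.load(fh)
            except json.JSONDecodeError as exc:
                # Name the offending file instead of a bare "Expecting value".
                raise ValueError(f"{name}: not valid JSON ({exc})") from exc
    return rules, skipped

def _make_dir(d, bad_json=False):
    """Populate a constructed rules directory; the rule content is made up."""
    open(os.path.join(d, "FORCE_EMPTY_DIR"), "w").close()
    with open(os.path.join(d, "exceptions.json"), "w", encoding="utf8") as fh:
        fh.write("{ oops" if bad_json else
                 json.dumps([{"process": "explorer.exe", "action": "ignore"}]))

def demo():
    """Load a directory holding the dummy file and one valid rule file."""
    with tempfile.TemporaryDirectory() as d:
        _make_dir(d)
        return load_exception_rules(d)

def demo_malformed():
    """Return the error text raised for a malformed rule file."""
    with tempfile.TemporaryDirectory() as d:
        _make_dir(d, bad_json=True)
        try:
            load_exception_rules(d)
        except ValueError as exc:
            return str(exc)
        return None
```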
It would be nice to have some sort of customisable (so it can be adjusted/disabled in the config at the user's will) alert suppression mechanism.
For example, if there were more than 3 alerts within the last 20 seconds, just display another one with a message like 'More alerts suppressed, please see the C:\Program Files\Attack Monitor\logs\2019-05-13.txt log file for more details'. And add an option for how long to ignore alerts from being displayed after such a threshold is reached. This could help prevent situations when (I experience this especially after wakeup from sleep) a bunch of alerts queue up and it takes several minutes to get rid of them by clicking one after another, which at the same time can impede GUI usage of other active windows (e.g. the web browser, that's exactly the spot where my 'full screen' option is on youtube/netflix :P).
I do understand this is part and parcel of the early stage of learning, so it should gradually be less of a problem once proper learning rules are added in learning mode; however, I do realize every system is unique and therefore everyone needs to adjust their own normalcy rules individually, so more users will face this issue regardless of the maturity of the pre-defined exceptions.json file coming with the installation.
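The suppression described above, as an added example rather than code from the project: a sliding 20-second window, a threshold of 3 pop-ups, and a cooldown during which further alerts are counted but not displayed (every alert is assumed to still be written to the log by the caller). The log path and the cooldown length are assumed values.

```python
# Added example, not attack_monitor's own code: threshold-based pop-up
# suppression with a sliding window and a cooldown period.
from collections import deque

class AlertSuppressor:
    def __init__(self, max_alerts=3, window=20.0, cooldown=60.0,
                 log_path=r"C:\Program Files\Attack Monitor\logs\alerts.txt"):
        self.max_alerts = max_alerts    # pop-ups allowed per window
        self.window = window            # seconds covered by the sliding window
        self.cooldown = cooldown        # seconds to stay muted after the threshold
        self.log_path = log_path        # assumed location; adjust to the real log
        self.shown = deque()            # timestamps of pop-ups shown in the window
        self.muted_until = 0.0          # no pop-ups before this time
        self.suppressed = 0             # alerts hidden during the current mute

    def handle(self, message, now):
        """Return the pop-up text for this alert, or None if it is suppressed.
        `now` is a monotonic timestamp in seconds supplied by the caller."""
        # Forget pop-ups that fell out of the sliding window.
        while self.shown and now - self.shown[0] > self.window:
            self.shown.popleft()
        if now < self.muted_until:
            self.suppressed += 1
            return None                 # hidden; the caller still logs it
        if len(self.shown) >= self.max_alerts:
            # Threshold hit: replace this pop-up with one summary and mute.
            self.muted_until = now + self.cooldown
            self.shown.clear()
            self.suppressed = 1
            return (f"More alerts suppressed for the next {self.cooldown:.0f}s, "
                    f"please see {self.log_path} for details")
        self.shown.append(now)
        return message
```

Calling handle() for four alerts within three seconds yields three normal pop-ups and then the summary; alerts that arrive during the cooldown return None and are only counted.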
Traceback (most recent call last):
  File "madvr.py", line 254, in <module>
    main()
  File "madvr.py", line 166, in main
    load_initial_exception_rules(cc, EXCEPTION_RULES)
  File "madvr.py", line 67, in load_initial_exception_rules
    rules = json.load(open(exception_path, 'r', encoding='utf8'))
  File "C:\Users\Mehran\AppData\Local\Programs\Python\Python37-32\lib\json\__init__.py", line 296, in load
    parse_constant=parse_constant, object_pairs_hook=object_pairs_hook, **kw)
  File "C:\Users\Mehran\AppData\Local\Programs\Python\Python37-32\lib\json\__init__.py", line 348, in loads
    return _default_decoder.decode(s)
  File "C:\Users\Mehran\AppData\Local\Programs\Python\Python37-32\lib\json\decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "C:\Users\Mehran\AppData\Local\Programs\Python\Python37-32\lib\json\decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
After following all of the steps for EDR and malware analysis, I am able to follow all the commands, but the attack_monitor software still keeps crashing. How do I solve this error?
Adding autostart entry to Menu Start Startup folder
Traceback (most recent call last):
  File "installer.py", line 393, in <module>
    main()
  File "installer.py", line 379, in main
    action_install()
  File "installer.py", line 212, in action_install
    TEMPLATE_LINES = template.readlines()
  File "C:\Python37\Scripts\lib\codecs.py", line 322, in decode
    (result, consumed) = self._buffer_decode(data, self.errors, final)
  File "C:\Python37\Scripts\lib\encodings\utf_16.py", line 67, in _buffer_decode
    raise UnicodeError("UTF-16 stream does not start with BOM")
UnicodeError: UTF-16 stream does not start with BOM