ATTR attributes for Solidcore 5

These are not listed in the documentation; I had to get this information from development.


The attr command can be used to configure how the required files behave with respect to the solidifier.

-a  Always authorized attribute
     This attribute allows the user to configure a supported file as always authorized to execute.
      A file configured under this attribute will be allowed to execute whether it is solidified or not.


-b  Bypassed from memory control attribute
      This attribute allows the user to configure a process to run bypassed from MP-mangling and MP-decoying.
      This is one of the memory protection techniques provided by the solidifier, but it is disabled by default.


-c  Bypassed from Critical Address Space Protection attribute
     Critical Address Space Protection (MP-CASP) is the latest and most effective memory protection technique provided by the solidifier. It is enabled by default.
     The -c attribute configures a process to run bypassed from MP-CASP.


-d  Bypassed from process stack randomization attribute
    This comes under MP-VASR, which is enabled only on special request from the customer.


-e  Rebase dll attribute
    Changes the base address of the DLL.


-r  Bypassed from DLL relocation attribute
     The -d, -e and -r attributes belong to the VASR memory protection technique. This feature is disabled by default, as CASP is enabled.


-f  Full crawl attribute
     The -f attribute belongs to the MP-mangling and MP-decoying memory protection. This feature is disabled by default.
 
-i  Bypassed from installer detection attribute
    -i belongs to the pkg-ctrl feature, which tracks the installation and uninstallation of MSI-based packages...


-u  Always unauthorized attribute
    Blocks the file from execution even if it is solidified.

-o  Process Context registry bypass:

Solidifier will not track any registry operations for the process configured under this attribute. All the registry operations in context of the configured process will be bypassed from solidifier.


-n Bypassed from DEP:
DEP is the Data Execution Prevention memory protection technique provided by the solidifier for 64-bit machines. The memory protection check will not apply to a process configured as 'Bypassed from DEP'.

-l Anti-Debugging Bypass:

The anti-debugging feature prevents any process from accessing the memory space of the solidifier product. Such access is usually performed by debuggers in order to debug an application.

Any process bypassed from the anti-debugging feature will be able to access the solidifier address space in the kernel.

-p Process Context File Operations Bypass

Solidifier will not track any file operations for the process configured under this attribute. All the file operations in context of the configured process will be bypassed from solidifier.
