diff --git a/README.md b/README.md
index 80d819c..8930118 100644
--- a/README.md
+++ b/README.md
@@ -2,42 +2,48 @@ This program detects if any security software (AV, EDR, XDR, firewall, etc.) is running on the system. The program searches the list of running processes and compares their names with a predefined list of known security software processes. # Requirements -A C++11 or later compatible compiler. +A C++17 or later compatible compiler. Windows as the operating system. # Compilation Open a terminal or command prompt. Navigate to the directory where the main.cpp file is located. -Compile the program using CLion, also a C++11 or later compatible compiler. For example, to compile with g++, execute the following command: +Compile the program using CLion, also a C++17 or later compatible compiler. For example, to compile with g++, execute the following command: ``` -g++ -std=c++11 -o av_detect main.cpp +g++ -std=c++17 -o av_detect main.cpp ``` This will create an executable file named av_detect.exe in the same directory. # Detected Apps - Agnitum Outpost Firewall - Firewall +- Avast (additional process) - AV - Avast - AV - Avira - AV - AxCrypt - Encryption +- Bitdefender (additional processes) - AV - Bitdefender Total Security - AV - Check Point Daemon - Security - Check Point Firewall - Firewall - Cisco AnyConnect Secure Mobility Client - VPN - Cisco Umbrella Roaming Security - Security +- CrowdStrike Falcon (additional processes) - EDR - CrowdStrike Falcon Insight XDR - XDR - Cybereason EDR - EDR - Cytomic Orion - Security - DriveSentry - Security -- Elastic Winlogbeat - Security - ESET NOD32 AV - AV +- Elastic Winlogbeat - Security - FireEye Endpoint Agent - Security - FireEye HX - Security - FortiEDR - EDR - Host Intrusion Prevention System - HIPS -- Kaspersky Secure Connection - VPN +- Kaspersky (additional processes) - AV - Kaspersky - AV +- Kaspersky Secure Connection - VPN - Kerio Personal Firewall - Firewall +- Malwarebytes (additional processes) - AV - Malwarebytes - AV +- McAfee (additional processes) - AV - McAfee DLP Sensor - DLP - McAfee 
Endpoint Encryption - Encryption - McAfee Endpoint Security - AV @@ -47,16 +53,20 @@ This will create an executable file named av_detect.exe in the same directory. - Microsoft Defender ATP (Advanced Threat Protection) - Security - Microsoft Security Essentials - AV - Microsoft Sysmon - Security +- Norton Antivirus - AV - OpenVPN - VPN - Palo Alto Networks Cortex XDR - XDR - Palo Alto Networks GlobalProtect - VPN - Panda Security - AV - Sandboxie - Security +- SentinelOne (additional processes) - EDR - SentinelOne Singularity XDR - XDR +- Sophos (additional processes) - AV - Sophos Endpoint Security - AV - Symantec DLP Agent - DLP - Symantec Endpoint Protection - AV - Tanium EDR - EDR +- Trend Micro (additional processes) - AV - Trend Micro OfficeScan - AV - TrueCrypt - Encryption - VMware Carbon Black EDR - EDR diff --git a/main.cpp b/main.cpp index 085b2d3..c620c4b 100644 --- a/main.cpp +++ b/main.cpp 
@@ -18,18 +18,30 @@ bool isSecuritySoftwareRunning() {
 SetConsoleOutputCP(65001); //Set console encoding to utf8
 std::map securitySoftwareProcesses = {
+ {"SentinelAgent.exe", {"SentinelOne", "EDR"}},
+ {"SentinelCtl.exe", {"SentinelOne", "EDR"}},
+ {"SophosClean.exe", {"Sophos", "AV"}},
+ {"SophosHealth.exe", {"Sophos", "AV"}},
+ {"aciseagent.exe", {"Cisco Umbrella Roaming Security", "Security"}},
+ {"acumbrellaagent.exe", {"Cisco Umbrella Roaming Security", "Security"}},
+ {"aswidsagent.exe", {"Avast", "AV"}},
 {"avastsvc.exe", {"Avast", "AV"}},
 {"avastui.exe", {"Avast", "AV"}},
 {"avgnt.exe", {"Avira", "AV"}},
 {"avguard.exe", {"Avira", "AV"}},
 {"avp.exe", {"Kaspersky", "AV"}},
+ {"avpui.exe", {"Kaspersky", "AV"}},
 {"axcrypt.exe", {"AxCrypt", "Encryption"}},
 {"bdagent.exe", {"Bitdefender Total Security", "AV"}},
+ {"bdntwrk.exe", {"Bitdefender", "AV"}},
 {"carbonsensor.exe", {"VMware Carbon Black EDR", "EDR"}},
 {"cbcomms.exe", {"CrowdStrike Falcon Insight XDR", "XDR"}},
 {"ccsvchst.exe", {"Symantec Endpoint Protection", "AV"}},
+ {"coreServiceShell.exe", {"Trend Micro", "AV"}},
 {"cpd.exe", {"Check Point Daemon", "Security"}},
 {"cpx.exe", {"SentinelOne Singularity XDR", "XDR"}},
+ {"csfalconcontainer.exe", {"CrowdStrike Falcon", "EDR"}},
+ {"csfalcondaterepair.exe", {"CrowdStrike Falcon", "EDR"}},
 {"csfalconservice.exe", {"CrowdStrike Falcon Insight XDR", "XDR"}},
 {"cybereason.exe", {"Cybereason EDR", "EDR"}},
 {"cytomicendpoint.exe", {"Cytomic Orion", "Security"}},
@@ -38,6 +50,7 @@ bool isSecuritySoftwareRunning() {
 {"dsmonitor.exe", {"DriveSentry", "Security"}},
 {"dwengine.exe", {"DriveSentry", "Security"}},
 {"edpa.exe", {"McAfee Endpoint Security", "AV"}},
+ {"eegoservice.exe", {"McAfee Endpoint Encryption", "Encryption"}},
 {"egui.exe", {"ESET NOD32 AV", "AV"}},
 {"ekrn.exe", {"ESET NOD32 AV", "AV"}},
 {"firesvc.exe", {"FireEye Endpoint Agent", "Security"}},
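Review bot: The new keys `SentinelAgent.exe`, `SentinelCtl.exe`, `SophosClean.exe`, `SophosHealth.exe` and `coreServiceShell.exe` (and `uiWinMgr.exe` in the third main.cpp hunk) are mixed-case while every pre-existing key is lowercase, and the comparison against the enumerated process names happens outside this hunk, so I cannot see whether it is case-insensitive. If it is a plain `std::map` lookup on the name as reported by the OS, the reported case follows the on-disk file name and a case mismatch is a silent false negative; if the comparison is already case-insensitive, the mixed case is only noise. Either keep keys lowercase like the rest and state the convention on the map, e.g. `// keys are lowercase; lookups must lowercase the enumerated name first`, or normalise both sides at the comparison. Separately, `std::map securitySoftwareProcesses = {` shows no template arguments here — presumably lost in rendering, but CTAD cannot deduce the mapped type from nested braced lists, so confirm the declaration is the explicit `std::map<std::string, std::pair<std::string, std::string>>` form. isSecuritySoftwareRunning begins before this hunk and continues past it.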
@@ -45,56 +58,63 @@ bool isSecuritySoftwareRunning() {
 {"fortiedr.exe", {"FortiEDR", "EDR"}},
 {"fw.exe", {"Check Point Firewall", "Firewall"}},
 {"hips.exe", {"Host Intrusion Prevention System", "HIPS"}},
+ {"klwtblfs.exe", {"Kaspersky", "AV"}},
+ {"klwtpwrs.srv", {"Kaspersky", "AV"}},
 {"kpf4ss.exe", {"Kerio Personal Firewall", "Firewall"}},
+ {"ksde.exe", {"Kaspersky Secure Connection", "VPN"}},
+ {"ksdeui.exe", {"Kaspersky Secure Connection", "VPN"}},
+ {"macmnsvc.exe", {"McAfee Endpoint Security", "AV"}},
+ {"masvc.exe", {"McAfee Endpoint Security", "AV"}},
+ {"mbae64.sys", {"Malwarebytes", "AV"}},
 {"mbamservice.exe", {"Malwarebytes", "AV"}},
+ {"mbamswissarmy.sys", {"Malwarebytes", "AV"}},
 {"mbamtray.exe", {"Malwarebytes", "AV"}},
 {"mcshield.exe", {"McAfee VirusScan", "AV"}},
+ {"mdecryptservice.exe", {"McAfee Endpoint Encryption", "Encryption"}},
+ {"mfeann.exe", {"McAfee", "AV"}},
+ {"mfeepehost.exe", {"McAfee Endpoint Encryption", "Encryption"}},
 {"mfefire.exe", {"McAfee Host Intrusion Prevention", "HIPS"}},
+ {"mfemactl.exe", {"McAfee Endpoint Security Firewall", "Firewall"}},
+ {"mfemms.exe", {"McAfee", "AV"}},
 {"msascuil.exe", {"Windows Defender", "AV"}},
 {"msmpeng.exe", {"Windows Defender", "AV"}},
 {"msseces.exe", {"Microsoft Security Essentials", "AV"}},
+ {"mssense.exe", {"Microsoft Defender ATP (Advanced Threat Protection)", "Security"}},
 {"nissrv.exe", {"Microsoft Security Essentials", "AV"}},
+ {"nortonsecurity.exe", {"Norton Antivirus", "AV"}},
+ {"ns.exe", {"Norton Antivirus", "AV"}},
+ {"nsservice.exe", {"Norton Antivirus", "AV"}},
+ {"openvpnserv.exe", {"OpenVPN", "VPN"}},
 {"outpost.exe", {"Agnitum Outpost Firewall", "Firewall"}},
 {"panda_url_filtering.exe", {"Panda Security", "AV"}},
+ {"pangps.exe", {"Palo Alto Networks GlobalProtect", "VPN"}},
 {"pavfnsvr.exe", {"Panda Security", "AV"}},
 {"pavsrv.exe", {"Panda Security", "AV"}},
 {"psanhost.exe", {"Panda Security", "AV"}},
 {"rtvscan.exe", {"Symantec Endpoint Protection", "AV"}},
 {"savservice.exe", {"Sophos Endpoint Security", "AV"}},
+ {"sbiesvc.exe", {"Sandboxie", "Security"}},
 {"shstat.exe", {"McAfee VirusScan", "AV"}},
 {"sophosav.exe", {"Sophos Endpoint Security", "AV"}},
 {"sophossps.exe", {"Sophos Endpoint Security", "AV"}},
 {"sophosui.exe", {"Sophos Endpoint Security", "AV"}},
 {"sysmon.exe", {"Microsoft Sysmon", "Security"}},
+ {"sysmon64.exe", {"Microsoft Sysmon", "Security"}},
 {"tanclient.exe", {"Tanium EDR", "EDR"}},
 {"tmntsrv.exe", {"Trend Micro OfficeScan", "AV"}},
 {"tmproxy.exe", {"Trend Micro OfficeScan", "AV"}},
 {"trapsagent.exe", {"Palo Alto Networks Cortex XDR", "XDR"}},
 {"trapsd.exe", {"Palo Alto Networks Cortex XDR", "XDR"}},
 {"truecrypt.exe", {"TrueCrypt", "Encryption"}},
+ {"uiWinMgr.exe", {"Trend Micro", "AV"}},
+ {"updatesrv.exe", {"Bitdefender", "AV"}},
+ {"vpnagent.exe", {"Cisco AnyConnect Secure Mobility Client","VPN"}},
 {"vsserv.exe", {"Bitdefender Total Security", "AV"}},
- {"wrsa.exe", {"Webroot Anywhere", "AV"}},
 {"windefend.exe", {"Windows Defender", "AV"}},
- {"xagt.exe", {"FireEye HX", "Security"}},
- {"vpnagent.exe", {"Cisco AnyConnect Secure Mobility Client","VPN"}},
- {"macmnsvc.exe", {"McAfee Endpoint Security", "AV"}},
- {"masvc.exe", {"McAfee Endpoint Security", "AV"}},
- {"eegoservice.exe", {"McAfee Endpoint Encryption", "Encryption"}},
- {"mfeepehost.exe", {"McAfee Endpoint Encryption", "Encryption"}},
- {"mdecryptservice.exe", {"McAfee Endpoint Encryption", "Encryption"}},
- {"pangps.exe", {"Palo Alto Networks GlobalProtect", "VPN"}},
- {"mssense.exe", {"Microsoft Defender ATP (Advanced Threat Protection)", "Security"}},
- {"acumbrellaagent.exe", {"Cisco Umbrella Roaming Security", "Security"}},
- {"aciseagent.exe", {"Cisco Umbrella Roaming Security", "Security"}},
- {"mfemactl.exe", {"McAfee Endpoint Security Firewall", "Firewall"}},
- {"avpui.exe", {"Kaspersky", "AV"}},
- {"ksde.exe", {"Kaspersky Secure Connection", "VPN"}},
- {"ksdeui.exe", {"Kaspersky Secure Connection", "VPN"}},
- {"openvpnserv.exe", {"OpenVPN", "VPN"}},
- {"sbiesvc.exe", {"Sandboxie", "Security"}},
- {"sysmon64.exe", {"Microsoft Sysmon", "Security"}},
 {"winlogbeat.exe", {"Elastic Winlogbeat", "Security"}},
- {"wireguard.exe", {"WireGuard", "VPN"}}
+ {"wireguard.exe", {"WireGuard", "VPN"}},
+ {"wrsa.exe", {"Webroot Anywhere", "AV"}},
+ {"xagt.exe", {"FireEye HX", "Security"}}
 };
 bool found = false;
diff --git a/processes.csv b/processes.csv
index 5458f75..2784550 100644
--- a/processes.csv
+++ b/processes.csv
@@ -1,6 +1,11 @@
 Process, Name, Type
+"SentinelAgent.exe", "SentinelOne", "EDR"
+"SentinelCtl.exe", "SentinelOne", "EDR"
+"SophosClean.exe", "Sophos", "AV"
+"SophosHealth.exe", "Sophos", "AV"
 "aciseagent.exe", "Cisco Umbrella Roaming Security", "Security"
 "acumbrellaagent.exe", "Cisco Umbrella Roaming Security", "Security"
+"aswidsagent.exe", "Avast", "AV"
 "avastsvc.exe","Avast","AV"
 "avastui.exe","Avast","AV"
 "avgnt.exe","Avira","AV"
@@ -9,11 +14,15 @@ Process, Name, Type
 "avpui.exe","Kaspersky","AV"
 "axcrypt.exe","AxCrypt","Encryption"
 "bdagent.exe","Bitdefender Total Security","AV"
+"bdntwrk.exe", "Bitdefender", "AV"
 "carbonsensor.exe","VMware Carbon Black EDR","EDR"
 "cbcomms.exe","CrowdStrike Falcon Insight XDR","XDR"
 "ccsvchst.exe","Symantec Endpoint Protection","AV"
+"coreServiceShell.exe", "Trend Micro", "AV"
 "cpd.exe","Check Point Daemon","Security"
 "cpx.exe","SentinelOne Singularity XDR","XDR"
+"csfalconcontainer.exe", "CrowdStrike Falcon", "EDR"
+"csfalcondaterepair.exe", "CrowdStrike Falcon", "EDR"
 "csfalconservice.exe","CrowdStrike Falcon Insight XDR","XDR"
 "cybereason.exe","Cybereason EDR","EDR"
 "cytomicendpoint.exe","Cytomic Orion","Security"
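Review bot: `mbae64.sys`, `mbamswissarmy.sys` (this hunk) and `klwtpwrs.srv` (the hunk above) are driver/service image names, not process executables, so a comparison against the running-process list — which is what the README says this program does — can never match them; they are dead entries that overstate the table's coverage. Either drop the three keys or mark them so the pattern is not extended further, e.g. `// driver/service image, not a process: never matches a process-list scan`. The same three rows are added to processes.csv in the hunks that follow. The enclosing function continues past `bool found = false;` outside this hunk.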
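Review bot: The added rows write fields as `"a", "b", "c"` while the majority of existing rows use `"a","b","c"`, so a consumer that splits on `,` without trimming sees ` "Kaspersky"` (leading space, quote intact) for the new rows only; the rows added in the two hunks that follow have the same shape. Normalise the new rows to the unspaced form used by the bulk of the file, or document at the top of the file that whitespace around fields is not significant. This file and the map in main.cpp now carry the same table by hand, so a one-line note in the README naming which copy is authoritative would reduce drift between them.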
@@ -30,23 +39,32 @@ Process, Name, Type
 "fortiedr.exe","FortiEDR","EDR"
 "fw.exe","Check Point Firewall","Firewall"
 "hips.exe","Host Intrusion Prevention System","HIPS"
+"klwtblfs.exe", "Kaspersky", "AV"
+"klwtpwrs.srv", "Kaspersky", "AV"
 "kpf4ss.exe","Kerio Personal Firewall","Firewall"
 "ksde.exe", "Kaspersky Secure Connection", "VPN"
 "ksdeui.exe", "Kaspersky Secure Connection", "VPN"
 "macmnsvc.exe", "McAfee Endpoint Security", "AV"
 "masvc.exe", "McAfee Endpoint Security", "AV"
+"mbae64.sys", "Malwarebytes", "AV"
 "mbamservice.exe","Malwarebytes","AV"
+"mbamswissarmy.sys", "Malwarebytes", "AV"
 "mbamtray.exe","Malwarebytes","AV"
 "mcshield.exe","McAfee VirusScan","AV"
 "mdecryptservice.exe", "McAfee Endpoint Encryption", "Encryption"
+"mfeann.exe", "McAfee", "AV"
 "mfeepehost.exe", "McAfee Endpoint Encryption", "Encryption"
 "mfefire.exe","McAfee Host Intrusion Prevention","HIPS"
 "mfemactl.exe", "McAfee Endpoint Security Firewall", "Firewall"
+"mfemms.exe", "McAfee", "AV"
 "msascuil.exe","Windows Defender","AV"
 "msmpeng.exe","Windows Defender","AV"
 "msseces.exe","Microsoft Security Essentials","AV"
 "mssense.exe", "Microsoft Defender ATP (Advanced Threat Protection)", "Security"
 "nissrv.exe","Microsoft Security Essentials","AV"
+"nortonsecurity.exe", "Norton Antivirus", "AV"
+"ns.exe", "Norton Antivirus", "AV"
+"nsservice.exe", "Norton Antivirus", "AV"
 "openvpnserv.exe", "OpenVPN", "VPN"
 "outpost.exe","Agnitum Outpost Firewall","Firewall"
 "panda_url_filtering.exe","Panda Security","AV"
@@ -69,6 +87,8 @@ Process, Name, Type
 "trapsagent.exe","Palo Alto Networks Cortex XDR","XDR"
 "trapsd.exe","Palo Alto Networks Cortex XDR","XDR"
 "truecrypt.exe","TrueCrypt","Encryption"
+"uiWinMgr.exe", "Trend Micro", "AV"
+"updatesrv.exe", "Bitdefender", "AV"
 "vpnagent.exe","Cisco AnyConnect Secure Mobility Client","VPN"
 "vsserv.exe","Bitdefender Total Security","AV"
 "windefend.exe","Windows Defender","AV"