09-20-2022, 05:45 PM
Just wanted to report what I found today with my SIW. I know there are other threads on A/V here, and there is a post that it's out of your control, but I am just reporting what was reported in case there's anything useful in it for you.
The SentinelOne EDR reported this:
Abnormalities
This binary contains abnormal section names which could be an indication that it was created with non-standard development tools
The Entry point for this binary has an uncommon section name
The Entry point for this binary is an RWX section. It might contain self-modifying code
This binary has an RWX section. It might contain self-modifying code
This binary uses non-standard DOS stubs
Hiding/Stealthiness
The majority of sections in this PE have high entropy, a sign of obfuscation or packing
This binary may contain encrypted or compressed data as measured by high entropy of the sections (greater than 6.8)
Packer
This binary was packed with MPRESS
What I experienced today was that I ran the Tech version of siw.exe from my USB drive, and it was immediately quarantined. The other files seemed to remain, and I ran siw64.exe manually, seemingly fine, and was able to create my HTML report, so it didn't like something in siw.exe.
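Every item in that SentinelOne list is a purely static property of the PE file (section names, section flags, the DOS stub, per-section entropy, packer fingerprint), so it can be reproduced offline without running the binary. The script below is an added example written for this thread; it is not code from SIW, SentinelOne, or the original poster, and it uses only the Python standard library. The set of "standard" section names, the `.MPRESS1`/`.MPRESS2` names used to fingerprint MPRESS, and the 6.8-bit entropy threshold are assumptions taken from common toolchain output and from the report text; the two PE images it checks are constructed in the script (they parse but are not loadable executables).

```python
import math
import struct

ENTROPY_THRESHOLD = 6.8   # threshold quoted in the SentinelOne report
# IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RWX = 0x20000000 | 0x40000000 | 0x80000000
# Section names emitted by common MS/GNU toolchains (assumed baseline; extend as needed)
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".pdata", ".tls", ".CRT", ".textbss"}
# Section names MPRESS is assumed to emit; confirm against your own MPRESS-packed samples
MPRESS_SECTIONS = {".MPRESS1", ".MPRESS2"}
MS_STUB_MESSAGE = b"This program cannot be run in DOS mode."
# Linker-style DOS stub, constructed for the sample below (real stubs differ in padding)
STANDARD_STUB = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                 + MS_STUB_MESSAGE + b"\r\r\n$").ljust(64, b"\0")

def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def parse_pe(pe):
    """Return (e_lfanew, entry_rva, sections) from a raw PE32/PE32+ file image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                    # optional header after 20-byte COFF header
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    table = opt + opt_size                                 # section table follows optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                               # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "chars": chars, "data": pe[rawptr:rawptr + rawsize]})
    return e_lfanew, entry_rva, sections

def analyze(pe):
    """Return the static indicators present, in the order the EDR report listed them."""
    e_lfanew, entry_rva, sections = parse_pe(pe)
    findings = []
    names = {s["name"] for s in sections}
    if names - STANDARD_SECTIONS:
        findings.append("abnormal section names")
    entry = next((s for s in sections if s["vaddr"] <= entry_rva
                  < s["vaddr"] + max(s["vsize"], len(s["data"]))), None)
    if entry is None:
        findings.append("entry point outside any section")
    else:
        if entry["name"] not in STANDARD_SECTIONS:
            findings.append("entry point in uncommon section")
        if entry["chars"] & RWX == RWX:
            findings.append("entry point in RWX section")
    if any(s["chars"] & RWX == RWX for s in sections):
        findings.append("RWX section present")
    if MS_STUB_MESSAGE not in pe[0x40:e_lfanew]:   # stub lives between DOS header and PE header
        findings.append("non-standard DOS stub")
    high = [s for s in sections if shannon_entropy(s["data"]) > ENTROPY_THRESHOLD]
    if sections and len(high) * 2 > len(sections):
        findings.append("majority of sections high entropy")
    if names & MPRESS_SECTIONS:
        findings.append("MPRESS section names")
    return findings

def build_pe(sections, dos_stub, entry_rva):
    """Construct a minimal PE32 image (parseable, not loadable) for the samples below."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    e_lfanew = 64 + len(dos_stub)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    rawptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    table, body = b"", b""
    for name, vaddr, chars, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             vaddr, len(data), rawptr, 0, 0, 0, 0, chars)
        body += data
        rawptr += len(data)
    return bytes(dos) + dos_stub + b"PE\0\0" + coff + bytes(opt) + table + body

def normal_sample():
    """Constructed sample: plain linker output, entry in .text, nothing to flag."""
    return build_pe([(".text", 0x1000, 0x60000020, b"\x90" * 200 + b"\xC3"),
                     (".data", 0x2000, 0xC0000040, b"\x00" * 128)], STANDARD_STUB, 0x1000)

def packed_sample():
    """Constructed sample shaped like the report: MPRESS names, RWX, max-entropy data, blank stub."""
    noise = bytes(range(256)) * 2        # entropy exactly 8.0 bits/byte, deterministic
    return build_pe([(".MPRESS1", 0x1000, RWX, noise), (".MPRESS2", 0x6000, RWX, noise)],
                    b"\x00" * 64, 0x6000)

if __name__ == "__main__":
    for label, pe in (("normal", normal_sample()), ("packed", packed_sample())):
        print(label, analyze(pe) or ["nothing flagged"])
```

To check a real file, pass `open(path, "rb").read()` to `analyze()`. Note that every one of these checks is a heuristic about how the file was built, not about what it does: a legitimately MPRESS-packed utility and a packed dropper look identical to them, which is exactly why a static verdict like this ends up as a quarantine decision the vendor cannot fix from their side short of not packing, and why you end up needing an EDR exclusion by hash or signer rather than a "fix" in the tool.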