Creating driver identifiers
Driver identifiers, or IDs, make it possible to define legitimate drivers that you can exclude from rootkit detection.
Driver IDs are necessary when you create audit rules for rootkit detection, and must be created beforehand.
For more information, refer to the section Protection against various threats.
Since IDs are specific to each rule set, you must create IDs in each set. You can however export all the IDs of a rule set to import and use them in another set. For more information, refer to the section Importing and exporting identifiers.
- Select a policy in Security > Policies, then select a set of rules.
- Click on the Identifiers tab at the top right, then on the Driver IDs tab.
- Click on Edit in the upper banner, then on Add an ID.
A blank ID appears below the existing IDs.
- Click on Edit at the bottom right side of the entry.
- In the field New driver ID, enter an ID name, then a description if needed.
- Click on the criteria icon, then select all the ID criteria that you wish to use, e.g., Path and Hashes.
- Click outside the criteria window and define each ID criterion selected:
Paths
Click on Edit then in the blue field at the bottom, enter the partial or full path to the driver file. This path may be a link or the path in the file system.
The characters * and ? are allowed. For example, enter *\drivers\Stormshield Endpoint Security Agent\es*.sys to include Stormshield drivers.
Full paths beginning with a drive letter (e.g., E:\Data\Backup) are not supported if the Volume type is remote or removable.
Stormshield highly recommends using the EsaRoots path roots provided in SES Evolution instead of drive letters (e.g., C:\...), as these letters may vary from one workstation to another.
You can also specify an alternate data stream. A file’s ADS contains metadata and makes it possible to find out the origin of the file. For further information, refer to Microsoft Windows documentation.
Click on Add.
Enter other paths in the blue field if necessary, then click on Add.
Click on OK to confirm the list of paths.
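As an added example (not code from the SES Evolution documentation or product), the following PowerShell script shows how the wildcard path pattern given above behaves against a few constructed driver paths, and how to list the alternate data streams of a driver file. PowerShell's -like operator treats * and ? as the page describes; that SES Evolution's own matcher evaluates patterns identically is an assumption made here for illustration. The function names and sample paths are hypothetical.

```powershell
# Added example, not part of the SES Evolution documentation or product code.
# Assumes Windows PowerShell 5.1 or later on Windows.
$Pattern = '*\drivers\Stormshield Endpoint Security Agent\es*.sys'

# Reports, for each path, whether it matches the ID path pattern.
# NOTE: -like is PowerShell's wildcard matcher (* = any run, ? = one character,
# case-insensitive); using it as a stand-in for the SES Evolution matcher is an assumption.
function Test-DriverPathPattern {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)][string]$Pattern
    )
    foreach ($p in $Path) {
        [pscustomobject]@{
            Path    = $p
            Matches = ($p -like $Pattern)
        }
    }
}

# Constructed sample paths (not taken from any real installation)
$Samples = @(
    'C:\Windows\System32\drivers\Stormshield Endpoint Security Agent\esfilter.sys',
    'D:\drivers\Stormshield Endpoint Security Agent\es1.sys',
    'C:\Windows\System32\drivers\Stormshield Endpoint Security Agent\esfilter.sys.bak',
    'C:\Windows\System32\drivers\other\es.sys'
)
# The first two match; the third has an extra extension, the fourth is in another folder.
Test-DriverPathPattern -Path $Samples -Pattern $Pattern | Format-Table -AutoSize

# Lists the alternate data streams of a file; the main stream (:$DATA) is omitted.
function Get-DriverStream {
    param([Parameter(Mandatory)][string]$Path)
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Real usage on a workstation: drivers under System32\drivers that match the
# pattern, with any alternate data streams they carry (e.g., Zone.Identifier).
Get-ChildItem "$env:SystemRoot\System32\drivers" -Recurse -Filter '*.sys' -File |
    Where-Object { $_.FullName -like $Pattern } |
    ForEach-Object { Get-DriverStream -Path $_.FullName }
```

The ADS listing is useful when deciding whether to reference a stream in a path criterion: a file with no alternate streams will never match a path that names one.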
Hashes
Hashes serve two purposes:
- To guarantee that a legitimate driver has not been replaced or modified. However, this requires tedious maintenance, as you will need to change IDs after every software update. It should therefore be used only on systems that do not undergo many changes.
- To identify malware programs that often change names but may keep the same hash. Import the list of the most common malware hashes to block them from running.
Click on Edit then on the pencil icon.
In the blue field at the bottom, enter the MD5, SHA1 or SHA256 hash of the driver and a description, then click on Add.
To obtain the hash of a binary, you can use the following Powershell command. In this example, the SHA256 hash of all .sys files is obtained:
Get-ChildItem -Recurse -Filter '*.sys' | Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash
Enter other hashes in the blue field if necessary, then click on Add.
Click on OK.
You can also import a list of hashes from a CSV or text file. The file must contain one hash and a description per line, separated by a comma, tab or semicolon:
Hash (MD5, SHA1 or SHA2), Description
- Click on OK to confirm the list of hashes.
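As an added example (not code from the SES Evolution documentation or product), this PowerShell function extends the Get-FileHash one-liner above into a script that produces a file in the hash-and-description-per-line format described for import: it hashes every .sys file under a folder, drops duplicate hashes before they reach the import step, and strips separator characters from the description so each line parses as exactly two fields. The function name, the description layout and the absence of a header line are choices made here, not requirements stated by the page.

```powershell
# Added example, not part of the SES Evolution documentation or product code.
# Assumes Windows PowerShell 5.1 or later (Get-FileHash, FileInfo.VersionInfo).
function Export-DriverHashList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$OutFile,
        [ValidateSet('MD5', 'SHA1', 'SHA256')][string]$Algorithm = 'SHA256'
    )
    $seen  = @{}   # hash -> first file seen with it
    $lines = Get-ChildItem -LiteralPath $Folder -Recurse -Filter '*.sys' -File |
        ForEach-Object {
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm).Hash
            if ($seen.ContainsKey($h)) {
                # Same binary under two names: one hash entry is enough for the ID
                Write-Verbose "Duplicate of $($seen[$h]): $($_.FullName), skipped"
                return
            }
            $seen[$h] = $_.FullName
            # Description = file name and version; separators are replaced so the
            # importer never sees a third field on the line.
            $ver  = $_.VersionInfo.FileVersion
            $desc = ("$($_.Name) $ver").Trim() -replace '[,;\t]', ' '
            "$h,$desc"
        }
    Set-Content -LiteralPath $OutFile -Value $lines -Encoding UTF8
    # Returns the number of unique hashes written
    @($lines).Count
}

# Usage: hash the drivers folder of the current workstation into an importable file
Export-DriverHashList -Folder "$env:SystemRoot\System32\drivers" -OutFile '.\driver-hashes.csv' -Verbose
```

Run it with -Verbose to see which files were skipped as duplicates; the number it returns should equal the count the import window reports for the chosen algorithm.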
Accounts
- Click on Manage.
- From the drop-down list at the bottom, select the type of account that launches the identified driver (e.g., NT_AUTHORITY\System), then click on Add.
To obtain an SID, launch a command window with administration privileges and run the following command:
WMIC useraccount get name,sid
- Select other accounts if necessary and click on Add.
- Click on OK to confirm the list of accounts.
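As an added example (not code from the SES Evolution documentation or product), the following PowerShell functions resolve account names to SIDs and back using the .NET NTAccount and SecurityIdentifier classes. This complements the WMIC command above: WMIC useraccount only lists local and domain user accounts, whereas the service accounts that typically launch drivers (such as NT AUTHORITY\SYSTEM, the Windows name of the account shown as NT_AUTHORITY\System in the product) are resolved by the .NET lookup. The function names and the sample account list are constructed for illustration.

```powershell
# Added example, not part of the SES Evolution documentation or product code.
# Assumes Windows PowerShell 5.1 or later; Get-LocalUser requires the
# Microsoft.PowerShell.LocalAccounts module shipped with Windows 10 / Server 2016+.

# Account name -> SID. Unknown names are reported, not thrown, so a list of
# accounts can be checked in one pass.
function Get-AccountSid {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Account)
    process {
        try {
            $nt  = New-Object System.Security.Principal.NTAccount($Account)
            $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
            [pscustomobject]@{ Account = $Account; Sid = $sid.Value; Resolved = $true }
        }
        catch {
            # Translate throws IdentityNotMappedException for names that do not exist
            [pscustomobject]@{ Account = $Account; Sid = $null; Resolved = $false }
        }
    }
}

# SID -> account name, useful when a log or rule only shows the SID.
function Get-SidAccount {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Sid)
    process {
        $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        [pscustomobject]@{
            Sid     = $Sid
            Account = $s.Translate([System.Security.Principal.NTAccount]).Value
        }
    }
}

# Constructed sample list: the built-in service accounts plus a local user and
# one deliberately unknown name to show the unresolved case.
'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE',
"$env:COMPUTERNAME\Administrator", 'NO-SUCH-DOMAIN\nobody' |
    Get-AccountSid | Format-Table -AutoSize

# Reverse lookup of a well-known SID (S-1-5-18 is Local System)
Get-SidAccount -Sid 'S-1-5-18'

# Local user accounts with their SIDs, the PowerShell equivalent of the WMIC command above
Get-LocalUser | Select-Object Name, SID
```

Resolving the SID of a service account this way also avoids depending on WMIC, which recent Windows releases mark as deprecated.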
- Click on Add an entry if you want to add another list of criteria for the same ID. Having several entries makes it possible to group various resources under the same ID, if the same security rules use them. For example, you can group all legitimate drivers to compile a whitelist.
- Click on OK.
- If you have finished creating driver identifiers, click on Save in the upper banner.
- To show the contents of a driver ID without editing it, click on View.
When hashes are imported from a file, SES Evolution indicates any erroneous or duplicate hash, and only valid and unique hashes are imported.
Once they have been entered and imported, the window shows the number of hashes for each algorithm.
Specifying more criteria will more accurately identify the driver because all criteria must match.