Windows process denial framework with YARA integration
ProcFilter is a Windows service that integrates YARA rules to filter processes, offering targeted protection and analysis capabilities for malware analysts and security professionals. It allows dynamic blocking, logging, or quarantining of processes based on custom YARA signatures, enhancing endpoint security and threat intelligence gathering without requiring reboots.
How It Works
ProcFilter leverages Microsoft's Event Tracing for Windows (ETW) API to monitor process and thread events. It scans process memory and files against YARA rules, which can be dynamically updated via Git. Custom meta tags within YARA rules dictate actions like blocking, logging, or quarantining, providing granular control and extensibility through a C API for custom plugins.
Quick Start & Requirements
Configuration lives in procfilter.ini, which sets the scanning options and the Git repository URLs used for rule updates.
Highlighted Details
Maintenance & Community
Licensing & Compatibility
Limitations & Caveats
ProcFilter is described as beta and not yet ready for production environments. Its signature-based approach means it relies on previously identified threats and can be evaded by signature mutation. While extensible, it is not an AV replacement and has a minimal default signature set.
Last activity: 5 years ago. Project status: inactive.