Microsoft Sysmon can now block malicious EXEs from being created (Security News, August 2022)
Microsoft has released Sysmon 14 with a new 'FileBlockExecutable' option that lets you block the creation of malicious executables, such as EXE, DLL, and SYS files, for better protection against malware.
Users can find the complete list of directives in the Sysmon schema, which can be viewed by running the sysmon -s command at the command line.
The current Sysmon schema is version 4.82, which now includes the 'FileBlockExecutable' configuration option to block the creation of executables based on their path, name, hash, and the program trying to create the files, as shown below.
To start Sysmon and direct it to use the above configuration file, you would execute the sysmon -i command and pass the configuration file's name.
With the FileBlockExecutable feature enabled, when an executable is created and matches a rule, Sysmon will block the file and generate an 'Event 27, Sysmon' entry in Event Viewer.
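As an added illustration (not a configuration from the article or from Microsoft), the following Sysmon configuration uses the FileBlockExecutable directive from schema 4.82 to block executable creation by all three criteria the article mentions: the creating program (Image), the target path and name (TargetFilename), and the file hash (Hashes). The rule names, the chosen paths, the office application names and the zeroed SHA256 value are assumptions for the example; the hash is a placeholder to be replaced with a real one.

```xml
<Sysmon schemaversion="4.82">
  <!-- Hashes logged in events and compared by Hashes rules; SHA256 keeps the rule below meaningful -->
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- onmatch="include": any executable creation matching a rule below is blocked
           and logged as Event ID 27 (FileBlockExecutable) in Microsoft-Windows-Sysmon/Operational -->
      <FileBlockExecutable onmatch="include">
        <!-- 1. Creating program + name: Office applications writing .exe files (e.g. macro droppers) -->
        <Rule name="OfficeDropsExe" groupRelation="and">
          <Image condition="contains any">WINWORD.EXE;EXCEL.EXE;POWERPNT.EXE</Image>
          <TargetFilename condition="end with">.exe</TargetFilename>
        </Rule>
        <!-- 2. Path: no executables in world-writable staging locations (paths are example choices) -->
        <Rule name="PublicStaging" groupRelation="or">
          <TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
          <TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename>
        </Rule>
        <!-- 3. Hash: a known-bad file regardless of name or location.
             PLACEHOLDER value; substitute the real SHA256 of the sample you want to block -->
        <Rule name="KnownBadHash">
          <Hashes condition="contains">SHA256=0000000000000000000000000000000000000000000000000000000000000000</Hashes>
        </Rule>
      </FileBlockExecutable>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Save this as, for example, sysmon-block.xml and install it with `sysmon -i sysmon-block.xml` (or `sysmon -c sysmon-block.xml` on an existing installation); a blocked write then appears as Event ID 27 with the Image, TargetFilename and Hashes fields populated, which is what a detection rule or SIEM query should key on.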
For those who want a premade Sysmon configuration file that uses this feature to block known malware and hack tools, you can use one created by security researcher Florian Roth.