Merge pull request #98 from DimChris0/patch-2

svchost.exe check in mem-scan
Neo23x0 · May 24, 2018 · b68c622 · b68c622
2 parents 1b4714a + 9cd7143
commit b68c622
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/loki.py b/loki.py
@@ -776,7 +776,7 @@ def scan_processes(self):
                     logger.log("WARNING", "ProcessScan", "svchost.exe path is not System32 %s" % process_info)
             if name == "svchost.exe" and priority is not 8:
                 logger.log("NOTICE", "ProcessScan", "svchost.exe priority is not 8 %s" % process_info)
-            if name == "svchost.exe" and not ( self.check_svchost_owner(owner) or "UnistackSvcGroup" in cmd):
+            if name == "svchost.exe" and not ( self.check_svchost_owner(owner) or "unistacksvcgroup" in cmd.lower()):
                 logger.log("WARNING", "ProcessScan", "svchost.exe process owner is suspicious %s" % process_info)
 
             if name == "svchost.exe" and not " -k " in cmd and cmd != "N/A":