Author: virmusic
Subject: Sysmon prohibits deleting of image
Posted: 17 April 2015 at 1:07pm
As sysmon by default calculates a hash on loading an image into memory, deletion of the image after having run it is not possible, since the file is locked through sysmon during the calculation of the hash.
> run a large image (e.g. 2GB executable) and immediately delete it: a warning occurs stating the action cannot be accomplished since the file is opened by sysmon.
Any idea how to omit this? Can sysmon be run without calculating a hash per image?
Thank you very much
virmusic