ProcFilter Cheat Sheet
Overview
ProcFilter is an open-source Windows service developed by GoDaddy that integrates YARA rules with Windows process creation events to provide real-time process filtering capabilities. When a new process is created on the system, ProcFilter scans the executable image against a configured set of YARA rules and can block, log, or quarantine the process based on rule matches. This provides a lightweight, signature-based defense layer that supplements traditional antivirus by allowing security teams to deploy custom detection rules targeting specific threats, malware families, or suspicious behaviors.
ProcFilter hooks process creation from a kernel driver that registers for process-creation notifications (it is a process/image-load callback driver, not a file-system minifilter), so the user-mode service can scan the executable and veto the start before the new process runs its first instruction. It supports multiple response actions per YARA rule, set through meta tags: Block (prevent the process from starting), Log (allow execution but record the event), and Quarantine (copy the executable to the quarantine directory, usually combined with Block). Matches are written to the Windows Event Log, which is the hook for centralized monitoring and SIEM collection. It is particularly effective for deploying emergency YARA rules during incident response to prevent known-bad executables from running across an enterprise fleet. Two caveats worth keeping in mind: what is scanned is the on-disk image of the process being started, so a script run through an interpreter (powershell.exe, wscript.exe) is judged by the interpreter's image, not the script's content; and a Block rule that matches a system binary can make hosts unusable, so stage every new rule with Block = "false" and Log = "true" first and promote it to Block only after reviewing what it matched.
Installation
Pre-built Installer
# Download from GitHub releases
# https://github.com/godaddy/procfilter/releases
# Run the MSI installer
msiexec /i procfilter-x64.msi /qn
# Or interactive installation
procfilter-x64.msi
# Default installation directory: C:\Program Files\ProcFilter
From Source
# Clone repository
git clone https://github.com/godaddy/procfilter.git
cd procfilter
# Build with Visual Studio (the driver additionally requires the matching WDK)
# Open procfilter.sln in the Visual Studio version listed in the repository README
# Build Solution (Release x64)
# Install the service
procfilter.exe -install
Service Management
# Install ProcFilter service
procfilter.exe -install
# Start the service
net start procfilter
# Or
sc start procfilter
# Stop the service
net stop procfilter
# Uninstall
procfilter.exe -uninstall
# Check service status
sc query procfilter
Core Configuration
Main Configuration File
; C:\Program Files\ProcFilter\procfilter.ini
; Key names differ between versions: check each key below against the annotated
; procfilter.ini shipped with the installed build. An unrecognised key is ignored, not reported.
[ProcFilter]
; Enable/disable scanning
ScanEnabled=1
; YARA rules directory
RuleDirectory=C:\Program Files\ProcFilter\rules\
; Quarantine directory
QuarantineDirectory=C:\Program Files\ProcFilter\quarantine\
; Log file
LogFile=C:\Program Files\ProcFilter\procfilter.log
; Windows Event Log integration
EventLogEnabled=1
; Performance settings
ScanTimeout=30
MaxFileSize=52428800
; Hash algorithm for logging
HashAlgorithm=sha256
; Scan on process creation
ScanOnCreate=1
; Scan on image load (DLLs)
ScanOnImageLoad=0
; Whitelist directory (files that bypass scanning)
WhitelistDirectory=C:\Program Files\ProcFilter\whitelist\
YARA Rule Actions
// Rules use meta tags to define ProcFilter actions
rule BlockMalware {
meta:
description = "Block known malware family"
// ProcFilter-specific meta tags:
Block = "true" // Block process execution
Log = "true" // Log the detection
Quarantine = "true" // Copy to quarantine dir
strings:
$str1 = "malicious_payload"
$str2 = { 4D 5A 90 00 }
condition:
all of them
}
rule LogSuspicious {
meta:
description = "Log suspicious but don't block"
Block = "false"
Log = "true"
Quarantine = "false"
strings:
$packed = "UPX!"
$crypto = "CryptEncrypt"
condition:
$packed and $crypto
}
rule QuarantineAndBlock {
meta:
description = "Quarantine and block ransomware"
Block = "true"
Log = "true"
Quarantine = "true"
strings:
$ransom1 = "Your files have been encrypted" nocase
$ransom2 = "bitcoin" nocase
$ext = ".locked" nocase
condition:
2 of them
}
YARA Rule Management
Rule Directory Structure
C:\Program Files\ProcFilter\rules\
├── malware\
│ ├── ransomware.yar
│ ├── trojans.yar
│ └── backdoors.yar
├── suspicious\
│ ├── packers.yar
│ ├── shellcode.yar
│ └── obfuscation.yar
├── custom\
│ ├── incident_response.yar
│ └── threat_intel.yar
└── index.yar # Master file that includes others
Index File
// index.yar - Master rule file
include "malware/ransomware.yar"
include "malware/trojans.yar"
include "malware/backdoors.yar"
include "suspicious/packers.yar"
include "suspicious/shellcode.yar"
include "custom/incident_response.yar"
include "custom/threat_intel.yar"
Emergency Rule Deployment
# During incident response, quickly deploy a blocking rule
# Create emergency rule. A single-quoted here-string (@'...'@) is used so YARA's
# $identifiers need no backtick escaping.
@'
rule EmergencyBlock_Cobalt {
    meta:
        description = "Emergency block for active Cobalt Strike beacon"
        Block = "true"
        Log = "true"
        Quarantine = "true"
        author = "IR Team"
        date = "2026-05-18"
    strings:
        $beacon1 = { FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 }
        $beacon2 = "ReflectiveLoader"
        $config = { 00 01 00 01 00 02 ?? ?? 00 02 00 01 00 02 }
    condition:
        any of them
}
'@ | Out-File -FilePath "C:\Program Files\ProcFilter\rules\custom\emergency.yar" -Encoding ASCII
# -Encoding ASCII: with -Encoding UTF8, Windows PowerShell 5.1 prepends a UTF-8 BOM,
# which YARA's compiler may reject as a syntax error.
# $beacon2 on its own also matches legitimate tooling that exports ReflectiveLoader;
# acceptable during active IR, not as a standing rule.
# Make sure index.yar includes the new file (include "custom/emergency.yar");
# a rule file that is not included is never compiled, whatever directory it sits in.
# Restart service to load new rules
Restart-Service procfilter
# Verify the service is up and logging (Get-WinEvent works on PowerShell 5.1 and 7;
# Get-EventLog was removed in PowerShell 7)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ProcFilter' } -MaxEvents 5
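The emergency procedure above has one failure mode that matters at 2 a.m.: a rule with a syntax error leaves the service unable to compile its rule set, and the restart takes protection off the host instead of adding to it. The script below is an added example, not ProcFilter's own tooling, that stages the rule, compiles the whole index with yarac before touching the service, and rolls back on failure. It assumes the rules\index.yar layout used in this cheat sheet, a service named procfilter, that ProcFilter events land in the Application log, and that yarac64.exe from a YARA release is on PATH; run it from an elevated session.

```powershell
# Added example (not from the ProcFilter project): validated emergency rule deployment.
# Assumptions: rules\index.yar includes rules\custom\*.yar, service name "procfilter",
# yarac64.exe on PATH. No global $ErrorActionPreference = 'Stop': on PowerShell 7.4+
# that would turn yarac's non-zero exit into a terminating error before the rollback runs.
$RuleRoot    = 'C:\Program Files\ProcFilter\rules'
$IndexFile   = Join-Path $RuleRoot 'index.yar'
$RuleFile    = Join-Path $RuleRoot 'custom\emergency.yar'
$IndexBackup = "$IndexFile.bak"
$RuleBackup  = "$RuleFile.bak"

# Single-quoted here-string: nothing is interpolated, so YARA's $identifiers need
# no escaping. The condition also requires an MZ header so the rule cannot fire on
# a text file that merely contains the string "ReflectiveLoader".
$Rule = @'
rule EmergencyBlock_Cobalt {
    meta:
        description = "Emergency block for active Cobalt Strike beacon"
        Block = "true"
        Log = "true"
        Quarantine = "true"
        author = "IR Team"
    strings:
        $beacon1 = { FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 }
        $beacon2 = "ReflectiveLoader"
        $config  = { 00 01 00 01 00 02 ?? ?? 00 02 00 01 00 02 }
    condition:
        uint16(0) == 0x5A4D and any of them
}
'@

# 1. Back up the current index and rule file so a bad rule can be undone in one move.
Copy-Item -Path $IndexFile -Destination $IndexBackup -Force -ErrorAction Stop
if (Test-Path $RuleFile) { Copy-Item -Path $RuleFile -Destination $RuleBackup -Force -ErrorAction Stop }

# 2. Write the rule as ASCII (Windows PowerShell 5.1 prepends a BOM with -Encoding UTF8).
Set-Content -Path $RuleFile -Value $Rule -Encoding ASCII -ErrorAction Stop

# 3. Make sure the master file actually pulls the new rule in; a file that is not
#    included is never compiled, whatever directory it sits in.
$IncludeLine = 'include "custom/emergency.yar"'
if (-not (Select-String -Path $IndexFile -Pattern $IncludeLine -SimpleMatch -Quiet)) {
    Add-Content -Path $IndexFile -Value $IncludeLine -Encoding ASCII -ErrorAction Stop
}

# 4. Compile the whole index exactly as the service will see it. yarac exits
#    non-zero and prints the offending file and line for any syntax error.
$Compiled = Join-Path $env:TEMP 'procfilter-check.yarc'
& yarac64.exe $IndexFile $Compiled
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'Rule set failed to compile; restoring previous index.yar and emergency.yar'
    Move-Item -Path $IndexBackup -Destination $IndexFile -Force
    if (Test-Path $RuleBackup) { Move-Item -Path $RuleBackup -Destination $RuleFile -Force }
    else { Remove-Item -Path $RuleFile -Force }
    exit 1
}
Remove-Item -Path $Compiled, $IndexBackup -ErrorAction SilentlyContinue
if (Test-Path $RuleBackup) { Remove-Item -Path $RuleBackup }

# 5. Reload, then confirm the service is running and has logged since the restart.
$Since = Get-Date
Restart-Service -Name procfilter
(Get-Service -Name procfilter).Status
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ProcFilter'; StartTime = $Since } `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-List
```

Compiling with yarac rather than the service itself is deliberate: yarac uses the same libyara front end, so anything it rejects the service will reject too, but a yarac failure costs nothing while a service failure costs coverage. The same script runs unchanged under a fleet management tool, which is where the rollback branch earns its keep.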
Advanced Usage
Whitelisting
# Whitelist by hash (SHA256, one hex digest per line; the two values below are
# placeholders, not hashes of real files). Prefer hashes over paths: a path
# whitelist is only as strong as the ACLs on that path.
@"
a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3
"@ | Out-File -FilePath "C:\Program Files\ProcFilter\whitelist\trusted_hashes.txt" -Encoding ASCII
# -Encoding ASCII: Out-File's default in Windows PowerShell 5.1 is UTF-16LE,
# which a line-oriented hash reader will not parse as hex.
# Whitelist by path (in procfilter.ini; confirm the key exists in the INI shipped with your version)
# WhitelistPaths=C:\Windows\System32\;C:\Program Files\
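Hand-pasting digests does not scale past a handful of binaries. The function below is an added example, not part of ProcFilter, that hashes every PE-type file under a trusted application tree and merges the result into the whitelist. It assumes the one-SHA256-per-line file format shown above (lowercase hex) and that the service re-reads the whitelist on restart; both should be checked against the installed version. The VendorApp path is a placeholder.

```powershell
# Added example (not from the ProcFilter project): build or extend a hash whitelist.
# Assumes: whitelist file = one lowercase SHA-256 hex digest per line; ProcFilter
# re-reads it on service restart. 'C:\Program Files\VendorApp' is a placeholder path.
function Update-ProcFilterWhitelist {
    param(
        [Parameter(Mandatory)] [string] $TrustedRoot,
        [string]   $WhitelistFile = 'C:\Program Files\ProcFilter\whitelist\trusted_hashes.txt',
        [string[]] $Extensions    = @('.exe', '.dll', '.sys', '.scr', '.com')
    )
    # Hash only PE-type files, the things ProcFilter sees on process creation or image load.
    $new = @(Get-ChildItem -Path $TrustedRoot -Recurse -File |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower() })

    # Merge with the existing list, keeping only lines that really are SHA-256 hex
    # (blank lines, comments and stray whitespace are dropped rather than carried over).
    $existing = @()
    if (Test-Path $WhitelistFile) {
        $existing = @(Get-Content -Path $WhitelistFile |
            ForEach-Object { $_.Trim().ToLower() } |
            Where-Object { $_ -match '^[0-9a-f]{64}$' })
    }
    $merged = @($existing + $new | Sort-Object -Unique)

    # Write as ASCII: Out-File's default in Windows PowerShell 5.1 is UTF-16LE,
    # which a line-oriented hex reader will not parse.
    $dir = Split-Path -Path $WhitelistFile -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Set-Content -Path $WhitelistFile -Value $merged -Encoding ASCII

    [pscustomobject]@{
        Hashed   = $new.Count
        Existing = $existing.Count
        Total    = $merged.Count
        File     = $WhitelistFile
    }
}

# Trust a vendor's install tree, then restart so the service picks up the new list.
Update-ProcFilterWhitelist -TrustedRoot 'C:\Program Files\VendorApp'
Restart-Service -Name procfilter
```

Run it against a gold image or a freshly installed package, not against a host that may already be compromised; a whitelist built from a tampered tree simply whitelists the tampering.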
Windows Event Log Integration
# View ProcFilter events. -FilterHashtable filters inside the event log service,
# which is far faster than piping the entire Application log through Where-Object.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ProcFilter' } -MaxEvents 50 |
Select-Object TimeCreated, Id, Message | Format-List
# Filter for blocked processes (matching on message text; the wording is version-specific,
# so check a real Block event first)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ProcFilter' } |
Where-Object { $_.Message -match "Block" } |
Select-Object TimeCreated, Id, Message
# Export events for SIEM
Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='ProcFilter']]]" |
Select-Object TimeCreated, Id, LevelDisplayName, Message |
Export-Csv -Path "procfilter_events.csv" -NoTypeInformation
# Query for blocked-process alerts. The same XML works as the "On an event" custom
# trigger of a scheduled task. Level=2 (Error) is an assumption: adjust it to the
# level your version actually uses for Block events.
$query = @"
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[Provider[@Name='ProcFilter'] and (Level=2)]]</Select>
</Query>
</QueryList>
"@
Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 20 -ErrorAction SilentlyContinue |
Select-Object TimeCreated, Id, Message
Performance Tuning
; procfilter.ini - Performance settings
[ProcFilter]
; Timeout for YARA scan (seconds)
ScanTimeout=15
; Maximum file size to scan (bytes); 26214400 is 25 MB. Keep comments on their own
; line: an inline "; 25MB" after the number becomes part of the value when the INI is read
MaxFileSize=26214400
; Thread pool size
ScanThreads=4
; Cache settings (cache scan results to avoid re-scanning)
CacheEnabled=1
CacheSize=10000
CacheTTL=3600
; Exclude paths from scanning (comma-separated)
ExcludePaths=C:\Windows\WinSxS\;C:\Windows\Installer\
; Only scan specific extensions
; ScanExtensions=.exe,.dll,.scr,.com,.bat,.ps1
Monitoring and Reporting
# Monitor ProcFilter in real-time
Get-Content "C:\Program Files\ProcFilter\procfilter.log" -Wait -Tail 50
# Count detections per rule (assumes log lines carry a "Rule: <name>" field; check your log format).
# $_.Line is the matched text; splitting $_ itself would split the "path:line:text" string.
Select-String -Path "C:\Program Files\ProcFilter\procfilter.log" -Pattern "Rule: (\S+)" |
ForEach-Object { $_.Matches[0].Groups[1].Value } |
Group-Object -NoElement | Sort-Object Count -Descending
# List quarantined files
Get-ChildItem "C:\Program Files\ProcFilter\quarantine\" -Recurse -File |
Select-Object Name, Length, CreationTime | Format-Table
# Generate daily report. StartTime filters in the log service rather than in the pipeline,
# and grouping by event Id gives counts per event type instead of one group per unique message.
Get-WinEvent -FilterHashtable @{
LogName = 'Application'; ProviderName = 'ProcFilter'; StartTime = (Get-Date).Date
} -ErrorAction SilentlyContinue |
Group-Object -Property Id | Select-Object Count, Name
Troubleshooting
| Issue | Solution |
|---|---|
| Service fails to start | Check procfilter.log for YARA compilation errors; the service cannot start on a rule set it cannot compile |
| YARA rule compilation error | Compile the master file with yarac64.exe rules\index.yar out.yarc before deploying and fix the file and line it reports (yara's -c flag is --count, a match counter, not a syntax check) |
| Legitimate software blocked | Add to whitelist by hash (preferred over path); tighten the rule's condition |
| High CPU usage | Lower MaxFileSize, remove broad or regex-heavy rules, add path exclusions; raising ScanTimeout does not reduce work, it only lets slow scans run longer |
| Driver load failure | A self-built kernel driver needs test signing (bcdedit /set testsigning on, then reboot) or a kernel-mode code-signing certificate; production hosts should only run a properly signed driver |
| Missing detections | Verify RuleDirectory in the INI and that index.yar includes the rule file; check the Block/Log meta tags; confirm the rule fires at all with yara64.exe against the sample |
| Event log flooding | Set Log = "false" on noisy, non-critical rules, or tighten their conditions |
| Quarantine directory full | Implement a cleanup script; set size limits or a retention policy |
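For the last row, a retention script is short enough to show in full. The function below is an added example, not part of ProcFilter: it removes quarantined files past an age limit, then trims oldest-first until the directory is under a size cap, and hashes each file into a CSV manifest before deleting it so the sample can still be matched to event-log entries afterwards. It assumes the QuarantineDirectory from the INI above and that quarantined files keep a meaningful CreationTime (the time of the copy); the manifest path is a placeholder outside the quarantine tree so it is never itself a deletion candidate.

```powershell
# Added example (not from the ProcFilter project): age- and size-based quarantine retention.
# Assumptions: QuarantineDirectory as in procfilter.ini above; CreationTime = time of quarantine.
function Invoke-QuarantineRetention {
    param(
        [string] $QuarantineDir = 'C:\Program Files\ProcFilter\quarantine',
        [int]    $MaxAgeDays    = 30,
        [long]   $MaxTotalBytes = 2GB,
        [string] $Manifest      = 'C:\Program Files\ProcFilter\quarantine-manifest.csv',  # placeholder path
        [switch] $DryRun
    )
    if (-not (Test-Path $QuarantineDir)) { throw "Quarantine directory not found: $QuarantineDir" }
    $files  = Get-ChildItem -Path $QuarantineDir -Recurse -File
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    # Pass 1: everything older than the retention window is a candidate.
    $toDelete = @($files | Where-Object { $_.CreationTime -lt $cutoff })

    # Pass 2: if what remains still exceeds the cap, trim oldest-first until it fits.
    $keep  = @($files | Where-Object { $_.CreationTime -ge $cutoff } | Sort-Object CreationTime)
    $total = [long](($keep | Measure-Object -Property Length -Sum).Sum)
    foreach ($f in $keep) {
        if ($total -le $MaxTotalBytes) { break }
        $toDelete += $f
        $total    -= $f.Length
    }

    # Record hash and metadata before removal; the bytes are gone afterwards but the
    # digest still correlates with ProcFilter's logged hash for that event.
    $records = foreach ($f in $toDelete) {
        [pscustomobject]@{
            Deleted      = (Get-Date).ToString('s')
            Path         = $f.FullName
            Length       = $f.Length
            CreationTime = $f.CreationTime.ToString('s')
            SHA256       = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
        }
    }
    if (-not $DryRun -and $toDelete.Count -gt 0) {
        $records  | Export-Csv -Path $Manifest -Append -NoTypeInformation
        $toDelete | Remove-Item -Force
    }
    $removed = if ($DryRun) { 0 } else { $toDelete.Count }
    [pscustomobject]@{
        Candidates     = $toDelete.Count
        Removed        = $removed
        RemainingBytes = $total
        Manifest       = $Manifest
    }
}

# Dry run first to see what would go, then run for real (e.g. from a daily scheduled task).
Invoke-QuarantineRetention -DryRun
Invoke-QuarantineRetention -MaxAgeDays 30 -MaxTotalBytes 2GB
```

Age and size are applied as two separate passes on purpose: age alone cannot bound disk use during a noisy incident, and size alone would silently discard recent samples on a busy host. Keep the manifest with the same retention as your event logs, since it is the only record of the sample once the file is gone.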