[Rule Tuning] Unusual Print Spooler Child Process #4987

@wasserman

Link to Rule

No response

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

The current rule allows for ?:\\Program Files (x86)\\CutePDF Writer\\CPWriter2.exe, but I found C:\Program Files (x86)\CutePDF Writer\CPWSave.exe with the following signature in my environment.
https://www.virustotal.com/gui/file/59f6afe416182af25cf9f30ef2bf69e4141755c40d34020e8ac3a014b474e18d/details

Please determine if it is reasonable to also allow for ?:\\Program Files (x86)\\CutePDF Writer\\CPWSave.exe.

Thanks!

Example Data

No response
