1. Overview
This document provides an overview of the event log structure, event categories, severities, and system components responsible for logging security-related activities in Arms Cyber.
Event logs are recorded under:
- Source: Applications and Services Logs/WinRandLogger
Each event follows this format:
Category: <event type>, Severity: <severity type>, Summary: <high-level overview>, Description: <detailed overview>, Mitigated: <0 if no, 1 if yes>
2. Event Severity Levels
| Severity    | Description                                      |
|-------------|--------------------------------------------------|
| Information | Routine system events                            |
| Warning     | Events requiring administrator attention         |
| Critical    | High-priority events requiring immediate action  |
3. System Components & Functions
Recovery Module: Restores archived files back to their original locations. Logs an event upon successful recovery.
Refresh Module: Updates the archive folder daily to ensure restored files remain within the last 24 hours.
Backup Module: Archives files before encryption or modification to a hidden folder.
System Module: Prevents deletion of shadow copies and event logs.
PowerShell Module: Deobfuscates and analyzes PowerShell commands before execution. Blocks suspicious/malicious commands.
Memory Module: Protects the internal memory of key processes from corruption attempts.
File Analysis Module: Monitors file behavior and entropy to detect ransomware.
Decoy Protection Module: Uses stealth decoy files to detect ransomware initiation points and kill malicious processes before encryption occurs.
4. Event Categories & Types
A. Hardening Events
| Event                            | Severity    | Summary                                   |
|----------------------------------|-------------|-------------------------------------------|
| Recovery Completed               | Critical    | Files successfully restored from archive  |
| Refresh Completed                | Critical    | Archive refreshed for new versions        |
| ArmsBackup Activated             | Information | Hidden archival started                   |
| System Module Activated          | Warning     | Protection initiated                      |
| PowerShell Module Loaded         | Warning     | Obfuscation protection enabled            |
| Memory Module Loaded             | Warning     | Memory protection activated               |
| Arms File Analysis Activated     | Critical    | High entropy detection enabled            |
| Arms Decoy Protection Activated  | Critical    | Decoy protection enabled                  |
B. Detection Events
| Event                             | Severity | Summary                                              |
|-----------------------------------|----------|------------------------------------------------------|
| Decoy File Triggered              | Critical | Decoy file triggered, stopping ransomware execution  |
| High Entropy Alert                | Critical | File renaming detected with high entropy score       |
| System Module Alert               | Warning  | Shadow copy or event log deletion attempt detected   |
| PowerShell Defense Evasion Alert  | Warning  | Suspicious obfuscated commands detected              |
C. Mitigation Events
| Event                                | Severity | Summary                                                |
|--------------------------------------|----------|--------------------------------------------------------|
| Decoy Protection Terminated Process  | Critical | Malicious process terminated due to decoy trigger      |
| File Analysis Terminated Process     | Critical | Malicious process terminated due to suspicious renaming|
| System Module Blocking Deletion      | Warning  | Attempt to delete logs or shadow copies blocked        |
| PowerShell Module Blocked Command    | Warning  | Suspicious obfuscated command execution blocked        |
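The following Python script is an added example, not Arms Cyber's own code, showing how a SOC could consume the event format from section 1 together with the category and severity tables from section 4 once messages have been exported from the WinRandLogger log. It parses the "Category/Severity/Summary/Description/Mitigated" message, looks the event up in the reference tables transcribed from this article, flags any severity that disagrees with the table, and marks Detection events logged with Mitigated: 0 as needing follow-up. The sample messages, process IDs and file paths are constructed, and the parser assumes that Summary and Description never contain the literal field labels "Description:" or "Mitigated:".

```python
"""Parse and triage Arms Cyber WinRandLogger event messages (added example).

The message layout and the event/severity tables come from the article;
everything else here (sample events, the needs_action rule) is an assumption
made for illustration and is not product code.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Reference tables transcribed from sections 4A-4C of the article.
HARDENING = {
    "Recovery Completed": "Critical", "Refresh Completed": "Critical",
    "ArmsBackup Activated": "Information", "System Module Activated": "Warning",
    "PowerShell Module Loaded": "Warning", "Memory Module Loaded": "Warning",
    "Arms File Analysis Activated": "Critical",
    "Arms Decoy Protection Activated": "Critical",
}
DETECTION = {
    "Decoy File Triggered": "Critical", "High Entropy Alert": "Critical",
    "System Module Alert": "Warning", "PowerShell Defense Evasion Alert": "Warning",
}
MITIGATION = {
    "Decoy Protection Terminated Process": "Critical",
    "File Analysis Terminated Process": "Critical",
    "System Module Blocking Deletion": "Warning",
    "PowerShell Module Blocked Command": "Warning",
}
GROUPS = {"Hardening": HARDENING, "Detection": DETECTION, "Mitigation": MITIGATION}

# The field labels anchor the match, so commas inside Summary/Description are
# tolerated (the article's own summaries contain commas).
EVENT_RE = re.compile(
    r"^Category:\s*(?P<category>.+?),\s*Severity:\s*(?P<severity>\w+),\s*"
    r"Summary:\s*(?P<summary>.*?),\s*Description:\s*(?P<description>.*?),\s*"
    r"Mitigated:\s*(?P<mitigated>[01])\s*$",
    re.DOTALL,
)


@dataclass
class Event:
    category: str
    severity: str
    summary: str
    description: str
    mitigated: bool


def parse_event(message: str) -> Optional[Event]:
    """Return an Event for a well-formed message, or None if it does not match."""
    m = EVENT_RE.match(message.strip())
    if not m:
        return None
    return Event(m["category"].strip(), m["severity"].strip(), m["summary"].strip(),
                 m["description"].strip(), m["mitigated"] == "1")


def triage(message: str) -> dict:
    """Classify one message against the reference tables.

    needs_action is True for a Detection event with Mitigated: 0 (the product
    saw something but reports no mitigation) and for any message that does not
    parse, since an unexpected format should be looked at rather than dropped.
    """
    ev = parse_event(message)
    if ev is None:
        return {"valid": False, "group": None,
                "severity_matches_reference": False, "needs_action": True}
    group = next((g for g, table in GROUPS.items() if ev.category in table), "Unknown")
    expected = GROUPS.get(group, {}).get(ev.category)
    return {"valid": True, "group": group,
            "severity_matches_reference": expected == ev.severity,
            "needs_action": group == "Detection" and not ev.mitigated}


def summarize(messages) -> dict:
    """Count messages per group plus malformed and action-needed totals."""
    counts = {"Hardening": 0, "Detection": 0, "Mitigation": 0, "Unknown": 0,
              "malformed": 0, "needs_action": 0}
    for msg in messages:
        t = triage(msg)
        counts["malformed" if not t["valid"] else t["group"]] += 1
        counts["needs_action"] += int(t["needs_action"])
    return counts


# Constructed sample messages in the article's format (not real log data).
SAMPLE_EVENTS = [
    "Category: Decoy File Triggered, Severity: Critical, "
    "Summary: Decoy file triggered, stopping ransomware execution, "
    "Description: PID 4242 opened decoy C:\\Users\\alice\\Documents\\~decoy.docx, Mitigated: 1",
    "Category: High Entropy Alert, Severity: Critical, "
    "Summary: File renaming detected with high entropy score, "
    "Description: 37 files renamed by PID 5150 with mean entropy 7.9, Mitigated: 0",
    "Category: PowerShell Module Loaded, Severity: Warning, "
    "Summary: Obfuscation protection enabled, "
    "Description: Module initialised at service start, Mitigated: 0",
    "Category: System Module Alert, Severity: Critical, "  # article says Warning
    "Summary: Shadow copy or event log deletion attempt detected, "
    "Description: Shadow copy deletion attempt by PID 6021, Mitigated: 1",
    "WinRandLogger started",  # malformed: does not follow the documented format
]

if __name__ == "__main__":
    for msg in SAMPLE_EVENTS:
        print(triage(msg))
    print(summarize(SAMPLE_EVENTS))
```

The needs_action rule is deliberately narrow: Hardening events are lifecycle messages and Mitigation events already record a blocked or terminated action, so only an unmitigated Detection event (or a message that fails to parse) is escalated. A severity that disagrees with the reference table is reported separately so that alert routing keyed on severity can be checked against what this article documents.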