So... in a bit of a pickle; nothing major, just irritating... looking for a program that (there is criteria to consider... *sighs*): notifies me if certain executables are called (similar to how ERP and SS provide notifications) its settings are carried over from Administrator Account to Standard/Limited User Account no DNS callouts to Microsoft Secure Folders, XOSLAB Easy File Locker and Gilisoft EXE Lock are already used; each has a specific purpose. You may be thinking, "hang on, you know of these apps already!?". Yes, but... NVT ERP - settings do not respect Standard/Limited User Account (in virtual machine they do) SpyShelter - have licence, but settings do not respect Standard/Limited User Account AppGuard - have licence, but not interested in DNS callouts to Microsoft Pumpernickel/MemProtect - not interested in DNS callouts to Microsoft Here is the list of remaining files I would like to address... Spoiler C:\Windows\System32\cmd.exe C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\msiexec.exe C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\dllhost.exe C:\Windows\SysWOW64\dllhost.exe C:\Windows\System32\conhost.exe C:\Windows\System32\mmc.exe C:\Windows\SysWOW64\mmc.exe C:\Windows\System32\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe C:\Windows\System32\net.exe C:\Windows\SysWOW64\net.exe C:\Windows\System32\netsh.exe C:\Windows\SysWOW64\netsh.exe C:\Windows\System32\ARP.EXE C:\Windows\SysWOW64\ARP.EXE C:\Windows\System32\at.exe C:\Windows\SysWOW64\at.exe C:\Windows\System32\sc.exe C:\Windows\SysWOW64\sc.exe Any ideas? Thanks in advance...
How does it "call Microsoft"? The driver itself isn't able to connect to the internet. Or are you using the following executables: MemProtectSignalCheck.exe / PumpernickelSignalCheck.exe? Because they can do it.
It isn't really Pumpernickel & MemProtect doing it... it is the KB update required for certificate checks that causes the callouts (crl.xxxxxx and/or ctl.xxxxxxx). I think W7HP can't fully shut off the certificate checks, so stuck I am... even after making changes to the HP version of Group Policy (Certificate Path Validation Settings).
I see connections to: http://crl.startssl.com/ http://crl.comodoca.com/ http://crl.globalsign.net/ Maybe try to block connections to these urls with a firewall - http://crl.xxxx.xxx/ I tried it with the Group Policy, but wasn't able to block these connections. But if you manage somehow to block these connections, you won't notice that a publisher revoked some of his certificates.
I've got those and a hell of a lot more in a custom HOSTS file, generated by Acrylic DNS Proxy... so the callouts go to 127.0.0.1, which Acrylic automatically binds to 0.0.0.0 So essentially, nothing is really being transmitted outdoors; just annoying to see the entries pop up in the Hit Log.
I stumbled across this while browsing on MT in a thread about disabling Windows Services. Although small, and sorta' not mature... it still does the trick. So far I have populated it with system and non-system exe and com files; am yet to try dll. Relatively easy to use, drag n drop files into the GUI, click the purple tick to finalise the list. Each entry has a tick box, untick and click purple tick to finalise, then tick and click purple tick when finished with unblocked files. One good thing about this app that others similars don't cater to is the "one filename fits all" rule. Example, 4 entries for dllhost.exe; 2 in WINSXS, 1 in SYSTEM32 and 1 in SYSWOW64. With RB, dragging any entry into the GUI blocks all 4 It won't accept conhost.exe; Explorer can't find it but 3rd party search programs can, so had to push this block back to Secure Folders. Also, if conhost is blocked, RB cannot finalise list. A little nasty I found out the hard way (was scratching my head... thinking, wth is this error) hahahaha Little example of how files look like when entered... Spoiler
Nice little tool. I'm gonna test it in a VM. I think the resource usage isn't high with that tiny executable.
I'm just going off of the 3 websites that talked about vulnerable processes. I think @hjlbx mentioned them initially. Although it isn't a critical process, ARP.exe is responsible mapping IP addresses to MAC addresses. It also has the ability to display, add and delete network interfaces, and it could be used in conjunction with tools responsible for ARP poisoning and ARP spoofing (pretend to be the computer you are communicating with, essentially a MitM sorta' thing...). ARP, most likely isn't the first cab off the rank to target, and usually isn't in the top section of the exe list to exploit... but hey, it still is possible. In regards to ITW, your imagination is as good as mine. Routers & Network Interface Cards spit out and swallow ARP requests on a regular basis. They can be switched off/lowered to Gratuitous ARP which removes most of the repeat requests (once a request has been acknowledged and response received, no calls for a while)... but it can't be fully shut off, don't quote me on this... just running off what I have seen in Wireshark while mucking around with settings. In regards to sc.exe, this one is more of an after-thought than anything else. It's once they are inside, that they can wreak havoc.. if that makes sense? I guess the same applies for at.exe? I tend to go all out on this stuff, hence blocking/restricting a lot of processes isn't new to me.
the main problem is that , hard to find a well coded soft that would distinguish a single user using 2 accounts (one for admin tasks and one for daily use) from 2 users using the same computer... Microsoft doing secondary accounts stupidly, during installation of the OS, an admin account and an SUA related to it should have been made simultaneously.
I'm guessing UAC max on your admin account isn't enough? If it prompts for a password I'm assuming it'll be functionally identical (or at least very similar) to sudo right?
hehe you spotted me, indeed i added password request to my admin account. That is what i'm trying to emulate
OK I see, thanks for the info. These so called "vulnerable processes" are indeed a bit risky, I do monitor the most known ones with ERP. The problem is that trusted system processes do sometimes need to run these apps, and you don't want to be prompted everytime. So I'm still looking for a tool that can monitor parent-child process control, like SSM back in the days.
Apart from finding the ideal piece of software... I "guess" the only way to do this properly would be to have child PCs dedicated to specific tasks which are locked out of Admin Elevation (eg: disable Windows Services such as Application Information, Secondary Logon)... connected to a parent PC which runs as Admin... <---sounded good in my head at the time of typing! ----- EDIT: Just remembered why I decided to lock ARP.exe; it's because I use a VPN, and ARP is called when waking up/activating the TAP Adapter and finalising VPN connection. ----- Yep, trusted processes sometimes do need to run these apps. It depends on how far you desire to push the "control" envelope. The whole notification side of things became stale very quickly on my end. Interaction is one thing, permission/approval/confirmation is another. Sometimes it would be so repetitive, your hair would scream to be torn out at its roots! Some of our forum members use default-deny while browsing, some use default-deny as soon as they turn their PC on, along with blacklist vs whitelist and 3rd party apps vs policy/permission. I haven't made use of an active/real-time AV/AM app since November 2015. This lead me down the path of policy/permission/escalation. IMO, stopping here still left me somewhat exposed, and the challenge wasn't challenging enough. We've all seen stories/reports about UAC being bypassed, and it doesn't help matters that Windows has Services that allow for escalation of privileges. I felt I wanted more... but was limited in what I could accomplish because I use Home Premium. I was stuck with a custom-created Group Policy which didn't have all the juicy changes available in the Professional version, and there was no access to Applocker/Bitlocker either. So, I enhanced (some would say complicated) things further by introducing process locks. As expected, one app wouldn't cover all, so I had to use "a collection". Ugh, but... after the dust has settled, I believe I now have a hardened LUA... a properly-hardened LUA. It helps when you sorta' know that your PC is finalised. The only thing left to do is collect updates for apps and designate a day for backups and updates. Sorry for the rant!
Yes, that's what I meant. You don't want to break things and interfere with legit behavior. It's probably best if security tools would allow these so called "vulnerable processes" to run only when launched by system applications that reside inside C:\Windows. If other apps try to run them, then you should be alerted. And even explorer.exe and svchost.exe are often abused by malware. A lot of ransomware will startup them in suspended state in order to inject code (process hollowing), which will render a lot of HIPS powerless, since malicious actions are now done by a trusted system process. In other words, they should be also monitored closely, at least when launched by non-system apps.
BTW, turns out that SpyShelter Firewall already does this, it will alert about all child processes being launched.
