New Antiexecutable: NoVirusThanks EXE Radar Pro

Ok then why @novirusthanks listed that one?

 

He might have listed for XP - perhaps ?

 

I was just whitelisting command lines. I had not interest in knowing what programs were allowed or not since AppGuard treats the PC as if it is already infected... so why bother? Thoughts.

 

Let's be completely honest here... anything added to AppGuard is very likely just plain overkill.

That being said, an anti-exploit, virtualization, web content filtering, outbound notifications and on-demand AV scanner are judicious supplements to AppGuard - but not absolutely necessary.

 

Whatever app I run is already guarded in AppGuard. Whatever executables that app spawns inherits protection as well. Therefore, why whitelist executables when the same protection lies in another app? Why not just whitelist the command lines exe/dll/sys (whatever else falls in the ERP net) files use?

 

Unless those apps are located in any non-system partitions/drives/ramdisks, then AG can't protect them for the moment; only ERP will do the job.

 

Doesn't all that come under User Space, whether it's sucked into "Removable Media", or entered manually (D:\, E:\, etc...)? Unless something has changed in the beta builds... I am still using current stable. Sorry, haven't been paying attention to beta posts.

 

Where can I find Peters security config?

 

In fact , AG never protected any apps located outside the system partition, but with the previous versions, it didn't warn about that.
In the betas, it now warns that any non-system located rules are erroneous.

User-space rules are valid ONLY if the path is in the system partition.

If you tried the betas, you would see that you still can add partitions/drives/folders in the User-Space tab but then any rules with non-system partition's paths will from now on generate an error.

Also folders outside the system partition can't be protected or made private.

So to resume:

Anything not located on the system partition isn't protected by AG.

 

In fact running ERP alongside AG will protect other partitions unlike AG.

 

I already asked for some info in the VS thread. But it's a bit confusing, so you're saying that ERP and VS were bypassed, but in the VS thread the developer says it stopped the payload?

 

It depends on the way you look at. The reason why I don't like AG, is because the concept is harder to grasp.

My approach:

If apps are not on the white-list, they can't run, no need to think about system and user space, ERP doesn't care. If I don't trust some app, I run it virtualized with SBIE, it can't touch the registry, file system, and can't communicate with or modify processes running outside the sandbox. If I'm ready to run some app on the real system, I monitor it with HIPS like SpyShelter. It will block behavior related to keyloggers, rootkits, trojans and can also protect private data against ransomware.

 

That is sound mult-layered approach.

 

Contrary to what others might state, my native Chinese speaking contact states that both VS and ERP were bypassed - since the webpage exploit abused white-listed, but vulnerable processes - like PresentationHost.exe - to circumvent the white-list.

You have to read Chinese to fully understand everything that is presented.

 

Are you still inflating your vuln proc list? I can't wait to have a copy of it

 

@MisterX - from Florian @ Excubits

Add from these locations: C:\Windows - System32, SysWOW64, MicrosoftNet\Framework, MicrosoftNET\Framework64

Note: For NET items you must add them for all versions in which the file resides = search the version folders, if file found, add it to vulnerable process list.

When adding all these items to vulnerable process list, Alert Mode is recommended.

Everything below is Florian's words...

*InstallUtil*
*Regsvcs*
*RegAsm*
*wusa*
?:\$Recycle*
*reg.exe
*vssadmin.exe
*aspnet_compiler.exe
*csc.exe
*jsc.exe
*vbc.exe
*ilasm.exe
*MSBuild.exe
*script.exe
*journal.exe
*msiexec.exe
*bitsadmin*
*iexpress.exe
*mshta.exe
*systemreset.exe
*bcdedit.exe
*mstsc.exe
*powershell.exe
*powershell_ise.exe
*hh.exe
*set.exe *
setx.exe
*InstallUtil.exe
*IEExec.exe
*DFsvc.exe
*dfshim.dll - NOTE: Adding to NVT ERP Vulnerable Process list is NOT supported - and should not be added (@novirusthanks)
*PresentationHost.exe
C:\Windows\ADFS\*
C:\Windows\Fonts\*
C:\Windows\Minidump\*
C:\Windows\Offline Web Pages\*
C:\Windows\tracing\* C:\Windows\Tasks\*

I also suggest that you restrict write access permissions on

C:\Windows\ADFS\*
C:\Windows\Fonts\*
C:\Windows\Minidump\*
C:\Windows\Offline Web Pages\*
C:\Windows\tracing\*
C:\Windows\Temp\*
C:\Windows\Tasks\* - NOTE: When installing some apps, they will need access to this folder to schedule start, updates, etc.
C:\ProgramData\*

such, that you - as a default/normal user - cannot copy (or write) files into one of these folders. Please note, ensure that Windows Update (or the Trusted Installer and Admin) are still able to write into these folders or you gonna end up in some trouble

 

@Mister X

Good infos:

http://blog.jpcert.or.jp/.s/2016/01/windows-commands-abused-by-attackers.html

https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/Limits.txt

https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt

https://www.google.com/url?sa=t&rct...rp.pdf&usg=AFQjCNEtzdGLLNA-z4AJGmWwpn2Owpm3DA

There's is all kinds of infos online if you search.

 

@hjlbx

Thank you very much.

 

@Mister X - you are welcome.

I would use Alert Mode until you are confident that enabling Lock Down mode will not smash your system.

Remember about Windows updates - sometimes they might need NET Assemblies - so when perform Windows update - you might have to enable Allow mode.

Anyhow, I have run into no problems yet adding everything on the list - except I didn't do the write access to folders - since I can't use Secure Folders on my system.

 

Got it, thanks.

 

OK, so the VS developer misunderstood? I wonder why he's saying that the ransomware payload was still blocked though.

A lot of them are already in my vulnerable processes list. But I'm not really that worried, because my browsers are all running sandboxed.

 

I think he is misunderstanding parts of translated page; must read webpage in Chinese to fully understand.