New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    C:\WINDOWS\system32\cmd.exe /c "C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe" --parent-window=0 chrome-extension://glcimepnljoholdmjchkloafkggfoijh/ < \\.\pipe\chrome.nativeMessaging.in. * > \\.\pipe\chrome.nativeMessaging.out. *

    Watch carefully and leave a space between red dot and asterisk.
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Okay....Thanks
     
  4. guest

    guest Guest

    .
     
    Last edited by a moderator: Jul 7, 2016
  5. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
@marzametal so I was feeling all smug thinking I didn't have an issue with NVT ERP in a SUA :) BUT as soon as I logged into my Admin account to do something... I found the 'Trusted Vendors' list and 'Whitelist' were both reset to default :( Everything works fine as long as I stay in the SUA - I guess I can live with this - I'll just export my settings for the few times a year I need my Admin account.
     
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Q: wildcard question re spaces.
    for example \12.3.4.56\
I've tried \*\ and \ * \ and \*.*.*.*\ and \ *.*.*.* \ with no joy...so, what do you think....where to add the space...?
Do I add a space before and after * or ? or . ?
     
  7. guest

    guest Guest

You can't use a wildcard with those lines; cmd.exe is the parent and is in the vulnerable processes list, so you will ALWAYS have an alert whatever you do; unless you remove it from the list, which I don't suggest.
     
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    wildcard with Whitelist Command-Lines....edit command line string.
    e.g.,
    C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Norton Security with Backup\Engine\22.5.2.15\coNatHst.exe" --parent-window=0 chrome-extension://cjabmdjcfcfdmffimndhafhblfmpjdpe/ < \\.\pipe\chrome.nativeMessaging.in.* > \\.\pipe\chrome.nativeMessagi
     
  9. guest

    guest Guest

    cmd.exe = vulnerable process
     
  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Well, string goes to Command-Lines and has been there from almost day one with multiple strings.
    I thought after reading about spaces I could narrow down 15 strings.
So, Vulnerable processes like cmd and rundll cannot be wildcarded.
    Well, that's good to know.
    So, I can Whitelist coNatHst.exe and no work-around for changing 22.5.2.15

    Um, what about default Command-Lines with cmd and rundll + wildcards...?

     
    Last edited: Jul 7, 2016
  11. guest

    guest Guest

It is up to you if you want to reduce security alerts for more comfort.
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Sorry, and sorry for being thick.
So, ERP's defaults can employ wildcards with cmd and rundll...... but I can't.... or shouldn't, or can't, or may, or ?
     
  13. guest

    guest Guest

You can, but it is pointless until you remove cmd & rundll from the vulnerable process list. I personally won't do that; security wins over comfort. If you can't handle alerts, shift to another product.
     
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
I don't get alerts for coNatHst.exe (Norton browser extension).
Since ERP's defaults employ wildcards with cmd and rundll,
I presumed I could....
I like Alerts, hence I have ERP in Alert Mode.
Once trained, Alert has been quiet for the trained items.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Same here. Contrary to the "silent type" I actually thrive on Alert Notifications especially with AUDIO!!!
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
Q: re Allow system protected. When I have "Allow system protected" checked,
does "Allow system protected" override Alert Mode alerts and/or Lockdown Mode alerts for Vulnerable Processes that are "system protected"?
Meaning, will I still get alerts for Vulnerable Processes with Allow system protected checked?
     
  17. guest

    guest Guest

    Yes.
     
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Good, W10 in-place upgrade has been throwing a lot more alerts than W8.1, even with whitelist running. So, I checked Allow system protected until W10 gets settled. Thanks!
     
  19. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    FWIW ~ here's my Vulnerable Processes. Easier for me to manage in ERP, then edit to other. Back to Lockdown Mode, allow system protected not checked, allow from programs files not checked, no trusted vendors ~ YMMV
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wscript.exe
    C:\WINDOWS\system32\cscript.exe
    C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\SysWOW64\rundll32.exe
    -10
    C:\Windows\SysWOW64\wscript.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
    C:\Windows\System32\vssadmin.exe
    C:\Windows\SysWOW64\vssadmin.exe
    C:\Windows\SysWOW64\bitsadmin.exe
    C:\Windows\System32\bitsadmin.exe
    C:\Windows\System32\bcdedit.exe
    C:\Windows\SysWOW64\mshta.exe
    -20
    C:\Windows\SysWOW64\mstsc.exe
    C:\Windows\System32\mshta.exe
    C:\Windows\System32\mstsc.exe
    C:\Windows\SysWOW64\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\reg.exe
    C:\Windows\SysWOW64\reg.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    C:\Windows\System32\DiskSnapshot.exe (blacklist)
    -30
    C:\Windows\System32\dmclient.exe (blacklist)
    C:\Windows\System32\CompatTelRunner.exe (blacklist)
    C:\Windows\System32\dstokenclean.exe (blacklist)
    C:\Windows\System32\setx.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.10586.486_none_7640e086266ea227\TiWorker.exe
    C:\Windows\System32\Defrag.exe
    C:\Windows\System32\MRT.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
    -40
    C:\Windows\SysWOW64\msra.exe
    C:\Windows\System32\msra.exe
    C:\Windows\SysWOW64\regini.exe
    C:\Windows\System32\regini.exe
    LUV to NVT
     
    Last edited: Jul 28, 2016
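A hand-maintained Vulnerable Processes list like the one above is easy to let drift: the same image can be pasted twice, a System32 entry can lack its SysWOW64 twin (so the 32-bit copy runs without a prompt), and a WinSxS path is pinned to one servicing-stack build and silently stops matching after the next update. The following is an added example, not NVT code or anything bjm_ posted; it runs the three checks over a constructed subset of that list (copied verbatim, including the "(blacklist)" tags and the repeated ngen.exe line). Whether a given System32 tool really has a SysWOW64 counterpart on your build is something to verify on the machine, which this script does not do.

```python
import re
from collections import Counter

# Constructed input: a subset of the Vulnerable Processes list posted above,
# pasted as-is with its "(blacklist)" annotations and duplicated ngen.exe entry.
VULNERABLE_LIST = r"""
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\bcdedit.exe
C:\Windows\SysWOW64\mshta.exe
C:\Windows\System32\mshta.exe
C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\System32\DiskSnapshot.exe (blacklist)
C:\Windows\System32\setx.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.10586.486_none_7640e086266ea227\TiWorker.exe
C:\Windows\System32\Defrag.exe
C:\Windows\System32\MRT.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\SysWOW64\msra.exe
C:\Windows\System32\msra.exe
"""

# Windows paths are case-insensitive, so every comparison is done on lowercase.
SYS32 = re.compile(r"^(c:\\windows\\)system32\\", re.IGNORECASE)
WOW64 = re.compile(r"^(c:\\windows\\)syswow64\\", re.IGNORECASE)


def parse_list(text):
    """Split the pasted list into entries, peeling off the '(blacklist)' tag."""
    entries, blacklisted = [], set()
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().endswith("(blacklist)"):
            line = line[: -len("(blacklist)")].rstrip()
            blacklisted.add(line.lower())
        entries.append(line)
    return entries, blacklisted


def audit(text):
    """Return duplicates, version-pinned paths and entries missing their
    System32/SysWOW64 twin, all as lowercase paths."""
    entries, blacklisted = parse_list(text)
    lowered = [e.lower() for e in entries]
    present = set(lowered)
    duplicates = sorted(p for p, n in Counter(lowered).items() if n > 1)
    # A WinSxS component directory embeds the package version; the next
    # servicing-stack update installs TiWorker.exe under a new directory.
    pinned = sorted(e for e in entries if "\\winsxs\\" in e.lower())
    unpaired = []
    for p in sorted(present):
        if SYS32.match(p):
            twin = SYS32.sub(r"\1syswow64\\", p)
        elif WOW64.match(p):
            twin = WOW64.sub(r"\1system32\\", p)
        else:
            continue  # .NET Framework/Framework64 and WinSxS are not paired here
        if twin not in present:
            unpaired.append(p)
    return {"duplicates": duplicates, "pinned": pinned,
            "unpaired": unpaired, "blacklisted": sorted(blacklisted)}


if __name__ == "__main__":
    for key, items in audit(VULNERABLE_LIST).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run it against your own exported list; anything under `unpaired` is worth checking for a 32-bit copy on the box, and anything under `pinned` will need re-adding after a cumulative update.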
  20. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @ bjm --- Thanks!!!
     
  21. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    work in progress > W10 has a few, o_O head scratch.
     
    Last edited: Jul 27, 2016
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
Q: what does ERP do when the same item is on more than one filter... e.g., Whitelist and Vulnerable?
Seems an item in Vulnerable may also be Whitelisted.
At least for me, e.g., > C:\Windows\SysWOW64\svr32.exe will add to Whitelist okay while also (and remains) in Vulnerable (same hash).
     
    Last edited: Jul 28, 2016
  23. guest

    guest Guest

    The vulnerable list "overrules" the Whitelist.
    Application = whitelisted + on the vulnerable list = Prompt
    Application = whitelisted + not on the vulnerable list = No prompt
     
  24. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
Thanks! And does Blacklist "overrule" Vulnerable? And are Whitelist / Blacklist either/or?
Edit: and with an item in Vulnerable, I may also add the item to Blacklist.
     
    Last edited: Jul 28, 2016
  25. guest

    guest Guest

    The Blacklist should have the highest priority (it's "final") :)
    If something is in the blacklist = blocked.
    Even if it's in the whitelist / vulnerable / whitelist command-lines list.
     
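The precedence that emerges from the replies above (blacklist is final; the vulnerable list overrules both the whitelist and the whitelisted command lines, which is why a wildcarded cmd.exe line still prompts; a plain or command-line whitelist match allows; anything else is blocked in Lockdown and prompted for in Alert Mode) can be written down as a small decision function. The block below is an added example that models those stated rules; it is not NoVirusThanks code and does not reproduce ERP's real matching engine. It assumes `*` matches any run of characters and `?` exactly one, that matching is case-insensitive, and that the `<` / `>` pipe redirections are compared as literal text. The sample events reuse the cmd.exe native-messaging line and the Norton and regsvr32 paths from this thread; the pipe suffixes and the "new version" Norton path are constructed, and the version-agnostic Norton pattern is a hypothetical one, not something the thread says ERP supports.

```python
import re

BLOCK, PROMPT, ALLOW = "BLOCK", "PROMPT", "ALLOW"


def wildcard_to_regex(pattern):
    """Translate an ERP-style pattern ('*' and '?' only) into an anchored,
    case-insensitive regex. Everything else is escaped, so backslashes,
    quotes and the '<' / '>' pipe redirections are matched literally."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out) + r"\Z", re.IGNORECASE | re.DOTALL)


def matches(pattern, command_line):
    return wildcard_to_regex(pattern).match(command_line) is not None


class ErpPolicy:
    """Decision order as described in the thread (modelled, not ERP's code)."""

    def __init__(self, mode, blacklist=(), vulnerable=(), whitelist=(), whitelist_cmdlines=()):
        self.mode = mode  # "Lockdown" or "Alert"
        self.blacklist = {p.lower() for p in blacklist}
        self.vulnerable = {p.lower() for p in vulnerable}
        self.whitelist = {p.lower() for p in whitelist}
        self.cmdline_patterns = [wildcard_to_regex(p) for p in whitelist_cmdlines]

    def decide(self, exe, cmdline):
        exe = exe.lower()
        if exe in self.blacklist:          # 1. blacklist is final
            return BLOCK
        if exe in self.vulnerable:         # 2. vulnerable overrules both whitelists
            return PROMPT
        if exe in self.whitelist:          # 3. whitelisted image
            return ALLOW
        if any(rx.match(cmdline) for rx in self.cmdline_patterns):
            return ALLOW                   # 4. whitelisted command line (wildcards)
        return BLOCK if self.mode == "Lockdown" else PROMPT  # 5. unknown


# --- constructed sample data; image paths are the ones quoted in the thread ---
CMD = r"C:\WINDOWS\system32\cmd.exe"
REGSVR32_WOW = r"C:\Windows\SysWOW64\regsvr32.exe"
COMPATTEL = r"C:\Windows\System32\CompatTelRunner.exe"
WEBSHIELD = r"C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe"
NORTON_ENGINE = r"C:\Program Files (x86)\Norton Security with Backup\Engine"
CONATHST = NORTON_ENGINE + r"\22.5.2.15\coNatHst.exe"

# Post 1's line with the two pipe-name suffixes and the extension id wildcarded.
WEBSHIELD_PATTERN = (CMD + r' /c "' + WEBSHIELD + r'" --parent-window=0 chrome-extension://*/ '
                     r'< \\.\pipe\chrome.nativeMessaging.in.* > \\.\pipe\chrome.nativeMessaging.out.*')
# One concrete launch (pipe suffix "1f3a" is made up).
WEBSHIELD_LINE = (CMD + r' /c "' + WEBSHIELD + r'" --parent-window=0 '
                  r'chrome-extension://glcimepnljoholdmjchkloafkggfoijh/ '
                  r'< \\.\pipe\chrome.nativeMessaging.in.1f3a > \\.\pipe\chrome.nativeMessaging.out.1f3a')
# Hypothetical version-agnostic pattern for the Norton host (not from the thread).
NORTON_PATTERN = r'"' + NORTON_ENGINE + r'\*\coNatHst.exe" --parent-window=0 *'


def build_policy(mode):
    return ErpPolicy(
        mode=mode,
        blacklist=[COMPATTEL],
        vulnerable=[CMD, REGSVR32_WOW, COMPATTEL],
        whitelist=[CONATHST, REGSVR32_WOW, COMPATTEL],
        whitelist_cmdlines=[WEBSHIELD_PATTERN, NORTON_PATTERN],
    )


def run_samples(mode="Lockdown"):
    p = build_policy(mode)
    new_conathst = NORTON_ENGINE + r"\22.6.0.1\coNatHst.exe"  # constructed future version
    return {
        "cmd_native_messaging": p.decide(CMD, WEBSHIELD_LINE),
        "conathst_whitelisted": p.decide(CONATHST, '"%s" --parent-window=0 chrome-extension://abc/' % CONATHST),
        "conathst_new_version_by_cmdline": p.decide(new_conathst, '"%s" --parent-window=0 chrome-extension://abc/' % new_conathst),
        "regsvr32_whitelisted_but_vulnerable": p.decide(REGSVR32_WOW, REGSVR32_WOW + " /s foo.dll"),
        "compattel_blacklisted": p.decide(COMPATTEL, COMPATTEL + " -m:appraiser.dll"),
        "unknown_download": p.decide(r"C:\Users\bjm\Downloads\setup.exe", "setup.exe /S"),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print("%-38s %s" % (name, verdict))
```

The first sample is the point of the exchange: the wildcard pattern does match the cmd.exe launch line, yet the verdict is still PROMPT, because the image is on the vulnerable list and that check runs before the command-line whitelist is consulted.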