New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    :confused: ;) Following my post #5339 and similar from @rpsgc in #5347, with @Peter2150's responses in #5340 and above #5349, I am still unsure which one should be used:
    1. 'Do not check if a process is signed (save bandwidth)' or
    2. 'Do not allow signed processes'
    I have checked 1, as I understand it to mean signed or unsigned processes are treated equally and not trusted.
    I do not understand 2. It almost sounds as if unsigned processes are allowed.
     
  2. hjlbx

    hjlbx Guest

What does the help file say about those settings?
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I did look there but could not find anything. It seems geared to the earlier stable version.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Just leave #1 checked and relax. You are overthinking it.
     
  5. @rpsgc

    Signed malware FUD
This is caused by security programs allowing signed malware without actually checking whether the signature is valid. When the validity of a signature is checked, all forged signatures will be revealed (hash incorrect). This is also the reason why Microsoft co-signs drivers in W10 and from W10AU requires new (more advanced) hashing to make a clean start with signed software again. These improvements will be pushed to Windows 7 and 8/8.1 next year also.

There are a few cases of Comodo (who else) selling valid signatures to cybernet criminals. Those cybernet criminals had piggybacked their software with some shareware and freeware offerings. The point is that those signed programs were from a fantasy-named vendor (because they can't use patented names like Microsoft, Intel, AMD, etc.). So when you tailor your trusted vendor list, you reduce the chance of running into such malware with a valid signature (simply because the malware vendor is not on the trusted vendors list).

    My guess/advice
"Do not check if a process is signed (save bandwidth)" probably checks the validity of a program signature (which costs bandwidth). So when you keep "Do not allow signed processes" on the default (meaning NVT auto-allows signed processes), you should also keep "Do not check if a process is signed" on the default value (so NVT checks the validity of the signature). When you keep those two settings on the default and tailor the "trusted vendors list" to the ones you have on your PC, the chance of signed malware intruding into your system is zero.

    Food for thought
The developer of NVT is a well-known security specialist. Do you seriously think that a man with such deep knowledge of security would develop and release a security program which would have serious security issues and would be vulnerable by default?
     
    Last edited by a moderator: Aug 17, 2016
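As an added illustration of the two-step decision rpsgc describes (first the signature must actually validate, then the signer must be on a vendor list you tailored), here is a PowerShell snippet; it is not NVT ERP's own code, and the vendor list and the tampered test copy are constructed for the example.

```powershell
# Added example, not NVT ERP's own code: emulate the decision behind
# "auto-allow signed processes". Step 1 verifies the signature really
# validates (a forged or tampered file does not come back as Valid);
# step 2 requires the signer to be on a vendor list you chose yourself.
# The vendor list below is a constructed sample; tailor it to your own PC.

$TrustedVendors = @(
    'Microsoft Windows',        # signer CN used on Windows system binaries
    'Microsoft Corporation'
)

function Test-TrustedSignedImage {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Vendors = $TrustedVendors
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Step 1: cryptographic validity and a chain to a trusted root.
    # Anything other than 'Valid' (NotSigned, HashMismatch, NotTrusted, ...) is denied.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Allow = $false
                                  Reason = "signature status is $($sig.Status)" }
    }

    # Step 2: a valid signature only proves who signed, not that you trust them.
    # SimpleName yields the certificate CN without hand-parsing the Subject string.
    $signer = $sig.SignerCertificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($Vendors -notcontains $signer) {
        return [pscustomobject]@{ Path = $Path; Allow = $false
                                  Reason = "valid signature, but '$signer' is not a trusted vendor" }
    }

    [pscustomobject]@{ Path = $Path; Allow = $true
                       Reason = "valid signature from trusted vendor '$signer'" }
}

# Usage: check a standard Windows binary and a copy of it with a byte appended.
# The copy's hash no longer matches what was signed, so its Status is not Valid.
$tampered = Join-Path $env:TEMP 'notepad_tampered.exe'
Copy-Item "$env:SystemRoot\System32\notepad.exe" $tampered -Force
Add-Content -Path $tampered -Value 'x' -Encoding ascii
"$env:SystemRoot\System32\notepad.exe", $tampered |
    ForEach-Object { Test-TrustedSignedImage -Path $_ } |
    Format-Table -AutoSize
```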
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks for clarifying re signed malware.
Regarding the Signed Processes setting: one can only select one or the other, i.e. it is not a question of multi-selection, at defaults ...
     
  7. rpsgc

    rpsgc Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    312
    Location:
    Portugal
    So you're saying that I should leave all settings at default values?
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
I discovered that if you have a short vulnerable processes list, the easiest way to rebuild it after a major Windows update is to right-click and choose "set to default" (last option at the bottom).
This will reset all the default processes to the new hash value. Then you can add or subtract as you wish, but at least the basic list will work.
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
What if you chose to block a file, and then you clicked on "ignore"? How do you undo the ignore?
     
  10. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Settings - Notifications - "Manage Excluded Processes"
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
NVT is easily doing its usual bang-up job on my 8.1 just as it is, and will be resident for the remainder of my 8.1 until something gives out.
     
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
When installing a new program, which of the default vulnerable processes can I expect to see?
I already know that I will see a lot of regsvr.
What other processes are not suspicious during installation?
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Assuming you trust the program, just use install mode. Otherwise that is a question that can't be answered. It just depends on the program.
     
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
I heard that some programs now use PowerShell during installation. Ever hear of that?
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
Allow me to clarify my question.
If you trust the program, and you use install mode, you aren't really gaining any protection from ERP.
And if you don't trust the program, and don't install it, you don't need to be protected from it.
So, aside from those browser exploits that use unpatched vulnerabilities in Java and Flash, which will rarely affect you if you have a good browser that is up to date, how does ERP actually help you?
     
    Last edited: Aug 25, 2016
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Okay, let me clarify. There is a middle road between your two sides. Say there is a program that I don't have a sure reason to distrust, but I want to install. Then I won't use install mode; I will stay in alert mode. If I was installing and saw PowerShell, I'd block it and abort the install.

Also, given the conditions you cite you are right, but what happens if I am tired and miss something? Then when ERP challenges it there is another opportunity to catch it.
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
Thanks, that makes sense.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
That's the whole point of ERP, to mainly protect against exploits. It can also be used to prevent other people from installing apps on shared PCs.
     
  19. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
It should be effective also in stopping the payload, which often arrives delayed, or after a reboot.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
There is another big use for me, and that is watching installers. I've installed things that had OpenCandy in them and just blocked the executables from OpenCandy. It's also interesting to see how some valid, but bloated, programs install way too much stuff. It just gives me a look at what is going on my system. If I end up not liking it, hello Macrium.
     
  21. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Question - does ERP ever go out to the internet? Does it ever check any network traffic? I don't think so, but would like an expert answer because I'm investigating something else unrelated.
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    I tried that out, it's good!
     
  23. guest

    guest Guest

ERP doesn't block DLLs (and today it is one of the biggest threats), which is why SOB was created. So ERP is quite useless to me as main protection; I see it now only as a complementary anti-exe. The software is outdated, underdeveloped (not to say abandoned) and nowadays it can't keep pace with others like AppGuard and co.
     
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
What blocks the DLLs?
     