New Antiexecutable: NoVirusThanks EXE Radar Pro

Cutting_Edgetech · Nov 19, 2018

__Nikopol said: ↑

@novirusthanks You could use MD5 instead of SHA1 for the hashes. This saves a few seconds with big files, like installers.
Or better yet: Try the new xxHash32/64. It's as fast as RAM speeds: 6.8 GB/s / 13.8 GB/s, compared to SHA1s measily: 0.28 GB/s
But have an option to calculate SHA1 and maybe others with a click so that we can compare them.
Click to expand...

Many of us long time users requested that SHA-1 or SHA-256 be used. That's why he changed from using MD5. There's a very slight chance of MD5 collisions outside the lab in the near future.

Edited: 11-19-18 @ 11:39

__Nikopol · Nov 19, 2018

Cutting_Edgetech said: ↑

Many of us long time users requested that SHA-1 or SHA-256 be used. That's why he changed from using MD5. There's a very slight chance of MD5 collisions outside the lab in the near future.
Click to expand...

This is overkill. It is a totally unrealistic attack scenario that someone is going to through the lengths to create a working malicious executable that has the same MD5 hash and still works. You have to make the file executable. And maybe that starting point is where it gets impossible to find a file that has the same hash as the original, and that isn't suddenly 100 MB big due to all the random bytes.
Also, better use sha-512 instead 256. It's two times as fast as 256 in 64bit systems, and nobody should really still be using 32bit OSs.

xxHash or similar should be enough. It's just a database thing and should have nothing to do with security.

BananaMoe · Nov 20, 2018

novirusthanks said: ↑

Correct, ven if ERP is disabled, it has to calculate process hash and other details to show them in the Events tab.
Click to expand...

Well, would it make sense to have a "Disable Completely" mode to match the old behaviour from ERP3?

Cutting_Edgetech · Nov 22, 2018

__Nikopol said: ↑

This is overkill. It is a totally unrealistic attack scenario that someone is going to through the lengths to create a working malicious executable that has the same MD5 hash and still works. You have to make the file executable. And maybe that starting point is where it gets impossible to find a file that has the same hash as the original, and that isn't suddenly 100 MB big due to all the random bytes.
Also, better use sha-512 instead 256. It's two times as fast as 256 in 64bit systems, and nobody should really still be using 32bit OSs.

xxHash or similar should be enough. It's just a database thing and should have nothing to do with security.
Click to expand...

There's not enough impact using SHA-1 vs MD5 to bother me. I haven't ever experienced a collision with MD5, only MD4, but I prefer we use SHA-1, that's my preference.

Yes, SHA-512 performs better than SHA-256. I wasn't aware of that a few years back when I suggested it.

Edited: 11/22/18 @ 11:27

Floyd 57 · Nov 22, 2018

Cutting_Edgetech said: ↑

Virus Total uses SHA-256. That's why 256 was recommended as a possible choice, in case the developer decided to use VT with the application. There's not enough impact using SHA-1 vs MD5 to bother me. I haven't ever experienced a collision with MD5, only MD4, but I prefer we use SHA-1, that's my preference.
Click to expand...

I actually like NVT ERP precisely (not just cuz ofc) because it doesn't use VT... Voodooshield was so much slower with it scanning each process. So toggle option would be best

Cutting_Edgetech · Nov 22, 2018

Floyd 57 said: ↑

I actually like NVT ERP precisely (not just cuz ofc) because it doesn't use VT... Voodooshield was so much slower with it scanning each process
Click to expand...

I don't think you have to use SHA-256 with VT for it to work. I thought you did at the time, but they also calculate the MD5, and SHA-1 hashes so i'm not sure what they require if you use their API.

Cutting_Edgetech · Nov 22, 2018

Btw.. The only way I like using VT is on-demand, it does have a big impact when compared to not using it at all.

Mr.X · Nov 22, 2018

Sharing my new vuln proc rules, based on Florian's list:

Code:

<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Xwizard.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = xcacls.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Wscript.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wmic.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = windbg.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wbemtest.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Wab.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = vssadmin.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = vsjitdebugger.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = visualuiaverifynative.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = vbc.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = utilman.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = UserAccountControlSettings.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Tracker.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = te.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = taskkill.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = takeown.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = systemreset.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = syskey.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = SyncAppvPublishingServer.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Stash.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = SQLToolsPS.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Sqlps.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Sqldumper.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = setx.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = set.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = sdclt.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = sdbinst.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Scriptrunner.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = script.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = scrcons.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = schtasks.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = sc.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = runscripthelper.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = runonce.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = RunLegacyCPLElevated.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Rpcping.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Replace.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = regsvr32.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Regsvcs.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Register-cimprovider.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = regini.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Regedit.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = RegAsm.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = reg.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = rcsi.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = quser.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Print.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = PresentationHost.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell_ise.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Pcwrun.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Pcalua.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = odbcconf.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ntsd.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ntkd.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = netstat.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = netsh.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = msxsl.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mstsc.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = msra.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mspub.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = msiexec.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mshta.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Msdt.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Msdeploy.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = MSBuild.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mmc.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Msconfig.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Microsoft.Workflow.r.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Microsoft.Workflow.Compiler.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Mftrace.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Mavinject.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Makecab.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = lpkinstall.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = kd.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = jsc.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = js.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = journal.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = InstallUtil.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = infdefaultinstall.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ilasm.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = iexpress.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = iexplore.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = IEExec.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Ie4unit.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = hh.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Gpscript.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = fsiAnyCpu.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = fsi.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Forfiles.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Findstr.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = eventvwr.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Extrac32.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Extexport.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Expand.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Esentutl.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Dxcap.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dnx.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Dnscmd.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Diskshadow.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = diskpart.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = DFsvc.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = debug.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dbgsvc.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dbghost.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cvtres.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = csi.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Cscript.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = csc.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Control.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Cmstp.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Commit.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = CmdTool.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Cmdkey.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cmd.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = certutil.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cdb.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cacls.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ByteCodeGenerator.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootsect.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootim.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootcfg.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bitsadmin.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bginfo.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bcdedit.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bcdboot.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bash.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = auditpol.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = attrib.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Atbroker.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = at.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = aspnet_compiler.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = appvlp.exe] [Action = Ask]</> <enabled>1</> <comment></>

__Nikopol · Nov 22, 2018

Cutting_Edgetech said: ↑

There's not enough impact using SHA-1 vs MD5 to bother me.
Click to expand...

Not much, no. But if he'd use xxHash there would be no impact at all. And maybe that is causing all the delays people describe.

paulderdash · Nov 23, 2018

Mr.X said: ↑

Sharing my new vuln proc rules, based on Florian's list:
Click to expand...

Thanks @Mr.X

Mr.X · Nov 23, 2018

paulderdash said: ↑

Thanks @Mr.X
Click to expand...

You're welcome.

Cutting_Edgetech · Nov 23, 2018

It may be a good ideal to change wevtutil.exe from deny to ask. Microsoft Office ClickToRun uses wevtutil.exe. I just had it blocked 5 times in a row. The maintenance task it was running could not continue after that. Below are the ClickToRun command lines I was initially prompted for before wevtutil.exe was blocked. The event log is attached below.

schtasks.exe /Create /tn "Microsoft\Office\OfficeBackgroundTaskHandlerLogon" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeBackgroundTaskHandlerLogon.xml"
schtasks.exe /Create /tn "Microsoft\Office\OfficeBackgroundTaskHandlerRegistration" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeBackgroundTaskHandlerRegistration.xml"
schtasks.exe /Create /tn "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml"

Using Windows 10 x64 Pro, and ERP build 31.

shmu26 · Nov 27, 2018

Mr.X said: ↑

Sharing my new vuln proc rules, based on Florian's list:

Code:

<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Xwizard.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = xcacls.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Wscript.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wmic.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = windbg.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wbemtest.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Wab.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = vssadmin.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = vsjitdebugger.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = visualuiaverifynative.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = vbc.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = utilman.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = UserAccountControlSettings.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Tracker.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = te.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = taskkill.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = takeown.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = systemreset.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = syskey.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = SyncAppvPublishingServer.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Stash.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = SQLToolsPS.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Sqlps.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Sqldumper.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = setx.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = set.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = sdclt.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = sdbinst.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Scriptrunner.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = script.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = scrcons.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = schtasks.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = sc.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = runscripthelper.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = runonce.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = RunLegacyCPLElevated.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Rpcping.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Replace.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = regsvr32.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Regsvcs.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Register-cimprovider.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = regini.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Regedit.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = RegAsm.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = reg.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = rcsi.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = quser.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Print.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = PresentationHost.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell_ise.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Pcwrun.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Pcalua.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = odbcconf.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ntsd.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ntkd.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = netstat.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = netsh.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = msxsl.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mstsc.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = msra.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mspub.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = msiexec.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mshta.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Msdt.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Msdeploy.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = MSBuild.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mmc.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Msconfig.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Microsoft.Workflow.r.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Microsoft.Workflow.Compiler.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Mftrace.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Mavinject.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Makecab.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = lpkinstall.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = kd.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = jsc.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = js.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = journal.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = InstallUtil.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = infdefaultinstall.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ilasm.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = iexpress.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = iexplore.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = IEExec.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Ie4unit.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = hh.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Gpscript.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = fsiAnyCpu.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = fsi.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Forfiles.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Findstr.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = eventvwr.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Extrac32.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Extexport.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Expand.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Esentutl.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Dxcap.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dnx.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Dnscmd.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Diskshadow.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = diskpart.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = DFsvc.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = debug.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dbgsvc.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dbghost.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cvtres.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = csi.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Cscript.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = csc.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Control.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Cmstp.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Commit.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = CmdTool.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Cmdkey.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cmd.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = certutil.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cdb.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cacls.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ByteCodeGenerator.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootsect.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootim.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootcfg.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bitsadmin.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bginfo.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bcdedit.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bcdboot.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bash.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = auditpol.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = attrib.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Atbroker.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = at.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = aspnet_compiler.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = appvlp.exe] [Action = Ask]</> <enabled>1</> <comment></>

Click to expand...

Hi @Mr.X, does this list stand on its own, or does it supplement your AppGuard protection?
Really I am asking like this: if you didn't use any other advanced security app, is there something you would add to this list?

Mr.X · Nov 27, 2018

shmu26 said: ↑

Hi @Mr.X, does this list stand on its own, or does it supplement your AppGuard protection?
Really I am asking like this: if you didn't use any other advanced security app, is there something you would add to this list?
Click to expand...

Stands on its own. Nothing handled by AppGuard for vuln proc.
Nothing to add to this list for the time being until Florian releases a new one.

Note that this list still have there deprecated processes Florian removes on newer lists. I don't care I leave them because they could come back in the future, who knows. This list covers, not that sure, Windows 7, 8.1, 10+, so anyone can use it on any Windows versions now. I mean it won't hurt to have them all in a Vuln Proc category even if one version does not have some exes and others have.

My list is not path or hash dependent as you already seen. I think ERP could block and alert any run attempt from any location or file hash.

Floyd 57 · Nov 27, 2018

Cutting_Edgetech said: ↑

It may be a good ideal to change wevtutil.exe from deny to ask. Microsoft Office ClickToRun uses wevtutil.exe. I just had it blocked 5 times in a row. The maintenance task it was running could not continue after that. Below are the ClickToRun command lines I was initially prompted for before wevtutil.exe was blocked. The event log is attached below.

schtasks.exe /Create /tn "Microsoft\Office\OfficeBackgroundTaskHandlerLogon" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeBackgroundTaskHandlerLogon.xml"
schtasks.exe /Create /tn "Microsoft\Office\OfficeBackgroundTaskHandlerRegistration" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeBackgroundTaskHandlerRegistration.xml"
schtasks.exe /Create /tn "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml"

Using Windows 10 x64 Pro, and ERP build 31.
Click to expand...

Why are you complaining, NVT dev is doing you a favor by blocking MS Office

Mr.X said: ↑

I think ERP could block and alert any run attempt from any location or file hash.
Click to expand...

Or, you know, any process

Cutting_Edgetech · Nov 29, 2018

Floyd 57 said: ↑

Why are you complaining, NVT dev is doing you a favor by blocking MS Office
Click to expand...

LOL, I have to use it for school and work.
What office suite do you use?

Floyd 57 · Nov 29, 2018

Cutting_Edgetech said: ↑

LOL, I have to use it for school and work.
What office suite do you use?
Click to expand...

School and work LUL, they're overrated anyway

Recently, like in a long time, I haven't needed to create or edit any office-related stuff, I use google drive for viewing. Get the link of the file, add drive.google.com/viewerng/viewer?url= before it, and voila. For local files, go to drive.google.com, upload your file by either dragging it or by clicking New, and then you can view it. Infinitely more convenient (and secure) than installing bloated MS Office

Cutting_Edgetech · Nov 29, 2018

I also use Google Docs from time to time. It really just depends on who i'm corresponding with.

__Nikopol · Dec 2, 2018

I got this error after ERP blocked something. The program didn't crash though and everything was fine.

mike83 · Dec 3, 2018

If I understand correctly, It seems that NVT ERP does not have an "Admin bypass" option similar to what the native Windows SRP has. I wonder if anyone has suggested adding this as a feature into ERP 4.0 as one of the ON/OFF settings?

Or has this idea already been discussed and abandoned? I tried searching this thread but did not find anything related - and I considered reading thru all 298 pages a bit too much of a job...

Floyd 57 · Dec 3, 2018

mike83 said: ↑

If I understand correctly, It seems that NVT ERP does not have an "Admin bypass" option similar to what the native Windows SRP has. I wonder if anyone has suggested adding this as a feature into ERP 4.0 as one of the ON/OFF settings?

Or has this idea already been discussed and abandoned? I tried searching this thread but did not find anything related - and I considered reading thru all 298 pages a bit too much of a job...
Click to expand...

If this is the path you want to take... then you can already use the "allow X" options on the back, that should cover like 98% of the "admin" programs (ofc can vary wildly, if you have a folder on your desktop full of unsigned admin-requiring tools, then yeah)

mike83 · Dec 3, 2018

Ok, that may be the solution... or not, I don't know yet.

I wonder if there is some documentation available describing what e.g. "Allow known safe process behaviors" or "Allow System Files" exactly mean?

My point was not focused on allowing specific "admin progams", but instead on allowing "processes with admin privileges" as specified within SRP ("bypass for local administrators"; I guess probably meaning high/system integrity levels).

I'm not sure what the "Allow X"s mean in ERP - do they allow specific programs to be executed (regardless of who is trying to execute them), or do they allow programs to be run only by local administrators?

Floyd 57 · Dec 3, 2018

mike83 said: ↑

Ok, that may be the solution... or not, I don't know yet.

I wonder if there is some documentation available describing what e.g. "Allow known safe process behaviors" or "Allow System Files" exactly mean?

My point was not focused on allowing specific "admin progams", but instead on allowing "processes with admin privileges" as specified within SRP ("bypass for local administrators"; I guess probably meaning high/system integrity levels).

I'm not sure what the "Allow X"s mean in ERP - do they allow specific programs to be executed (regardless of who is trying to execute them), or do they allow programs to be run only by local administrators?
Click to expand...

I'm not sure exactly how it works, you can test it yourself, I don't use any of the "Allow X" stuff, but if I know the dev well, he made it so that the "Allow X" options override the other rules. The known safe process behaviors is just a list of hardcoded rules that the dev continuously updates for common software, to avoid common false-positives. Allow system files is likely anything from C:\Windows, or maybe a combination of folders such as C:\Windows\System32, C:\Windows\SysWOW64 etc. again you can test this yourself

ERP either blocks or allows process execution based on a certain criteria (or asks you), "who" is trying to execute them in this case is the parent process (path, hash, signer), but there is no criteria for "parent process integrity level"

@novirusthanks Ideally, in the future the parent process will also have a name criteria, and integrity level criteria, maybe even a cmdline criteria (what cmdline was the parent process launched with when it was a child process), obviously you can't apply cmdline criteria to an already running process otherwise

And all of the above, as well as more, are the reasons why I use the what I like to call "God mode", where all of the options "Allow ..." are unchecked and you decide what to do for each and every process (as long as it starts after ERP's driver) using Alert Mode

guest · Dec 3, 2018

Floyd 57 said: ↑

[...] he made it so that the "Allow X" options override the other rules. Allow system files is likely anything from C:\Windows, or maybe a combination of folders such as C:\Windows\System32, C:\Windows\SysWOW64 etc.
Click to expand...

Not everything in C:\Windows\* is allowed if "Allow System Files" is ticked.
Regarding System Files:

mood said: ↑

Not all files located in C:\Windows\* or in subdirectories are automatically System files.
A Windows API is used to find out if a file is a System file:

novirusthanks
We use a Windows API to know if a process is a system file, some processes even if located on C:\WINDOWS\System32\ they are not considered system files by the API. We may add additional custom checks to identify a process as a system file probably.
#6247
Click to expand...

Click to expand...

And "Allow X" options are not overriding all other rules. Ask/Deny rules still have a higher priority.

Floyd 57 · Dec 3, 2018

There are so many ways and APIs that "check" if a process is a system one, who knows that the dev is using, we can only hope he has implemented it well (well, I don't have to hope, cuz I don't use that)

Log in or Sign up

New Antiexecutable: NoVirusThanks EXE Radar Pro

Cutting_Edgetech Registered Member

__Nikopol Registered Member

BananaMoe Registered Member

Cutting_Edgetech Registered Member

Floyd 57 Registered Member

Cutting_Edgetech Registered Member

Cutting_Edgetech Registered Member

Mr.X Registered Member

__Nikopol Registered Member

paulderdash Registered Member

Mr.X Registered Member

Cutting_Edgetech Registered Member

Attached Files:

wevtutil.jpg

RadarPro.Events.2018-11-23.log

shmu26 Registered Member

Mr.X Registered Member

Floyd 57 Registered Member

Cutting_Edgetech Registered Member

Floyd 57 Registered Member

Cutting_Edgetech Registered Member

__Nikopol Registered Member

mike83 Registered Member

Floyd 57 Registered Member

mike83 Registered Member

Floyd 57 Registered Member

guest Guest

Floyd 57 Registered Member

Log in or Sign up

New Antiexecutable: NoVirusThanks EXE Radar Pro

Cutting_Edgetech Registered Member

__Nikopol Registered Member

BananaMoe Registered Member

Cutting_Edgetech Registered Member

Floyd 57 Registered Member

Cutting_Edgetech Registered Member

Cutting_Edgetech Registered Member

Mr.X Registered Member

__Nikopol Registered Member

paulderdash Registered Member

Mr.X Registered Member

Cutting_Edgetech Registered Member

Attached Files:

wevtutil.jpg

RadarPro.Events.2018-11-23.log

shmu26 Registered Member

Mr.X Registered Member

Floyd 57 Registered Member

Cutting_Edgetech Registered Member

Floyd 57 Registered Member

Cutting_Edgetech Registered Member

__Nikopol Registered Member

mike83 Registered Member

Floyd 57 Registered Member

mike83 Registered Member

Floyd 57 Registered Member

guest Guest

Floyd 57 Registered Member

Useful Searches