New Antiexecutable: NoVirusThanks EXE Radar Pro

BTW, here are some links to examples of common - Top 10 for 2021 - ransomware analysis:

https://www.welivesecurity.com/2016/04/04/analysis-of-the-locky-infection-process/

https://www.bitdefender.com/files/News/CaseStudies/study/154/Bitdefender-Whitepaper-GoldenEye.pdf

https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/

https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack

They all utilize either scripting, such as .vbs or .js, or rundll32.exe to launch the malicious executable or DLL. OSArmor provides the protections to stop these initial stages in the attack chain, and with SRP (Software Restriction Policies) enabled, unauthorized executables are prevented from launching in userspace directories where they are typically dropped. And in the case of malicious Word documents in phishing emails, macros should be disabled by default, and even if allowed, the malicious script or rundll32.exe command line should be prevented.

 

Actually now that I think about it. Perhaps what I said about ERP being more secure than OSA, isn't even true. Because once a user gets tricked into downloading malware and AV's says the file is clean, he/she will allow it to run anyway, so whitelisting won't help. And as said before, OSA is designed to block exploits, so you don't need whitelisting for this either.

 

This is actually crucial. Anyone determined to run an executable can and probably will bypass the AE's defenses, and the same goes for OSA or similar security utilities. The final line of defense lies with the user, especially if antivirus scans fail.

But what I was trying to clarify in my above posts is that OSA is far more effective than it's given credit for, as long as several of the key additional protections are enabled.

 

Is NVT's anti exec redundant with OSA?

 

For the home user using OSA and some basic SRP measures, I think so, unless one wants to control which programs are allowed to be run on their device, in which case an anti executable could play a useful role in this capacity.

 

That's exactly why I have always been interested in ''post execution'' security tools. AV's should identify and block malware from running, but what if they fail to do so? Then you will have to rely on your second line of defense, with tools like OSA, SpyShelter and AppCheck for example.

 

Being nothing more than a rank beginner amateur in the field of malware infections, the following is my assessment:

Taken from the following link which is an analysis of Locky ransomware: https://blog.avast.com/a-closer-look-at-the-locky-ransomware

There is social engineering (user is tricked into enabling macros) and scripting used in the initial stages to launch the malicious binary.

1. There has to be (should be) some responsibility upon the user to be suspicious of the email content, and avoid a click-happy response.
2. failing the above, **SRP should prevent the script from launching the binary.
3. failing 2 for some reason, SRP should prevent the binary from executing from user space, except the user's %TEMP% directory, where they are typically allowed to run so programs can be installed.

It looks like Locky drops it into this folder, so it would probably succeed in compromising the victim at this stage.

** Before posting this, I realized it is SRP preventing the sample scripts I have from launching in my setup. Either way, with basic SRP and something like OSA, one or the other should prevent the scripts from running.

The first screenshot shows SRP preventing the .VBS script:



After temporarily disabling SRP from within Hard_Configurator, the same script is now prevented by OSA:



Here is the command line taken from OSA logs where the script attempts to launch a common LOLBin wscript.exe: Command Line:

Edit: sorry other way around. Wscript->.vbs script

"C:\WINDOWS\System32\WScript.exe" "C:\Users\username\Desktop\ClsTS.vbs"

 

There's a layered defense to Windows. SRP and an anti executable will kick in first for disallowed exes and processes and if that's somehow bypassed, your AV/AR should detect them and remove them.

The most important factor in PC security is human common sense and never to download anything from an untrusted site, if your browser security extension doesn't already block you from going there.

Prevention beats a cure every time.

 

Now that I think of it, why are hackers using malicious Office documents, is it to bypass AV protection? You would think they could simply mail the malware directly to users and convince them to open it. It's perhaps a silly question, but I don't read that many of these kind of articles anymore, I mean are people still so dumb to fall for this? And besides, AV's should block these samples easily, at least you would hope so.

 

I think so. The .vbs file is obfuscated, and I think that's what makes it hard to detect by the AV's. And my guess is binary files can't be obfuscated?

 

Personally I for one would enjoy seeing ERP really ramped up and not just your ordinary basic upgrade. The app is NOT insignificant by any stretch and holds it's compliment of effective protection/prevention very well in spite of it's seemingly complexity to some. Some overlook it as too configurable laden but that is the best part of it because once you set it to choice, then it really goes into action and is not noisy when you know where to look.

 

Has anyone experimented with this on Windows 11 yet? Last time I tried it in Windows 10, startup was so prolonged I was like: that's it.

I love the concept of ERP. I would use this plus OSArmor with fewer rules enabled than now.

On the website it says "Version 4 coming soon." Could someone give a less vague ETA?

 

Not really. The last v4 Beta release was January 2019: https://malwaretips.com/threads/exe-radar-pro-v4-beta.80310/page-15#post-790944

Perhaps Andreas ( @novirusthanks ) can shed some light on this?

 

Now that I think of it, I'm guessing that .exe files delivered via email are blocked from running in companies. So that's why they a trying to abuse Office documents, but this can also easily be blocked via process execution control, like you said.

 

ERP v4 didn't work correctly for me on Win 10 either. But wait a minute, I now see that strangely enough ERP v3 is still being offered for download on the NVT website, and it's supposed to be compatible with Win 10? I believe NVT should correct this ASAP, because it simply isn't true.

https://www.novirusthanks.org/products/exe-radar-pro/

 

On some Windows 10/11 systems, its buggy. Hasn't beem

No. The only other anti exe compatible with Windows 10/11 are VS and SAP.

 

Exactly. I find it curious that ERP was promised here and there to be updated to be more compatible but those promises never materialize. Must be some special considerations we're not privy to, otherwise we would have received a new version by now. One just has to be patient, I guess.

Yes, thanks, my experience pretty much also. Slowed startup in particular.

 

Strange. on the only Windows 10 I have, a Dell with the latest hardware specs, ERP 4 is working just fine. It alerts as expected especially cmd.exe which a Dell Assist uses to update it's pieces on occasion. I always examine the origin and destination on the prompt to be sure whether to allow or not. Obviously I have that file in the Vulnerable List set to ASK.

All the way around ERP 4 works well on my 10 and to be honest with WVSX and DefenderUIPro it's probably overlayered with more than enough security.

 

I think it makes NVT look bad, he should either make sure that ERP 3 and 4 work correctly on Win 10 and 11, or simply remove it from the website, especially since it's not freeware.

Perhaps it depends on the Win 10 version that you're using, I'm using 1909.

 

Windows 11 goes by build numbers.

 

That's the users fault and not ERP. I am positive that ERP will intercept more attacks than OSA when configured correctly because it denies everything that is not specifically whitelisted and it's command line monitoring can do anything that OSA can do. I am monitoring some very key vulnerable executables which were not monitored by OSA by default the last time I checked ( I have not checked OSAs command line monitoring for about 2 years). I'm not saying OSA is not a good product because I think it is an excellent product, but i choose ERP for a higher level of security.

If the user allows malicious files to execute after being prompted then maybe ERP is not for them. I am well capable of knowing malicious behavior from normal system behavior or just some application attempting to do something it needs to do to function correctly. There is a very low chance of an attacker tricking me into allowing something malicious. I have an Associates Degree in Information Security and I have two semesters left before I complete my bachelors degree. I also have 20 years of beta testing security software, so I think you get the point. Also, ERP blocks by default in Lock-Down Mode instead of prompting the user, which I occasionally use.

If you do a good job at configuring ERP then you will receive very few prompts. I had to whitelist 2 command lines for my VPN using Wildcards and I had to use 2 digital certificates so ERP would not interfere with some of my firmware. I use a total of 10 digital certificates, but I don't necessarily need all 10. I only remember receiving 2 prompts from ERP in the last 2 1/2 months.

I should note that I removed route.exe, net.exe, net1.exe, and netsh.exe from the vulnerable process list because having those on the list will surely cause problems for users of VPNs, especially route.exe and netsh.exe. Monitoring command lines for those executables could cause your VPN to leak or completely fail in some cases.

Edited: 09/10 @ 6:34

 

That's potentially good info to be made aware of for user's of ERP in this instance. Thanks

 

My point is that OSA is designed to block malware from either running at all, or to block them from using so called LOLBins (see link) without the need for whitelisting. So if file-based malware gets delivered via exploit, it will be blocked. And if a user runs malware by mistake, it will be blocked in stage 2 of the attack. So my point is, you don't need whitelisting per se for extra security.

https://lolbas-project.github.io

 

Agreed. For instance, here's a recent phishing threat that uses MS Appinstaller to install a malicious executable payload disguised to look like an Adobe component:

https://www.zdnet.com/article/bazarloader-now-abuses-windows-10-app-feature-in-call-me-back-attack/

The targeted victim actually has not one, but two opportunities to prevent this attack if they are reasonably knowledgeable about email threats:

1. they can hover the mouse pointer over the link to see the prefix "ms-appinstaller". - first red flag
   
2. they are asked to allow the installation of "Adobe PDF component". - second red flag

The above opportunities are there without the help of security programs.

Of course there are not so knowledgeable click-happy users all over, so 3rd-party security can come into play. OSA has just added the protection against the malicious use of MS appinstaller:




This alert will occur before an anti-executable leaps into action. If this protection is not in play, then of course the anti-executable comes into play when the malicious PE (portable executable) attempts to install.

The point in this example is that the anti-executable is the last line of defence. Not that this is a bad thing, but that this type of threat or similar can be stopped much earlier in the attack chain of events.

 

Far be it from me to make any mention on OSA since it's really a strong program and growing.
Yet for example on my Windows 10 ERP Radar Pro Beta 4.0 last known version really is another cog in my security scheme. With WVSX AND some overlap using in combo AppCheck all in all, ERP Radar Pro is masterful in interrupting for one 'Magniber' and a few other notorious ransomware's I turned loose. I like to think of it as a first line electric fence and the dog gone ERP 4.0 jumps at the first sign of activation from processes, system files signed or unsigned others. It's for the time being my go-to HIPS of sorts and even when a malware jumps a code in an attempt that triggers the AV real-time protection, that dropper or jumper's origin process is already suspended by ERP 4.0. The granularity of ERP makes it a nice addition on my setups. Sure there are clever methods that unleash when a process is detected but ERP suspends matters allowing the (knowledgeable) user to react to the alert and trace the offender to it's path & file. ERP 4 was never meant to be the end all of course, but even after all these years the thing still offers me impressive results as a current day security help that's a very useful compliment. No malware developer bothers with such 3rd party inventions since their chief aim is to bypass a popular AV or LoLBins, but when they run into other levels of monitoring like ERP, they are suddenly abruptly. For a left behind program it still holds it's own even on Windows 10.