New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. newbino

    newbino Registered Member

    Thanks Lockdown!
     
  2. Rasheed187

    Rasheed187 Registered Member

    BTW, can you please implement a strict "parent-child process control" feature? This means that apps shouldn't be allowed to run the browser or explorer and svchost.exe as a child process. And BTW, I have decided to remove msiexec.exe from the "vulnerable apps" list, because even in "Install Mode" you keep getting alerts about it, so now it's monitored by Sandboxie.
     
  3. Peter2150

    Peter2150 Global Moderator

    I'll respond in the opposite: Andreas, please keep it an AE and not a HIPS.
     
  4. Rasheed187

    Rasheed187 Registered Member

    We already spoke about this, ERP is all about process control, so this feature makes sense. It's more of an AE than a HIPS feature. Plus it would help against malware that is using process hollowing and network leakage to bypass HIPS, AV and firewall. It should also be optional for people who don't need it.
     
  5. Peter2150

    Peter2150 Global Moderator

    Well I am for leaving it up to Andreas
     
  6. Rasheed187

    Rasheed187 Registered Member

    To clarify, it wouldn't cause any annoyance, because it wouldn't work any different than the "vulnerable processes" feature. The only difference is that ERP should be programmed to only allow explorer.exe, services.exe and svchost.exe to launch other system tools and the browser. Of course, so called "multiple process" browsers should also be allowed to run their own child process browser.
     
  7. guest

    guest Guest

    Something like this:
    * Chrome.exe is allowed to execute Chrome.exe, all other processes are blocked.
    * Sumatrapdf.exe isn't allowed to execute other applications.
    Or:
    * Chrome can execute other applications except applications in the c:\windows\-directory.
    * Applications in C:\Program Files\* aren't allowed to execute applications in C:\Windows\*

    Btw.: SOB is already able to do this.
    First we create a block-rule to disallow chrome.exe from opening all other processes (*), then we create an exclude-rule (chrome.exe can only execute chrome.exe, and both must be digitally signed by Google):
    Code:
    Block-rule:
    [%PROCESS%: *] [%PARENTFILENAME%: chrome.exe]
    Exclude-rule:
    [%PROCESS%: *\chrome.exe] [%FILESIGNER%: Google Inc] [%PARENTFILENAME%: chrome.exe] [%PARENTSIGNER%: Google Inc]
     
  8. guest

    guest Guest

    In fact I'm more excited to get a GUI-based SoB than a new ERP :D
     
  9. Peter2150

    Peter2150 Global Moderator

    Patience, but I know it's exciting to have Andreas back working on this stuff.
     
  10. guest

    guest Guest

    Yes, at least we know he is still alive, lol.
     
  11. act8192

    act8192 Registered Member

    Yes!! I like this pattern best.
     
  12. EASTER

    EASTER Registered Member

    That might actually bring my own self back to SOB again. Just can't help it.

    GUI anything gets top billing for my safety apps and after all NVT does fashion them quite well in this department IMO.
     
  13. guest

    guest Guest

    Me too :)
    The syntax will be a little bit different, but rules in the coming version of ERP can be enabled/disabled with a simple mouse-click and: "- All will be focused in a super easy way to manage rules" :thumb:
     
  14. Mr.X

    Mr.X Registered Member

    I think both ideas are great. New ERP written from scratch and new SOB gui based. I hope Andreas can make our wish come true.
     
  15. novirusthanks

    novirusthanks Developer

    @mood

    ERP will use SHA-256 hash.

    @Rasheed187

    With the new ERP's rules structure you can do that like this:

    Code:
    [proc.parent = "*\chrome.exe"] [proc.signer = "Google Inc."] [proc.action = "allow"]
    [proc.parent = "C:\WINDOWS\Explorer.exe"] [proc.name = "C:\Test\*"] [proc.action = "block"]
    [proc.parent = "C:\WINDOWS\System32\svchost.exe"] [proc.name = "C:\Test\*"] [proc.action = "block"]
    
    So with those rules you can control parent->child processes.

    @guest @EASTER @mood @Mister X

    Yes, we can work on a SOB-GUI version after the new ERP has been released.

    ERP will use some of the SOB technology for rules creation and process monitoring, so lets see first how they perform on ERP-GUI.
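    A small evaluator for parent->child rules in the style of the three ERP lines above (and of the chrome.exe block/exclude pair posted earlier in the thread), as an added example; this is not NoVirusThanks code, and only the rule syntax is taken from the post. Everything about how the rules are evaluated is an assumption made here: first matching rule wins, matching is case-insensitive glob matching on full paths, a key missing from a rule matches anything, proc.signer refers to the child image, and an event no rule matches gets a configurable default (allow). The rules after the first three and all sample events are constructed for the illustration.

```python
"""Toy evaluator for ERP-style parent->child process rules (added example)."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# One [proc.key = "value"] token; a rule line is a sequence of these.
TOKEN_RE = re.compile(r'\[\s*(proc\.(?:name|parent|signer|action))\s*=\s*"([^"]*)"\s*\]')


@dataclass(frozen=True)
class ProcessEvent:
    """A process-creation event as a parent->child monitor would see it."""
    name: str    # full path of the image being launched (the child)
    parent: str  # full path of the process that called CreateProcess
    signer: str  # Authenticode signer of the child image, "" if unsigned (assumption)


def parse_rules(text: str) -> list[dict[str, str]]:
    """Parse rule lines into dicts; reject lines with leftover junk or no valid action."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(TOKEN_RE.findall(line))
        leftover = TOKEN_RE.sub("", line).strip()
        if leftover:
            raise ValueError(f"line {lineno}: unparsed text {leftover!r}")
        if fields.get("proc.action") not in ("allow", "block"):
            raise ValueError(f"line {lineno}: proc.action must be allow or block")
        rules.append(fields)
    return rules


def _glob(pattern: str, value: str) -> bool:
    # Windows paths are case-insensitive; backslash is an ordinary character
    # for fnmatch, so "*\chrome.exe" matches chrome.exe in any directory.
    return fnmatchcase(value.lower(), pattern.lower())


def rule_matches(rule: dict[str, str], ev: ProcessEvent) -> bool:
    subject = {"proc.name": ev.name, "proc.parent": ev.parent, "proc.signer": ev.signer}
    return all(_glob(rule[key], val) for key, val in subject.items() if key in rule)


def decide(rules, ev, default="allow"):
    """Return (action, index of the rule that fired or None). First match wins (assumption)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, ev):
            return rule["proc.action"], i
    return default, None


# The first three rules are the ones from the post; the rest are constructed
# here to express "only these parents may launch X" policies.
RULES = parse_rules(r"""
[proc.parent = "*\chrome.exe"] [proc.signer = "Google Inc."] [proc.action = "allow"]
[proc.parent = "C:\WINDOWS\Explorer.exe"] [proc.name = "C:\Test\*"] [proc.action = "block"]
[proc.parent = "C:\WINDOWS\System32\svchost.exe"] [proc.name = "C:\Test\*"] [proc.action = "block"]
# constructed: chrome may only launch Google-signed children (rule 1 already allowed those)
[proc.parent = "*\chrome.exe"] [proc.action = "block"]
# constructed: cmd.exe only from explorer.exe; any other parent is blocked
[proc.parent = "C:\Windows\explorer.exe"] [proc.name = "*\cmd.exe"] [proc.action = "allow"]
[proc.name = "*\cmd.exe"] [proc.action = "block"]
""")

# Constructed sample events, not captured from a real system.
EVENTS = [
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Google Inc."),
    ProcessEvent(r"C:\Users\bob\Downloads\setup.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe", ""),
    ProcessEvent(r"C:\Test\dropper.exe", r"C:\Windows\explorer.exe", ""),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "Microsoft Windows"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\SumatraPDF\SumatraPDF.exe", "Microsoft Windows"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
                 "Microsoft Windows"),
]


def evaluate_all(rules=RULES, events=EVENTS):
    """Decide every event; returns a list of (child, parent, action, rule index)."""
    return [(ev.name, ev.parent, *decide(rules, ev)) for ev in events]


if __name__ == "__main__":
    for child, parent, action, idx in evaluate_all():
        where = f"rule {idx + 1}" if idx is not None else "default"
        print(f"{action:5} ({where:8}) {parent} -> {child}")
```

Rule order matters under first-match semantics: the constructed "chrome may only launch Google-signed children" block must sit after the allow rule from the post, otherwise chrome spawning its own renderer would be blocked. The last event (services.exe launching svchost.exe) shows the default path, which is why a deployment would want to decide deliberately whether unmatched events are allowed or blocked.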
     
  16. Mr.X

    Mr.X Registered Member

  17. guest

    guest Guest

    Very nice :thumb:
     
  18. EASTER

    EASTER Registered Member

    Wow. That was a better answer than I was expecting. Gee Whiz @novirusthanks :)
     
  19. guest

    guest Guest

    Nice, thank you. ;)
     
  20. act8192

    act8192 Registered Member

    Wonderful. Like Rasheed, I keep wishing for the parent-child jobs.
    I hope we will not have to write strings. Will there be an alert "Test wants to run svchost" (or the other way around; I'm not sure how to read the examples)?
     
  21. Deckard

    Deckard Registered Member

    Blake2 is not very common. Apparently, it is more efficient, especially on 64-bit processors, but it is not used in Bouncer, etc.
    Don't know why.
    https://blake2.net
     
  22. Tarnak

    Tarnak Registered Member

    Still following....I have a version from a couple of years ago, installed on my XP desktop. Can't wait to try a new version when released on my Surface Book.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Looks very nice. I wouldn't want to be alerted about every child process, because that would be annoying, but you should be able to auto-block loading of certain child processes. :thumb:
     
  24. Peter2150

    Peter2150 Global Moderator

    Please do keep it as simple as the current version.
     
  25. Rasheed187

    Rasheed187 Registered Member

    I believe it will work exactly the same, but with more options for monitoring certain child processes. For obvious reasons, you currently cannot add explorer.exe, svchost.exe and browsers to the "vulnerable apps" list, because that would cause problems. This new feature would fix that.
     