New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    That is why you need a layered security setup.
    ERP can not handle all malware itself....it needs a companion AV at least...
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    There is a setting to automatically allow everything in the program folder. Untick it.

    When I installed I had it whitelist the whole program folder. Then untick the above mentioned box and you will be fine.

    Pete
     
  3. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Yes. ERP + something like Shadow Defender is also a viable option, for those who don't want AV.
     
  4. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    +1 :thumb:
     
  5. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Nope. ERP has never seen HMP. Just to make sure, I ran the same test with Geek.exe. Same results. It loads without a problem at startup, but 5s later ERP lockdown mode kicks in and then it gets blocked.
     
  6. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Sorry, I don't follow. It loads at startup, how? You let it install, right?
     
  7. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Ah, now I get it. You mean that you want to install something, reboot and have ERP block it before it loads?

    Well, if what you installed is malware, I wouldn't trust the PC to be "good" anymore, even if ERP loads very early and suddenly blocks an exe. Because at that point, you installed malware and you can't know what it may have done during reboot. Installed drivers? Injected "legitimate" Windows processes? You will never know. Your PC may already be phoning out through svchost and you won't see a peep.

    It will be better if it boots early, but if you already installed the malware, it's too risky to "trust" that your Windows installation is clean. The whole point of ERP is to PREVENT code execution so as to avoid infection. If you allow malware to install, reboot and HOPE that the only "bad" thing that happened is a new "exe" running, it's more like "install and pray"... It defeats the main purpose of using ERP.
     
  8. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    No. The other way around.
    I have Geek.exe on my desktop. The application is unsigned and never seen by ERP. I currently have ERP on lockdown, and when I try to execute Geek.exe it gets automatically blocked. NOW, when I restart the computer, at boot time ERP will fail to block Geek.exe when I double-click it during the initial 10s. Meaning that on startup, ERP doesn't protect my system and any executable can load.
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    A full-blown HIPS will be able to help you in that case, but not an anti-executable :) ;)
     
  10. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Ah, well, yes, of course. It's the same thing as executing malware while you have ERP disabled. Obviously, you will get infected... Until the dev makes it boot faster, don't click unknown things you've downloaded for 10 seconds. 'Cause malware won't load within 10 seconds from boot on its own. Either you've allowed it before reboot, or you need to infect yourself in 10 seconds (click a malicious exe, rush to an exploited website, etc). That's not an easy task to do!

    Of course, if you are determined to click on a malicious file, there is no way to stop yourself...
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I agree with Fuzzfas. Why click on anything until your system is fully booted and operational? Impatience can be deadly.
     
  12. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Not really impatient. Just worried that malware may simply install itself while ERP is booting.
     
  13. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Add WinPatrol then...
    ;)
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @jo3blac1

    The startup delay is a known issue of v2.7.2; it has been fixed in v2.7.3 ;)

    Regarding HMP that was executed when it was in the Program Files folder: ERP has the option "Automatically allow all software from program files folder" enabled by default, but you can uncheck it and you will be prompted to allow/block a process every time it is started from the Program Files folder.

    It is very rare that malware is able to add a registry key to the registry if it cannot be executed first. Also, Java.exe, if exploited, generally executes the payload that is dropped to the disk, but I have never seen it add a startup key in the registry to then start the payload, also because this is bad (delayed payload execution has fewer possibilities to successfully infect the system, because the user can detect its startup key/file and the payload location, the AV can detect it in the next hours, and it is also possible that the user will reboot the system after N days ==> not good). An exploit needs to immediately infect the system, else it will most probably lose the possibility to do so.
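    The two settings discussed in this post and the earlier ones (lockdown as default-deny, the "Automatically allow all software from program files folder" option, and the startup window before protection is active) can be modelled to see how each one changes the verdict for the same set of launches. The following is an added example written for this thread, not NoVirusThanks code and not how ERP is implemented internally; the paths, hashes, timings and the names `Policy`, `ExecEvent`, `decide` and `evaluate` are all constructed for illustration.

```python
"""Toy model of an anti-executable policy engine (added example, not ERP's code).

It models three things discussed in the thread:
  * default-deny "lockdown": unknown executables are blocked;
  * the "Automatically allow all software from program files folder" option,
    shown with its permissive default beside the hardened (unticked) setting;
  * a startup window during which nothing is enforcing yet, so launches that
    arrive before the driver is ready are recorded as "unprotected" for auditing.
Names, paths, hashes and timings below are constructed for the example.
"""
from dataclasses import dataclass, field
import hashlib

# NTFS paths are case-insensitive, so the match is done on lower-cased strings.
PROGRAM_FILES_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


def under_program_files(path: str) -> bool:
    """True when the path sits inside one of the Program Files roots."""
    p = path.lower()
    return any(p.startswith(root) for root in PROGRAM_FILES_ROOTS)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ExecEvent:
    t: float        # seconds since boot (constructed)
    path: str
    sha256: str
    parent: str     # parent process name, kept for the audit line


@dataclass
class Policy:
    lockdown: bool = True
    auto_allow_program_files: bool = True   # the default the developer describes
    protection_ready_at: float = 0.0        # seconds after boot when enforcement begins
    whitelist: set = field(default_factory=set)  # allowed SHA-256 hashes


def decide(ev: ExecEvent, pol: Policy) -> tuple[str, str]:
    """Return (verdict, reason). Verdicts: allow, block, prompt, unprotected."""
    if ev.t < pol.protection_ready_at:
        # Nothing is enforcing yet; the OS runs it. Record it so the gap is visible.
        return "unprotected", "launched before the protection driver was ready"
    if ev.sha256 in pol.whitelist:
        return "allow", "hash is on the whitelist"
    if pol.auto_allow_program_files and under_program_files(ev.path):
        # Path-based trust: anything that lands under Program Files runs unchecked.
        return "allow", "auto-allow for Program Files (permissive default)"
    if pol.lockdown:
        return "block", "lockdown: unknown executable"
    return "prompt", "unknown executable: ask the user"


def evaluate(events, pol):
    """Apply the policy to every launch and return (path, verdict, reason) rows."""
    return [(ev.path, *decide(ev, pol)) for ev in events]


# Constructed sample launches (not real hashes, not real binaries).
NOTEPAD_HASH = sha256_of(b"constructed notepad bytes")
GEEK_HASH = sha256_of(b"constructed Geek.exe bytes")
HMP_HASH = sha256_of(b"constructed HitmanPro bytes")
TROJAN_HASH = sha256_of(b"constructed trojan bytes")

SAMPLE_EVENTS = [
    ExecEvent(3.0, r"C:\Users\jo\Desktop\Geek.exe", GEEK_HASH, "explorer.exe"),
    ExecEvent(15.0, r"C:\Users\jo\Desktop\Geek.exe", GEEK_HASH, "explorer.exe"),
    ExecEvent(20.0, r"C:\Program Files\HitmanPro\HitmanPro.exe", HMP_HASH, "explorer.exe"),
    ExecEvent(25.0, r"C:\trojan.exe", TROJAN_HASH, "explorer.exe"),
    ExecEvent(30.0, r"C:\Windows\System32\notepad.exe", NOTEPAD_HASH, "explorer.exe"),
]


def weak_policy() -> Policy:
    # Models the reported v2.7.2 behaviour: ~10 s startup gap, auto-allow ticked.
    return Policy(lockdown=True, auto_allow_program_files=True,
                  protection_ready_at=10.0, whitelist={NOTEPAD_HASH})


def hardened_policy() -> Policy:
    # Auto-allow unticked, so Program Files binaries need a whitelist entry too.
    # The startup gap is the vendor's to close; this model assumes it is gone.
    return Policy(lockdown=True, auto_allow_program_files=False,
                  protection_ready_at=0.0, whitelist={NOTEPAD_HASH})


if __name__ == "__main__":
    for name, pol in (("weak", weak_policy()), ("hardened", hardened_policy())):
        print(f"--- {name} ---")
        for path, verdict, reason in evaluate(SAMPLE_EVENTS, pol):
            print(f"{verdict:12} {path}  ({reason})")
```

    Running it shows the same Geek.exe launch pass as "unprotected" at 3s and get blocked at 15s under the weak policy, and HitmanPro.exe flip from allowed to blocked once the Program Files auto-allow is unticked, which is exactly why the whitelist-the-folder-then-untick advice earlier in the thread gives you the same convenience with hash-based rather than path-based trust.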
     
  15. therube

    therube Registered Member

    Joined:
    Oct 5, 2012
    Posts:
    63
    Location:
    USA
    Video.

    Probably XP? Probably IE6?
    trojan.exe looks to run from C:\. C:\ is generally off limits to drop a program in Win7.
    Perhaps /program files/ too is like that?

    In any case, just because it is supposed to be that way, does not mean that it cannot be taken advantage of.

    When trojan.exe runs, IE vanishes, immediately.
    I don't understand that, where did it go?

    The parent to trojan.exe (from the first video) is explorer.exe (not iexplore.exe).

    Just because one doesn't understand how something is working does not mean one should dismiss it or make excuses for it. If it is happening, it needs to be explored to find out how, & get it fixed.

    Sure more information would help, & if it is not forthcoming, again does not mean the potential exploit is not there.

    Likewise with the 10 seconds (even if it is to be fixed in 2.7.3).

    In the realm of (current) computers, 10 seconds is an eternity, & no matter if or how something got onto my system, that is a long time for the potential to exist to further an exploit.

    BTW, I can do something similar with NoScript, injecting, running some JavaScript from the Firefox Address bar, where I should not be allowed to, if I am quick enough. Pop open a window, & bam, paste in the command & I can get it to run. Delay one second, & NoScript is able to block it. But beat it, & I can, & I win.

    If everything worked as intended, as designed, security wise, there would be no need for NVT or Windows security updates or ... ;) .
     
  16. chris1341

    chris1341 Guest

    @therube: Echoes my own thoughts here.

    @NVT I understand that there may be no java (or other) exploit behaving this way but it is a potential vulnerability in your application at present.

    Is it something to worry about? Maybe not. After all how many POCs out there are realistic threatgates? Not as many as Matousec would have us believe I'd bet but I think when something that may reduce the protection level of your product is found it's fair to admit your product at the current version would not prevent such an attack - albeit with the proviso you've now fixed it and move on.

    We don't improve by ignoring things we find inconvenient and to be fair to NVT they have an excellent record making positive changes to their product. Better start times will be another in a long list I'm sure.

    Cheers
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    One thing to keep in mind is that ESP is not a full-blown HIPS and doesn't control much of the interprocess activity.

    User Rmus uses an older version of Anti-Executable, and he always shows how it blocks the latest real exploits, including the latest Java mess. So unless someone is aware of a problem that ESP has that the older version (2) of AES has, I wouldn't be too worried.

    One of my favorite programs was really gummed up by putting in code to handle some POC that only happened if you allowed it to run. I would hate to see ESP go that route. Same thing about being able to press a key at exactly the right second during boot up.

    Pete
     
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Unfortunately I didn't follow. Which anti-executable exactly did Rmus test, and since it is an older version, is it possible to download it somewhere?
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It's Faronics Anti-Executable, Version 2 I believe. It's not that he tests it, but he uses it, and shows how it blocks exploits.

    I don't believe it can be downloaded, and it would have had to be licensed to run.

    Pete
     
  20. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Faronics AE is AFAIK effective against all exploits seen, provided you have dll monitoring enabled. If not, some exploits bypass it.

    The current version of Faronics AES is downloadable as trial, but they require an email.

    P.S.: On my computer, Faronics' dll monitoring never worked; the PC freezes sooner or later (usually within a few minutes).
     
  21. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Now the new version has dll and jar monitoring in real time :thumb:
     
  22. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Does your PC freeze occasionally?
     
  23. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Wow, this means I'd get PC freezing in real time? :D

    The bad thing with dll monitoring (at least with the whitelist in older Faronics versions), aside from stability, is the heavy drag on system performance.

    Maybe now their real-time monitoring is lighter?
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    It is super light here on Win7 or XP, very fast with low RAM usage ;)
     
  25. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Hmm... Maybe they nailed it finally. :D Anyway, with the current Shadow Defender TRIM situation, I may go for Comodo again. I feel a bit too vulnerable (Wilders' paranoia kicking in). :D
     