New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Yes ... I have populated the list as per @hjlbx, which in turn is based on Florian Excubit's list and other sources.
    I also had the problem that hashes changed with upgrades, but following his settings advice seems to work i.e. the vulnerable processes continue to alert after an upgrade, so no longer seem to be hash-dependent.
     
  2. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Is there a happy medium between the very short default list, and the very long @hjlbx list?
    To put it another way: are there some especially important additions that could/should be made to the default list?
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
But, if one does that then one will get a:

[screenshot: unknown.png]

In place of

[screenshot: vuln pop.png]

Right? Hope I understood correctly, cause afaik if a file hash changes from the vulnerable processes list then it becomes an Unknown one.
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    To answer my own question: mshta.exe is a good one to add. This is because the HTA file type is used maliciously, and it opens natively on Windows systems, and NVT ERP does not seem to monitor this file type by default.
    This process was in fact mentioned before, by @Rasheed187, so I am just seconding his recommendation.
     
  5. guest

    guest Guest

    Correct. If the hash has changed, a vulnerable process turns into an unknown process.
    Vulnerable Processes = hash-dependent
    Nevertheless add the upgraded files to your vulnerable processes-list.
    The idea of Vulnerable Processes is to have an alert every time you execute a Vulnerable process (so you are aware of its execution), even if it's whitelisted.
    But after you whitelisted an "Unknown application" you get no alert for it anymore.

    Strictly seen, alerts for "Unknown Application" (unknown process) and "Vulnerable Application" (known process) are not the same.
    That is the disadvantage of Vulnerable Processes. You have to populate new hashes to your Vulnerable Processes-list manually after each upgrade.
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
This is the same knowledge I already had, so I was waiting for @paulderdash or someone else to agree with my previous post, then I could post your same answer @mood, so thanks a lot for your confirmation.
     
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
and with Allow Microsoft Windows system protected processes: checked and Do not allow signed processes: checked.....
I'll still receive ? [screenshots not recoverable]

    btw ~ thanks for reminding me to update my Vulnerable Processes
     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @Mister X @mood I think you guys are right, my apologies.
    I rolled back from an AU upgrade back to version 1511, hence I returned to the old hashes and still get the Vulnerable Process alerts.
    I would need to upgrade again to confirm what happens with my settings, but I am sure you are right.
    Updating the long @hjlbx vulnerable process list with every upgrade would definitely be a PITA.
    I have more or less that list in AppGuard also so probably it is easier to go back to the default list in ERP.
Lately, I have been occasionally having some issues with ERP where my mouse freezes on a Vulnerable Process and I cannot allow it and I have to do a hard reboot. Not sure if this is due to the 24062015 build, never had it with the 15052015 build.
    ERP is maybe abandoned, so may eventually move away from ERP, but I do like the program.
    I do hope for Andreas to return and hopefully fix this Vulnerable Process hash issue.
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
I do like the program as well, really a lot. But for me there's no reason to move away as long as it keeps doing its job, so I'll stick to it while I can or OSes can support it and vice versa, even if it's abandoned.

    PITA to maintain the list? Well yes but I believe it's worth the hassle, imho.
     
  10. guest

    guest Guest

    ERP is one of the programs i simply can't uninstall ;)
    If it happens one more time, then it's maybe better to revert to the 15052015 build.
You will not lose functionality or features if you revert back.
Windows processes are allowed to execute without a prompt; for non-Windows processes you'll see an "Unknown Application Detected" prompt.
After you add processes to Vulnerable Apps, you'll see a "Vulnerable Application Detected" prompt, even if it's a Windows process or whitelisted.
    Step 1)
    [X] Allow Microsoft Windows system protected processes: "c:\windows\system32\mmc.exe" = No prompt, Allowed
    [X] Allow Microsoft Windows system protected processes: "c:\windows\system32\malware.exe" = Prompt: "Unknown Application Detected"
    Step 2)
After "c:\windows\system32\mmc.exe" is added to Vulnerable Apps = Prompt: "Vulnerable Application Detected"
After "c:\windows\system32\malware.exe" is added to Vulnerable Apps = Prompt: "Vulnerable Application Detected"
    Step 3)
    (Option unticked) [ ] Allow Microsoft Windows system protected processes: "mmc.exe + malware.exe" = Prompt: "Vulnerable Application Detected"
    Step 4)
    Removed from Vulnerable Apps: mmc.exe + malware.exe = Prompt: "Unknown Application Detected"
     
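The four steps above, together with the hash-dependence point made earlier in the thread (a Vulnerable Processes entry is keyed by file hash, so an upgraded binary drops back to "Unknown", or is silently allowed if it is a Windows protected process and that option is ticked), can be written down as a small decision model. The following is an added illustration written for this page, not ERP's own code: it assumes SHA-256 as the hash, stands in for ERP's "Microsoft Windows system protected process" check with a plain set of paths (how ERP really makes that decision is not documented here), and uses throwaway files named mmc.exe and malware.exe as constructed stand-ins for real binaries. The `refresh_vulnerable()` helper is the manual post-upgrade chore from the thread, re-hashing every listed path.

```python
"""Toy model of the ERP prompt logic described in the thread (added example, not ERP code)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

VULNERABLE = "Vulnerable Application Detected"
UNKNOWN = "Unknown Application Detected"
ALLOWED = "Allowed (no prompt)"


def sha256_of(path: str) -> str:
    """Identity of a Vulnerable Processes entry. SHA-256 is an assumption; ERP's real hash is not stated."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


@dataclass
class ErpModel:
    allow_windows_protected: bool = True
    # Assumption: stand-in for ERP's own "Windows system protected process" check, keyed by path.
    windows_protected: set = field(default_factory=set)
    # "Unknown application" entries the user allowed; keyed by hash.
    whitelist: set = field(default_factory=set)
    # Vulnerable Processes list, hash -> path: this is what makes it hash-dependent.
    vulnerable: dict = field(default_factory=dict)

    def add_vulnerable(self, path: str) -> None:
        self.vulnerable[sha256_of(path)] = path

    def remove_vulnerable(self, path: str) -> None:
        self.vulnerable = {h: p for h, p in self.vulnerable.items() if p != path}

    def allow_unknown(self, path: str) -> None:
        self.whitelist.add(sha256_of(path))

    def decide(self, path: str) -> str:
        """Vulnerable list wins over both the Windows-protected option and the whitelist."""
        h = sha256_of(path)
        if h in self.vulnerable:
            return VULNERABLE
        if self.allow_windows_protected and path in self.windows_protected:
            return ALLOWED
        if h in self.whitelist:
            return ALLOWED
        return UNKNOWN

    def refresh_vulnerable(self) -> list:
        """Re-hash every listed path after an upgrade; returns the paths whose hash changed."""
        changed, refreshed = [], {}
        for old_hash, path in self.vulnerable.items():
            new_hash = sha256_of(path)
            if new_hash != old_hash:
                changed.append(path)
            refreshed[new_hash] = path
        self.vulnerable = refreshed
        return changed


def walkthrough() -> dict:
    """Replays steps 1-4 from the post, then an 'upgrade' of mmc.exe; returns {label: decision}."""
    r = {}
    with tempfile.TemporaryDirectory() as d:
        mmc = os.path.join(d, "mmc.exe")        # constructed stand-in, not the real binary
        mal = os.path.join(d, "malware.exe")    # constructed stand-in
        with open(mmc, "wb") as f:
            f.write(b"MZ mmc build 1")
        with open(mal, "wb") as f:
            f.write(b"MZ something else")
        erp = ErpModel(allow_windows_protected=True, windows_protected={mmc})
        r["1 mmc"], r["1 malware"] = erp.decide(mmc), erp.decide(mal)          # Step 1
        erp.add_vulnerable(mmc)
        erp.add_vulnerable(mal)
        r["2 mmc"], r["2 malware"] = erp.decide(mmc), erp.decide(mal)          # Step 2
        erp.allow_windows_protected = False
        r["3 mmc"], r["3 malware"] = erp.decide(mmc), erp.decide(mal)          # Step 3
        erp.remove_vulnerable(mmc)
        erp.remove_vulnerable(mal)
        r["4 mmc"], r["4 malware"] = erp.decide(mmc), erp.decide(mal)          # Step 4
        # Upgrade scenario: mmc.exe is on the list, then its bytes change.
        erp.allow_windows_protected = True
        erp.add_vulnerable(mmc)
        with open(mmc, "wb") as f:
            f.write(b"MZ mmc build 2")
        r["upgraded mmc, option ticked"] = erp.decide(mmc)     # silently allowed
        erp.allow_windows_protected = False
        r["upgraded mmc, option unticked"] = erp.decide(mmc)   # falls back to Unknown
        r["changed on refresh"] = erp.refresh_vulnerable()     # [mmc]
        r["mmc after refresh"] = erp.decide(mmc)               # alert is back
    return r


if __name__ == "__main__":
    for label, decision in walkthrough().items():
        print(f"{label}: {decision}")
```

The order of checks in `decide()` is the whole point: the vulnerable list is consulted first, so an entry there alerts even when the process is Windows-protected or whitelisted, but only while the stored hash still matches the file on disk. Unticking the Windows-protected option does not restore the Vulnerable alert after an upgrade; it only turns a silent allow into an Unknown prompt, which is why re-adding the upgraded files (or re-hashing them) is still needed.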
  11. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    > you're technical writing graduate.... Thanks!
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks @mood.
    I will try this next time to see if my problem disappears.
    I originally unticked 'Allow Microsoft Windows system protected processes', after advice that it would get around the vulnerable process / upgrade issue.
    But it seems the best option is to retick it, and re-add the vulnerable process list with each Windows upgrade.
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    you can use the default vulnerable processes list, which is really easy to refresh and it covers the basics, and for your custom additions, you can use Process Lasso to add additional processes or file types that you want to block. (However, this will result in a total block, not a prompt.)
     
  14. guest

    guest Guest

    With Drag&Drop it would be much easier to add files to the lists, but sadly ERP doesn't support it :(
    But it should not take long to add new vulnerable processes after an upgrade... as long as it is not 50-100 or more Processes ;)
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    My list, based on the @hjlbx list (in turn based on Excubit's list and other sources) is 150, including System32 and SysWOW64, and all .NET entries :(
    Maybe I'll just revert to defaults and leave the vulnerable processes to AG, where they are defined also, as User Space.
     
    Last edited: Dec 4, 2016
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    from your signature, it looks like you are running appguard. So you don't even need that list in NVT ERP, because you can implement it in appguard. There is even a download that will add them automatically, it is from the dev:
    https://malwaretips.com/threads/basic-hardened-appguard-policy-xml.64991/
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
Yes, I do have them in AppGuard, so indeed no real need to have the list in NVT ERP (it's just that I had already populated that list before I realised I could do it in AppGuard too).
    So as I said, maybe I'll get rid of it, but I can't remember what the default list was.
    Is this list still correct: http://www.novirusthanks.org/help-files/exe-radar-pro/#tabs-advanced-vulnerable-processes ?
    Thanks for the link from Jeff-T.
     
  18. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
The vulnerable processes as shown in that help file are not the same as I see in the free beta version.
This is the default list that I see:
[screenshot: upload_2016-12-4_10-24-19.png]
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks. I think I will revert to this in NVT ERP.
     
  22. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
  23. guest

    guest Guest

    :eek: 150.
Ok, as said above, the alternative is adding them to AG. By using wildcards you'll have much fewer entries to add, and you don't have to add them again after an upgrade.
    Yes, it's less time-consuming to handle the default list of Vulnerable Apps with ERP and the rest of your list (150 :ninja:) with AG.
     
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    what do you guys say about the ERP default list, vis-a-vis the current security scene?
    Does it still provide adequate, basic protection, or are there gaping holes?
    If the latter, what are they?
     
  25. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
Should I add all of this to Vulnerable Processes?
And what about this "Restrict Write Access Permissions to" (are these all in the orange box), how do I do that?

[screenshot: Clipboard01.jpg]
     