New Antiexecutable: NoVirusThanks EXE Radar Pro

Anyone else have an HP printer? I am having a hard time getting ERP to honor the HP command lines with wildcards, even though I am using "like to"
The HP print to fax is working (although it is usually more problematic) but the regular print job (HP officejet) is just not honoring the wildcards.

EDIT:
For instance:
C:\WINDOWS\system32\Rundll32.exe Prnntfy.dll,AsyncUILoaderEntry Local\{*}_ASYNCUI

I think I see the problem now. There does not seem to be a parent process and a child process, instead, rundll32 is just loading a dll.

 

Is it possible to make an Allow rule which will allow my hotkeymanager.exe to launch any exe? This doesn't work:

 

thank you will give version 4 a try

 

I side with this user on that concern.

Maybe cosmetic only of sorts but is there any chance to return user preference of a custom audio instead of the horrid system beep when alerting?

 

I have been using diskpart utility lately. If someone was able to use it remotely in an attack then the results could be devastating. I would add it to the vulnerable process list set to ask user, or deny upon execution attempts.

 

You can set almost 100+ Windows processes to the vulnerable processes.

 

The Ultra-paranoid Vulnerable Processes List. Could share it please?
One of these days and just for the sake of feeling anxiety and despair, I'm going to try and get locked out from my computer.

 

it is somewhere on the Bouncer thread; i didn't implemented it yet on ERP.

 

Have fun! And if you are on Windows 10, there is lots of extra fun waiting for you, if you want to boot into safe mode in order to save your system, but you can't get to the lock screen...

 

The expression builder is awesome but right now out of my control. Still trying to catch on to so many areas of configurations.

Andreas will surely chime in for you on that. And thank you for bringing it up since am still digging into the granularity of it all myself.

 

Maybe because the VPL is not finished yet. It is a work in progress.
For instance, the first VPL had the obvious omission of wscript and cscript, so if you were still using that initial csv when you ran your test, you need look no further.

 

In addition rules with (Action = Allow) seem to have a higher priority than (Action = Deny)
This means that Allow-rules are setting Ask + Deny-rules out of action.

With ERP 3.x processes can be set as a Vulnerable Process and an alert can be seen if it is executed (even if whitelisted)
But with ERP 4.x this alert isn't available anymore if the process is already included in another Allow-rule.

If a specific Publisher is blocked (Deny, "[Proc.Signer = Nir Sofer] [Action = Deny]") they should stay blocked. Allow-rules and even Ask-rules shouldn't affect it.
Or: If the user is "protecting" a directory with a simple deny-rule, launching of executables in this directory shouldn't be possible.

Code:

Created Rules:
Deny, "[Proc.Path LIKE c:\examples\Deny*] [Action = Deny]
Ask, "[Proc.Path LIKE c:\examples\ask*] [Action = Ask]
Allow, "[Proc.Path LIKE c:\examples*] [Action = Allow]
Directories:
c:\examples\allow\
c:\examples\ask\ (=Alert dialog should appear)
c:\examples\deny\ (=Execution should be denied)

Result:

Code:

C:\examples\allow\test.exe = Allowed (ok)
C:\examples\ask\test.exe = Allowed (?) (allowed by the rule: Expression : [Proc.Path LIKE c:\examples*] [Action = Allow]) - (Expected: Action = Ask)
C:\examples\Deny\test.exe = Allowed (?) (allowed by the rule: Expression : [Proc.Path LIKE c:\examples*] [Action = Allow]) - (Expected: Action = Deny)

The way of how ERP 4.x seems to handle rules (Priority) is:
1) Allow
2) Ask
3) Deny

(In Theory:)
After setting the priority to for example:
1) Deny
2) Ask
3) Allow
and after launching the above mentioned executables again, files are allowed/denied as expected:

Code:

C:\examples\allow\test.exe = Allowed
C:\examples\ask\test.exe = Alert dialog
C:\examples\Deny\test.exe = Denied

-------------------

Issue #1: "Export rules" / missing "do you want to overwrite the existing file?"-dialog
An existing file "Rules.csv" is simply overwritten. ERP should ask beforehand...
Issue #2: The GUI of ERP is opened in the background (doubleclick on the tray-icon)
Issue #2b: sometimes the alert is opened in the background too

 

mood, I noticed this too. Quoting part of your thread :

"With ERP 3.x processes can be set as a Vulnerable Process and an alert can be seen if it is executed (even if whitelisted)
But with ERP 4.x this alert isn't available anymore if the process is already included in another Allow-rule.
"
I imported the default vulnerable processes, 33 in total and after whitelisting some processes, the vulnerable list had dropped itself by one to 32

 

I saw this too, when you get a prompt and the parent process is on the VPL, you need to resist the temptation to permanently allow it, and instead you need to make a command line rule.

 

Maybe there should be hierarchy, so the rules above are stronger than rules below.

 

I customised the alert and then saved it to allow it as a whitelisted process thinking that this would be a unique rule but it seemed to reduce the vulnerable process list by one.

 

Hello,

I am having issues with vulnerable processes. I have imported the list as outlined in @novirusthanks post. No matter how I configure the rules I add, I cannot get the rules I add to work. I keep getting allow/block prompts. I am probably doing something wrong but I can not figure it out. I will give two examples (both have multiple similar cmd.exe alerts so I am using wildcards when I create the rule.

First example:
From the logs:
Date/Time : 2018-03-04 14:21:55.793
Action : Ask/Allow Once
Expression : -
Category : Alert Dialog
PID : 5712
Process : C:\Windows\System32\cmd.exe
SHA1 : 3585B37200EF3321262B0977401183694A3C15C6
Signer :
Command : "cmd.exe" /c route -4 PRINT
Parent : C:\Program Files\AirVPN\AirVPN.exe
Parent SHA1 : FAA8F7FAAEBC14660900D394FD494269CD482E0A
Parent Signer: AIR DI PAOLO BRINI
Rule that I created:
AirVPN Allow [Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] [Proc.Hash = 3585B37200EF3321262B0977401183694A3C15C6] [Proc.CmdLine LIKE "cmd.exe" /c route*] [Parent.Name = C:\Program Files\AirVPN\AirVPN.exe] [Parent.Signer = AIR DI PAOLO BRINI] [Parent.Hash = FAA8F7FAAEBC14660900D394FD494269CD482E0A] [Action = Allow] 1

Second example:
From the logs:
Date/Time : 2018-03-04 14:22:24.112
Action : Ask/Allow Once
Expression : -
Category : Alert Dialog
PID : 10452
Process : C:\Windows\System32\cmd.exe
SHA1 : 3585B37200EF3321262B0977401183694A3C15C6
Signer :
Command : "cmd.exe" /c ipconfig /flushdns
Parent : C:\Program Files\AirVPN\AirVPN.exe
Parent SHA1 : FAA8F7FAAEBC14660900D394FD494269CD482E0A
Parent Signer: AIR DI PAOLO BRINI
Rule that I created:
AirVPN Allow [Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] [Proc.Hash = 3585B37200EF3321262B0977401183694A3C15C6] [Proc.CmdLine LIKE "cmd.exe" /c ipconfig*] [Parent.Name = C:\Program Files\AirVPN\AirVPN.exe] [Parent.Signer = AIR DI PAOLO BRINI] [Parent.Hash = FAA8F7FAAEBC14660900D394FD494269CD482E0A] [Action = Allow] 1

I have tried with and without wildcards, with and without command lines...
What am I doing wrong? Any help will be greatly appreciated...

 

try enabling "similar to" (I think that is what it is called) by the command line.
That enables wildcard support, and makes it so you don't need the full path.

 

Hello,

@Peter2150 - Same here...
@shmu26 - You are probably referring to "Like to" which I already have selected for those command lines (See the rules I posted above).

 

You are right, I see what you mean.
This might be similar to the problem I was having with rundll32.
In my case, rundll32 was not executing another process, just loading a dll.
Also in your case, cmd.exe is not executing another process.
My guess is that the rules maker is not yet set up for that kind of command line.
Awaiting clarification from Andreas.

 

Suggestion - Enhancing of the "readability" of rules shown in the GUI.
We can optimize it a little bit and only a quick view on the rules is needed to know what the rule is all about, and it is much better to read.
Old:

Optimized:

=
a) Name/ Signer / Hash / Path / etc. is now added as a column.
One big advantage: Rules can be sorted by Hash / by Signer, etc.
b) Instead of mentioning of [Proc.Path ...], etc. in each rule it is now only mentioned in the header of the column. Only the most important is now displayed in the GUI.
Before: [Proc.Signer = Nir Sofer] [Action = Deny]
After: Nir Sofer

Regarding the old style:
a) In the case of for example: [Proc.Path LIKE c:\*]
= 'LIKE c:\' can be shown in a different colour (or bold?) and is distinguishable from the rest of the rule.
(the part of the rule which can be changed by the user is shown in a different way)
Before: [Proc.Path LIKE c:\*] [Proc.Signer = Nir Sofer]
After: [Proc.Path LIKE c:\*] [Proc.Signer = Nir Sofer]

Ideas:
a) Painting of Deny/Ask rules in a different color...(?)
a2) Painting of disabled rules in a lighter color = Better distinction between enabled/disabled rules.
b) Setting: Showing of Grid Lines (changeable by the user? Setting: on/off)
b2) Setting: Mark Odd/Even rows (changeable by the user? Setting: on/off)
b3) Setting: Automatic Column Size (changeable by the user? Setting: Fixed Size/By Column Values)
= for example "Hash" is consuming a lot of space, would be nice if the user can change it (and other columns) to a fixed size (and it should stay like that)
c) Support of CTRL-C
= After selecting of rules and pressing CTRL-C, selected rules are copied to the clipboard and the user can paste it somewhere else.

Regarding painting of rules in different colors, Illustration:

= For example a quick look on "Nir Sofer" reveals that it is an enabled Deny-rule, "Nir Sofer" would be a disabled Deny-rule.
Now there is no need to look back and forth between the "Enabled" and "Action"-column.