New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I meant to make this post in the ERP thread, but accidentally made it in the NetLimiter earlier.

    After turning on the computer this morning I noticed that all of ERP's lists had been wiped clean except for the white list. The Black List, Vulnerable Process List, and Trusted Publisher's List are all gone. There's not a single entry in any of them. This is the last beta build of ERP 3, which many ERP users still use. It's going to suck having to redo the blacklist and vulnerable process list. Has anyone else experienced this before? This is a first for me. I'm using Windows 10 x64 version 1709.
     
  2. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    @Cutting_Edgetech - Yes, I've had this problem multiple times and it's a known issue with ERP 3. I believe it's reproducible if you just turn the PC off without doing a proper shutdown, but can also occur when you do a normal shutdown. The new v4 shouldn't suffer from this (it uses SQLite db for rules, instead of text files), although I haven't properly tested this issue yet.

    Workaround is obviously to export settings/rules and just re-import when this issue occurs.

    Just had a thought that you might be able to recover it if File History is enabled, although I haven't tried this either as I disable this feature.
     
  3. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Why don't you use v4 man? It's like a completely different software, you'll never be able to go back afterwards, MALWARE CREATORS HATE HIM!!!
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    That's probably it then. My power goes out here on a daily basis. It sucks living in the sticks!
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I do use ERP 4, but only in a VM. It's still in alpha, and not ready for production systems. Maybe I can use it on a real system soon, but development for ERP 4 seems slow in comparison with OSArmor. I hope they have a new release soon.
     
    Last edited: Aug 30, 2018
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    LOL This user-tester either runs with a high confidence level to this developer on this particular program's development or naïve, but either way it's proven safe enough on my own real system right from the first release-bugs and all. If anyone is equally confident in v3 and reluctantly skeptical to v4 by all means that is a smart, prudent and reasonable step to make.

    One item that always stands out IMO is if a program blue-screens you or not. So far no NVT apps I use ever have to my knowledge. Blue Screens and slow-to-a-crawl energy gulpers are a quick turn off for many and this camp is no exception.

    I share the anticipation of the next new release though as others. It's been a rolling experiment for the developer's team I assume as well seeing how many suggestions have already been implemented and bugs being worked out currently.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    If I only had one BSOD at the wrong time the consequences could be severe. I take a lot of exams online, and it's a pain having to ask my professor to be able to retake an exam. They can always say no, and then you might get blackballed if you try to go above them (luckily my professors have been understanding so far).

    I also am working on my own business/project which I hope to launch next year. It started out as something I do to learn languages, but I'm going to share my work online in about a year. Unfortunately someone had a similar idea, and released their work first. They have raised almost 2 million dollars doing what I had planned to do soon. My work is much more comprehensive, and contains much more content, so I still plan on releasing my work. I have been working on it for 10 years so it would be a shame not to share it. The power has gone out several times while I was working, and I had to redo hours of lost work. I badly need a UPS for all the power outages I have, but can't afford one at the moment.
     
  8. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Guys,

    question please

    I am getting a Warning from ERP about this process.

    Code:
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"
    This just started today and No updates have been installed recently.

    Block it or allow it ??
     
  9. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Can you post the contents of DisableUnusedSmb1.ps1 ?
     
  10. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Here it is, but I just checked and this file is on every Windows 10 PC I have and if you have a Windows 10 PC you should also have it.

    So what's weird about it is that it started today ! And I am getting it now every 30 minutes, still blocking every one of them.

    Code:
    # Copyright (c) 2017 Microsoft Corporation. All rights reserved.
    #
    # This script is used to automatically remove support for the legacy SMB 1.0/CIFS protocol when such support isn't actively needed during normal system usage.
    Param
    (
        [Parameter(Mandatory=$True)]
        [ValidateSet("Client", "Server")]
        [string]
        $Scenario
    )
    
    #
    # ------------------
    # FUNCTIONS - START
    # ------------------
    #
    Function UninstallSmb1 ($FeatureNames)
    {
      try
        {
           Disable-WindowsOptionalFeature -Online -FeatureName $FeatureNames -NoRestart
        }
        catch {}
    }
    
    #
    # ------------------
    # FUNCTIONS - END
    # ------------------
    #
    
    #
    # ------------------------
    # SCRIPT MAIN BODY - START
    # ------------------------
    #
    
    $ScenarioData = @{
        "Client" = @{
            "FeatureName" = "SMB1Protocol-Client";
            "ServiceName" = "LanmanWorkstation"
        };
        "Server" = @{
            "FeatureName" = "SMB1Protocol-Server";
            "ServiceName" = "LanmanServer"
        }
    }
    
    $FeaturesToRemove = @()
    
    foreach ($key in $ScenarioData.Keys)
    {
        $FeatureName = $ScenarioData[$key].FeatureName
        $ServiceName = $ScenarioData[$key].ServiceName
    
        $ScenarioData[$key].FeatureState = (Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).State
        $ScenarioData[$key].ServiceParameters = Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\${ServiceName}\Parameters"
    }
    
    $FeaturesToRemove += $ScenarioData[$Scenario].FeatureName
    $ScenarioData[$Scenario].FeatureState = "Disabled"
    
    $RemoveDeprecationTasks = $true
    
    foreach ($key in $ScenarioData.Keys)
    {
        if($ScenarioData[$key].FeatureState -ne "Disabled" -and
           $ScenarioData[$key].ServiceParameters.AuditSmb1Access -ne 0) {
    
            $RemoveDeprecationTasks = $false
        }
    }
    
    if ($RemoveDeprecationTasks) {
        $FeaturesToRemove += "SMB1Protocol-Deprecation"
    
        $RemoveToplevelFeature = $true
    
        foreach ($key in $ScenarioData.Keys)
        {
            if($ScenarioData[$key].FeatureState -ne "Disabled") {
                $RemoveToplevelFeature = $false
            }
        }
    
        if ($RemoveToplevelFeature) {
            $FeaturesToRemove += "SMB1Protocol"
        }
    }
    
    UninstallSmb1 -FeatureName $FeaturesToRemove
    
    $NewFeatureState = (Get-WindowsOptionalFeature -Online -FeatureName $ScenarioData[$Scenario].FeatureName).State
    
    if ($NewFeatureState -ne "Enabled")
    {
        $ServiceName = $ScenarioData[$Scenario].ServiceName
        $RegistryPath = "HKLM:\System\CurrentControlSet\Services\${ServiceName}\Parameters"
        New-ItemProperty -Path $RegistryPath -Name AuditSmb1Access -Value 0 -PropertyType DWORD -Force | Out-Null
    }
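    The removal decision in the script above is easy to misread on a first pass, so here is the same branching modelled in Python. This is an added illustration for the thread, not Microsoft's script or anything from NVT: it takes the feature states and the AuditSmb1Access registry values as plain inputs (the dict keys and function names are my own) and returns the feature names the script would pass to Disable-WindowsOptionalFeature, including the PowerShell quirk that a missing AuditSmb1Access value compares as "not 0".

```python
# Model of the feature-removal decision in DisableUnusedSmb1.ps1 as posted
# above. Added illustration only: it does not touch Windows, it reproduces
# the script's branching so the outcome for a given state can be tabulated.

FEATURE_NAME = {"Client": "SMB1Protocol-Client", "Server": "SMB1Protocol-Server"}


def features_to_remove(scenario, feature_state, audit_smb1_access):
    """Return the optional-feature names the script would uninstall.

    scenario          -- "Client" or "Server" (the -Scenario argument)
    feature_state     -- {"Client": state, "Server": state}: the State that
                         Get-WindowsOptionalFeature reported before the run
    audit_smb1_access -- {"Client": value, "Server": value}: the AuditSmb1Access
                         DWORD under each service's Parameters key, or None
                         (or absent) when the value does not exist
    """
    if scenario not in FEATURE_NAME:
        raise ValueError("Scenario must be Client or Server")
    state = dict(feature_state)
    to_remove = [FEATURE_NAME[scenario]]
    # The script marks the requested scenario as Disabled before it looks at
    # both scenarios, so only the *other* scenario can keep things alive.
    state[scenario] = "Disabled"

    # Deprecation tasks are kept while any scenario is still enabled and its
    # audit value is not 0.  In PowerShell `$null -ne 0` is true, so a missing
    # AuditSmb1Access counts as "still needed"; None != 0 mirrors that here.
    remove_deprecation = all(
        state.get(key) == "Disabled" or audit_smb1_access.get(key) == 0
        for key in FEATURE_NAME
    )
    if remove_deprecation:
        to_remove.append("SMB1Protocol-Deprecation")
        # The top-level feature goes only once both scenarios are disabled.
        if all(state.get(key) == "Disabled" for key in FEATURE_NAME):
            to_remove.append("SMB1Protocol")
    return to_remove


def audit_value_after_run(new_feature_state, current_audit):
    """After uninstalling, the script writes AuditSmb1Access=0 for the
    requested scenario's service unless the feature still reports Enabled."""
    return current_audit if new_feature_state == "Enabled" else 0


if __name__ == "__main__":
    # Constructed states, not read from a real machine.
    cases = [
        ("Client", {"Client": "Enabled", "Server": "Disabled"}, {"Client": 1, "Server": 0}),
        ("Client", {"Client": "Enabled", "Server": "Enabled"}, {"Client": 1, "Server": 1}),
        ("Server", {"Client": "Enabled", "Server": "Enabled"}, {"Server": 1}),
    ]
    for scenario, states, audit in cases:
        print(scenario, states, audit, "->", features_to_remove(scenario, states, audit))
```

    The third constructed case is the one worth noticing: with no AuditSmb1Access value present for the other scenario, the script removes only the requested sub-feature and leaves the deprecation task in place.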
    
     
  11. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
    The 3rd line explains what it is for.
    Remember the WannaCry outbreak? It was using SMB to spread over the network, so Microsoft decided to disable it, seemingly with this PowerShell script.
     
  12. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Thx, yes I know about it, but what I find strange about it is that today is the 1st time I am seeing this, and I have had ERP installed since Day 1 I got this PC a couple of weeks ago, that's all. Better be careful than careless ;)
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Believe me, ERP 4 is already ready for prime time. I haven't had any problems with it, my system runs smoothly. And it looks way better than ERP 3.
     
  14. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    And ... what happened ?? Today NO alert, blocked it all day yesterday, and Nothing yet today.

    So it must be a Saturday Scheduled Task (or a First day of the Month) that MS has set up for this !
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I may just take the chance, and try it on my production machine. I've been waiting for the next build to be released, but I've been waiting for a while now. I'm not sure what the ETA is on the next build.
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v4.0 (pre-release) test26:
    https://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test26.exe

    *** Please do not share the download link, we will delete it when we'll release the official v4 ***

    Build 26
    + Added new vendors to default Trusted Vendors List
    + Fixed saving/loading of Unicode strings on Rules database
    + Fixed Truncate the category name if it is longer than 30 characters
    + Fixed When a Custom Rule is added via Alert dialog, act accordingly to selected action and close the Alert dialog
    + Added "File Information" in the Alert dialog
    + Added a new button "Scan running processes" on "Trusted Vendors" window
    + Added a new option "Disable Until Reboot" on trayicon -> Protection Modes -> "Disable protection" options
    + Improved "Allow Known Safe Process Behaviors"
    + Minor fixes and improvements

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @Mr.X

    That issue is fixed now, sorry for the inconvenience with the rules.

    We may include soon an auto-backup for the rules so in case of similar issues/crashes they can be easily recovered.

    @Defenestration

    We've re-added the option to disable protection until reboot.

    @EASTER

    Will take a look at it.

    @mood

    Added "File Information" in the Alert dialog.

    Thanks, added to Safe Behaviors.

    @n8chavez

    Probably yes (or a dark theme), will discuss about it.

    @iammike

    That powershell command is safe and is started by Windows to disable SMB.

    If it is possible, can you post the full event log for that command? (including parent process, etc).

    So I can add it to Safe Behaviors rules.

    @Cutting_Edgetech

    New build 26 released just now =)
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    No problem. Great thanks.
    Great, thanks.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    It's not of priority since it is so far only an occasional ordeal.

    However, I would like to read/hear your opinion on the other suggestion: adding some different notice on the Alert dialog specifying any changes after a process file has been Excluded, similar to how v3 handles a changed Hash. UNKNOWN APPLICATION DETECTED is the default, and if there is no need to add it that is OK; just curious.

    Thanks.
     
    Last edited: Sep 2, 2018
  20. guest

    guest Guest

    Result with test26:
    ERP_test26_unicode.png
    :thumb:
     
  21. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    @novirusthanks

    Here you go

    Code:
    Date/Time      : 2018-09-01 15:22:52.927
    Action         : Ask/Deny Once
    Expression     : -
    Category       : Alert Dialog
    PID            : 12520
    Process        : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Integrity Level: System
    User/Domain    : SYSTEM/NT AUTHORITY
    System File    : True
    SHA1           : 1B3B40FBC889FD4C645CC12C85D0805AC36BA254
    Signer         :
    Command        : C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"
    Parent         : C:\Windows\System32\svchost.exe
    Parent SHA1    : 660B76B6FB802417D513ADC967C5CAF77FC2BAC6
    Parent Signer  : Microsoft Windows Publisher
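    For anyone who wants to check an alert like this one field by field instead of judging it on "powershell.exe" alone, here is a small Python checker I added for the thread (it is not ERP's own Safe Behaviors logic, and the function names are mine). It parses the event dump in the format posted above and compares the process path, system-file flag, SYSTEM context, parent path, parent signer and the exact command line against what the Windows SMB1 clean-up invocation looks like. The sample event is the one posted above; the expected paths assume Windows is installed on drive C:.

```python
import re

# Expected locations on a default install (assumption: Windows on drive C:).
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# The command line Windows uses for the SMB1 clean-up task; only -Scenario
# varies.  Case-insensitive because the event mixes "System32"/"system32".
SMB1_CMD = re.compile(
    r'^"?C:\\Windows\\System32\\WindowsPowerShell\\v1\.0\\powershell\.exe"?'
    r' -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden'
    r' "& C:\\Windows\\System32\\WindowsPowerShell\\v1\.0\\Modules\\SmbShare\\DisableUnusedSmb1\.ps1'
    r' -Scenario (?:Client|Server)"$',
    re.IGNORECASE,
)

# The ERP event as posted in the thread (copied, not captured here).
SAMPLE_EVENT = r"""Date/Time      : 2018-09-01 15:22:52.927
Action         : Ask/Deny Once
Expression     : -
Category       : Alert Dialog
PID            : 12520
Process        : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Integrity Level: System
User/Domain    : SYSTEM/NT AUTHORITY
System File    : True
SHA1           : 1B3B40FBC889FD4C645CC12C85D0805AC36BA254
Signer         :
Command        : C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"
Parent         : C:\Windows\System32\svchost.exe
Parent SHA1    : 660B76B6FB802417D513ADC967C5CAF77FC2BAC6
Parent Signer  : Microsoft Windows Publisher
"""


def parse_event(text):
    """Split an ERP 'Code:' event dump into a dict keyed by field name.
    Only the first ':' separates key from value, so Windows paths survive."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def evaluate(event):
    """Return the list of checks that fail; an empty list means every field
    matches the expected Windows SMB1 clean-up behaviour."""
    problems = []
    if event.get("Process", "").lower() != POWERSHELL.lower():
        problems.append("process is not the System32 powershell.exe")
    if event.get("System File") != "True":
        problems.append("process is not a Windows system file")
    if event.get("Integrity Level") != "System" or event.get("User/Domain") != "SYSTEM/NT AUTHORITY":
        problems.append("not running as SYSTEM at System integrity")
    if event.get("Parent", "").lower() != SVCHOST.lower():
        problems.append("parent is not the System32 svchost.exe")
    if event.get("Parent Signer") != "Microsoft Windows Publisher":
        problems.append("parent is not signed by Microsoft Windows Publisher")
    if not SMB1_CMD.match(event.get("Command", "")):
        problems.append("command line differs from the DisableUnusedSmb1.ps1 invocation")
    return problems


if __name__ == "__main__":
    result = evaluate(parse_event(SAMPLE_EVENT))
    print("matches expected SMB1 clean-up" if not result else "\n".join(result))
```

    The point of returning every failed check rather than a single yes/no is that a rule which only looks at the process name would also wave through any other script launched via powershell.exe; the parent, the signer on the parent, the SYSTEM context and the full script path together are what make this particular alert benign.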
    
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I actually decided to take a chance, and install build 25 on my production machine. I have been testing on a VM until now. It figures build 26 would come out the same day. I guess I should have held off a little longer. I uninstalled build 25, and installed build 26. All is good so far.

    Andreas, I was wondering if they ever made a decision on PresentationHost.exe. Is NVT going to add it to the vulnerable process list by default?
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Whether yes or no, I don't wait:
    Code:
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = aspnet_compiler.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = at.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = attrib.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = auditpol.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bash.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bcdboot.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bcdedit.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bginfo.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bitsadmin.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootcfg.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootim.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootsect.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ByteCodeGenerator.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cacls.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cdb.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = certutil.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cmd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = CmdTool.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Commit.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = csc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = csi.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dbghost.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dbgsvc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = debug.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = DFsvc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = diskpart.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dnx.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = eventvwr.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = fsi.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = fsiAnyCpu.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = hh.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = IEExec.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = iexplore.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = iexpress.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ilasm.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = infdefaultinstall.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = InstallUtil.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = journal.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = jsc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = kd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = lpkinstall.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Microsoft.Workflow.Compiler.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mmc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = MSBuild.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mshta.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = msiexec.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = msra.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mstsc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = netsh.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = netstat.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ntkd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ntsd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = odbcconf.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell_ise.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = PresentationHost.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = quser.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = rcsi.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = reg.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = RegAsm.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = regini.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Regsvcs.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = regsvr32.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = RunLegacyCPLElevated.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = runonce.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = runscripthelper.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = schtasks.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = scrcons.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = script.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = sdbinst.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = sdclt.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = set.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = setx.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Stash.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = syskey.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = systemreset.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = takeown.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = taskkill.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = UserAccountControlSettings.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = utilman.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = vbc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = visualuiaverifynative.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = vssadmin.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wbemtest.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = windbg.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wmic.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = xcacls.exe] [Action = Ask]</> <enabled>1</> <comment></>
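    Keeping a list like this in sync with a reference list by hand gets error-prone, so here is a small Python helper I added for the thread (not part of ERP, and the function names are mine) that parses rule lines in the text format shown above, generates new ones in the same format, and reports duplicate, disabled, missing and extra process names against a wanted list. The sample rules and wanted list below are constructed for the demo.

```python
import re

# One ERP rule per line, in the text format shown in the post above.
RULE_RE = re.compile(
    r"^<category>(?P<category>[^<]*)</> <action>(?P<action>[^<]*)</> "
    r"<expression>(?P<expression>[^<]*)</> <enabled>(?P<enabled>[01])</> "
    r"<comment>(?P<comment>[^<]*)</>$"
)
PROC_NAME_RE = re.compile(r"\[Proc\.Name = ([^\]]+)\]")


def parse_rule(line):
    """Parse one rule line into a dict; adds 'proc_name' from the expression."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not an ERP rule line: %r" % line)
    rule = m.groupdict()
    rule["enabled"] = rule["enabled"] == "1"
    pm = PROC_NAME_RE.search(rule["expression"])
    rule["proc_name"] = pm.group(1).strip() if pm else None
    return rule


def make_rule(proc_name, action="Ask", category="Vulnerable Processes", comment=""):
    """Build a rule line in the same format, enabled by default."""
    return ("<category>%s</> <action>%s</> <expression>[Proc.Name = %s] [Action = %s]</> "
            "<enabled>1</> <comment>%s</>" % (category, action, proc_name, action, comment))


def audit_rules(lines, wanted):
    """Compare rule lines against a wanted list of process names.
    Names are compared case-insensitively, as Windows file names are."""
    seen = {}
    for line in lines:
        if not line.strip():
            continue
        rule = parse_rule(line)
        if rule["proc_name"] is None:
            continue
        seen.setdefault(rule["proc_name"].lower(), []).append(rule)
    wanted_lower = {w.lower(): w for w in wanted}
    return {
        "duplicates": sorted(n for n, rs in seen.items() if len(rs) > 1),
        "disabled": sorted(n for n, rs in seen.items() if not any(r["enabled"] for r in rs)),
        "missing": sorted(w for lw, w in wanted_lower.items() if lw not in seen),
        "extra": sorted(n for n in seen if n not in wanted_lower),
    }


# Constructed sample: one line copied from the post, the rest generated,
# including a case-only duplicate and a disabled rule for a name not wanted.
SAMPLE_RULES = [
    "<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mshta.exe] [Action = Ask]</> <enabled>1</> <comment></>",
    make_rule("cmd.exe"),
    make_rule("MSHTA.EXE"),
    make_rule("powershell.exe"),
    make_rule("wscript.exe").replace("<enabled>1</>", "<enabled>0</>"),
]
WANTED = ["cmd.exe", "mshta.exe", "powershell.exe", "PresentationHost.exe"]

if __name__ == "__main__":
    for key, names in audit_rules(SAMPLE_RULES, WANTED).items():
        print("%-10s %s" % (key, ", ".join(names) or "-"))
```

    Feeding it an exported rule set and the list you actually want to cover (for example to see whether PresentationHost.exe is there) answers the "did I already add that?" question without scrolling.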
    
    
     
  24. guest

    guest Guest

    this one is excellent, we start going back to the ease of use that made v3 a pearl.
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    @Mr.X, just curious, is this list based on Excubits' blacklist, and if so, does it take into account latest changes?

    Wondering if you've saved me some work :).

    +1, if this refers to the v3 'yellow' 'changed' message ... ?
     