New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Cutting_Edgetech, Registered Member (Joined: Mar 30, 2006; Posts: 5,694; Location: USA)

    Thanks, but it's not what I was looking for. I want to see if anything can be done to ERP so this is no longer a problem. There are several others who have also wanted to see this behavior changed in ERP in the past. I will wait and see if Andreas responds, if it has not been lost in the mix.
     
  2. Mr.X, Registered Member (Joined: Aug 10, 2013; Posts: 4,811; Location: .)

    This is odd. Same Rules.xml file on two machines, different hardware, same Windows 8.1 x64.

    Code:
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = xcacls.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wmic.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = windbg.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wbemtest.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = vssadmin.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = visualuiaverifynative.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = vbc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = utilman.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = UserAccountControlSettings.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = taskkill.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = takeown.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = systemreset.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = syskey.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Stash.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = setx.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = set.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = sdclt.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = sdbinst.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = script.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = scrcons.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = schtasks.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = runscripthelper.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = runonce.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = RunLegacyCPLElevated.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = regsvr32.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Regsvcs.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = regini.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = RegAsm.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = reg.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = rcsi.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = quser.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = PresentationHost.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell_ise.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = odbcconf.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ntsd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ntkd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = netstat.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = netsh.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mstsc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = msra.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = msiexec.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mshta.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = MSBuild.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mmc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Microsoft.Workflow.Compiler.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = lpkinstall.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = kd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = jsc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = journal.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = InstallUtil.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = infdefaultinstall.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ilasm.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = iexpress.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = iexplore.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = IEExec.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = hh.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = fsiAnyCpu.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = fsi.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = eventvwr.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dnx.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = diskpart.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = DFsvc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = debug.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dbgsvc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dbghost.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = csi.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = csc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Commit.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = CmdTool.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cmd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = certutil.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cdb.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cacls.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ByteCodeGenerator.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootsect.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootim.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootcfg.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bitsadmin.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bginfo.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bcdedit.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bcdboot.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bash.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = auditpol.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = attrib.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = at.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = aspnet_compiler.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>CMD line</> <action>Exclude</> <expression>[Proc.Name = runonce.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.Hash = 9F67686B5643D7770E4A2D0397F24ECD0273B65C] [Proc.CmdLine = C:\Windows\SysWOW64\runonce.exe /Run6432] [Parent.Name = C:\Windows\Explorer.EXE] [Parent.Signer = Microsoft Windows] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>CMD line</> <action>Exclude</> <expression>[Proc.Name = rundll32.exe] [Proc.Path = C:\Windows\System32] [Proc.Hash = D4AC232D507769FFD004439C15302916A40D9831] [Proc.CmdLine = C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding] [Parent.Name = C:\Windows\system32\svchost.exe] [Parent.Signer = Microsoft Windows Publisher] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>CMD line</> <action>Exclude</> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] [Proc.Hash = 7C3D7281E1151FE4127923F4B4C3CD36438E1A12] [Proc.CmdLine = C:\Windows\System32\cmd.exe /c rmdir /s /q "R:\Sandbox\MrX\__Delete_*"] [Parent.Name = C:\Program Files\Sandboxie\Start.exe] [Parent.Signer = Invincea, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>CMD line</> <action>Exclude</> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] [Proc.Hash = 7C3D7281E1151FE4127923F4B4C3CD36438E1A12] [Proc.CmdLine = C:\Windows\system32\cmd.exe /c "C:\Intel\GfxCPLBatchFiles\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat"] [Parent.Name = C:\Windows\system32\igfxCUIService.exe] [Parent.Signer = Intel(R) pGFX] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = XYplorer.exe] [Proc.Path = P:\XYplorer] [Proc.Signer = Donald Lessau] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = XMind.exe] [Proc.Path = P:\XMind] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = WINWORD.EXE] [Proc.Path = C:\Program Files (x86)\Microsoft Office\Office16] [Proc.Signer = Microsoft Corporation] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = WinRAR.exe] [Proc.Path = C:\Program Files\WinRAR] [Proc.Signer = win.rar GmbH] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = Windows and Office Genuine ISO Verifier.exe] [Proc.Path = P:\Windows and Office Genuine ISO Verifier] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = WiFiGuard.exe] [Proc.Path = P:\WiFiGuard] [Proc.Signer = SOFTPERFECT PTY. LTD.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = VTHash.exe] [Proc.Path = C:\Program Files (x86)\Boredom Software\VT Hash Check] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = vmware.exe] [Proc.Path = C:\Program Files (x86)\VMware\VMware Workstation] [Proc.Signer = VMware, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = vmware-vmx.exe] [Proc.Path = C:\Program Files (x86)\VMware\VMware Workstation\x64] [Proc.Signer = VMware, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = vmware-usbarbitrator64.exe] [Proc.Path = C:\Program Files (x86)\Common Files\VMware\USB] [Proc.Signer = VMware, Inc.] [Parent.Name = C:\Windows\System32\services.exe] [Parent.Signer = Microsoft Windows Publisher] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = vmware-unity-helper.exe] [Proc.Path = C:\Program Files (x86)\VMware\VMware Workstation] [Proc.Signer = VMware, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = vmware-tray.exe] [Proc.Path = C:\Program Files (x86)\VMware\VMware Workstation] [Proc.Signer = VMware, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = vmware-shell-ext-thunker.exe] [Proc.Path = C:\Program Files (x86)\VMware\VMware Workstation] [Proc.Signer = VMware, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = vmware-hostd.exe] [Proc.Path = C:\Program Files (x86)\VMware\VMware Workstation] [Proc.Signer = VMware, Inc.] [Parent.Name = C:\Windows\System32\services.exe] [Parent.Signer = Microsoft Windows Publisher] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = vmware-authd.exe] [Proc.Path = C:\Program Files (x86)\VMware\VMware Workstation] [Proc.Signer = VMware, Inc.] [Parent.Name = C:\Windows\System32\services.exe] [Parent.Signer = Microsoft Windows Publisher] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = vmnat.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.Signer = VMware, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = VISIO.EXE] [Proc.Path = C:\Program Files (x86)\Microsoft Office\Office16] [Proc.Signer = Microsoft Corporation] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = VDeck.exe] [Proc.Path = C:\Program Files (x86)\VIA\VIAudioi\VDeck] [Proc.Signer = VIA Technologies Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = USBSRService.exe] [Proc.Path = C:\Program Files (x86)\USB Safely Remove] [Proc.Signer = Crystal Rich Ltd] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = USBSafelyRemove.exe] [Proc.Path = C:\Program Files (x86)\USB Safely Remove] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = UltraISOPortable.exe] [Proc.Path = P:\UltraISO] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = UltraISO.exe] [Proc.Path = P:\UltraISO\App\UltraISO] [Proc.Signer = SHENZHEN YIBO DIGITAL SYSTEMS DEVELOPMENT CO. LTD.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = tor.exe] [Proc.Path = P:\Tor Browser\Browser\TorBrowser\Tor] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = TLPD.exe] [Proc.Path = P:\Too Long Path Detector] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = SyncBackPro.exe] [Proc.Path = P:\SyncBackPro] [Proc.Signer = 2BrightSparks Pte. Ltd.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = SUMoPortable.exe] [Proc.Path = P:\SUMo] [Proc.Signer = Rare Ideas, LLC] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = SUMo.exe] [Proc.Path = P:\SUMo\App\SUMo] [Proc.Signer = KC SOFTWARES] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = SumatraPDF.exe] [Proc.Path = P:\SumatraPDF] [Proc.Signer = Krzysztof Kowalczyk] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = StartScreen.exe] [Proc.Path = C:\Program Files (x86)\StartIsBack] [Proc.Signer = Stanislav Zinukhov] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = StartIsBackCfg.exe] [Proc.Path = C:\Program Files (x86)\StartIsBack] [Proc.Signer = Stanislav Zinukhov] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = Start.exe] [Proc.Path = C:\Program Files\Sandboxie] [Proc.Signer = Invincea, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = ssd.exe] [Proc.Path = P:\SlideShare Downloader] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Deny</> <expression>[Proc.Name = software_reporter_tool.exe] [Proc.Path = C:\Users\MrX\AppData\Local\Google\Chrome\User Data\SwReporter\*] [Proc.Signer = Google Inc] [Action = Deny]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = SnapTimer.exe] [Proc.Path = P:\SnapTimer] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = SMMVSplitter_Business.exe] [Proc.Path = P:\SolveigMM Video Splitter] [Proc.Signer = Solveig Multimedia OOO] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = Slack.exe] [Proc.Path = P:\Slack\app] [Proc.Signer = Slack Technologies, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = slack.exe] [Proc.Path = P:\Slack\app\app*] [Proc.Signer = Slack Technologies, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = slack-portable.exe] [Proc.Path = P:\Slack] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = Skype.exe] [Proc.Path = P:\Skype] [Proc.Signer = Skype Software Sarl] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = simplewall.exe] [Proc.Path = P:\simplewall] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = Service.exe] [Proc.Path = C:\Program Files\Shadow Defender] [Proc.Signer = Yang Ping] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = ScreenToGif.exe] [Proc.Path = P:\ScreenToGif] [Proc.Signer = Nicke Manarin] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = SbieSvc.exe] [Proc.Path = C:\Program Files\Sandboxie] [Proc.Signer = Invincea, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = SbieSvc.exe] [Proc.Path = C:\Program Files\Sandboxie\32] [Proc.Signer = Invincea, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = SbieCtrl.exe] [Proc.Path = C:\Program Files\Sandboxie] [Proc.Signer = Invincea, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = SandboxieRpcSs.exe] [Proc.Path = C:\Program Files\Sandboxie] [Proc.Signer = Invincea, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = SandboxieDcomLaunch.exe] [Proc.Path = C:\Program Files\Sandboxie] [Proc.Signer = Invincea, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = SandboxieCrypto.exe] [Proc.Path = C:\Program Files\Sandboxie] [Proc.Signer = Invincea, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = SandboxieBITS.exe] [Proc.Path = C:\Program Files\Sandboxie] [Proc.Signer = Invincea, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = RtkNGUI64.exe] [Proc.Path = C:\Program Files\Realtek\Audio\HDA] [Proc.Signer = Realtek Semiconductor Corp.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = RegistryFinder.exe] [Proc.Path = P:\RegistryFinder] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = ramdiskws.exe] [Proc.Path = C:\Program Files\SoftPerfect RAM Disk] [Proc.Signer = SOFTPERFECT PTY. LTD.] [Parent.Name = C:\Windows\Explorer.EXE] [Parent.Signer = Microsoft Windows] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = ramdiskws.exe] [Proc.Path = C:\Program Files\SoftPerfect RAM Disk] [Proc.Signer = SOFTPERFECT PTY. LTD.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = QuiteRSS.exe] [Proc.Path = P:\QuiteRSS] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = QtWebEngineProcess.exe] [Proc.Path = C:\Program Files\Jotta] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = procexp64.exe] [Proc.Path = P:\Sysinternals\Process Explorer] [Proc.Signer = Microsoft Corporation] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = POWERPNT.EXE] [Proc.Path = C:\Program Files (x86)\Microsoft Office\Office16] [Proc.Signer = Microsoft Corporation] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = PDFXEdit.exe] [Proc.Path = P:\PDF-XChange Editor Plus] [Proc.Signer = Tracker Software Products (Canada) Ltd.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = OUTLOOK.EXE] [Proc.Path = C:\Program Files (x86)\Microsoft Office\Office16] [Proc.Signer = Microsoft Corporation] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = notepad++.exe] [Proc.Path = P:\notepad++] [Proc.Signer = Notepad++] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = NetDisabler.exe] [Proc.Path = P:\NetDisabler] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = msoia.exe] [Proc.Path = C:\Program Files\Microsoft Office\Office16] [Proc.Signer = Microsoft Corporation] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = MPC-HCPortable.exe] [Proc.Path = P:\MPC-HC] [Proc.Signer = Rare Ideas, LLC] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = mpc-hc.exe] [Proc.Path = P:\MPC-HC\App\MPC-HC] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = mpc-be64.exe] [Proc.Path = P:\MPC-BE] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = mp4Converter64.exe] [Proc.Path = P:\Pazera Free MP4 Video Converter] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = mp3DirectCut.exe] [Proc.Path = P:\mp3DirectCut] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = MediaDisc.exe] [Proc.Path = P:\BurnAware\App\BurnAware] [Proc.Signer = Burnaware] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = MD5Checksum.exe] [Proc.Path = P:\NVT MD5 Checksum Tool\x64] [Proc.Signer = NoVirusThanks Company Srl] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = MathType.exe] [Proc.Path = C:\Program Files (x86)\MathType] [Proc.Signer = Design Science Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = LMS.exe] [Proc.Path = C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS] [Proc.Signer = Intel(R) Embedded Subsystems and IP Blocks Group] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = linguist.exe] [Proc.Path = P:\QtLinguist] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = LicQueryApp.exe] [Proc.Path = C:\Program Files (x86)\AppGuard LLC\AppGuard] [Proc.Signer = AppGuard LLC] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = License.exe] [Proc.Path = C:\Program Files\Sandboxie] [Proc.Signer = Invincea, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = Jottacloud Setup Helper.exe] [Proc.Path = C:\Program Files\Jotta] [Proc.Signer = Jotta AS] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = jotta.exe] [Proc.Path = C:\Program Files\Jotta] [Proc.Signer = Jotta AS] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = jhi_service.exe] [Proc.Path = C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL] [Proc.Signer = Intel(R) Embedded Subsystems and IP Blocks Group] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = i_view64.exe] [Proc.Path = P:\IrfanView] [Proc.Signer = Irfan Skiljan] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = iResizer.exe] [Proc.Path = P:\iResizer] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = igfxtray.exe] [Proc.Path = C:\Windows\System32] [Proc.Signer = Intel Corporation - pGFX] [Proc.CmdLine = "C:\Windows\System32\igfxtray.exe"] [Parent.Name = C:\Windows\Explorer.EXE] [Parent.Signer = Microsoft Windows] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = igfxsrvc.exe] [Proc.Path = C:\Windows\System32] [Proc.Signer = Intel Corporation - pGFX] [Proc.CmdLine = "C:\Windows\system32\igfxsrvc.exe" -Embedding] [Parent.Name = C:\Windows\system32\svchost.exe] [Parent.Signer = Microsoft Windows Publisher] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = igfxpers.exe] [Proc.Path = C:\Windows\System32] [Proc.Signer = Intel Corporation - pGFX] [Proc.CmdLine = "C:\Windows\System32\igfxpers.exe"] [Parent.Name = C:\Windows\Explorer.EXE] [Parent.Signer = Microsoft Windows] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = igfxEM.exe] [Proc.Path = C:\Windows\System32] [Proc.Signer = Intel(R) pGFX] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = IDMGrHlp.exe] [Proc.Path = C:\Program Files (x86)\Internet Download Manager] [Proc.Signer = Tonec Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = IDMan.exe] [Proc.Path = C:\Program Files (x86)\Internet Download Manager] [Proc.Signer = Tonec Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = ICCProxy.exe] [Proc.Path = C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service] [Proc.Signer = Intel Corporation] [Proc.CmdLine = "C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe"] [Parent.Name = C:\Windows\System32\services.exe] [Parent.Signer = Microsoft Windows Publisher] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = IAStorIconLaunch.exe] [Proc.Path = C:\Program Files\Intel\Intel(R) Rapid Storage Technology] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = IAStorIcon.exe] [Proc.Path = C:\Program Files\Intel\Intel(R) Rapid Storage Technology] [Proc.Signer = Intel(R) Rapid Storage Technology] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = IAStorIcon.exe] [Proc.Path = C:\Program Files\Intel\Intel(R) Rapid Storage Technology] [Proc.Signer = Intel Corporation - Intel® Rapid Storage Technology] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = IAStorDataMgrSvc.exe] [Proc.Path = C:\Program Files\Intel\Intel(R) Rapid Storage Technology] [Proc.Signer = Intel(R) Rapid Storage Technology] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = IAStorDataMgrSvc.exe] [Proc.Path = C:\Program Files\Intel\Intel(R) Rapid Storage Technology] [Proc.Signer = Intel Corporation - Intel® Rapid Storage Technology] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = hkcmd.exe] [Proc.Path = C:\Windows\System32] [Proc.Signer = Intel Corporation - pGFX] [Proc.CmdLine = "C:\Windows\System32\hkcmd.exe"] [Parent.Name = C:\Windows\Explorer.EXE] [Parent.Signer = Microsoft Windows] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = HexFrame.exe] [Proc.Path = P:\Hex Editor Neo\Data\NEO] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = Hex Editor Neo.exe] [Proc.Path = P:\Hex Editor Neo] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = gpup.exe] [Proc.Path = P:\notepad++\updater] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = googleearth.exe] [Proc.Path = C:\Program Files (x86)\Google\Google Earth Pro\client] [Proc.Signer = Google Inc] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = GoogleCrashHandler64.exe] [Proc.Path = C:\Program Files (x86)\Google\Update\*] [Proc.Signer = Google Inc] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = GoogleCrashHandler.exe] [Proc.Path = C:\Program Files (x86)\Google\Update\*] [Proc.Signer = Google Inc] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Deny</> <expression>[Proc.Name = GoogleUpdateCore.exe] [Proc.Path = C:\Users\MrX\AppData\Local\Google\Update\*] [Proc.Signer = Google Inc] [Action = Deny]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Deny</> <expression>[Proc.Name = GoogleUpdate.exe] [Proc.Path = C:\Users\MrX\AppData\Local\Google\Update] [Proc.Signer = Google Inc] [Action = Deny]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Deny</> <expression>[Proc.Name = GoogleUpdate.exe] [Proc.Path = C:\Program Files (x86)\Google\Update] [Proc.Signer = Google Inc] [Action = Deny]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Deny</> <expression>[Proc.Name = GoogleUpdateSetup.exe] [Proc.Signer = Google Inc] [Action = Deny]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = FXStat.exe] [Proc.Path = C:\Program Files (x86)\Efofex\bin] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = FXGraph.exe] [Proc.Path = C:\Program Files (x86)\Efofex\bin] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = FXEquation.exe] [Proc.Path = C:\Program Files (x86)\Efofex\bin] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = FXDraw.exe] [Proc.Path = C:\Program Files (x86)\Efofex\bin] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = FSRecorder.exe] [Proc.Path = P:\FastStone Capture] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = FSCapture.exe] [Proc.Path = P:\FastStone Capture] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = FlacToMp3.exe] [Proc.Path = P:\Pazera FLAC to MP3 Converter] [Proc.Signer = Jacek Pazera] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = firefox.exe] [Proc.Path = P:\Tor Browser\Browser] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = ffmpeg.exe] [Proc.Path = P:\ShareX\ShareX\Tools] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = ffmpeg.exe] [Proc.Path = P:\Pazera Free MP4 Video Converter\tools\FFmpeg64] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = ffmpeg.exe] [Proc.Path = P:\Pazera Free Audio Extractor\tools\FFmpeg64] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = ffmpeg.exe] [Proc.Path = P:\Pazera FLAC to MP3 Converter\tools\FFmpeg] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = ffmpeg.exe] [Proc.Path = P:\Captura\FFmpeg] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = EXCEL.EXE] [Proc.Path = C:\Program Files (x86)\Microsoft Office\Office16] [Proc.Signer = Microsoft Corporation] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = Everything.exe] [Proc.Path = P:\Everything] [Proc.Signer = David Carpenter] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = EraseDisc.exe] [Proc.Path = P:\BurnAware\App\BurnAware] [Proc.Signer = Burnaware] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = die.exe] [Proc.Path = P:\Detect It Easy\stuff] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = die.exe] [Proc.Path = P:\Detect It Easy] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = DefenderDaemon.exe] [Proc.Path = C:\Program Files\Shadow Defender] [Proc.Signer = Yang Ping] [Proc.CmdLine = "C:\Program Files\Shadow Defender\DefenderDaemon.exe"] [Parent.Name = C:\Program Files\Shadow Defender\Defender.exe] [Parent.Signer = Yang Ping] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = DefenderDaemon.exe] [Proc.Path = C:\Program Files\Shadow Defender] [Proc.Signer = Yang Ping] [Parent.Name = C:\Windows\Explorer.EXE] [Parent.Signer = Microsoft Windows] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = Defender.exe] [Proc.Path = C:\Program Files\Shadow Defender] [Proc.Signer = Yang Ping] [Parent.Name = C:\Program Files\Shadow Defender\DefenderDaemon.exe] [Parent.Signer = Yang Ping] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = ConvertXtoDvd.exe] [Proc.Path = P:\ConvertXtoDVD] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = ConvertXtoDvd.exe] [Proc.Path = C:\Program Files (x86)\VSO\ConvertX\4] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = ConnectionsViewer.exe] [Proc.Path = C:\Program Files\NoVirusThanks\Connections Viewer] [Proc.Signer = NoVirusThanks Company Srl] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = chrome.exe] [Proc.Path = C:\Program Files (x86)\Google\Chrome\Application] [Proc.Signer = Google Inc] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = CheckFolder.exe] [Proc.Path = P:\CheckFolder] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = Captura.exe] [Proc.Path = P:\Captura] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = bvckup2.exe] [Proc.Path = P:\Bvckup 2] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = BurnAwarePortable.exe] [Proc.Path = P:\BurnAware] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = BurnAware.exe] [Proc.Path = P:\BurnAware\App\BurnAware] [Proc.Signer = Burnaware] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = Bongiovi DPS.exe] [Proc.Path = C:\Program Files\Bongiovi Acoustics\Bongiovi DPS] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = avidemux.exe] [Proc.Path = P:\Avidemux] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = Autoruns64.exe] [Proc.Path = P:\Sysinternals\Autoruns] [Proc.Signer = Microsoft Corporation] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = AudioExtractor64.exe] [Proc.Path = P:\Pazera Free Audio Extractor] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = AppGuardGUI.exe] [Proc.Path = C:\Program Files (x86)\AppGuard LLC\AppGuard] [Proc.Signer = AppGuard LLC] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = AntDM.exe] [Proc.Path = C:\Program Files (x86)\Ant Download Manager] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = 7zG.exe] [Proc.Path = C:\Program Files\7-Zip] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = 7zFM.exe] [Proc.Path = C:\Program Files\7-Zip] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = 4kvideodownloader.exe] [Proc.Path = P:\4kvideodownloader] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Exclude</> <expression>[Proc.Name = µTorrent.exe] [Proc.Path = P:\µTorrent] [Proc.Signer = BitTorrent Inc] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Trusted</> <action>Deny</> <expression>[Proc.Name = *.exe] [Proc.Path = C:\Users\MrX\AppData\Local\Temp\ChromeCleaner*] [Proc.Signer = Google Inc] [Action = Deny]</> <enabled>1</> <comment></>
    

    MrX-PC (just fine):
    https://i.imgur.com/wbXmiPk.png

    MrX-PC2 (not fine):
    https://i.imgur.com/VY2aPjP.png
     
  3. guest

    guest Guest

    Sort order: "Added".
    ERP sorts by the time at which rules were added to your rule database.
    There only needs to be a tiny delay while ERP is importing rules (and is adding them to the database) and rules now appear later in the rules list.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,811
    Location:
    .
    @mood

    I exported the rules from MrX-PC to Rules.xml file and manually in notepad++ arranged/sorted as you can see above.
    Next I deleted all rules in the same machine's ERP and re-imported them: Rules look fine.
    Finally I deleted all rules in MrX-PC2 ERP and re-imported them: Rules not looking fine like in first machine.

    I've repeated above procedure in MrX-PC2 in various ways but restarting the machine, reinstalling ERP, deleting registry entries, etc. It just doesn't work.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    That is odd. Good catch though if it's something that persists. I also run Windows 8.1 x64 so this is of interest.

    A lot of things happened after I did an import of your rules (mentioned earlier back) which after they merged into my existing rules a couple of times my explorer went into a loop of sorts-I waited and waited but I think it was just a glitch. With Process Hacker running dllhost.exe kept populating the process list while waiting for explorer to RESTART but it got hung up and I eventually resorted to a hard reset to free up all the memory and start anew.

    It was what I noticed as something unusual but it ironed itself out and it hasn't happened again since.

    BUT, if there is some clash or hang up going on with the deletions-reimport of rules then perhaps we'll get the answers you need as to why that's occurred like it has with you on MrX-PC2.

    @Mr.X- Your annotation is a work of fine art. Spells it out nicely. Should prove helpful for Andreas to address or review for rework. Nice. :thumb:
     
    Last edited: Sep 24, 2018
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,811
    Location:
    .
    Thank you mate.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for making mention. I have not tried that lately (this version) but will now.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Can someone offer a solution to this?

    When Gmail is left open awhile the googletalk plugin apparently retries to start every x minutes. It's safe and ok but the problem is simply I always allow ERP to ASK so I can directly look at it and then I press INSTALL. It loads but apparently google feels it necessary to telemetry it but restarting it every so often.

    As such, when away from the machine for awhile the ERP Alerts stack up and I end up having to reply with INSTALL several times before it shuts up and goes away.

    I seriously don't know how to address this and it most certainly isn't ERP's fault, however ERP recognizes another duplicate googletalk plugin process has engaged again and rightly so ERP holds it, and the others as it retries every so many minutes.

    I do not want to set it to Exclude at all so is there some other alternative I can try with the rules? If this is more a Gmail issue I accept that, I was just wanting some assurance just in case there could be an entry made in the rules to keep those alerts from stacking up when I'm away and having to click multiple times to satisfy them all.

    There's no cause for alarm, just another annoyance but not on ERP's end.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Will do the next time I go into it again. It got to be annoying and in all honesty it's really quite safe I suppose to exclude it and that would solve any more alerts. However I found it intriguing that if those Alerts stack up in a queue of sorts, what's to say the same doesn't happen with other Events. As in one after another after another and so on etc.

    BUT I've also since found one thing overlooked that might just resolve this which went completely overlooked.

    In the Settings tab, missing is the ticking of the box (Duh Me) under the Idle Action - Perform an action after N minutes of inactivity:

    Feel like a schmuck but I bet this will address that annoyance fully. Will try that and check back if no joy.
     
  10. guest

    guest Guest

    @novirusthanks
    Small issue: While shutting down the system, the service of ERP (ERPSvc.exe) seems to re-launch EXERadar.exe (~20-30 process creations (& terminations) in a row)
    Addition: OS Armor is affected in the same way (OSArmorDevSvc.exe wants to launch OSArmorDevUI.exe while logging out)
    ----
    After initiating a shutdown and while the logout screen is displayed there is a noticeable delay.
    And after looking into logfiles of Processlogger Service I can see that the service of ERP wants to relaunch EXERadar.exe.
    But because the system is shutting down, the process cannot launch "Exit Status: 0xC000026B"
    It doesn't seem to bother ERP and it wants to launch it again, and again ... :cautious:

    Details (Excerpt):
    Code:
    ERP
    20-30x in a row:
    [Process Creation]
    Process: [7388] C:\Program Files\NoVirusThanks\EXERadarPro\RadarPro.exe
    CommandLine: "C:\Program Files\NoVirusThanks\EXERadarPro\RadarPro.exe" /nogui
    Parent: [3100] C:\Program Files\NoVirusThanks\EXERadarPro\ERPSvc.exe
    
    [Process Termination]
    Process: [7388] C:\Program Files\NoVirusThanks\EXERadarPro\RadarPro.exe
    Uptime: ~00:00:00
    Exit Status: 0xC000026B
    
    OS Armor
    20-30x in a row:
    [Process Creation]
    Process: [9500] C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevUI.exe
    CommandLine: "C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevUI.exe"
    Parent: [3120] C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevSvc.exe
    
    [Process Termination]
    Process: [9500] C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevUI.exe
    Uptime: ~00:00:00
    Exit Status: 0xC000026B
    
    While reviewing logfiles it seems to have been happening for several months.
    The very first time it occurred:
    OS Armor - 2018-04-12 (OSArmorDevUI.exe) - (MD5 Hash: 973415754605BC3EB0BD35939F66DF4D)
    ERP - 2018-07-23 (RadarPro.exe) - (MD5 Hash: 13FBCDF7BF95D89A567890E1ABA6A799)

    I don't know what exact version was installed at these times but the date and the MD5 Hash might give an indicator (the issue happens with all later installed versions too)

    A possible mitigation would be if the service checks for a process error initialization code while the user is being logged off. And if the service encounters the error code, it doesn't try to re-launch the process. Or something similar...
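The loop reported in the post above can be picked out of a process log mechanically. The following is an added example, not part of the original post and not NoVirusThanks code: it parses records in the layout of the excerpt, reports any parent/child pair whose child was started repeatedly and exited each time with 0xC000026B (the NTSTATUS value STATUS_DLL_INIT_FAILED_LOGOFF), and simulates the proposed guard. The sample log, its PIDs and the `C:\Example` paths are constructed.

```python
import re
from collections import Counter

# Exit status shown in the excerpt; its NTSTATUS name is STATUS_DLL_INIT_FAILED_LOGOFF.
STATUS_DLL_INIT_FAILED_LOGOFF = 0xC000026B

ERP_UI = r"C:\Program Files\NoVirusThanks\EXERadarPro\RadarPro.exe"
ERP_SVC = r"C:\Program Files\NoVirusThanks\EXERadarPro\ERPSvc.exe"


def _record(pid, child, ppid, parent, status):
    """Build one creation/termination pair in the layout of the excerpt."""
    return (f"[Process Creation]\nProcess: [{pid}] {child}\n"
            f'CommandLine: "{child}"\nParent: [{ppid}] {parent}\n\n'
            f"[Process Termination]\nProcess: [{pid}] {child}\n"
            f"Uptime: ~00:00:00\nExit Status: 0x{status:08X}\n\n")


# Constructed sample: four failed relaunches at logoff plus one unrelated clean exit.
SAMPLE_LOG = "ERP\n" + "".join(
    _record(pid, ERP_UI, 3100, ERP_SVC, STATUS_DLL_INIT_FAILED_LOGOFF)
    for pid in (7388, 7392, 7396, 7400)
) + _record(5000, r"C:\Example\tool.exe", 4000, r"C:\Example\launcher.exe", 0)

_PROC = re.compile(r"^(Process|Parent): \[(\d+)\] (.+)$")


def parse_events(text):
    """Return one dict per [Process Creation] / [Process Termination] block."""
    events, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line in ("[Process Creation]", "[Process Termination]"):
            cur = {"type": line.strip("[]").split()[1].lower()}
            events.append(cur)
        elif cur is None or not line:
            continue  # free text before the first block, or a separator line
        elif (m := _PROC.match(line)):
            key = m.group(1).lower()          # "process" or "parent"
            cur[key + "_pid"] = int(m.group(2))
            cur[key] = m.group(3)
        elif line.startswith("Exit Status:"):
            cur["exit_status"] = int(line.split(":", 1)[1].strip(), 16)
    return events


def find_relaunch_loops(events, min_repeats=3):
    """Map (parent image, child image) -> longest run of consecutive launches
    that each ended with 0xC000026B, for runs of at least min_repeats."""
    parent_of = {}       # (pid, image) of a started child -> parent image
    streak = Counter()   # current run of logoff failures per pair
    worst = Counter()    # longest run seen per pair
    for ev in events:
        key = (ev.get("process_pid"), ev.get("process"))
        if ev["type"] == "creation":
            parent_of[key] = ev.get("parent")
        elif key in parent_of:                 # termination of a child we saw start
            pair = (parent_of.pop(key), ev["process"])
            if ev.get("exit_status") == STATUS_DLL_INIT_FAILED_LOGOFF:
                streak[pair] += 1
                worst[pair] = max(worst[pair], streak[pair])
            else:
                streak[pair] = 0
    return {pair: n for pair, n in worst.items() if n >= min_repeats}


def count_launches(exit_statuses, stop_on_logoff_failure):
    """Simulate a watchdog that restarts its child after every exit. With the
    guard on, the first 0xC000026B exit ends the restart loop."""
    launches = 0
    for status in exit_statuses:
        launches += 1
        if stop_on_logoff_failure and status == STATUS_DLL_INIT_FAILED_LOGOFF:
            break
    return launches


if __name__ == "__main__":
    for (parent, child), n in find_relaunch_loops(parse_events(SAMPLE_LOG)).items():
        print(f"{parent} relaunched {child} {n}x, each exit 0xC000026B")
```
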
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Master sleuthing!
     
  12. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Not familiar with the googletalk plugin, but I assume it launches other processes, hence you choosing Install instead of just Allowing it ?

    If ERP detects another process launch which has same path and hash (and possibly other identifiers, if needed), ERP could be modified to compare with all previous pending alerts, and group them together. Then, instead of showing multiple alerts, it could show a single alert with the number of times this process has been launched (and maybe some other clear visual indicator that this alert (and corresponding user response) applies to multiple launch attempts).
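A sketch of the grouping proposed in the post above, as an added example that is not part of the original post and not ERP code. Pending alerts are keyed on path and hash together, so a binary replaced at the same path still gets its own dialog; the class names, paths and hash values are hypothetical and constructed.

```python
from dataclasses import dataclass, field


@dataclass
class PendingAlert:
    path: str
    sha1: str
    launches: list = field(default_factory=list)  # held launch attempts, oldest first


class AlertQueue:
    """Coalesces held launches so one dialog answers every identical attempt."""

    def __init__(self):
        self._pending = {}  # (case-folded path, sha1) -> PendingAlert, insertion ordered

    @staticmethod
    def _key(path, sha1):
        # Windows paths are case-insensitive; the hash ties the alert to file content.
        return (path.casefold(), sha1.lower())

    def on_launch(self, launch_id, path, sha1):
        """Record a held launch. Returns True when a new dialog is needed,
        False when an existing dialog only needs its counter bumped."""
        key = self._key(path, sha1)
        alert = self._pending.get(key)
        is_new = alert is None
        if is_new:
            alert = self._pending[key] = PendingAlert(path, sha1.lower())
        alert.launches.append(launch_id)
        return is_new

    def dialogs(self):
        """What the user would see: one (path, sha1, attempt count) per dialog."""
        return [(a.path, a.sha1, len(a.launches)) for a in self._pending.values()]

    def respond(self, path, sha1, decision):
        """Apply one user decision to every launch grouped under that dialog."""
        alert = self._pending.pop(self._key(path, sha1))
        return {launch_id: decision for launch_id in alert.launches}


# Constructed sample values.
PLUGIN = r"C:\Example\plugin.exe"
HASH_A = "aa" * 20   # stands in for the SHA1 of the original file
HASH_B = "bb" * 20   # same path, different content


def demo():
    q = AlertQueue()
    shown = [
        q.on_launch(1, PLUGIN, HASH_A),
        q.on_launch(2, PLUGIN.upper(), HASH_A),  # same file, different path casing
        q.on_launch(3, PLUGIN, HASH_A),
        q.on_launch(4, PLUGIN, HASH_B),          # replaced binary: must not be grouped
    ]
    before = q.dialogs()
    applied = q.respond(PLUGIN, HASH_A, "allow")
    return shown, before, applied, q.dialogs()


if __name__ == "__main__":
    print(demo())
```
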
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Yeah, I know. I already do this on a routine basis. Install allows for no more Alerts. What I haven't quite gotten around to yet is tracing the Primary (parent) Secondary (child) process chain looking to the Events List to either Exclude or simply go the Idle Action route.

    Although I rarely ever use googletalk plugin anymore, it is an integral part of Gmail for me that I do keep on hand and don't mind it loading but lately it's been like on a timer repeat if ignored. Just an annoyance and one I will get around to getting to the bottom of it eventually.

    ERP 4 will help in resolving this.
     
  14. guest

    guest Guest

    Confirmed.
    I guess it has something to do with the notification window disappearing after ERP has been minimized.
    a) ERP main window is displayed on the screen
    b) A process has been blocked
    c) Notification window is displayed
    d) ERP main window is closed
    e) = the notification window disappears too :oops:
    f) doubleclick on the trayicon = ERP window is displayed again and the notification window
    = A click on "Close All" does nothing.
    Without step d)-f) it works.

    @novirusthanks
    I propose that the notification window shouldn't disappear if ERP has been minimized.
    It seems that they are "bound together" somehow.
    Addition: I found more:
    a) Alert dialog is displayed on the screen
    b) the user doubleclicks the ERP trayicon, and the main ERP window appears
    c) the alert dialog "looks different", only Name & Path & File Information & SHA1 is displayed now (as if the user has clicked on 'Less' in the alert dialog - but the user actually hasn't clicked it)
    d) if the main window of ERP is closed now, the alert dialog disappears too
    = This might lead to a scenario where the user has minimized the ERP window while the alert dialog has been displayed and is now wondering why processes cannot be launched (because the alert dialog has disappeared too, and the user is simply not aware of it anymore)
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Confirmed!!

    Nice one guys
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Guys, I still haven't been able to figure out how to allow only certain parent processes to launch certain child processes. For example, is it possible to give start.exe (from Sandboxie) the ability to launch any .exe file without seeing any alerts from ERP?
     
  17. guest

    guest Guest

    Exclude rule.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    A bit more instructions please. :D
     
  19. guest

    guest Guest

    When you create a rule, you can set it to allow/block/exclude.
    So basically, if you want the rule to be ignored, set it to exclude.

    Note: by just setting Sbie's container on a non-system partition, you avoid a lot of trouble.
     
  20. guest

    guest Guest

    This works if a process is launched via "Run Sandboxed" (the process is launched via start.exe [it is the parent process]) and if there is an exclusion rule for start.exe.
    RadarPro_exclusion-start.exe.png
    = Launching of vulnerable processes or unknown processes will be without alert (blocked processes will be allowed to launch too)

    But after a sandboxed process has been launched, subsequent launches of vulnerable processes or unknown processes within the sandbox will be not without alert because the parent process isn't start.exe anymore.
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I ran into the same problem a while back. I used the instruction given to me by Andreas in this thread, but could not get it to work. I think I was using Allow rules instead of Exclude though like guest suggested.

    I believe Andreas needs to give a detailed explanation on how it is supposed to be done, and an example to go by. An example would be a huge help!
     
  22. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    There should be parent-parent, just parent is not enough. So, like imagine, start.exe launches a sandboxed process, sandboxed process launches another process, now that another process' parent will be the sandboxed process, not start.exe, so it will alert, and if that another process launches its own process, again alert. So, there should be "Oldest Parent" who is the parent of all parents, and every process started in the chain below is automatically allowed
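The difference between a direct-parent exclusion and the "Oldest Parent" idea in the post above, as an added example that is not part of the original post and not ERP's rule engine. The tracker decides inheritance at process creation, because Windows keeps only the creator's PID for a process and that PID can be reused after the creator exits. The Sandboxie install path and all `C:\Example` images are assumptions. Anything started inside an inherited tree runs without a prompt, so the first child is the decision that matters.

```python
# Assumed install path for Sandboxie's Start.exe; the thread does not give one.
START = r"C:\Program Files\Sandboxie\Start.exe"


class ProcessTree:
    """Tracks, per live PID, whether the process is or descends from a trusted root."""

    def __init__(self, trusted_roots):
        self._roots = {p.casefold() for p in trusted_roots}  # full paths, not names
        self._image = {}    # live pid -> image path
        self._in_tree = {}  # live pid -> True if it is a root or descends from one

    def on_create(self, pid, ppid, image):
        """Evaluate both rule styles for a new process, then record it."""
        parent_image = self._image.get(ppid, "")
        direct = parent_image.casefold() in self._roots   # "parent is Start.exe"
        inherited = self._in_tree.get(ppid, False)        # "any ancestor is Start.exe"
        self._image[pid] = image
        self._in_tree[pid] = inherited or image.casefold() in self._roots
        return {"parent_rule": direct, "ancestor_rule": inherited}

    def on_exit(self, pid):
        # Forget the PID so a later, unrelated process reusing it inherits nothing.
        self._image.pop(pid, None)
        self._in_tree.pop(pid, None)


# Constructed event stream: ("create", pid, ppid, image) or ("exit", pid).
EVENTS = [
    ("create", 100, 4, r"C:\Windows\explorer.exe"),
    ("create", 200, 100, START),
    ("create", 300, 200, r"C:\Example\browser.exe"),      # child of Start.exe
    ("exit", 200),                                        # Start.exe exits
    ("create", 400, 300, r"C:\Example\helper.exe"),       # grandchild
    ("create", 200, 100, r"C:\Example\unrelated.exe"),    # PID 200 reused
    ("create", 500, 200, r"C:\Example\child.exe"),        # must not inherit
    ("create", 600, 100, r"C:\Users\Public\Start.exe"),   # same name, other path
    ("create", 700, 600, r"C:\Example\dropped.exe"),
]


def replay(events, trusted_roots=(START,)):
    """Return {image: {"parent_rule": bool, "ancestor_rule": bool}} per creation."""
    tree, out = ProcessTree(trusted_roots), {}
    for ev in events:
        if ev[0] == "create":
            _, pid, ppid, image = ev
            out[image] = tree.on_create(pid, ppid, image)
        else:
            tree.on_exit(ev[1])
    return out


if __name__ == "__main__":
    for image, verdict in replay(EVENTS).items():
        print(f"{image:32} {verdict}")
```
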
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Agree.

    I don't know how most guys or gals do it or what the intent is per running sandboxed apps-but once I launch Start.exe from Sandboxie and/or any other Sandboxie process, I come to expect the ERP alerts which follow, which also offers something of a nice tracking flow to either confirm where the now sandboxed process goes or does next. Sort of a navigator tracker.

    Not sure I quite understand where ERP becomes of any real concern (even to its subsequent Alerts) since it's advanced enough as it picks up after Start.exe and then as expected the next Parent process is picked up and tallied in the Events Log as well as acted on by ERP itself via Alert.

    Maybe I'm not exactly following where the concern is regarding parent-child/parent-parent etc. as mentioned or suggested.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    If the user decides that the child process launched by the vulnerable app is safe then all other processes launched from that point on should be safe unless the user made a mistake, and allowed a malicious process to be launched by the vulnerable app. The most important process will be the first child launched by the vulnerable parent.

    I can see how all those additional prompts due to the parent process changing can be annoying though. I'm not sure if NVT has coded a way around that or not.

    Edit: 10-3-18 @2:21
    I forgot to mention that processes are still considered child processes by the original parent in the chain from that point on even after being spawned by another parent. If I remember correctly (Linux class some time ago) the OS labels them child, grandchild, great grandchild, etc.. I remember reading something about forking.

    That was my understanding at the time I was reading about it unless that is just a label we use for the purpose of avoiding confusion when discussing process trees.
     
    Last edited: Oct 3, 2018
  25. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    FYI for those who have or plan to update to Windows 10 version 1809...
    After upgrading to Windows 10 version 1809 last night, I noticed that NVTERP was not giving me any alerts. My rules and settings had carried over with the upgrade and were correct. However, on the NVTERP GUI "Home" tab, the "Processes Analyzed" count remained at zero. The "Events" tab was empty as were the log files.
    I thought that the windows upgrade had probably broken something and that a simple uninstall and reinstall of NVTERP would more than likely fix the issue. However, after doing an uninstall which included manually removing any leftovers, rebooting, and then a fresh install, the issue is still present.
    It seems that the Windows 10 upgrade to version 1809 has broken NVTERP (at least on my machine)...
    Is anyone else that upgraded also seeing this?
     
    Last edited: Oct 3, 2018