Anti Exes

Discussion in 'other anti-malware software' started by DX2, Mar 1, 2013.

Thread Status:
Not open for further replies.
  1. DX2

    DX2 Guest

    Has anyone tested AppGuard or NoVirusThanks and had a virus get past them? Just wondering. If this is already posted, feel free to close.
     
  2. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    You have to manually tweak NVT ERP in order to become "bulletproof" against exploits.
More settings will be introduced in v2.7.3, which is expected to be released in the next few days...
    Yet, there will still be some popups, even if you put it in Lockdown mode.
     
    Last edited: Mar 1, 2013
  3. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Siketa
    What did you "tweak" to increase your exploit protection?
     
  4. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
In v2.7.3 there is a new tab/functionality that enables an alert for each process that is run by msiexec.exe, rundll32.exe, regsvr32.exe, wscript.exe, etc. (you can enter the executables that you want from the System32 folder).
If you know that the child process is safe, you can select "Whitelist commandline" in the popup alert and you will get no popups in the future (take MBAM for example).
     
  5. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Oh ok. That's in the newest version coming out. I thought that I had missed something in the current version. Thanks.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi DX2

I am using Appguard along with ERP, and also Sandboxie. It is rock solid as far as I am concerned.

    I haven't run any AV's or AS's type software, nor have I done any Windows updates in 2 years.

    Recently out of curiosity, I completely scanned all 4 of my machines with two different scanners. Not one hit.

    Pete
     
  7. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    :thumb:
     
  8. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Darn. Appguard, ERP and sandboxie. I'm surprised anything runs with that much default/deny running.
     
  9. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    :argh: :thumb:
     
  10. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
Is the free version of Exe Radar Pro soon going to be abandoned?
     
  11. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    That's what we've heard as a possibility from the Dev. Nothing set in stone, yet.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    1. Sandboxie only lets run in the sandbox what is needed. Why run more?

    2. Appguard basically lets everything valid run. Just guards the system area, and yes does prevent stuff from running where there shouldn't be anything running.

    3. ERP lets every legit program on my system run, except stuff I deliberately block, which I do like.

    Right now I have just the browser and a movie running.

    The machine has 95 processes running. Not using any business software right now.

    Where is the problem?

    Pete
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can you explain more?

    What you've described seems a bit dangerous. What if an exploit attempts to load a malicious DLL using rundll32.exe? You will get no alert?

    Or would that be covered under "child process?"


    thanks,


    ----
    rich
     
  14. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    Each parent commandline string is unique.
    ERP will alert you every time you run a child process.
    If you are sure it is safe and not malware, you can avoid future popups for that specific process by whitelisting its commandline.
     
    Last edited: Mar 1, 2013
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    704
    Location:
    Italy
    @Rmus

ERP has a new option that consists in creating a list (the so-called AlertList) of "sensitive" system processes, for example cmd.exe, regsvr32.exe, rundll32.exe, etc.; they are all processes that may be used by malicious software to load malicious PE files. All processes present in this list, when executed, will always generate the alert-dialog, which allows the user to allow/block/etc. the execution. There is also an option "Whitelist Commandline" that can be used to whitelist only the commandline string, for example "rundll32.exe /load C:\Program Files\Test\Safe.dll", so the user will not receive any further alert related to that commandline string, but will always receive alerts for unknown commandline strings executed by the "sensitive" system processes present in the AlertList.
     
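The AlertList / "Whitelist Commandline" behaviour described in the post above, modelled as an added example that is not part of this thread or of NoVirusThanks' own code; the policy class, its method names, the sample AlertList and the sample command lines are assumptions.

```python
# Added example (not ERP's code): toy model of an AlertList of "sensitive"
# system processes whose execution always alerts, plus a whitelist of exact
# commandline strings that suppress the alert for one known-safe invocation.
import ntpath

# Constructed sample AlertList, taken from the processes named in the thread.
ALERT_LIST = {"cmd.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe", "wscript.exe"}


def normalize(cmdline: str) -> str:
    """Collapse whitespace and case so the same command compares equal.

    Windows paths and image names are case-insensitive, so the whitelist
    must be too; nothing else is rewritten, so a different DLL path, switch
    or argument order is still an unknown commandline and still alerts.
    """
    return " ".join(cmdline.split()).lower()


class CommandlinePolicy:
    def __init__(self, alert_list=ALERT_LIST):
        self.alert_list = {p.lower() for p in alert_list}
        self.whitelist: set[str] = set()  # exact normalized commandline strings

    def whitelist_commandline(self, cmdline: str) -> None:
        """What choosing 'Whitelist Commandline' in the alert-dialog records."""
        self.whitelist.add(normalize(cmdline))

    def evaluate(self, image_path: str, cmdline: str) -> str:
        """Return 'not-sensitive', 'allow' (whitelisted) or 'alert'."""
        image = ntpath.basename(image_path).lower()
        if image not in self.alert_list:
            return "not-sensitive"  # ordinary process: handled by normal ERP rules
        if normalize(cmdline) in self.whitelist:
            return "allow"          # this exact commandline was approved before
        return "alert"              # sensitive process with an unknown commandline
```

The third case is the one the developer stresses: once "rundll32.exe /load ...\Safe.dll" is whitelisted, the same rundll32.exe loading any other DLL still raises the alert-dialog.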
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for the explanation!

    Regards,


    ----
    rich
     
  17. DX2

    DX2 Guest

I just use NoVirusThanks and Windows 7 FW, with some on-demand scanners. I don't have Java installed. Just seeing if anyone had a virus bypass their Anti Exe setup.
     
  18. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
I am not surprised, as that's like trying to break through a brick wall just to find tungsten steel behind it.:p
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    ROFL. But it's light weight, no scanning, and best of all, It Works!!!

    Pete
     
  20. DX2

    DX2 Guest

    Not to sound noobish, but what is ERP?
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    EPIC! :thumb:
     
  22. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,804
  23. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
I never had to clean malware with sandbox or Appguard, but since my wife and kids can't wrap their heads around it, I had to resort to a simplistic Antivirus and let the automatic transmission work, since none can drive stick shift other than me.:blink: God forbid I put ERP on; all executables would be allowed. Trying to teach them is like trying to teach a hamster to stop running on his wheel at night when I am trying to sleep.
     
    Last edited: Mar 1, 2013
  24. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    No problem. Just joking around. :cautious:
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Likewise I was kidding about the problem part, but the setup sure does work.
     