AppDefend and Ask User?

I know this is a really technical question which might have different resualts, but I want to compare them.

Which programs specifically and\or windows components should be handled with allow once option instead of allways allow to minimize threats? Knowing that the program wont run until allow once is pressed each and every time repeatedly and may become annoying for some users. This is in reguards to execution only as for the program needs that first in order to go down the protected list.

dja2k

 

Hi, I can think of two, rundll32.exe & svchost.exe. In AppDefend I would normally have the allow once / ask user. By doing this each instance of a program installing using each of these will create a specific rule for that app only.
I am sure others will also add to this basic information

Pilli
__________________

 

Thanks, I followed your advice on those two and have done the changes. Just to be right, the rundll32.exe that you first allow is the one with cmd line windows\system32\rundll32, then you say you put ask user \ allow under execution ?

Same with svchost cmd line windows\system32\svchost.exe?

Off topic in reguards to my first post, but I have explorer.exe blocked always to do process modification, is that safe ? I noticed that most of the time, explorer.exe tries to modify some programs, but if I block it, they still work.

dja2k

 

Yes, you will find that the AD list will aquire various unique command lines for bothe rundll32 and svchosts

This may not always be advisable as Windows explorer is a fundamental element of the OS, treat with care, as you have noticed no down side on your machine it may be OK but beware,

Pilli

 

Yes I have noticed the various cmd line names. And about explorer.exe, well I will allow them instead. Any others that may come to you as you keep using appdefend, post please.

dja2k

 

I see others using allow once ask user for regsvr32.exe, services.exe, regedit.exe, and regedt32.exe. Anyone know if these are advisable?

dja2k

 

Hi dja2k.

My full list of permit once appz is-

c:\windows\hh.exe
c:\windows\regedit.exe
c:\windows\winhlp32.exe
c:\windows\system32\cmd.exe
c:\windows\system32\cscript.exe
c:\windows\system32\ftp.exe
c:\windows\system32\ipconfig.exe
c:\windows\system32\javaw.exe
c:\windows\system32\mshta.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\net.exe
c:\windows\system32\net1.exe
c:\windows\system32\netsh.exe
c:\windows\system32\ntvdm.exe
c:\windows\system32\regsvr32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\services.exe
c:\windows\system32\tftp.exe
c:\windows\system32\winhlp32.exe
c:\windows\system32\wscript.exe
c:\windows\system32\wbem\wmiadap.exe

The list i have carried over from Process Guard,but AD remembers cmd lines used and stores them with the app info (not all appz though),the two main ones are rundll32 and svchost,i have list of 12 entries for rundll32,and 4 for svchost,each with a differant cmd line.
The list is pretty extensive,and you probably don't need all of them. I would say the most important ones would be -

c:\windows\regedit.exe
c:\windows\system32\cmd.exe
c:\windows\system32\cscript.exe
c:\windows\system32\javaw.exe
c:\windows\system32\regsvr32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\services.exe
c:\windows\system32\wscript.exe

Hopefully someone else can verify the short list.

 

I did have some of those but had to verify, but once again Thanks, Tonyjl

dja2k

 

What is your opinion on explorer.exe? I have noticed the access physical memory thing a lot even when I am just clicking on a avi file to be played. Should physical memory be allowed?

dja2k

 

This issue of "a lot" of physical memory alerts should be fixed in the newest beta. It has to do with your graphics card drivers (not that there is anything wrong with what its doing...) and the way they work at the lowest level.

 

Okay thanks Jason for the update... will be waiting for the new release.

dja2k