...looking for an alternative!

Discussion in 'other software & services' started by marzametal, May 13, 2016.

  1. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    So... in a bit of a pickle; nothing major, just irritating... looking for a program that (there is criteria to consider... *sighs*):
    • notifies me if certain executables are called (similar to how ERP and SS provide notifications)
    • its settings are carried over from Administrator Account to Standard/Limited User Account
    • no DNS callouts to Microsoft
    Secure Folders, XOSLAB Easy File Locker and Gilisoft EXE Lock are already used; each has a specific purpose.

    You may be thinking, "hang on, you know of these apps already!?". Yes, but...
    • NVT ERP - settings do not respect Standard/Limited User Account (in virtual machine they do)
    • SpyShelter - have licence, but settings do not respect Standard/Limited User Account
    • AppGuard - have licence, but not interested in DNS callouts to Microsoft
    • Pumpernickel/MemProtect - not interested in DNS callouts to Microsoft

    Here is the list of remaining files I would like to address...
    C:\Windows\System32\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\System32\regsvr32.exe
    C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\System32\dllhost.exe
    C:\Windows\SysWOW64\dllhost.exe
    C:\Windows\System32\conhost.exe
    C:\Windows\System32\mmc.exe
    C:\Windows\SysWOW64\mmc.exe
    C:\Windows\System32\ipconfig.exe
    C:\Windows\SysWOW64\ipconfig.exe
    C:\Windows\System32\net.exe
    C:\Windows\SysWOW64\net.exe
    C:\Windows\System32\netsh.exe
    C:\Windows\SysWOW64\netsh.exe
    C:\Windows\System32\ARP.EXE
    C:\Windows\SysWOW64\ARP.EXE
    C:\Windows\System32\at.exe
    C:\Windows\SysWOW64\at.exe
    C:\Windows\System32\sc.exe
    C:\Windows\SysWOW64\sc.exe

    Any ideas? Thanks in advance...
     
  2. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    870
    How does it "call Microsoft"? The driver itself isn't able to connect to the internet.
    Or are you using the following executables:
    MemProtectSignalCheck.exe / PumpernickelSignalCheck.exe?
    Because they can do it.
     
  3. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    It isn't really Pumpernickel & MemProtect doing it... it is the KB update required for certificate checks that causes the callouts (crl.xxxxxx and/or ctl.xxxxxxx). I think W7HP can't fully shut off the certificate checks, so stuck I am... even after making changes to the HP version of Group Policy (Certificate Path Validation Settings).
     
  4. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    870
  5. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    I've got those and a hell of a lot more in a custom HOSTS file, generated by Acrylic DNS Proxy... so the callouts go to 127.0.0.1, which Acrylic automatically binds to 0.0.0.0
    So essentially, nothing is really being transmitted outdoors; just annoying to see the entries pop up in the Hit Log.
     
  6. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    I stumbled across this while browsing on MT in a thread about disabling Windows Services. Although small, and sorta' not mature... it still does the trick. So far I have populated it with system and non-system exe and com files; am yet to try dll.

    Relatively easy to use, drag n drop files into the GUI, click the purple tick to finalise the list. Each entry has a tick box, untick and click purple tick to finalise, then tick and click purple tick when finished with unblocked files. One good thing about this app that others similars don't cater to is the "one filename fits all" rule. Example, 4 entries for dllhost.exe; 2 in WINSXS, 1 in SYSTEM32 and 1 in SYSWOW64. With RB, dragging any entry into the GUI blocks all 4 :)

    It won't accept conhost.exe; Explorer can't find it but 3rd party search programs can, so had to push this block back to Secure Folders. Also, if conhost is blocked, RB cannot finalise list. A little nasty I found out the hard way (was scratching my head... thinking, wth is this error) hahahaha

    Little example of how files look like when entered...
    runblocker.jpg
     
  7. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    870
    Nice little tool. I'm gonna test it in a VM.
    I think the resource usage isn't high with that tiny executable.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Are ARP.exe, at.exe and sc.exe risks? Are they used by malware ITW?
     
  9. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    I'm just going off of the 3 websites that talked about vulnerable processes. I think @hjlbx mentioned them initially.

    Although it isn't a critical process, ARP.exe is responsible mapping IP addresses to MAC addresses. It also has the ability to display, add and delete network interfaces, and it could be used in conjunction with tools responsible for ARP poisoning and ARP spoofing (pretend to be the computer you are communicating with, essentially a MitM sorta' thing...). ARP, most likely isn't the first cab off the rank to target, and usually isn't in the top section of the exe list to exploit... but hey, it still is possible.

    In regards to ITW, your imagination is as good as mine. Routers & Network Interface Cards spit out and swallow ARP requests on a regular basis. They can be switched off/lowered to Gratuitous ARP which removes most of the repeat requests (once a request has been acknowledged and response received, no calls for a while)... but it can't be fully shut off, don't quote me on this... just running off what I have seen in Wireshark while mucking around with settings.

    In regards to sc.exe, this one is more of an after-thought than anything else. It's once they are inside, that they can wreak havoc.. if that makes sense? I guess the same applies for at.exe?

    I tend to go all out on this stuff, hence blocking/restricting a lot of processes isn't new to me.
     
  10. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,158
    Location:
    in a remote land :)
    the main problem is that , hard to find a well coded soft that would distinguish a single user using 2 accounts (one for admin tasks and one for daily use) from 2 users using the same computer...

    Microsoft doing secondary accounts stupidly, during installation of the OS, an admin account and an SUA related to it should have been made simultaneously.
     
  11. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I'm guessing UAC max on your admin account isn't enough?

    If it prompts for a password I'm assuming it'll be functionally identical (or at least very similar) to sudo right?
     
  12. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,158
    Location:
    in a remote land :)
    hehe you spotted me, indeed i added password request to my admin account.

    That is what i'm trying to emulate ;)
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    OK I see, thanks for the info. These so called "vulnerable processes" are indeed a bit risky, I do monitor the most known ones with ERP. The problem is that trusted system processes do sometimes need to run these apps, and you don't want to be prompted everytime. So I'm still looking for a tool that can monitor parent-child process control, like SSM back in the days.
     
  14. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    Apart from finding the ideal piece of software... I "guess" the only way to do this properly would be to have child PCs dedicated to specific tasks which are locked out of Admin Elevation (eg: disable Windows Services such as Application Information, Secondary Logon)... connected to a parent PC which runs as Admin... <---sounded good in my head at the time of typing!

    -----
    EDIT: Just remembered why I decided to lock ARP.exe; it's because I use a VPN, and ARP is called when waking up/activating the TAP Adapter and finalising VPN connection.
    -----
    Yep, trusted processes sometimes do need to run these apps. It depends on how far you desire to push the "control" envelope. The whole notification side of things became stale very quickly on my end. Interaction is one thing, permission/approval/confirmation is another. Sometimes it would be so repetitive, your hair would scream to be torn out at its roots!

    Some of our forum members use default-deny while browsing, some use default-deny as soon as they turn their PC on, along with blacklist vs whitelist and 3rd party apps vs policy/permission. I haven't made use of an active/real-time AV/AM app since November 2015. This lead me down the path of policy/permission/escalation. IMO, stopping here still left me somewhat exposed, and the challenge wasn't challenging enough. We've all seen stories/reports about UAC being bypassed, and it doesn't help matters that Windows has Services that allow for escalation of privileges.

    I felt I wanted more... but was limited in what I could accomplish because I use Home Premium. I was stuck with a custom-created Group Policy which didn't have all the juicy changes available in the Professional version, and there was no access to Applocker/Bitlocker either. So, I enhanced (some would say complicated) things further by introducing process locks. As expected, one app wouldn't cover all, so I had to use "a collection". Ugh, but... after the dust has settled, I believe I now have a hardened LUA... a properly-hardened LUA.

    It helps when you sorta' know that your PC is finalised. The only thing left to do is collect updates for apps and designate a day for backups and updates. Sorry for the rant!
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes, that's what I meant. You don't want to break things and interfere with legit behavior. It's probably best if security tools would allow these so called "vulnerable processes" to run only when launched by system applications that reside inside C:\Windows. If other apps try to run them, then you should be alerted.

    And even explorer.exe and svchost.exe are often abused by malware. A lot of ransomware will startup them in suspended state in order to inject code (process hollowing), which will render a lot of HIPS powerless, since malicious actions are now done by a trusted system process. In other words, they should be also monitored closely, at least when launched by non-system apps.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    BTW, turns out that SpyShelter Firewall already does this, it will alert about all child processes being launched.
     
Loading...