New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,620
    Location:
    Mexico
  2. hjlbx

    hjlbx Guest

    He might have listed for XP - perhaps ?
     
  3. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    I was just whitelisting command lines. I had not interest in knowing what programs were allowed or not since AppGuard treats the PC as if it is already infected... so why bother? Thoughts.
     
  4. hjlbx

    hjlbx Guest

    Let's be completely honest here... anything added to AppGuard is very likely just plain overkill.

    That being said, an anti-exploit, virtualization, web content filtering, outbound notifications and on-demand AV scanner are judicious supplements to AppGuard - but not absolutely necessary.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,534
    Not sure exactly what you mean here?
     
  6. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Whatever app I run is already guarded in AppGuard. Whatever executables that app spawns inherits protection as well. Therefore, why whitelist executables when the same protection lies in another app? Why not just whitelist the command lines exe/dll/sys (whatever else falls in the ERP net) files use?
     
  7. guest

    guest Guest

    Unless those apps are located in any non-system partitions/drives/ramdisks, then AG can't protect them for the moment; only ERP will do the job.
     
  8. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Doesn't all that come under User Space, whether it's sucked into "Removable Media", or entered manually (D:\, E:\, etc...)? Unless something has changed in the beta builds... I am still using current stable. Sorry, haven't been paying attention to beta posts.
     
  9. silver0066

    silver0066 Registered Member

    Joined:
    Dec 31, 2004
    Posts:
    984
    Where can I find Peters security config?
     
  10. guest

    guest Guest

    In fact , AG never protected any apps located outside the system partition, but with the previous versions, it didn't warn about that.
    In the betas, it now warns that any non-system located rules are erroneous.

    User-space rules are valid ONLY if the path is in the system partition.

    If you tried the betas, you would see that you still can add partitions/drives/folders in the User-Space tab but then any rules with non-system partition's paths will from now on generate an error.

    Also folders outside the system partition can't be protected or made private.

    So to resume:

    Anything not located on the system partition isn't protected by AG.
     
    Last edited by a moderator: Feb 17, 2016
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,534
    I run ERP full bore simply because although I love appguard, I have to turn it off when the system is most vulnerable, on install of new software
    See PM
     
  12. guest

    guest Guest

    In fact running ERP alongside AG will protect other partitions unlike AG.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,534
    True enough
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    I already asked for some info in the VS thread. But it's a bit confusing, so you're saying that ERP and VS were bypassed, but in the VS thread the developer says it stopped the payload?
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    It depends on the way you look at. The reason why I don't like AG, is because the concept is harder to grasp.

    My approach:

    If apps are not on the white-list, they can't run, no need to think about system and user space, ERP doesn't care. If I don't trust some app, I run it virtualized with SBIE, it can't touch the registry, file system, and can't communicate with or modify processes running outside the sandbox. If I'm ready to run some app on the real system, I monitor it with HIPS like SpyShelter. It will block behavior related to keyloggers, rootkits, trojans and can also protect private data against ransomware.
     
  16. hjlbx

    hjlbx Guest

    That is sound mult-layered approach.
     
  17. hjlbx

    hjlbx Guest

    Contrary to what others might state, my native Chinese speaking contact states that both VS and ERP were bypassed - since the webpage exploit abused white-listed, but vulnerable processes - like PresentationHost.exe - to circumvent the white-list.

    You have to read Chinese to fully understand everything that is presented.
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,620
    Location:
    Mexico
    Are you still inflating your vuln proc list? I can't wait to have a copy of it :D
     
  19. hjlbx

    hjlbx Guest

    @MisterX - from Florian @ Excubits

    Add from these locations: C:\Windows - System32, SysWOW64, MicrosoftNet\Framework, MicrosoftNET\Framework64

    Note: For NET items you must add them for all versions in which the file resides = search the version folders, if file found, add it to vulnerable process list.

    When adding all these items to vulnerable process list, Alert Mode is recommended.

    Everything below is Florian's words...

    *InstallUtil*
    *Regsvcs*
    *RegAsm*
    *wusa*
    ?:\$Recycle*
    *reg.exe
    *vssadmin.exe
    *aspnet_compiler.exe
    *csc.exe
    *jsc.exe
    *vbc.exe
    *ilasm.exe
    *MSBuild.exe
    *script.exe
    *journal.exe
    *msiexec.exe
    *bitsadmin*
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *bcdedit.exe
    *mstsc.exe
    *powershell.exe
    *powershell_ise.exe
    *hh.exe
    *set.exe *
    setx.exe
    *InstallUtil.exe
    *IEExec.exe
    *DFsvc.exe
    *dfshim.dll - NOTE: Adding to NVT ERP Vulnerable Process list is NOT supported - and should not be added (@novirusthanks)
    *PresentationHost.exe
    C:\Windows\ADFS\*
    C:\Windows\Fonts\*
    C:\Windows\Minidump\*
    C:\Windows\Offline Web Pages\*
    C:\Windows\tracing\* C:\Windows\Tasks\*

    I also suggest that you restrict write access permissions on

    C:\Windows\ADFS\*
    C:\Windows\Fonts\*
    C:\Windows\Minidump\*
    C:\Windows\Offline Web Pages\*
    C:\Windows\tracing\*
    C:\Windows\Temp\*
    C:\Windows\Tasks\* - NOTE: When installing some apps, they will need access to this folder to schedule start, updates, etc.
    C:\ProgramData\*

    such, that you - as a default/normal user - cannot copy (or write) files into one of these folders. Please note, ensure that Windows Update (or the Trusted Installer and Admin) are still able to write into these folders or you gonna end up in some trouble
     
    Last edited by a moderator: Feb 22, 2016
  20. hjlbx

    hjlbx Guest

  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,620
    Location:
    Mexico
    @hjlbx

    Thank you very much.
     
  22. hjlbx

    hjlbx Guest

    @Mister X - you are welcome.

    I would use Alert Mode until you are confident that enabling Lock Down mode will not smash your system.

    Remember about Windows updates - sometimes they might need NET Assemblies - so when perform Windows update - you might have to enable Allow mode.

    Anyhow, I have run into no problems yet adding everything on the list - except I didn't do the write access to folders - since I can't use Secure Folders on my system.
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,620
    Location:
    Mexico
    Got it, thanks. :thumb:
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    OK, so the VS developer misunderstood? I wonder why he's saying that the ransomware payload was still blocked though.

    A lot of them are already in my vulnerable processes list. But I'm not really that worried, because my browsers are all running sandboxed.
     
  25. hjlbx

    hjlbx Guest

    I think he is misunderstanding parts of translated page; must read webpage in Chinese to fully understand.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.