New Antiexecutable: NoVirusThanks EXE Radar Pro

the Blacklist should have the highest priority...., Blacklist 'overrules' Vulnerable and Whitelist.

 

Any changes or additions upon the occasion of Microsoft's win10 anniversary gift?

 

Hey guys, just printed some recipes and I get a cmdline alert each time...

Now I tried to put a wildcard symbol in place of the text in bold letters (above) but I still get a cmdline alert when I start printing. Is there a way to fix this so I don't get anymore alerts? The system it's on is in shadow mode (sd) and in lockdown mode (erp) 24/7 so it gets wiped away at reboot and it doesn't stop printing, but I still would like to figure it out.
btw, not sure why the smiley replaces my text in my quote

 

if you don't want that smileys appear, you can enclose it with CODE. PLAIN is another alternative (and it's good for "unlinking" http-links).

(BTW.: i used QUOTE and then PLAIN)

Code:

RunDLL32.exe C:\Windows\system32\spool\DRIVERS\W32X86\3\hpinkstsC611.dll,RunDLLEntry*
RunDLL32.exe C:\Windows\system32\spool\DRIVERS\W32X86\3\hpinkstsC611.dll,RunDLLEntry FRIENDLYNAME=HP Officejet 4630 series*

Try one of these and give some feedback if it worked (or not)

 

Thanks! I'll try these out soon and get back to you

EDIT:The first one seems to be working. Thanks!

 

I have been thinking, and I wonder if it's really worth to monitor certain processes like regsvr32.exe and rundll32.exe. I have been installing a lot of apps last week, and I came to the conclusion that I didn't have a clue if it was risky to allow apps to run certain system processes. I ended up allowing them all, in order to avoid breaking functionality. So perhaps it's not worth the hassle.

 

I'm not in the know enough, to know one way or the other. I've added to Vulnerable as per others suggest and a few items, I want to monitor.

 

* with using of Rundll32 blacklisted executables can be started without problems.
* with using of Regsvr32 DLL's/shell-extensions can be registered into the system that are executed every time you rightclick a simple file.

Code:

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Rasheed\Local\Temp\Malware.dll"

And more can be done with Regsvr32.exe:

-------
IMHO Locked Down and blocking all unknown executables (without monitoring regsvr32.exe and rundll32.exe) is not enough.

 

best method is to whitelist the command line.
if that doesn't work, you can whitelist the exe as a "parent process". this will allow it to run other processes without triggering an alert. It is slightly less secure, but saves your sanity.

if a process keeps producing alerts, safest method is to whitelist the command line.
but if that doesn't work, you can whitelist the exe -- for instance, the hp printer file -- as a "parent process".
this designation will allow it to run other processes without triggering an alert. It is slightly less secure, but saves your sanity.
you can't do that to a vulnerable process, but you can do it to the process that wants to run the vulnerable one.

 

I got it working thanks post #5304

 

what happens if you don't allow signed processes?
Do your apps get blocked every time they update?
And what happens when there is a Windows update?

 

I noticed that vulnerable processes are identified by their hash.
Does that mean that after a major Windows update, the vulnerable processes list needs to be redone?
Or does ERP look at the file name and location, and then automatically adjust the hash?

 

I noticed that too when I upgraded from 8.1 to 10 1511, and found that I had to redo the list, although IIRC some did come up as already included.

I forgot about that.

With my recent upgrade to 1607, I suppose I'll need to do it again. A PITA, especially because one can't use wildcards. In my case a reason not include these in ERP, but only in AppGuard.

 

you just have to manually whitelist more stuff then if you were using signed processes/trusted vendors

 

Oh, i see that some files in my vulnerable list are not protected at the moment
I quickly have to add new hashes for them.
-------
Files in the whitelist are "monitored", but not in the vulnerable list
Btw.: And don't forget about the Blacklist. If files are updated, they have to be added again with new hashes.

 

I know there is risk involved, but my point is: how to know if it's malicious or no? There is no way to know for sure, because it's way too common for apps to use regsvr32.exe and rundll32.exe, especially when being installed.

That's my whole philosophy, if you can not make a good decision about certain monitored behavior, you might as well not monitor it. Of course, I would still advise to monitor powershell.exe, cmd.exe and others, because that is a lot less common. Legit apps almost never need to launch them.

 

Good point.
For installations of applications it is expected so i whitelist the command-lines (or: Install-Mode).
But for situations i don't expect it, for example opening a pdf-file or surfing to a website, it is suspicious if rundll32.exe wants to do something.

It's the same for monitoring powershell.exe/cmd.exe. If you want to execute cmd.exe i think you're gonna click on "Allow".
But if it happens after opening an email, you click on "Deny" because you didn't expected it and it's suspicious too.

 

my biggest problem is obscure windows processes that run from time to time, and they trigger a pop-up because of rundll or the like. I think these processes often have to do with telemetry or maintenance.
How can I know whether they are legit?
I suppose I could just block when unsure, and I probably won't suffer as a result. Windows will eventually let me know if I missed something important.
But it would be nice if Windows could just function properly.

 

I assume that the whitelist should be refreshed after something like the Anniversary Update. But what about regular and cumulative Windows updates? Are they likely to affect the whitelist?

 

@mood Is there a 'clever' way of adding the new hashes for each vulnerable process when one moves to a new build of Windows, or does one have to 'Add new ...' for each vulnerable process again. (That is what I did when 'upgrading' from Win 8 to 10.
My list of vulnerable processes is quite long, based on that shared by @hjlbx, and largely based on that identified by Florian / Excubits.
Hoping there is a simpler way, else it's quite time-consuming, especially if one has to re-do with every build.

 

It doesn't matter if you add any new hashes for vulnerable processes - because NVT ERP is gonna generate an alert upon execution of any process on the vulnerable process list - no matter what. - even if the hash is current. It is designed to function that way.

You can set NVT ERP to delete old hashes in Settings.

Keeping two rules - one with old hash and the other with new hash is bad idea - in case someone reinstalls an old version of a process that was updated precisely because it was vulnerable. For example, having rule for both IE 11 and IE 5 (Good grief...).

You might have some changes in NET Framework - if AU installed a new version of NET Framework. Otherwise everything is essentially the same old file paths - System32 and\or SysWOW64.

Besides, I would expect few hash changes for most of the processes on the vulnerable process list between W10 and W8 - or even W7.

Some vulnerable processes shipped with Windows have not been updated\changed since XP - if not Windows 95.

 

OK, sincerely hope you are right for vulnerable processes. Lot less work ! Are you sure? Because when I re-added the processes with the new hashes in when going from 8 to 10, and it seemed to generate new alerts whereas it had gone 'quiet'. I noticed most of the processes had new hashes. I deleted the processes with the old hashes when re-adding.

You can set NVT ERP to delete old hashes in Settings. Do you mean under General 'Purge old hashes when a process is whitelisted / blacklisted'? That is ticked (by default). Does this also apply to vulnerable processes list?

But yes - would need to check for new .NET versions.

 

If vulnerable processes goes "silent," then something is wrong - but you can always test it by executing cmd.exe or powershell.exe. Easy enough...

With newly updated processes with different hashes, you should get a "process has changed" alert (yellow).

Automatic hash deletion applies to all processes.

 

Vulnerable List: "regular updates" shouldn't affect this list that much. But if you do bigger updates, or upgrade to a newer windows 10-version, it may be the case and you have to add new hashes. But it's rare.

But not if this is enabled: [X] Allow Microsoft Windows system protected processes.
If the vulnerable process is in the Windows-directory, the user gets No "Vulnerable application detected"-Alert if the file has been changed.
(new hash is not on the vulnerable list = no alert). The user has to add the new hash.

If this is enabled: [X] Allow processes signed only by Trusted Vendors
The user updates an application signed from a specific vendor that the user added to Trusted Vendors.
If the user executes it (Trusted Vendor, new hash is not on the vulnerable list) = No "Vulnerable application detected"-Alert.
And again, the user has to add the new checksum manually to the vulnerable list to get alerts.

Regarding the normal whitelist = old hashes can be (should be) removed, that's fine.
But not regarding the vulnerable list. Because if the user removes old hashes from the vulnerable list, ERP is not asking about them anymore.
If for example the user downgraded an application to an older version (that was on the vulnerable list), or after deinstalling windows-updates, etc.
I think Hashes shouldn't be removed from the vulnerable list, but they can be removed from the normal whitelist.

If you get alerts if windows is doing maintenance then you can be relatively sure that you can whitelist these command-lines.

Maybe you can go to each directory of your vulnerable files with a filemanager (or within ERP: "show file properties") and see if one of your files in the list was updated. But this can be time-consuming too
But if you did a windows-update and you see in the windows-directory that only cmd.exe was updated (and no other windows-process), then you only have to add cmd.exe and you're done.

 

This is not how NVT ERP works on my specific system.

Adding a process to the vulnerable process list over-rides any whitelisting - both Allowed Microsoft Windows system protected processes and Trusted Vendors. If it didn't, then the NVT ERP default list of vulnerable processes wouldn't generate any alerts upon execution of cmd.exe, powershell.exe, etc.

Also, upon first execution of a newly introduced file to the system without an existing rule, NVT ERP always generates an alert.

Any time a process on the vulnerable process list executes - NVT ERP generates an alert - even when the file has been modified\changed by an update.

During the update process or immediately afterwards or after reboot for updates that require a reboot, NVT ERP will generate a "File has Changed" (yellow) alert so user can create a new rule or keep using the old rule.