New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. guest

    guest Guest

    "Do not check if a process is signed (save bandwith)"
    Unknown process (no signature-check) = Prompt/Alert
    "Do not allow signed processes"
    Unknown signed process = Prompt/Alert
    Unknown unsigned process = Prompt/Alert
    "Allow all processes signed with a valid certificate"
    Unknown signed process = No Prompt/No Alert
    Unknown unsigned process = Prompt/Alert
    "Allow processes signed only by Trusted Vendors"
    Unknown signed process (Trusted Vendor) = No Prompt/No Alert
    Unknown signed process (not a Trusted Vendor) = Prompt/Alert
    Unknown unsigned process = Prompt/Alert
     
    Last edited by a moderator: Sep 28, 2016
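The decision matrix above, as an added PowerShell example (not NVT's code) that derives the same outcomes from a real Authenticode check with Get-AuthenticodeSignature; the mode names are shorthand for the four ERP options, and treating a broken or revoked signature like an unsigned file is an assumption the matrix itself does not spell out:

```powershell
# Added example (not NVT's own code): reproduce the ERP decision matrix above
# with Get-AuthenticodeSignature, extended so that a signature whose status is
# anything other than Valid (HashMismatch, NotTrusted, ...) is treated like no
# signature at all (assumption; the matrix only distinguishes signed/unsigned).
function Get-ErpDecision {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)]
        [ValidateSet('NoCheck', 'NoSigned', 'ValidSigned', 'TrustedVendors')]
        [string]$Mode,
        [string[]]$TrustedVendors = @()   # signer common names you trust
    )
    if ($Mode -in 'NoCheck', 'NoSigned') {
        # "Do not check if a process is signed" skips the check entirely;
        # "Do not allow signed processes" checks but never auto-allows.
        return 'Prompt'
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, UnknownError, ... all end in a prompt.
        return 'Prompt'
    }
    if ($Mode -eq 'ValidSigned') { return 'Allow' }
    # TrustedVendors: a valid signature is not enough, the signer CN must be listed.
    $signer = $sig.SignerCertificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($TrustedVendors -contains $signer) { return 'Allow' }
    return 'Prompt'
}

# Usage against a built-in binary. Windows binaries are catalog-signed; their
# subject CN is "Microsoft Windows" (vendor list entries are whatever CN your
# vendors sign with). On older Windows without catalog support in this cmdlet
# the status may come back NotSigned, which correctly yields Prompt.
$exe = Join-Path $env:SystemRoot 'System32\notepad.exe'
foreach ($m in 'NoCheck', 'NoSigned', 'ValidSigned', 'TrustedVendors') {
    '{0,-15} {1}' -f $m, (Get-ErpDecision -Path $exe -Mode $m -TrustedVendors 'Microsoft Windows')
}
```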
  2. paulescobar

    paulescobar Registered Member

    Joined:
    Sep 22, 2008
    Posts:
    197
    Brilliant breakdown!
     
  3. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    Now I feel lazy :)
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I think it's a bit overkill, and I didn't want to cause problems, so that's why I decided not to add a lot of apps to the list. The problem is that there is no way to know whether it's normal for apps to run certain system tools. That's why ERP should have offered parent-child process control. A browser has of course no business running most vulnerable apps, but for installers it's most of the time quite normal.
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,793
    Location:
    .
    I always run installers, trusted and untrusted, in shadow mode (Shadow Defender) and ERP install mode for trusted, and click "Allow" or "Block" every time ERP alerts on a new process for untrusted.
    Next I monitor my system for a while, mostly 5 hrs. average; if I consider everything seems to be fine, I reboot the machine the same day or the next day, the system boots in non-shadow mode, and I permanently install the wanted program from the installers I previously ran in shadow mode.

    I know a parent-child process control is still needed so I'm waiting and watching ReHIPS development so someday I'll incorporate it to my system.

    Edit: besides, I don't usually install new programs on my main personal computer; I'm basically very conservative.
     
    Last edited: Oct 1, 2016
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    No it shouldn't. It's not now nor ever was designed to be a HIPS. It's strictly an Anti Executable, and like Faronics AE, it is just that and nothing more.
     
  7. @Mister X When you have Windows 8.1 Enterprise, why not use AppLocker instead of NVT?
     
  8. guest

    guest Guest

    It is what I would do too.
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,793
    Location:
    .
    I'm not used to it because I've never run it before. Besides, I started using and studying ERP a couple of years ago now? Can't recall. Point is I feel comfortable with ERP and know how to utilize it. I'm not the kind of guy who is testing lots of products; sort of conservative I am.
     
  10. @Mister X

    I was just asking. Security is a process and a state of mind, so when you are happy with it, it is the best option for you. ;)

    Regards Kees
     
  11. hjlbx

    hjlbx Guest

    AppLocker bypass is trivial without proper config.

    Use Florian's most recent vulnerable Windows process list and block vulnerable file types by default.

    Not difficult... Just time intensive.
     
  12. @hjlbx

    Your comment to add dangerous command protection is sound practice and I fully agree that it is better to add that, just in case.

    On the other hand I don't understand how most of those trivial bypass stories work in real life circumstances. Take for instance the trivial XML AppLocker bypass with regsvr32 misuse. When I ignore SmartScreen and UAC this XML file just launches Notepad (which I have as my XML editor). So pardon my ignorance to take these trivial bypasses with a grain of salt. Most trivial bypasses work in synthetic test environments, specially configured for that PoC.

    Until now I only took a countermeasure when Didier Stevens disclosed the AppLocker/SRP bypass he found (link), so when you know of more please respond.

    Regards Kees
     
  13. hjlbx

    hjlbx Guest

    Statistically in day-to-day use the probability of a trivial AppLocker bypass is low. And yes, at least some are synthetic, Proof of Concepts. So I agree with you in these regards. On top of it all, malc0ders don't "target" AppLocker protected systems to any statistically significant degree - even with all the open source AppLocker bypasses on the web. Like most day-to-day computer use, it is the very small probabilities that are what is really protecting the typical user.

    However, if one is going to rely upon AppLocker it stands to reason that they should bolster it by configuring it to prevent its known vulnerabilities.
    [And I am befuddled as to Microsoft's persistent inattention to fixing AppLocker - but that is a completely different topic].

    Malware testing has proven, time and again, that if a user does get into trouble, it is much more often due to abuse of at least one of the whitelisted vulnerable processes that are shipped with Windows. Disabling those processes significantly increases system security with relatively minimal effort.

    I look at AppLocker tweaks the same as OS tweaks.

    That way the user can combo AppLocker with a good adblocker and need essentially nothing else for high-level protection.

    It is probably much more a case of learning how AppLocker works and how to configure it properly. The end result is a solid, minimal "just-in-case" security configuration...

    * * * * *

    It is the same with other whitelisting (SRP\Anti-Executables) solutions. They all need to be properly tweaked to prevent the rare bypass - some need to be tweaked more than others.

    I suppose it all depends upon whether or not a user is security conscious, paranoid, or obsessively-compulsive paranoid.

    My thoughts are "just-in-case" is the better option. Set-it and forget-it... then go about using your system. You have done everything you can within AppLocker's capabilities, known issues
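The hardening hjlbx and Kees discuss above (block the built-in processes AppLocker's default "allow everything under Windows" rule would otherwise let run), as an added PowerShell example that is not code from the thread or from Microsoft; it assumes AppLocker is available on the edition in use, the Application Identity service is running, and the default Exe allow rules already exist, and it names only regsvr32.exe because that is the one binary the thread mentions, leaving the rest of the list to be filled in from the source hjlbx refers to:

```powershell
# Added example: generate AppLocker *deny* path rules for built-in executables
# and merge them into the local policy. Assumptions: default Exe allow rules are
# already in place (with only deny rules and enforcement on, AppLocker's implicit
# deny would block every program), and the script runs elevated.
$Vulnerable = @('regsvr32.exe')   # extend with the vulnerable-process list

$rules = foreach ($name in $Vulnerable) {
    # AppLocker expands %SYSTEM32% and %WINDIR% itself; cover the 32-bit copy too.
    foreach ($dir in '%SYSTEM32%', '%WINDIR%\SysWOW64') {
        $id = [guid]::NewGuid().ToString()
        @"
    <FilePathRule Id="$id" Name="Deny $name ($dir)" Description="Vulnerable built-in process" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$dir\$name" />
      </Conditions>
    </FilePathRule>
"@
    }
}

$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$xmlPath = Join-Path $env:TEMP 'deny-vulnerable-exe.xml'
Set-Content -Path $xmlPath -Value $policy -Encoding UTF8

# Dry run first: PolicyDecision should read Denied, with MatchingRule naming
# the rule above, before anything touches the live policy.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path "$env:SystemRoot\System32\regsvr32.exe" -User Everyone

# -Merge keeps the existing allow rules; without it the whole policy is replaced.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
```

A deny rule wins over any allow rule in AppLocker, so the same binary stays blocked even for users covered by a broader publisher or path allow rule.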
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,793
    Location:
    .
    Yes I know. That process is in a "suspended" state by the time being as I'm happy with my setup. However, as soon as things go differently with software, threats, malware, etc and need to change my setup, I'll do it. Pretty obvious, right? LOL
    I've already done that and thank you for bringing that list here to Wilders.
     
  15. guest

    guest Guest

    The good thing is, you don't have to install AppLocker.
    It's already included in the OS (except in Home editions, of course).
    But there is no "interaction" with the user like: "Do you want to allow c:\windows\temp\temp1.exe?"
    Yes, even if the user has no security apps installed, AppLocker can provide some protection for the user.
     
  16. I value your comments, so I looked at her setup and had forgotten that I had added some form of dangerous commands protection (link) :blink:
     
    Last edited by a moderator: Oct 3, 2016
  17. hjlbx

    hjlbx Guest

    I also forgot to mention that AppLocker is basically on its way out... now it's only available to Enterprise and Education licensees on W10.

    I suppose Microsoft figures not enough Pro users took advantage of it on W8.1 and 7 -- or maybe the Redmond master-minds concluded it was too complicated for the average Joe Pro user.

    * * * * *

    I have Pentium P6100 - 3 GB RAM - 320 GB HDD W7 Ultimate system. Use it just for browsing, light text editing\PDF viewing and occasional online video\movie viewing. (1) browser, (1) PDF reader, (1) office suite, (1) file search utility installed on it. Otherwise all empty disk space...

    I don't use it to store the U.S. nuclear arsenal launch codes... so I keep it simple.

    All I have to do to protect the system is AppLock it out, EMET the browser, PDF reader and office suite, make a few system\OS tweaks, and add a decent adblocker (sometimes I like uBlock Origin, other times I opt for Adguard). SRP security causes so very few problems and is so simple (not complex) that it is brilliant. Plus using all MS protections just makes for a less problem-prone system.

    This is not difficult...
     
    Last edited by a moderator: Oct 3, 2016
  18. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I'm curious, what rules do you create? My MIL has an extremely slow laptop so SRP would be great for her.
     
  19. @Overkill

    Only default ;) rules, see link posts 1, 2 and 18

    regards Kees
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    AppLocker is still available in Windows 10 Pro, as I was testing it just recently. Although I don't think it is available in anything lower than Pro.
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @SHvFl Thank you for clarifying, my apologies.
     
  22. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,793
    Location:
    .
    Well mate, we have read more reasons to not use AppLocker, at least for me. I'm happy with my current setup.
     
  23. hjlbx

    hjlbx Guest

    And there is every indication that it will remain that way -- just like everything else that is shipped with Windows consumer, but deactivated\unavailable -- sitting there needlessly eating up your disk space...
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,793
    Location:
    .
    M$ doesn't love that much its AppLocker, it seems so. :argh:
     
  25. hjlbx

    hjlbx Guest

    I don't know why... it is the best Microsoft-developed, dedicated security protection that has ever shipped with Windows...
     