New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    2 questions.

1. Do you write code yourself?

2. Have you seen the ERP code?
     
  2. guest

    guest Guest

    lol the start of a drama for a dead product...come on guys...
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I was talking about the feature itself. I don't know if NVT would have difficulty implementing it, only he can answer this.

    I already answered this, you never know if he picks up development again, and there is nothing wrong with a little bit of brainstorming.

    These guys just don't give up. :D
     
  4. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Code:
    "C:\Users\Mike\AppData\Local\Google\Chrome\User Data\SwReporter\13.79.1\software_reporter_tool.exe" --crash-handler "--database=c:\users\mike\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32
    
    "C:\Users\Mike\AppData\Local\Google\Chrome\User Data\SwReporter\13.79.1\software_reporter_tool.exe" --crash-handler "--database=c:\users\mike\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=13.79.1 --handshake-handle=0x128
    I have been getting these alerts when opening chrome, where would I put a wildcard so they won't bug me anymore?
     
  5. guest

    guest Guest

    I exchanged the user and version-number with a wildcard "*". So this command-line is valid for all users and different versions of this tool.
    3 Suggestions:
    Code:
    "C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\*\software_reporter_tool.exe" --crash-handler "--database=c:\users\*\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32*
    "C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\*\software_reporter_tool.exe" --crash-handler "--database=c:\users\*\appdata\local\Google\Software Reporter Tool"*
    "C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\*\software_reporter_tool.exe"*
     
  6. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Cool! Thanks...I am trying the shortest line first :thumb:
     
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    "Dead"? Hmmm... I wonder. ERP still works just fine for me, & never fails to notify me when I try to do something stupid (reminds me of my wife, come to think of it).
     
  8. guest

    guest Guest

    "Dead" means no development to me.
     
  9. lol :argh: according to the developer it is not going to happen, because there is no business case for a paid Anti-Executable in the consumer market.

    wondering how SecureAplus and Voodooshield are doing with their free and freemium offers to consumers.
     
  10. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    :D:D:D Same here
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I agree ERP is key protection for me.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, VS seems to be doing just fine. But for me it offers a bit too much. And strangely enough, ERP is still for sale on the NVT page, I thought it turned into freeware, not sure what's going on.

    I'm not trying to be funny, but are you sure? I mean, you're also running EIS, HMPA and AG. BTW, here is an example of how process hollowing could be used to bypass white-listing, the new feature that I proposed would stop this.

    https://isc.sans.edu/forums/diary/Hancitor Maldoc Bypasses Application Whitelisting/21683/
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Rasheed

    It's all about layers, layers layers. I agree that the exploit in the article could in theory bypass erp, but I still consider it key protection.

    1. I don't know if AG memory protection would stop it, but HMPA protects against hollow processing
    2. 99% of the word documents I open were created on my machine, by me
    3. If I am at all suspicious of the word doc, I open it in Sandboxie

    So I don't see a big threat.

    PS. It's always easy to find a specific theoretical threat, but what is the real risk. I am very comfortable with ERP just the way it is.
     
  14. guest

    guest Guest

    the beta is freeware (donationware), not the release on the website.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, I also agree about layers. But what I meant is that you probably don't need ERP, because HMPA and AG already have the capability to block exploits. So I'm not sure why you consider it to be key protection.

    I still think it's weird, I think all versions should be either freeware or payware.
     
  16. guest

    guest Guest

    The development was stopped, and a newer release-version (which should be freeware) is not yet available for publishing on the website.
    So they leave the old release (payware) on the website.
     
  17. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Except for your explanation, I understand everything you said. :isay:
     
  18. guest

    guest Guest

    I mean, the new version (=freeware) is not finished yet. They can't publish it yet on their website.
     
  19. guest

    guest Guest

    ERP actual stable version = paid
    ERP beta (which all of us use) = free
    ERP Next (if any) stable version = supposed to be free.
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    how can you tell when dism.exe is legit?
    I just saw it run from a random location in Temp, and I whitelisted the command string with wildcards.
    But how is the user to know what is going on?
    Looked like this:
    C:\Users\user\AppData\Local\Temp\B4B0D6C4-7FD4-4235-AA5A-257A70DB42FE\dismhost.exe {C069EC4C-D58E-4A1C-B960-1709CFEAE85D}
     
  21. guest

    guest Guest

    Do you have these files in your whitelist?
    Code:
    "C:\Windows\System32\Dism\DismHost.exe"
    "C:\Windows\SysWOW64\Dism\DismHost.exe"
    If not, that may be a reason, why you get an alert for Dismhost.exe.
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Instead of whitelisting all those processes, I ticked "Allow Microsoft Windows system protected processes", it is in settings/general.

    The reason I am getting a prompt is because it is not running from system32, or syswow64, rather it is running from a Temp folder in app data.
     
  23. guest

    guest Guest

    Ok, in that case you get an alert.
    To be sure that only a legit dismhost.exe is executed in your temporary directory, better add those 2 files mentioned above to your whitelist (instead of whitelisting it with a command-line)
    The path of whitelisted applications is not important, but the hash. This means, whitelisted applications are allowed "everywhere", assuming the hash is the same.
    Compare the hash of dismhost.exe that was executed in your temporary directory with the file in your windows-directory. They should have the same hash.

    With this approach "legit" dismhost.exe files are allowed, and for non-legit files you get an alert.
     
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    thanks. That will indeed save me from fake dismhosts.
    But to tell you the truth, I am more concerned about malware exploiting the real dismhost.
     
  25. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    to answer my own concern, the key is to look at the parent process:
    [Parent: [3996]C:\WINDOWS\system32\cleanmgr.exe]
    since the parent is a known, legit Windows process, located where it should be, this indicates that the command line is safe.
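
Added example (not from either poster and not NoVirusThanks code) that puts the two checks from this exchange into one script: the hash comparison suggested for dismhost.exe in the Temp folder (post 23), and the parent-process check shmu26 settles on here (post 25). Assumptions: the alert text format is modelled on the command line and parent line quoted above, the "binaries" are constructed stand-in files so the script runs offline on any OS, and the trusted parent directories are limited to the System32 and SysWOW64 paths named earlier in the thread.

```python
import hashlib
import ntpath
import os
import re
import tempfile

# Where a genuine DismHost.exe, and the Windows tools that usually launch it, live.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")


def sha256_file(path):
    """SHA-256 of a file, read in chunks so a large binary is not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_under_trusted_dir(path, trusted_dirs=TRUSTED_DIRS):
    """True if path lies inside one of trusted_dirs.  ntpath is used so Windows
    paths are handled whatever OS runs this script: normcase folds case and
    separators, normpath collapses '..' so System32\\..\\Temp\\x.exe is not trusted."""
    p = ntpath.normcase(ntpath.normpath(path))
    return any(p.startswith(ntpath.normcase(ntpath.normpath(d)) + "\\") for d in trusted_dirs)


# Matches the parent line as the alert shows it: [Parent: [pid]path]
PARENT_RE = re.compile(r"\[Parent:\s*\[(\d+)\](.+?)\]")


def parse_parent(alert_text):
    """Return (pid, path) of the parent process from an alert, or None if absent."""
    m = PARENT_RE.search(alert_text)
    return (int(m.group(1)), m.group(2).strip()) if m else None


def assess(candidate_path, alert_text, reference_hashes, trusted_dirs=TRUSTED_DIRS):
    """Apply both checks from the thread and return the findings plus a verdict:
      1. the file's hash equals a known copy from the Windows directory
         (where the file sits does not matter, only its bytes);
      2. the process that launched it lives in a trusted Windows directory.
    The hash check catches a fake dismhost; the parent check is what speaks to the
    genuine binary being started by something that has no business doing so."""
    digest = sha256_file(candidate_path)
    parent = parse_parent(alert_text)
    hash_ok = digest in reference_hashes
    parent_ok = parent is not None and is_under_trusted_dir(parent[1], trusted_dirs)
    return {
        "sha256": digest,
        "hash_matches_reference": hash_ok,
        "parent": parent,
        "parent_trusted": parent_ok,
        "verdict": "allow" if hash_ok and parent_ok else "alert",
    }


def build_demo():
    """Create constructed stand-in files (not real Windows binaries) in a temp dir:
    a reference copy, an identical copy 'dropped' elsewhere, and a tampered copy."""
    root = tempfile.mkdtemp()
    genuine = b"MZ constructed stand-in for DismHost.exe"
    paths = {}
    for name, content in (("ref_dismhost.exe", genuine),
                          ("temp_dismhost.exe", genuine),
                          ("fake_dismhost.exe", genuine + b" tampered")):
        paths[name] = os.path.join(root, name)
        with open(paths[name], "wb") as f:
            f.write(content)
    return paths


# Constructed alert texts, shaped after the command line and parent line quoted
# in the thread; the Downloads parent is invented for contrast.
ALERT_FROM_CLEANMGR = (
    r"C:\Users\user\AppData\Local\Temp\B4B0D6C4-7FD4-4235-AA5A-257A70DB42FE\dismhost.exe "
    r"{C069EC4C-D58E-4A1C-B960-1709CFEAE85D}" "\n"
    r"[Parent: [3996]C:\WINDOWS\system32\cleanmgr.exe]"
)
ALERT_FROM_DOWNLOADS = ALERT_FROM_CLEANMGR.replace(
    r"[3996]C:\WINDOWS\system32\cleanmgr.exe", r"[4242]C:\Users\user\Downloads\dropper.exe")


if __name__ == "__main__":
    paths = build_demo()
    refs = {sha256_file(paths["ref_dismhost.exe"])}
    for name, alert in (("temp_dismhost.exe", ALERT_FROM_CLEANMGR),
                        ("fake_dismhost.exe", ALERT_FROM_CLEANMGR),
                        ("temp_dismhost.exe", ALERT_FROM_DOWNLOADS)):
        print(name, assess(paths[name], alert, refs)["verdict"])
```

On a real machine the reference set would be the hashes of the two DismHost.exe copies under System32 and SysWOW64, and the candidate the file that appeared in Temp. The parent check is deliberately a directory check rather than a name check: a file called cleanmgr.exe in a user-writable folder should not count, and the normalisation step keeps a `..` in the parent path from sneaking it under a trusted prefix.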
     