New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
Some ERP users have 100+ processes in their Vulnerable Process list. They want a way to update the Vulnerable Process list within an alert as opposed to having to rebuild that list manually every time the processes are modified by W10 updates.
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,534
    Location:
    Mexico
    This type of alert dialog is paramount for appropriate maintenance of the Vuln. Proc. list. A must have, in my opinion.
    Thanks for considering such a feature.
     
  3. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    If you guys want this, then you better keep telling @novirusthanks
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,346
    what's wrong with having a super-simple format like:
    */powershell*.exe
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,500
    Location:
    Under a bushel ...
I agree 100% :thumb: Hope it is not too difficult to implement.
    Thanks @Lockdown for chipping in here re the necessity of this :thumb:.
     
  6. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    @novirusthanks

    That would be a fine solution if only Microsoft would digitally sign all the vulnerable processes they ship with Windows
     
  7. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    When using the double * wildcard you have to be careful not to whitelist User Space

    I blacklist or restrict privileges using *<process_name>* as it is system wide, and never use it to whitelist

    Malware can copy a vulnerable process in System Space and paste it to User Space or just supply a legitimate working copy of the process - among a bunch of other techniques
     
    Last edited: Feb 22, 2017
  8. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,739
    Location:
    Europe then Asia
Yes, they want something like in ReHIPS where you can "ignore file changes" and have the possibility to overwrite the old checksum with the new.
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,346
Good, so the new ERP should support the wildcard format in the VPL and the blacklist, but not in the whitelist.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,763
    Location:
    The Netherlands
  11. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,739
    Location:
    Europe then Asia
@Rasheed187 I didn't even notice it ^^
Personally, I expect proper compatibility with SUA.
     
  12. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    832
    Location:
    Land o fruits and nuts, and more crime.
Off topic, but I keep getting hit with C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 30EAABE7A3B1081B6F5DDE4A1C0305D2
    Is this legit or what?
     
  13. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,739
    Location:
    Europe then Asia
I don't have ERP installed, but is mscorsvw.exe a vulnerable process? If yes, you can do nothing except allow it (and further iterations) by creating a rule with this syntax:
    Code:
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe*
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,534
    Location:
    Mexico
    Browse to its location and look for digital sign. It should be Microsoft's.
     
  15. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    832
    Location:
    Land o fruits and nuts, and more crime.
    No. I would not allow it, no negative effects.
    Would like to know why it would be blocked? I have digital sign turned off. hash: 30EAABE7A3B1081B6F5DDE4A1C0305D2
    Thanks
     
    Last edited: Feb 22, 2017
  16. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,690
mscorsvw.exe = .NET Runtime Optimization Service
In my logs I can see it nearly each day, right after this maintenance task is started: .NET Framework NGEN v4.0.30319 x64
     
  17. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    832
    Location:
    Land o fruits and nuts, and more crime.
Thanks, but that's not an answer to my question.
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,690
    @novirusthanks
    Is ERP switching to a more secure file hash like SHA-256 in the next version?
     
  19. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    412
    Looking for help.
    I have tried to whitelist the following command line but it doesn't seem to work, so any suggestions on how I could shorten it effectively?
    C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\LastPass\nplastpass.exe" --parent-window=0 chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/ < \\.\pipe\chrome.nativeMessaging.in.508d7d9d1d4d4000 > \\.\pipe\chrome.nativeMessaging.out.508d7d9d1d4d4000
    [the previous time was C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\LastPass\nplastpass.exe" --parent-window=0 chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/ < \\.\pipe\chrome.nativeMessaging.in.7fbcad5b5dbf2eb7 > \\.\pipe\chrome.nativeMessaging.out.7fbcad5b5dbf2eb7]
    thanks
     
    Last edited: Feb 24, 2017
  20. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Use * wildcard:

    C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\LastPass\nplastpass.exe" --parent-window=0 chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/ < \\.\pipe\chrome.nativeMessaging.in.* > \\.\pipe\chrome.nativeMessaging.out.*
     
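Lockdown's caution above about `*<process_name>*` whitelist rules, shmu26's summary that wildcards belong in the VPL and blacklist but not the whitelist, and the LastPass rule just posted can all be checked with a small matcher. This is an added example, not ERP's code: it assumes `*` matches any run of characters, matching is case-insensitive, and the whole command line is compared; the PowerShell command lines are constructed, while the LastPass rule and pipe ids are the ones from the thread.

```python
import re

def compile_rule(rule: str):
    """Turn an ERP-style rule into a regex. Only '*' is special (it matches any run of
    characters, including none); everything else is literal. Matching is case-insensitive
    and '/' is treated as '\\' because Windows paths are. These semantics are assumed for
    illustration and are not taken from ERP's own matcher."""
    parts = rule.replace("/", "\\").split("*")
    return re.compile("^" + ".*".join(map(re.escape, parts)) + "$", re.IGNORECASE | re.DOTALL)

def matches(rule: str, command_line: str) -> bool:
    """True if the rule covers the whole command line."""
    return compile_rule(rule).match(command_line.replace("/", "\\")) is not None

def is_anchored(rule: str) -> bool:
    """A whitelist rule should start with a concrete path. A rule like '*name*' also matches
    a copy of that binary dropped anywhere in user space, the case Lockdown warns about."""
    return not rule.startswith("*")

def lint_whitelist(rules):
    """Return the whitelist rules that are unanchored and therefore need review."""
    return [r for r in rules if not is_anchored(r)]

# Constructed sample command lines (not taken from the thread).
SYSTEM_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\Scripts\backup.ps1"
USER_PS = r"C:\Users\alice\Downloads\powershell.exe -File C:\Users\alice\Downloads\setup.ps1"
SYSTEM_PS_RULE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe*"

# Lockdown's LastPass rule from the thread; newbino's two command lines differ only in the
# pipe ids, so one rule with '*' in place of the id covers both.
LASTPASS_RULE = (r'C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\LastPass\nplastpass.exe"'
                 r' --parent-window=0 chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/'
                 r' < \\.\pipe\chrome.nativeMessaging.in.* > \\.\pipe\chrome.nativeMessaging.out.*')
LASTPASS_CMD_A = LASTPASS_RULE.replace("*", "508d7d9d1d4d4000")
LASTPASS_CMD_B = LASTPASS_RULE.replace("*", "7fbcad5b5dbf2eb7")

if __name__ == "__main__":
    for rule in ("*powershell*", SYSTEM_PS_RULE):
        print(f"{rule}: system copy={matches(rule, SYSTEM_PS)}, user-space copy={matches(rule, USER_PS)}")
    print("LastPass rule covers both pipe ids:",
          matches(LASTPASS_RULE, LASTPASS_CMD_A) and matches(LASTPASS_RULE, LASTPASS_CMD_B))
    print("unanchored whitelist rules:", lint_whitelist(["*powershell*", SYSTEM_PS_RULE, LASTPASS_RULE]))
```

The anchored rule allows only the copy under System32, while `*powershell*` would also allow a copy in a user profile; `lint_whitelist` flags that kind of rule before it goes into the whitelist.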
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,763
    Location:
    The Netherlands
    It's one of my biggest annoyances of Windows. The person who "invented" this should be in jail. Weird that M$ never decided to remove this useless "feature", it's so freaking ugly. And yes, security tools should be able to run correctly inside SUA.
     
  22. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,739
    Location:
    Europe then Asia
Uh, you are kidding, right? Remove SUA?

Do you know why Linux is safer than Windows? Because of the multi-user architecture: on Linux you have to enter a password when doing an admin task; Windows is nicer, you just have to click "yes or no" on UAC.
If you can tolerate SUA on Windows, I don't even imagine your reaction on Linux; you will burn your computer after 5 min. :argh:
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,763
    Location:
    The Netherlands
    I think you misread, I was speaking about the ugly focus rectangle. Scroll down to the first pic (UAC alert), even in Win 10 it's still visible, disgusting:

    https://github.com/securitywithoutborders/hardentools
     
  24. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,739
    Location:
    Europe then Asia
Oh ok, I misread then, sorry.

Yes, the rectangle isn't the nicest thing I saw.
     
  25. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,739
    Location:
    Europe then Asia
    Hope so, because MD5 is obsolete and bypassable.
     
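Lockdown's first post asks for a way to refresh Vulnerable Process list entries after a Windows update instead of rebuilding the list by hand, and mood and Umbra ask for SHA-256 in place of MD5. The following is an added example, not ERP's code: it records SHA-256 per path, reports which binaries changed or disappeared, and only writes the new hashes back after the operator accepts them. The file reader is injectable, and the disk contents and hashes below are constructed so the example runs offline.

```python
import hashlib

def sha256_of(path: str, read_bytes=lambda p: open(p, "rb").read()) -> str:
    """SHA-256 of a file (MD5 is avoided because collisions are practical). read_bytes is
    injectable so the check can run over constructed data; by default it reads from disk."""
    return hashlib.sha256(read_bytes(path)).hexdigest()

def check_vpl(vpl: dict, read_bytes=lambda p: open(p, "rb").read()):
    """vpl maps each vulnerable-process path to the SHA-256 recorded when it was added.
    Returns (unchanged, changed, missing); changed holds (path, old_hash, new_hash) so the
    operator can review each replaced binary instead of rebuilding the list by hand."""
    unchanged, changed, missing = [], [], []
    for path, old in vpl.items():
        try:
            new = sha256_of(path, read_bytes)
        except FileNotFoundError:
            missing.append(path)
            continue
        if new.lower() == old.lower():
            unchanged.append(path)
        else:
            changed.append((path, old, new))
    return unchanged, changed, missing

def accept_changes(vpl: dict, changed) -> dict:
    """Return a copy of vpl with the reviewed entries updated to their new hashes."""
    updated = dict(vpl)
    for path, _old, new in changed:
        updated[path] = new
    return updated

# Constructed stand-in for the disk after a Windows update replaced powershell.exe and
# removed cscript.exe; the byte strings are placeholders, not real file contents.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT_PATH = r"C:\Windows\System32\wscript.exe"
CSCRIPT_PATH = r"C:\Windows\System32\cscript.exe"
FAKE_DISK = {PS_PATH: b"powershell build 2", WSCRIPT_PATH: b"wscript build 1"}

def fake_read(path: str) -> bytes:
    if path not in FAKE_DISK:
        raise FileNotFoundError(path)
    return FAKE_DISK[path]

# The list as it was recorded before the update (constructed values).
SAMPLE_VPL = {
    PS_PATH: hashlib.sha256(b"powershell build 1").hexdigest(),
    WSCRIPT_PATH: hashlib.sha256(b"wscript build 1").hexdigest(),
    CSCRIPT_PATH: "0" * 64,
}
```

Running `check_vpl(SAMPLE_VPL, fake_read)` reports powershell.exe as changed and cscript.exe as missing; on a real system pass no reader so the files are hashed from disk, and confirm the publisher signature of a changed binary before accepting it.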