New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    413
    Thanks Lockdown!
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,879
    Location:
    The Netherlands
    BTW, can you please implement a strict "parent-child process control" feature? This means that apps shouldn't be allowed to run the browser or explorer and svchost.exe as a child process. And BTW, I have decided to remove msiexec.exe from the "vulnerable apps" list, because even in "Install Mode" you keep getting alerts about it, so now it's monitored by Sandboxie.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,391
I'll respond in the opposite: Andreas, please keep it an AE and not a HIPS.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,879
    Location:
    The Netherlands
We already spoke about this, ERP is all about process control, so this feature makes sense. It's more of an AE than a HIPS feature. Plus it would help against malware that is using process hollowing and network leakage to bypass HIPS, AV and firewall. It should also be optional for people who don't need it.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,391
    Well I am for leaving it up to Andreas
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,879
    Location:
    The Netherlands
    To clarify, it wouldn't cause any annoyance, because it wouldn't work any different than the "vulnerable processes" feature. The only difference is that ERP should be programmed to only allow explorer.exe, services.exe and svchost.exe to launch other system tools and the browser. Of course, so called "multiple process" browsers should also be allowed to run their own child process browser.
     
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    16,193
    Something like this:
    * Chrome.exe is allowed to execute Chrome.exe, all other processes are blocked.
    * Sumatrapdf.exe isn't allowed to execute other applications.
    Or:
* Chrome can execute other applications except applications in the c:\windows\ directory.
    * Applications in C:\Program Files\* aren't allowed to execute applications in C:\Windows\*

    Btw.: SOB is already able to do this.
    First we create a block-rule to disallow chrome.exe from opening all other processes (*), then we create an exclude-rule (chrome.exe can only execute chrome.exe, and both must be digitally signed from Google):
    Code:
    Block-rule:
    [%PROCESS%: *] [%PARENTFILENAME%: chrome.exe]
    Exclude-rule:
    [%PROCESS%: *\chrome.exe] [%FILESIGNER%: Google Inc] [%PARENTFILENAME%: chrome.exe] [%PARENTSIGNER%: Google Inc]
     
  8. guest

    guest Guest

In fact I'm more excited to get a GUI-based SOB than a new ERP :D
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,391
    Patience, but I know it's exciting to have Andreas back working on this stuff.
     
  10. guest

    guest Guest

Yes, at least we know he is still alive, lol.
     
  11. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,611
    Yes!! I like this pattern best.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,342
    Location:
    U.S.A. (South)
    That might actually bring my own self back to SOB again. Just can't help it.

    GUI anything gets top billing for my safety apps and after all NVT does fashion them quite well in this department IMO.
     
  13. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    16,193
    Me too :)
    The syntax will be a little bit different, but rules in the coming version of ERP can be enabled/disabled with a simple mouse-click and: "- All will be focused in a super easy way to manage rules" :thumb:
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,595
    Location:
    Mexico
    I think both ideas are great. New ERP written from scratch and new SOB gui based. I hope Andreas can make our wish come true.
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,027
    Location:
    Italy
    @mood

    ERP will use SHA-256 hash.

    @Rasheed187

    With the new ERP's rules structure you can do that like this:

    Code:
    [proc.parent = "*\chrome.exe"] [proc.signer = "Google Inc."] [proc.action = "allow"]
    [proc.parent = "C:\WINDOWS\Explorer.exe"] [proc.name = "C:\Test\*"] [proc.action = "block"]
    [proc.parent = "C:\WINDOWS\System32\svchost.exe"] [proc.name = "C:\Test\*"] [proc.action = "block"]
    
    So with those rules you can control parent->child processes.

    @guest @EASTER @mood @Mister X

    Yes, we can work on a SOB-GUI version after the new ERP has been released.

ERP will use some of the SOB technology for rules creation and process monitoring, so let's see first how they perform on ERP-GUI.
     
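The SOB rules in mood's post and the ERP rules in novirusthanks' post above are both parent/child process filters: each bracketed clause is a glob on an attribute of the process-creation event, and the clauses of one rule must all match. The Python below is an added example, not code from NoVirusThanks, ERP or SOB. It parses the three ERP-style rules quoted in the post plus one constructed rule in the same syntax (mood's "applications in C:\Program Files\* aren't allowed to execute applications in C:\Windows\*") and evaluates them against constructed process-creation events. Assumed, because the post does not say: the first matching rule wins, proc.signer is the signer of the launched child image, an event that matches no rule produces an alert, and "*" matches across directory separators.

```python
"""Toy evaluator for ERP-style parent/child process rules (added example)."""
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List

# One bracketed clause: [proc.<field> = "<pattern>"]
CLAUSE_RE = re.compile(r'\[\s*(proc\.\w+)\s*=\s*"([^"]*)"\s*\]')

# Assumed mapping of rule fields to event attributes; proc.signer is taken
# to mean the signer of the child image (the post does not specify this).
FIELD_TO_ATTR = {"proc.parent": "parent", "proc.name": "name", "proc.signer": "signer"}

# Assumed: an event no rule covers is shown to the user instead of silently allowed.
DEFAULT_ACTION = "alert"

# Rules 1-3 are copied from the post; rule 4 is constructed here in the same syntax.
SAMPLE_RULES = r'''
[proc.parent = "*\chrome.exe"] [proc.signer = "Google Inc."] [proc.action = "allow"]
[proc.parent = "C:\WINDOWS\Explorer.exe"] [proc.name = "C:\Test\*"] [proc.action = "block"]
[proc.parent = "C:\WINDOWS\System32\svchost.exe"] [proc.name = "C:\Test\*"] [proc.action = "block"]
[proc.parent = "C:\Program Files\*"] [proc.name = "C:\Windows\*"] [proc.action = "block"]
'''


@dataclass(frozen=True)
class ProcessEvent:
    parent: str  # full image path of the process requesting the launch
    name: str    # full image path of the child being started
    signer: str  # verified Authenticode signer of the child image, "" if unsigned


def parse_rule(line: str) -> Dict[str, str]:
    """Turn one rule line into {field: pattern}; reject anything malformed."""
    clauses = dict(CLAUSE_RE.findall(line))
    if not clauses or CLAUSE_RE.sub("", line).strip():
        raise ValueError(f"malformed rule: {line!r}")
    if clauses.get("proc.action") not in ("allow", "block"):
        raise ValueError(f"rule needs proc.action allow|block: {line!r}")
    unknown = set(clauses) - set(FIELD_TO_ATTR) - {"proc.action"}
    if unknown:
        raise ValueError(f"unknown field(s) {sorted(unknown)} in {line!r}")
    return clauses


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Parse a rule list, one rule per non-empty line, keeping their order."""
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def _glob_match(pattern: str, value: str) -> bool:
    # Windows paths are case-insensitive; fnmatch's '*' spans backslashes,
    # so "*\chrome.exe" matches chrome.exe at any depth.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def rule_matches(rule: Dict[str, str], ev: ProcessEvent) -> bool:
    """Every non-action clause must match its event attribute."""
    return all(_glob_match(pattern, getattr(ev, FIELD_TO_ATTR[field]))
               for field, pattern in rule.items() if field != "proc.action")


def decide(rules: List[Dict[str, str]], ev: ProcessEvent) -> str:
    """First matching rule wins (assumed ordering); otherwise DEFAULT_ACTION."""
    for rule in rules:
        if rule_matches(rule, ev):
            return rule["proc.action"]
    return DEFAULT_ACTION


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    chrome = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    # Constructed events: a signed chrome->chrome launch, explorer starting a
    # file in C:\Test, chrome starting an unsigned file, chrome starting a
    # Windows binary.
    for ev in (
        ProcessEvent(chrome, chrome, "Google Inc."),
        ProcessEvent(r"C:\WINDOWS\Explorer.exe", r"C:\Test\sample.exe", ""),
        ProcessEvent(chrome, r"C:\Test\sample.exe", ""),
        ProcessEvent(chrome, r"C:\Windows\System32\notepad.exe", "Microsoft Windows"),
    ):
        print(f"{ev.parent} -> {ev.name}: {decide(rules, ev)}")
```

Note that the first rule only allows chrome.exe's children when the child is signed by Google Inc.; an unsigned child of chrome.exe matches nothing and falls through to the default alert, which is the behaviour Rasheed187 asks for (no prompt for every child, but unexpected children still surface).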
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,595
    Location:
    Mexico
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    16,193
    Very nice :thumb:
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,342
    Location:
    U.S.A. (South)
Wow. That was a better answer than I was expecting. Gee Whiz @novirusthanks :)
     
  19. guest

    guest Guest

    Nice, thank you. ;)
     
  20. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,611
    Wonderful. Like Rasheed, I keep wishing for the parent-child jobs.
    I hope we will not have to write strings. Will there be an alert "Test wants to run svchost" (or the other way around (I'm not sure how to read the examples))?
     
  21. Deckard

    Deckard Registered Member

    Joined:
    Dec 13, 2016
    Posts:
    46
    Location:
    France
Blake2 is not very common. Apparently, it is more efficient, especially on 64-bit processors, but not used in Bouncer, etc.
    Don't know why.
    https://blake2.net
     
  22. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,690
    Still following....I have a version from a couple of years ago, installed on my XP desktop. Can't wait to try a new version when released on my Surface Book.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,879
    Location:
    The Netherlands
    Looks very nice. I wouldn't want to be alerted about every child process, because that would be annoying, but you should be able to auto-block loading of certain child processes. :thumb:
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,391
    Please do keep it as simple as the current version.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,879
    Location:
    The Netherlands
    I believe it will work exactly the same, but with more options for monitoring certain child processes. For obvious reasons, you can currently not add explorer.exe, svchost.exe and browsers to the "vulnerable apps" list, because that would cause problems. This new feature would fix that.
     