Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.
Nice. "Some clicks" with the mouse and the rule is (nearly) done
No he's not alone.
Is that sweet or not.
I think most of us regularly posting in this thread are waiting to test it lol
This does look good.
I assume the new ERP will come with defaults and learning mode like the previous version, which we will then be able to add / modify using the 'rules builder' e.g. additional vulnerable processes?
Is it gonna be only a paid version, or maybe free (with some limitations)?
I guess it will be a paid-only version:
I LIKE paid software. The lifespan of many (not all) companies that give away too much of their hard work is often only slightly longer than that of a butterfly.
I assume the same. I hope it'll be like this. Can't wait.
I wonder which Windows will be supported.
I like FREE software. Especially the x64 bit type that spans over several platforms and keeps its effectiveness.
However, PAID security software can be even more desirable where the developer especially sees to his customers'/users' complete satisfaction & support without end.
Could you perhaps explain a bit more about this, is it about parent-child process control?
It is about creating very tight rules of any kind, you can select some or all options, to create a very customized whitelist; just by seeing that screenshot, I can see a lot of possibilities to make ERP hardly bypassable. Very promising.
LOL, I will copyright it and sell it at a high price
Indeed it is sure to sport enormous possibilities.
ERP has become for my systems a tough cookie and a close companion in the way it watches over and REACTS instantly to process signals etc.
Curious though but I must ask, is it at all possible that a rule can be fashioned/set in it to even Alert/Stop folder creations too?
In case I missed that part. My old HIPS you could do that.
From the screenshot, I'm not sure; maybe blocking all processes using the wildcard * and including in the rule the command line that creates a folder is possible, but I don't think it is necessary if the parent process is blocked from the start. (Remember that in Lockdown Mode, all non-whitelisted processes are auto-blocked.)
**possibly offensive phrase removed
@novirusthanks Andreas, an attack that abuses PowerShell whitelisting in many products. Old version of ERP at default settings, sure, but the vector has to be considered. The exploit can use DLL or Python.
Video + discussion at MT : https://malwaretips.com/threads/bypassing-novirusthanks-exe-radar-pro.70623/
(Posting a direct link to YouTube is forbidden here if I recall well)
I asked several questions about it to the tester in the video comments. Emsisoft will add detection for this kind of indirect bypass in their next build.
Blocking of folder creations with ERP?
Well, it does stop processes well enough, right? (just reaching)
That Rule Editor/Layout for configuration is going to make a big difference and also keep to the simplicity for sure.
(which has been forcefully expressed)
After it was released and we have full access to the rule builder and other added/new features, we'll see what all can be done.
ERP will be definitely more powerful than the previous version.
Absolutely and the anticipation is exciting over this to say the least!
Knowing Andreas' exceptional talents in overseeing and/or fashioning these improvements, it's a sure bet something will also be thrown in just as a surprise extra for us to salivate over.
Hey fellas, I am new to Wilders forums and in particular this thread about ERP. I installed this program maybe 3 weeks ago on my main laptop and beast of a desktop PC. I leave both comps on 24/7 and have nothing but adoration for this program already! I'm simply blown away at how simple it is to use and configure without annoying the ever living crap outta me like other anti-executables or even HIPS. Wow!!! Thank you to all of you guys/gals working on this software. I hope that it has continued development, but even without it, it seems that I haven't experienced any real incompatibilities. Can't wait to see what the future holds. Last thing I wanted to mention, I noticed that NoVirusThanks offers like a trillion other programs on the company's website. It's likely why more time is required to work on each program, since so many are quite possibly being actively developed? I can appreciate that for sure.
I'm running Windows 8 x64 and LOVING the protection ERP offers. I forget that it's even running and my computer is not lagging which is a nice change since antivirus especially can do this. I think I'll just stick to this and running on a limited user account coupled with making intelligent web browsing decisions =) Thanks a million guys! A lot of great info on this massive topic, I've much to read!
We should have the new ERP version ready for testing in a few weeks.
Last thing we've added, option to "read data from file" and auto-complete the available fields:
I checked the video but it misses a few things:
- He doesn't show the list of vulnerable processes. Most MS Office exploits use PowerShell.exe or cmd.exe to download and/or run the .exe payload, so if he removed PowerShell.exe or rundll32.exe (used to load DLLs) from vulnerable processes, it is another story
- He used an older version of ERP (the beta version was improved a lot, including the process detection technology)
Would have been much better if he could show these details and provide more information.
However, we'll try to take a look at that.
Thanks a lot for your feedback!
Follow this thread as we'll release a new ERP version for testing soon
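To make the point about the vulnerable-processes list concrete, here is an added toy model of the policy described in this thread (Lockdown Mode auto-blocking non-whitelisted processes, wildcard whitelist rules, and a vulnerable-process list checked against document-handler parents). It is illustrative code written for this page, not ERP's code; the rule semantics, paths and events are all constructed assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class ProcessEvent:
    image: str    # full path of the process being launched
    parent: str   # full path of the parent that launched it


@dataclass
class Policy:
    whitelist: list          # wildcard rules on image path, e.g. r"C:\Windows\*"
    vulnerable: set          # base names on the "vulnerable processes" list
    doc_handlers: set        # parents whose children are checked against that list
    lockdown: bool = True    # Lockdown Mode: non-whitelisted processes auto-blocked


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def _base(path: str) -> str:
    return _norm(path).rsplit("/", 1)[-1]


def evaluate(policy: Policy, ev: ProcessEvent) -> tuple:
    """Decide one process-creation event; returns (verdict, reason)."""
    name = _base(ev.image)
    whitelisted = any(fnmatch(_norm(ev.image), _norm(p)) for p in policy.whitelist)
    # A whitelisted system binary is still blocked when a document handler spawns it.
    if name in policy.vulnerable and _base(ev.parent) in policy.doc_handlers:
        return "block", f"vulnerable process {name} spawned by {_base(ev.parent)}"
    if whitelisted:
        return "allow", "matched whitelist rule"
    if policy.lockdown:
        return "block", "Lockdown Mode: not whitelisted"
    return "alert", "unknown process, prompt user"


# Constructed events with hypothetical paths (not captured from a real system).
EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\user\AppData\Local\Temp\stage2.exe",
                 r"C:\Windows\System32\cmd.exe"),
]


def run(vulnerable: set) -> list:
    """Evaluate EVENTS under a policy with the given vulnerable-process list."""
    policy = Policy(whitelist=[r"C:\Windows\*", r"C:\Program Files\*"],
                    vulnerable=vulnerable,
                    doc_handlers={"winword.exe", "excel.exe", "outlook.exe"})
    return [evaluate(policy, ev)[0] for ev in EVENTS]
```

Running `run({"powershell.exe", "cmd.exe", "rundll32.exe"})` blocks the Word-spawned PowerShell, while `run({"cmd.exe"})` lets the same event through on the whitelist alone, which is the difference the post above says a test video has to show.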
Thank you for this gem Andreas. You make me happy
Indeed, we even think he removed Cmd.exe from vulnerable processes, because Empire uses PowerShell or Cmd to exploit the system. When I asked what form of Empire was used, he didn't answer.
Yes, I pointed it out in the YouTube comments. The old version doesn't have PowerShell as a vulnerable process. Also he uses Windows 7 with PowerShell v1-2.
I checked other videos from him; seems he "arranged" the tests to allow the attack to be successful. Note that he is a Cylance reseller and we all know how Cylance arranged videos to bash rival vendors.
Basically all his videos are arranged to allow the attack.
- on Panda Adaptive 360, he unblocked an exe to allow the attack to continue.
- on ERP, seems cmd was removed from vulnerable processes, no answer when I asked about it.
- on Comodo , he set it at Paranoid mode but turned off alerts and set those to "Allow Requests" plus he sets "Create rules for safe apps". Why put paranoid mode then modify the 2 settings that make paranoid efficient.
Those settings set as he did will auto-allow PowerShell to execute...
My conclusion: just a reseller that promotes his company and services as security "advisor" by using rigged videos to scare users/customers. I don't believe his attack will be effective on Win10 and the latest ERP version (I pointed that out to him).