New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,344
    Location:
    U.S.A. (South)
    Looks like things are going along nicely in the Lab with the new improvements.

    It should be quite the stir when the first one is put out for testing.
     
  2. guest

    guest Guest

    ERP is not fully compatible with SUA; some major bugs are present (like the settings that reset every boot). I hope Andreas will fix that in the new version.
     
  3. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    243
    Location:
    United States
    Screenshots look great. Can't wait to test the new program in the near future. Keep up the good work!
     
  4. Brian Patterson

    Brian Patterson Registered Member

    Joined:
    Apr 21, 2017
    Posts:
    2
    Location:
    USA
    Screenshots look excellent! Thank you for sharing them. I highly anticipate the next release.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,041
    Location:
    The Netherlands
    Yes I understand, but I couldn't picture it. I think it's best if all crucial system processes are allowed to run automatically. But they are only allowed if the parent process is another system process. This means that malware can't use them for process hollowing attacks. The browser should also only be able to launch if the parent is explorer.exe or the browser itself.
     
  6. guest

    guest Guest

    I think it is not a good idea. As you know, the most important feature of ERP is the VPL (Vulnerable Process List); it includes most of the known exploitable processes, which always trigger an alert even if whitelisted.
    That is the main strength of ERP: every process added to this list will always trigger an alert.

    If you watched the video of the attack I posted above (link to MT), it uses PowerShell Empire to abuse the whitelisting of many AVs/software. Empire can use a DLL (ERP doesn't monitor DLLs) to load PowerShell without using its Windows process itself. Once the system is compromised, the C&C can load scripts directly onto the machine through PowerShell.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,041
    Location:
    The Netherlands
    You clearly misunderstood, I was talking about crucial system processes that the OS needs to function. I was not talking about system processes that could be used in attacks. The Vulnerable Process List will always be needed.
     
  8. guest

    guest Guest

    I see. I think I quoted the right part, didn't I?
    ERP can do it already, no?
    I never used ERP with default settings, only after a clean install (with my own whitelist/vendors list) in lockdown mode, so I may never have encountered the situation you described because all exes outside the system ones and my whitelist are auto-blocked.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,041
    Location:
    The Netherlands
    To be honest, I have never tested what happens if you disable "allow protected system processes". I assume the OS will continue to work? ERP must always allow certain system processes for obvious reasons, see link. But anyway, I hope it will be possible to make rules like:

    - Only explorer.exe and chrome.exe are allowed to run chrome.exe as child process
    - Only explorer.exe and svchost.exe are allowed to run explorer.exe as child process

    http://sysforensics.org/2014/01/know-your-windows-processes/
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    18,628
    The OS will "continue to work".
    If svchost.exe is in the whitelist it will be allowed, and if it is not in the whitelist, you'll get a prompt for it.
    But it should be in the whitelist.
    This will be possible.
    Or: Allow the execution of svchost.exe, only if the parent process is located in C:\Program Files\* or C:\Windows\*
    Or: Deny the execution of files in C:\Windows\* if the parent process is located in a temporary directory.
    There are a lot of possibilities.
     
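    The parent/child rules proposed in the two posts above, worked through as an added example. This is not ERP code and not code from anyone in the thread: the rule model, the sample rule set and the process-creation events are all constructed here to show how such rules are evaluated (deny rules win, a restricted child is blocked when launched by an unlisted parent, and an unrestricted child falls through to the default policy). Paths such as C:\Users\alice\AppData\Local\Temp are assumptions.

```python
"""Parent/child execution rules of the kind discussed in the posts above.

Added example, not code from ERP or from anyone in the thread. The rule
model, the sample rule set and the process-creation events are all
constructed here for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    image: str         # full path of the executable being launched
    parent_image: str  # full path of the process launching it


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _under(path: str, directory: str) -> bool:
    """True if *path* lies anywhere below *directory* (case-insensitive)."""
    return PureWindowsPath(directory.lower()) in PureWindowsPath(path.lower()).parents


@dataclass(frozen=True)
class Rule:
    action: str                            # "allow" or "deny"
    child_name: Optional[str] = None       # match the child by image name ...
    child_under: Optional[str] = None      # ... or by directory prefix
    parent_names: Tuple[str, ...] = ()     # listed parents by name ...
    parent_under: Tuple[str, ...] = ()     # ... or by directory prefix

    def matches_child(self, ev: ProcessEvent) -> bool:
        if self.child_name is not None:
            return _name(ev.image) == self.child_name.lower()
        return self.child_under is not None and _under(ev.image, self.child_under)

    def matches_parent(self, ev: ProcessEvent) -> bool:
        return (_name(ev.parent_image) in {n.lower() for n in self.parent_names}
                or any(_under(ev.parent_image, d) for d in self.parent_under))


def evaluate(ev: ProcessEvent, rules: List[Rule]) -> str:
    """Return "allow", "deny" or "prompt" for one process-creation event."""
    applicable = [r for r in rules if r.matches_child(ev)]
    # A deny rule fires as soon as both its child and its parent condition hold.
    if any(r.action == "deny" and r.matches_parent(ev) for r in applicable):
        return "deny"
    allows = [r for r in applicable if r.action == "allow"]
    if not allows:
        return "prompt"  # nothing restricts this child; leave it to the default policy
    if any(r.matches_parent(ev) for r in allows):
        return "allow"
    return "deny"        # the child is restricted and this parent is not on its list


# The rules proposed in the posts above, expressed in the model used here.
TEMP_DIRS = (r"C:\Users\alice\AppData\Local\Temp", r"C:\Windows\Temp")  # constructed
DEMO_RULES = [
    Rule("allow", child_name="chrome.exe", parent_names=("explorer.exe", "chrome.exe")),
    Rule("allow", child_name="explorer.exe", parent_names=("explorer.exe", "svchost.exe")),
    Rule("allow", child_name="svchost.exe", parent_under=(r"C:\Program Files", r"C:\Windows")),
    Rule("deny", child_under=r"C:\Windows", parent_under=TEMP_DIRS),
]

# Constructed events, one per case the rules should distinguish.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\dropper.exe"
DEMO_EVENTS = {
    "chrome from explorer":      ProcessEvent(CHROME, r"C:\Windows\explorer.exe"),
    "chrome from winword":       ProcessEvent(CHROME, r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    "svchost from services":     ProcessEvent(r"C:\Windows\System32\svchost.exe",
                                              r"C:\Windows\System32\services.exe"),
    "svchost from temp dropper": ProcessEvent(r"C:\Windows\System32\svchost.exe", DROPPER),
    "cmd from temp dropper":     ProcessEvent(r"C:\Windows\System32\cmd.exe", DROPPER),
    "cmd from explorer":         ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
}

if __name__ == "__main__":
    for label, ev in DEMO_EVENTS.items():
        print(f"{label:28s} -> {evaluate(ev, DEMO_RULES)}")
```

    Matching is by image name or directory prefix only, as in the rules quoted; a real implementation would also want to match on the signer or hash of the parent, since a dropper can simply copy itself into an allowed directory if it has write access there.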
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,041
    Location:
    The Netherlands
    OK I see, so system processes are already white-listed.

    OK cool, it's just that I couldn't picture it based on the screenshots.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,344
    Location:
    U.S.A. (South)
    Thanks for the linkie.

    Simple but not always so simple if left to roam about unmonitored in some fashion. Speaking of svchost.exe.

    I feel like I've been chasing that notorious system file around for ages. I once was able to read and trace back to a hidden driver that used that filename process without affecting system stability.

    I suppose this little app is ok for identification purposes too.
    Process Explorer remains the best though I think.
    https://svchostviewer.codeplex.com/
     
    Last edited: Apr 23, 2017
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,612
    Location:
    Mexico
  14. guest

    guest Guest

    Cool, new ERP will now fully support SUA :)
     
  15. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Yay!
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,041
    Location:
    The Netherlands
    BTW to clarify, I posted the link because system processes should be standard in the white-list, you shouldn't be able to remove those rules, to avoid problems. So ERP should be able to recognize the most important system processes that are needed by the OS.

    http://sysforensics.org/2014/01/know-your-windows-processes/
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,612
    Location:
    Mexico
    Thanks for the link. Now studying Windows Exploratory Surgery with Process Hacker by Jason Fossen
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,477
    I disagree. It makes stopping some of them harder, like diagtrackrunner and comptelrunner.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,344
    Location:
    U.S.A. (South)
    And thanks for the mention to Process Hacker.

    Just updated mine to 2.39
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,041
    Location:
    The Netherlands
    I'm not sure what you mean. What I'm saying is that crucial system processes should always be allowed, no matter if they are white-listed or not. But they should only be allowed if launched by the Windows OS itself, if other apps try to run them, then you're probably dealing with process hollowing, and the new ERP will stop this.

    Cool, I have downloaded the PDF document, this will teach me a lot about Win internals. :thumb:
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,612
    Location:
    Mexico
    Yes. It has taught me about basic and fundamental processes in such an easy friendly way that I strongly recommend this book for anyone.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,477
    Well the two processes are system processes launched by windows and I don't want them run PERIOD.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,041
    Location:
    The Netherlands
    No offense, but what part about crucial don't you understand? The system processes that I'm talking about were mentioned in this article:

    http://sysforensics.org/2014/01/know-your-windows-processes/
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,344
    Location:
    U.S.A. (South)
    Important distinction on this process. Good info to bring to the surface.

    SVCHOST.EXE - Service Hosting Process

    • Multiple instances of svchost.exe can/do exist/run
    • %SystemRoot%\System32\svchost.exe
    • Username: Should only be one of three options: NT AUTHORITY\SYSTEM, LOCAL SERVICE, or NETWORK SERVICE
    • Should always have a parent of services.exe
    • Base Priority of 8
    • Often mimicked (scvhost, svch0st, etc.). When they are mimicked they will not be running as children to services.exe.
    • Command Line: svchost.exe -k <name>
    • -k <name> values should exist within the Software\Microsoft\Windows NT\CurrentVersion\Svchost registry key
    • Oftentimes when malware uses the actual svchost.exe to load their malicious service they will not include -k command line parameters and will be running under a username that does not match one of the three listed in bullet 3.
    • They should all be running within session 0
     
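    The svchost.exe baseline quoted in the post above, turned into a check as an added example. This is not code from the article, from ERP or from anyone in the thread. The process records and the KNOWN_GROUPS set are constructed stand-ins: on a live host the records would come from a process listing (Process Explorer, Process Hacker, or Get-CimInstance Win32_Process) and KNOWN_GROUPS from the sub-keys of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. %SystemRoot% is assumed to be C:\Windows.

```python
"""Check svchost.exe instances against the baseline quoted above.

Added example, not from the article or from ERP. The process records and
KNOWN_GROUPS are constructed stand-ins; on a live host the records would
come from a process listing and KNOWN_GROUPS from the sub-keys of
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
"""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from pathlib import PureWindowsPath
from typing import Dict, List

EXPECTED_IMAGE = r"C:\Windows\System32\svchost.exe"   # assumes %SystemRoot% = C:\Windows
EXPECTED_PARENT = "services.exe"
EXPECTED_USERS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}  # compared without "NT AUTHORITY\"
KNOWN_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice"}  # constructed
KFLAG = re.compile(r"(?:^|\s)-k\s+(\S+)")


@dataclass
class Proc:
    pid: int
    name: str
    image: str
    parent_name: str
    user: str
    cmdline: str
    session: int


def check_svchost(p: Proc) -> List[str]:
    """Return the baseline deviations for one process (empty list = looks normal)."""
    findings: List[str] = []
    name = p.name.lower()
    if name != "svchost.exe":
        # Lookalike names (scvhost, svch0st, ...) are close to, but not equal to, the real name.
        if SequenceMatcher(None, name, "svchost.exe").ratio() >= 0.8:
            findings.append(f"lookalike name {p.name!r} (pid {p.pid})")
        return findings  # not svchost.exe; the remaining checks do not apply
    if PureWindowsPath(p.image) != PureWindowsPath(EXPECTED_IMAGE):
        findings.append(f"unexpected image path {p.image}")
    if p.parent_name.lower() != EXPECTED_PARENT:
        findings.append(f"parent is {p.parent_name}, expected {EXPECTED_PARENT}")
    account = p.user.upper().split("\\", 1)[-1]  # "NT AUTHORITY\SYSTEM" -> "SYSTEM"
    if account not in EXPECTED_USERS:
        findings.append(f"unexpected user {p.user}")
    m = KFLAG.search(p.cmdline)
    if m is None:
        findings.append("no -k <group> on the command line")
    elif m.group(1).lower() not in KNOWN_GROUPS:
        findings.append(f"service group {m.group(1)!r} not in the Svchost registry key")
    if p.session != 0:
        findings.append(f"running in session {p.session}, expected 0")
    return findings


def scan(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> findings for every process that deviates from the baseline."""
    result: Dict[int, List[str]] = {}
    for p in procs:
        findings = check_svchost(p)
        if findings:
            result[p.pid] = findings
    return result


SAMPLE = [  # constructed process records, one normal and three suspicious
    Proc(812, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe",
         r"NT AUTHORITY\NETWORK SERVICE", r"C:\Windows\System32\svchost.exe -k netsvcs", 0),
    Proc(4120, "svchost.exe", r"C:\Windows\System32\svchost.exe", "explorer.exe",
         r"DESKTOP\alice", r"C:\Windows\System32\svchost.exe", 1),
    Proc(5064, "scvhost.exe", r"C:\Users\alice\AppData\Local\Temp\scvhost.exe", "explorer.exe",
         r"DESKTOP\alice", "scvhost.exe", 1),
    Proc(5308, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe", "services.exe",
         r"NT AUTHORITY\SYSTEM", r"svchost.exe -k updater", 0),
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE).items():
        print(pid, "; ".join(findings))
```

    One caveat when applying this baseline to current systems: Windows 10 introduced per-user services, whose svchost.exe hosts run under the logged-on user's account and in that user's session, so the user and session checks will flag those legitimate instances and need to be tuned against a known-good host.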
  25. AtlBo

    AtlBo Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    23
    Location:
    United States
    Can't wait to see this!
     