New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,983
    Location:
    when i can counter-troll
From the screenshot, I'm not sure; maybe blocking all processes using the wildcard * and including in the rule the command line that creates a folder is possible, but I don't think it is necessary if the parent process is blocked from the start. (Remember that in Lockdown Mode, all non-whitelisted processes are auto-blocked.)

    **possibly offensive phrase removed
     
  2. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,983
    Location:
    when i can counter-troll
@novirusthanks Andreas, an attack that abuses the PowerShell whitelisting of many products. An old version of ERP at default settings, sure, but the vector has to be considered. The exploit can use a DLL or Python.
    Video + discussion at MT : https://malwaretips.com/threads/bypassing-novirusthanks-exe-radar-pro.70623/

(Posting direct links to YouTube tests is forbidden here, if I recall well.)

I asked the tester several questions about it in the video comments. Emsisoft will add detection for this kind of indirect bypass in their next build.
     
    Last edited: Apr 17, 2017
  3. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    1,743
    Blocking of folder creations with ERP? :cautious:
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,823
    Location:
    U.S.A. (South)
Well, it does stop processes well enough, right? (just reaching) :rolleyes:

That Rule Editor/Layout for configuration is going to make a big difference and also keep to the simplicity, for sure.
(which has been forcefully expressed)
     
  5. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    1,743
    After it was released and we have full access to the rule builder and other added/new features, we'll see what all can be done.
    ERP will be definitely more powerful than the previous version.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,823
    Location:
    U.S.A. (South)
    Absolutely and the anticipation is exciting over this to say the least!

Knowing Andreas's exceptional talents in overseeing and/or fashioning these improvements, it's a sure bet something will also be thrown in just as a surprise extra for us to salivate over.
     
  7. Brian Patterson

    Brian Patterson Registered Member

    Joined:
    Friday
    Posts:
    2
    Location:
    USA
Hey fellas, I am new to Wilders forums and in particular this thread about ERP. I installed this program maybe 3 weeks ago on my main laptop and beast of a desktop PC. I leave both comps on 24/7 and have nothing but adoration for this program already! I'm simply blown away at how simple it is to use and configure without annoying the ever living crap outta me like other anti-executables or even HIPS. Wow!!! Thank you to all of you guys/gals working on this software. I hope that it has continued development, but even without it, it seems that I haven't experienced any real incompatibilities. Can't wait to see what the future holds. Last thing I wanted to mention: I noticed that NoVirusThanks offers like a trillion other programs on the company's website. It's likely why more time is required to work on each program, since so many are quite possibly being actively developed? I can appreciate that for sure.

    I'm running Windows 8 x64 and LOVING the protection ERP offers. I forget that it's even running and my computer is not lagging which is a nice change since antivirus especially can do this. I think I'll just stick to this and running on a limited user account coupled with making intelligent web browsing decisions =) Thanks a million guys! A lot of great info on this massive topic, I've much to read! :)
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    737
    Location:
    Italy
    We should have the new ERP version ready for testing in a few weeks.

The last thing we've added is an option to "read data from file" and auto-complete the available fields:

    erp.png

    @Umbra

    I checked the video but it misses a few things:

- He doesn't show the list of vulnerable processes. Most MS Office exploits use PowerShell.exe or cmd.exe to download and/or run the .exe payload, so if he removed PowerShell.exe or rundll32.exe (used to load DLLs) from vulnerable processes, that is another story

    - He used an older version of ERP (the beta version was improved a lot, including the process detection technology)

It would have been much better if he could show these details and provide more information.

    However, we'll try to take a look at that.

    @Brian Patterson

    Thanks a lot for your feedback!

    Follow this thread as we'll release a new ERP version for testing soon :)
     
  9. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,285
    Location:
    Mexico
    Thank you for this gem Andreas. You make me happy :geek:
     
  10. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,983
    Location:
    when i can counter-troll
Indeed, we even think he removed cmd.exe from vulnerable processes, because Empire uses PowerShell or cmd to exploit the system. When I asked what form of Empire was used, he didn't answer.

Yes, I pointed it out in the YouTube comments. The old version doesn't have PowerShell in the vulnerable processes. Also, he used Windows 7 with PowerShell v1-2.

I checked other videos from him; it seems he "arranged" the tests to allow the attack to be successful. Note that he is a Cylance reseller, and we all know how Cylance arranged videos to bash rival vendors.
Basically all his videos are arranged to allow the attack.

- On Panda Adaptive 360, he unblocked an exe to allow the attack to continue.
- On ERP, it seems cmd was removed from vulnerable processes; no answer when I asked about it.
- On Comodo, he set it to Paranoid mode but turned off alerts and set those to "Allow Requests", plus he set "Create rules for safe apps". Why use Paranoid mode, then modify the 2 settings that make Paranoid efficient?
Those settings, set as he did, will auto-allow PowerShell to execute...

My conclusion: just a reseller that promotes his company and services as a security "advisor" by using rigged videos to scare users/customers. I don't believe his attack will be effective on Win10 and the latest ERP version (I pointed that out to him).
     
    Last edited: Apr 21, 2017 at 1:00 PM
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,823
    Location:
    U.S.A. (South)
    Looks like things are going along nicely in the Lab with the new improvements.

    It should be quite the stir when the first one is put out for testing.
     
  12. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,983
    Location:
    when i can counter-troll
    ERP is not fully compatible with SUA, some major bugs are present (like the settings that reset every boot). I hope Andreas will fix that on the new version.
     
  13. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    237
    Location:
    United States
    Screenshots look great. Can't wait to test the new program in the near future. Keep up the good work!
     
  14. Brian Patterson

    Brian Patterson Registered Member

    Joined:
    Friday
    Posts:
    2
    Location:
    USA
    Screen shots look excellent! Thank you for sharing them. I highly anticipate the next release
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,692
    Location:
    The Netherlands
    Yes I understand, but I couldn't picture it. I think it's best if all crucial system processes are allowed to run automatically. But they are only allowed if the parent process is another system process. This means that malware can't use them for process hollowing attacks. The browser should also only be able to launch if the parent is explorer.exe or the browser itself.
     
  16. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,983
    Location:
    when i can counter-troll
I think it is not a good idea. As you know, the most important feature of ERP is the VPL (Vulnerable Process List); it includes most of the known exploitable processes, and those always trigger an alert even if whitelisted.
That is the main strength of ERP: every process added to this list will always trigger an alert.

If you watched the video of the attack I posted above (link to MT), it uses PowerShell Empire to abuse the whitelisting of many AVs/softs. Empire can use a DLL (ERP doesn't monitor DLLs) to load PowerShell without using its Windows process itself. Once the system is compromised, the C&C can load scripts directly onto the machine through PowerShell.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,692
    Location:
    The Netherlands
    You clearly misunderstood, I was talking about crucial system processes that the OS needs to function. I was not talking about system processes that could be used in attacks. The Vulnerable Process List will always be needed.
     
  18. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,983
    Location:
    when i can counter-troll
I see. I think I quoted the right part, did I?
ERP can do it already, no?
I never used ERP with default settings, only after a clean install (with my own whitelist/vendors list) in lockdown mode, so I may never have encountered the situation you described, because all exes outside the system ones and my whitelist are auto-blocked.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,692
    Location:
    The Netherlands
    To be honest, I have never tested what happens if you disable: "allow protected system processes", I assume the OS will continue to work? ERP must always allow certain system processes for obvious reasons, see link. But anyway, I hope it will be possible to make rules like:

    - Only explorer.exe and chrome.exe are allowed to run chrome.exe as child process
    - Only explorer.exe and svchost.exe are allowed to run explorer.exe as child process

    http://sysforensics.org/2014/01/know-your-windows-processes/
     
  20. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    1,743
    The OS will "continue to work".
    If svchost.exe is in the whitelist it will be allowed, and if it is not in the whitelist, you'll get a prompt for it.
    But it should be in the whitelist.
    This will be possible.
    Or: Allow the execution of svchost.exe, only if the parent process is located in C:\Program Files\* or C:\Windows\*
    Or: Deny the execution of files in C:\Windows\* if the parent process is located in a temporary directory.
    There are a lot of possibilities.
     
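The parent-process rules proposed in the two posts above, as an added example (my own Python model, not NoVirusThanks code and not ERP's actual rule syntax): a small first-match rule engine with the lockdown default and the Vulnerable Process List behaviour Umbra described in post 16. The rule names, field layout and sample paths are assumptions.

```python
import ntpath
from fnmatch import fnmatchcase
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    action: str   # "allow" or "deny"
    process: str  # wildcard matched against the full path of the new process
    parent: str   # wildcard matched against the full path of its parent

# Constructed rule set (assumed syntax, not ERP's own); first matching rule wins.
RULES = [
    # Deny anything under C:\Windows\ when the parent runs from a temp directory.
    Rule("deny-temp-parent", "deny", r"C:\Windows\*", r"C:\Users\*\AppData\Local\Temp\*"),
    # chrome.exe may only be started by explorer.exe or another chrome.exe.
    Rule("chrome-from-explorer", "allow", r"*\chrome.exe", r"*\explorer.exe"),
    Rule("chrome-from-chrome", "allow", r"*\chrome.exe", r"*\chrome.exe"),
    # explorer.exe may only be started by svchost.exe or explorer.exe.
    Rule("explorer-from-svchost", "allow", r"*\explorer.exe", r"*\svchost.exe"),
    Rule("explorer-from-explorer", "allow", r"*\explorer.exe", r"*\explorer.exe"),
    # svchost.exe only if the parent lives in Program Files or Windows.
    Rule("svchost-from-windows", "allow", r"*\svchost.exe", r"C:\Windows\*"),
    Rule("svchost-from-progfiles", "allow", r"*\svchost.exe", r"C:\Program Files\*"),
    # Plain system-to-system launches are whitelisted.
    Rule("system-dir", "allow", r"C:\Windows\*", r"C:\Windows\*"),
]

# Vulnerable Process List (names from the thread): an allow rule never silences these.
VULNERABLE = {"powershell.exe", "cmd.exe", "rundll32.exe"}

def _match(pattern, path):
    # Windows paths are case-insensitive, so compare lower-cased strings.
    return fnmatchcase(path.lower(), pattern.lower())

def decide(process, parent, lockdown=True):
    """Return (verdict, rule name); verdict is "allow", "deny" or "prompt".
    In lockdown mode an execution no rule covers is denied; otherwise it prompts."""
    for rule in RULES:
        if _match(rule.process, process) and _match(rule.parent, parent):
            if rule.action == "allow" and ntpath.basename(process).lower() in VULNERABLE:
                return "prompt", rule.name   # VPL member: always alert
            return rule.action, rule.name
    return ("deny" if lockdown else "prompt"), "default"

if __name__ == "__main__":
    # Constructed sample process-creation events: (child, parent).
    for child, par in [(r"C:\Windows\System32\cmd.exe", r"C:\Users\bob\AppData\Local\Temp\dropper.exe"),
                       (r"C:\Users\bob\Downloads\setup.exe", r"C:\Windows\explorer.exe")]:
        print(decide(child, par), child)
```

Rule order matters: the deny rule for temp-directory parents sits first so the later "system-dir" allow cannot override it.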
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,692
    Location:
    The Netherlands
    OK I see, so system processes are already white-listed.

    OK cool, it's just that I couldn't picture it based on the screenshots.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,823
    Location:
    U.S.A. (South)
    Thanks for the linkie.

    Simple but not always so simple if left to roam about unmonitored in some fashion. Speaking of svchost.exe.

I feel like I've been chasing that notorious system file around for ages. I once was able to read and trace back to a hidden driver that used that filename process without affecting system stability.

    I suppose this little app is ok for identification purposes too.
    Process Explorer remains the best though I think.
    https://svchostviewer.codeplex.com/
     
    Last edited: Apr 23, 2017 at 7:11 PM
  23. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,285
    Location:
    Mexico
  24. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,983
    Location:
    when i can counter-troll
    Cool, new ERP will now fully support SUA :)
     