New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,473
    Location:
    The Netherlands
    BTW to clarify, I posted the link because system processes should be standard in the white-list, you shouldn't be able to remove those rules, to avoid problems. So ERP should be able to recognize the most important system processes that are needed by the OS.

    http://sysforensics.org/2014/01/know-your-windows-processes/
     
  2. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,695
    Location:
    Mexico
    Thanks for the link. Now studying Windows Exploratory Surgery with Process Hacker by Jason Fossen
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,996
    I disagree. It makes stopping some of them harder, like diagtrackrunner and comptelrunner.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,453
    Location:
    U.S.A. (South)
    And thanks for the mention to Process Hacker.

    Just updated mine to 2.39
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,473
    Location:
    The Netherlands
    I'm not sure what you mean. What I'm saying is that crucial system processes should always be allowed, no matter if they are white-listed or not. But they should only be allowed if launched by the Windows OS itself; if other apps try to run them, then you're probably dealing with process hollowing, and the new ERP will stop this.

    Cool, I have downloaded the PDF document, this will teach me a lot about Win internals. :thumb:
     
  6. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,695
    Location:
    Mexico
    Yes. It has taught me about basic and fundamental processes in such an easy, friendly way that I strongly recommend this book for anyone.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,996
    Well the two processes are system processes launched by windows and I don't want them run PERIOD.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,473
    Location:
    The Netherlands
    No offense, but what part about crucial don't you understand? The system processes that I'm talking about were mentioned in this article:

    http://sysforensics.org/2014/01/know-your-windows-processes/
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,453
    Location:
    U.S.A. (South)
    Important distinction on this process. Good info to bring to the surface.

    SVCHOST.EXE - Service Hosting Process

    • Multiple instances of svchost.exe can/do exist/run
    • %SystemRoot%\System32\svchost.exe
    • Username: Should only be one of three options: NT AUTHORITY\SYSTEM, LOCAL SERVICE, or NETWORK SERVICE
    • Should always have a parent of services.exe
    • Base Priority of 8
    • Often mimicked (scvhost, svch0st, etc.). When they are mimicked they will not be running as children of services.exe.
    • Command Line: svchost.exe -k <name>
    • -k <name> values should exist within the Software\Microsoft\Windows NT\CurrentVersion\Svchost registry key
    • Oftentimes when malware uses the actual svchost.exe to load its malicious service it will not include -k command line parameters and will be running under a username that does not match one of the three listed in bullet 3.
    • They should all be running within session 0
     
  10. AtlBo

    AtlBo Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    19
    Location:
    United States
    Can't wait to see this!
     
  11. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,829
    Location:
    Europe then Asia
    You should mention that since Win10 AU some instances run under the user's name (ComputerName/UserName), associated with the UnistackSvcGroup services. Seems to be related to some telemetry and the app store.
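The svchost bullets quoted a few posts up, together with the Win10 AU caveat just above, can be turned into a mechanical check over a process list. The following is an added example written for this page, not code from the thread, from the sysforensics article or from ERP: it walks a list of process records, picks out anything whose image name looks like svchost.exe (including one-or-two-character lookalikes), and reports every deviation from the expected path, parent, -k group, account and session. The process records and the list of valid -k group names are constructed for the example; on a real host the group names come from the `Svchost` registry key named in the bullets, and per-user groups such as UnistackSvcGroup are expected to run under the logged-on user outside session 0.

```python
"""Sanity checks for svchost.exe instances, encoding the bullets quoted above.
Added illustration for this page, not the thread's or any product's code; the
process records and the registry group list are constructed for the example."""
from dataclasses import dataclass

# Constructed stand-in for the value names found under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost on a real host.
SVCHOST_GROUPS = {"netsvcs", "LocalService", "NetworkService", "UnistackSvcGroup"}
# Groups that, since Windows 10 AU, legitimately run per user: under the
# logged-on account and in that user's session rather than session 0.
PER_USER_GROUPS = {"UnistackSvcGroup"}
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}
EXPECTED_PATH = r"c:\windows\system32\svchost.exe"
CANONICAL = "svchost.exe"


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str      # image name as a process list shows it
    path: str      # full image path
    user: str      # account the process runs as
    cmdline: str
    session: int   # Windows session id


def edit_distance(a, b):
    """Levenshtein distance; catches lookalikes such as scvhost / svch0st."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def k_group(cmdline):
    """Return the service group named after -k, or None if there is none."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "-k":
            return tokens[i + 1]
    return None


def svchost_findings(procs):
    """Map pid -> list of deviations for each svchost-like process; clean ones are omitted."""
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for p in procs:
        name = p.name.lower()
        if edit_distance(name, CANONICAL) > 2:
            continue  # not an svchost candidate (a transposition costs 2)
        issues = []
        if name != CANONICAL:
            issues.append(f"lookalike name {p.name}")
        if p.path.lower() != EXPECTED_PATH:
            issues.append(f"unexpected image path {p.path}")
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<missing>"
        if parent_name != "services.exe":
            issues.append(f"parent is {parent_name}, expected services.exe")
        group = k_group(p.cmdline)
        if group is None:
            issues.append("no -k group on the command line")
        elif group not in SVCHOST_GROUPS:
            issues.append(f"unknown -k group {group}")
        if group in PER_USER_GROUPS:
            # Win10 AU per-user instance: a user account in a user session is the norm.
            if p.user in SERVICE_ACCOUNTS or p.session == 0:
                issues.append("per-user group not running in a user session")
        else:
            if p.user not in SERVICE_ACCOUNTS:
                issues.append(f"unexpected account {p.user}")
            if p.session != 0:
                issues.append(f"running in session {p.session}, expected 0")
        if issues:
            findings[p.pid] = issues
    return findings


SYS32 = r"C:\Windows\System32\svchost.exe"
SAMPLE = [  # constructed records, not captured from a real system
    Proc(500, 400, "wininit.exe", r"C:\Windows\System32\wininit.exe", "NT AUTHORITY\\SYSTEM", "wininit.exe", 0),
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe", "NT AUTHORITY\\SYSTEM", "services.exe", 0),
    Proc(900, 600, "svchost.exe", SYS32, "NT AUTHORITY\\SYSTEM", "svchost.exe -k netsvcs", 0),
    Proc(920, 600, "svchost.exe", SYS32, "NT AUTHORITY\\LOCAL SERVICE", "svchost.exe -k LocalService", 0),
    Proc(2200, 2100, "explorer.exe", r"C:\Windows\explorer.exe", "DESKTOP\\alice", "explorer.exe", 1),
    Proc(1400, 600, "svchost.exe", SYS32, "DESKTOP\\alice", "svchost.exe -k UnistackSvcGroup", 1),  # legitimate since Win10 AU
    Proc(3100, 2200, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "DESKTOP\\alice", "svchost.exe", 1),
    Proc(3200, 2200, "scvhost.exe", r"C:\Users\alice\AppData\Local\Temp\scvhost.exe", "DESKTOP\\alice", "scvhost.exe -k netsvcs", 1),
    Proc(3300, 600, "svchost.exe", SYS32, "NT AUTHORITY\\SYSTEM", "svchost.exe -k evilgrp", 0),
]

if __name__ == "__main__":
    for pid, issues in svchost_findings(SAMPLE).items():
        print(pid, issues)
```

Only the three suspicious records are reported: the Temp-directory copy spawned by explorer.exe without a -k switch, the scvhost.exe lookalike, and the otherwise correct instance whose -k group is not in the registry list. The UnistackSvcGroup instance running as the user in session 1 passes, which is exactly the exception the post above describes. The base-priority bullet is left out because it is not reliably available from a plain process listing.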
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,453
    Location:
    U.S.A. (South)
    Good point. Thanks for bringing that up.

    It would be useful to have some updated info entered on that page because paths DO change on occasion, as you mention with the new platform.
     
  13. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,091
    I don't think I've mentioned this before, but I think there is a memory leak bug in the ERP driver of the current latest beta version. My laptop has often been running for days on end, and although both ERP processes don't show high memory usage, the overall memory usage is high, and when I quit both ERP processes, the memory usage drops.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,473
    Location:
    The Netherlands
    What's the status? I can't wait to test it!
     
  15. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    242
    Location:
    United States
    Sounds exciting. Can't wait to test it out. Have a VM with a fresh install just sitting idly by for just such a cause.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,453
    Location:
    U.S.A. (South)
    It's a real workhorse and hope to see other new additions whatever might be added to it.

    After a lot of hard work and effort finally have pieced together a useful enough HDD just for hammering it with foulware.

    I don't use VMs, I like it RAW and when worst comes to worst overwrite the thing with backups.

    When it comes to what it's designed for, ERP sure has been a delight.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,219
    Location:
    USA
    ERP worked great with AppGuard on Windows 7 x64, but after I upgraded to Windows 10 I experienced system lockups just after installing ERP. The lockup occurred just as the desktop was beginning to load. I had to do hard shutdowns. I never reported them because development had already started on the new version. I hope that does not occur with the new version. ERP is such a nice gem!
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,996
    Andreas already said it's going to be strictly an AE. That's what the investors want
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,996
    Hi CE

    I had problems when I upgraded systems to Win 10 with ERP also. Then I did one thing that fixed it. I went into the add new stuff and had it add everything from Windows, Program Files and Program Files x86. Since then no troubles at all.

    Pete
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,219
    Location:
    USA
    I thought ERP automatically built a whitelist of the System, and excluded Program Files. Hmm.. That's strange.
     
  21. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    294
    Location:
    SE Asia
    @Cutting_Edgetech

    You can use Learning Mode (one of the Protection Modes) for that. On a new installation, I always turn on Learning Mode for the 1st couple of reboots, and then set it to Alert mode.
     
  22. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,829
    Location:
    Europe then Asia
    This is the safest method after a clean install; it is what I do, and then I set ERP to Lockdown Mode.
     
  23. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    460
    Simply whitelisting Windows folder and programs folder might not fix it, if the problem is a command line. This is a common problem on my slightly weird system. In such cases, training mode is the cure.
     
  24. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,829
    Location:
    Europe then Asia
    This is why using obsolete products on the newest OS is asking for issues... some can be solved by workarounds, others can't.
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,173
    Location:
    The etherlands
    FWIW I have never had any issues running ERP alongside AppGuard on Windows 10 x64 (now on Creators Update), after originally upgrading from Windows 8.1.
     