New Antiexecutable: NoVirusThanks EXE Radar Pro

BTW to clarify, I posted the link because system processes should be standard in the white-list, you shouldn't be able to remove those rules, to avoid problems. So ERP should be able to recognize the most important system processes that are needed by the OS.

http://sysforensics.org/2014/01/know-your-windows-processes/

 

Thanks for the link. Now studying Windows Exploratory Surgery with Process Hacker by Jason Fossen

 

And thanks for the mention to Process Hacker.

Just updated mine to 2.39

 

I'm not sure what you mean. What I'm saying is that crucial system processes should always be allowed, no matter if they are white-listed or not. But they should only be allowed if launched by the Windows OS itself, if other apps try to run them, then you're probably dealing with process hollowing, and the new ERP will stop this.

Cool, I have downloaded the PDF document, this will learn me a lot about Win internals.

 

Yes. It has taught me about basic and fundamental processes in such an easy friendly way that I strongly recommend this book for anyone.

 

No offense, but what part about crucial don't you understand? The system processes that I'm talking about were mentioned in this article:

http://sysforensics.org/2014/01/know-your-windows-processes/

 

Important distinction on this process. Good info to bring to the surface.



SVCHOST.EXE - Service Hosting Process

• Multiple instances of svchost.exe can/do exist/run
• %SystemRoot%\System32\svchost.exe
• Username: Should only be one of three options: NT AUTHORITY\SYSTEM, LOCAL SERVICE, or NETWORK SERVICE
• Should always have a parent of services.exe
• Base Priority of 8
• Often mimicked (scvhost, svch0st, etc.) When they are mimicked they will not be running as children to services.exe.
• Command Line: svchost.exe -k <name>
• -k <name> values should exist within the Software\Microsoft\Windows NT\CurrentVersion\Svchost registry key
• Often times when malware uses the actual svchost.exe to load their malicious service they will not include -k command line parameters and be running under a username that does not match on of the three listed in bullet 3.
• They should all be running within session 0

 

Can't wait to see this!

 

You should mention that since Win10 AU some instances are run under the user's name (ComputerName/UserName) associated to UnistackSvcGroup services. Seems to be related to some telemetry and the app store.

 

Good point. Thanks or bringing that up.

It would useful to have some updated info entered on that page because paths DO change on occasion as you mention with with the new platform.

 

I don't think I've mentioned this before, but I think there is a memory leak bug in the ERP driver of the current latest beta version. My laptop has often been running for days on end, and although both ERP processes don't show high memory usage, the overall memory usage is high, and when I quit both ERP processes, the memory usage drops.

 

What's the status? I can't wait to test it!

 

Sounds exciting, Can't wait to test it out. Have a VM with a fresh install just sittings idly by for just such a cause

 

It's a real workhorse and hope to see other new additions whatever might be added to it.

After a lot of hard work and effort finally have pieced together a useful enough HDD just for hammering it with foulware.

I don't use VM's, I like it RAW and when worse comes to worse overwrite the thing with backups.

When it comes to what it's designed for, ERP sure is been a delight.

 

ERP worked great with AppGaurd on Windows 7 X64, but after I upgraded to Windows 10 I experienced system lockups just after installing ERP. The lockup occurred just as the desktop was beginning to load. I had to do hard shutdowns. I never reported them because development had already started on the new version. I hope that does not occur with the new version. ERP is such a nice Gem!

 

I thought ERP automatically build a whitelist of the System, and excluded Program Files. Hmm.. That's strange.

 

@Cutting_Edgetech

You can use Learning Mode (one of the Protection Modes) for that. On a new installation, I always turn on Learning Mode for the 1st couple of reboots, and then set it to Alert mode.

 

this is the safest method after a clean install , it is what i do then set ERP to Lockdown Mode.

 

Simply whitelisting Windows folder and programs folder might not fix it, if the problem is a command line. This is a common problem on my slightly weird system. In such cases, training mode is the cure.

 

It is why using obsolete products on newest OS is asking for issues...some can be solved by workarounds, others can't .

 

FWIW I have never had any issues running ERP alongside AppGuard on Windows 10 x 64 (now on Creator's Update), after originally upgrading from Windows 8.1.