New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,351
    Anyone else have an HP printer? I am having a hard time getting ERP to honor the HP command lines with wildcards, even though I am using "like to".
    The HP print to fax is working (although it is usually more problematic) but the regular print job (HP officejet) is just not honoring the wildcards.

    EDIT:
    For instance:
    C:\WINDOWS\system32\Rundll32.exe Prnntfy.dll,AsyncUILoaderEntry Local\{*}_ASYNCUI

    I think I see the problem now. There does not seem to be a parent process and a child process, instead, rundll32 is just loading a dll.
     
    Last edited: Mar 1, 2018
  2. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    399
    Is it possible to make an Allow rule which will allow my hotkeymanager.exe to launch any exe? This doesn't work:

    Parent.png
     
  3. newone

    newone Registered Member

    Joined:
    Oct 14, 2006
    Posts:
    71
    Location:
    UK
    thank you will give version 4 a try :)
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,342
    Location:
    U.S.A. (South)
    I side with this user on that concern.

    Maybe cosmetic only of sorts but is there any chance to return user preference of a custom audio instead of the horrid system beep when alerting?
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    I have been using diskpart utility lately. If someone was able to use it remotely in an attack then the results could be devastating. I would add it to the vulnerable process list set to ask user, or deny upon execution attempts.
     
  6. guest

    guest Guest

    You can set almost 100+ Windows processes to the vulnerable processes.
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,608
    Location:
    Mexico
    The Ultra-paranoid Vulnerable Processes List. Could you share it, please?
    One of these days and just for the sake of feeling anxiety and despair, I'm going to try and get locked out from my computer. :D
     
  8. guest

    guest Guest

    It is somewhere on the Bouncer thread; I didn't implement it yet on ERP.
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,351
    Have fun! And if you are on Windows 10, there is lots of extra fun waiting for you, if you want to boot into safe mode in order to save your system, but you can't get to the lock screen...
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,342
    Location:
    U.S.A. (South)
    The expression builder is awesome but right now out of my control. Still trying to catch on to so many areas of configurations.

    Andreas will surely chime in for you on that. And thank you for bringing it up since am still digging into the granularity of it all myself.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,444
    I am still missing something here. Reinstalled and imported the vulnerable process list. Checked all the Windows processes and program files. Rebooted and all looked good. Then I ran a somewhat nasty piece of Cerber stuff past it. V3 would never have let it run. With V4 it just took the system down and trashed it. So what am I not getting?
     
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,351
    Maybe because the VPL is not finished yet. It is a work in progress.
    For instance, the first VPL had the obvious omission of wscript and cscript, so if you were still using that initial csv when you ran your test, you need look no further.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,444
    It wasn't a script, it was an exe. Never caught. It's okay, it's an early beta. Just not sure it's ready to be relied on for security.
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    17,366
    In addition, rules with (Action = Allow) seem to have a higher priority than (Action = Deny) :cautious:
    This means that Allow-rules are putting Ask- and Deny-rules out of action.

    With ERP 3.x processes can be set as a Vulnerable Process and an alert can be seen if it is executed (even if whitelisted).
    But with ERP 4.x this alert isn't available anymore if the process is already included in another Allow-rule.

    If a specific Publisher is blocked (Deny, "[Proc.Signer = Nir Sofer] [Action = Deny]") they should stay blocked. Allow-rules and even Ask-rules shouldn't affect it.
    Or: If the user is "protecting" a directory with a simple deny-rule, launching of executables in this directory shouldn't be possible.
    Code:
    Created Rules:
    Deny, "[Proc.Path LIKE c:\examples\Deny*] [Action = Deny]
    Ask, "[Proc.Path LIKE c:\examples\ask*] [Action = Ask]
    Allow, "[Proc.Path LIKE c:\examples*] [Action = Allow]
    Directories:
    c:\examples\allow\
    c:\examples\ask\ (=Alert dialog should appear)
    c:\examples\deny\ (=Execution should be denied)
    
    Result:
    Code:
    C:\examples\allow\test.exe = Allowed (ok)
    C:\examples\ask\test.exe = Allowed (?) (allowed by the rule: Expression : [Proc.Path LIKE c:\examples*] [Action = Allow]) - (Expected: Action = Ask)
    C:\examples\Deny\test.exe = Allowed (?) (allowed by the rule: Expression : [Proc.Path LIKE c:\examples*] [Action = Allow]) - (Expected: Action = Deny)
    
    The way ERP 4.x seems to handle rules (priority) is:
    1) Allow
    2) Ask
    3) Deny

    (In Theory:)
    After setting the priority to for example:
    1) Deny
    2) Ask
    3) Allow
    and after launching the above mentioned executables again, files are allowed/denied as expected:
    Code:
    C:\examples\allow\test.exe = Allowed
    C:\examples\ask\test.exe = Alert dialog
    C:\examples\Deny\test.exe = Denied
    -------------------

    Issue #1: "Export rules" / missing "do you want to overwrite the existing file?"-dialog
    An existing file "Rules.csv" is simply overwritten. ERP should ask beforehand...
    Issue #2: The GUI of ERP is opened in the background (doubleclick on the tray-icon)
    Issue #2b: sometimes the alert is opened in the background too
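    To make the priority problem described in this post concrete, here is an added example (not ERP's own code) that models a rule set as a list of (name, LIKE pattern, action) entries and resolves the three constructed test paths under both orderings. The "observed" order is the Allow > Ask > Deny behaviour reported above; the "expected" order is Deny > Ask > Allow. The matching semantics (case-insensitive wildcard, Ask as the default for unmatched executables) are assumptions, not documented ERP behaviour.

    ```python
    import fnmatch

    # Rules as created in the post: (rule name, Proc.Path LIKE pattern, action).
    RULES = [
        ("Deny",  r"c:\examples\Deny*", "Deny"),
        ("Ask",   r"c:\examples\ask*",  "Ask"),
        ("Allow", r"c:\examples*",      "Allow"),
    ]

    # Constructed test executables from the post.
    PATHS = [
        r"C:\examples\allow\test.exe",
        r"C:\examples\ask\test.exe",
        r"C:\examples\Deny\test.exe",
    ]

    # Priority orderings: first entry wins when several rules match.
    OBSERVED_PRIORITY = ["Allow", "Ask", "Deny"]   # behaviour reported for ERP 4.x
    EXPECTED_PRIORITY = ["Deny", "Ask", "Allow"]   # behaviour the post expects


    def rule_matches(pattern, path):
        """Assumed LIKE semantics: case-insensitive wildcard match on the path."""
        return fnmatch.fnmatchcase(path.lower(), pattern.lower())


    def evaluate(path, rules, priority):
        """Collect every rule matching the path and let the highest-priority
        action decide. Unmatched executables fall back to Ask (assumption)."""
        matched = [r for r in rules if rule_matches(r[1], path)]
        if not matched:
            return "Ask"
        rank = {action: i for i, action in enumerate(priority)}
        return min(matched, key=lambda r: rank[r[2]])[2]


    def compare():
        """Map each path to (observed result, expected result)."""
        return {
            p: (evaluate(p, RULES, OBSERVED_PRIORITY),
                evaluate(p, RULES, EXPECTED_PRIORITY))
            for p in PATHS
        }


    if __name__ == "__main__":
        for path, (observed, expected) in compare().items():
            print(f"{path}: observed={observed} expected={expected}")
    ```

    Under the observed ordering the broad Allow rule swallows the Ask and Deny directories, which is exactly the failure the post reports; flipping the ordering makes the narrower Deny and Ask rules win.
    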
     
  15. AMD

    AMD Registered Member

    Joined:
    Jul 9, 2012
    Posts:
    92
    Location:
    UK
    mood, I noticed this too. Quoting part of your post:

    "With ERP 3.x processes can be set as a Vulnerable Process and an alert can be seen if it is executed (even if whitelisted)
    But with ERP 4.x this alert isn't available anymore if the process is already included in another Allow-rule.
    "
    I imported the default vulnerable processes, 33 in total, and after whitelisting some processes, the vulnerable list had dropped itself by one to 32.
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,351
    I saw this too, when you get a prompt and the parent process is on the VPL, you need to resist the temptation to permanently allow it, and instead you need to make a command line rule.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,444
    I hope this just means Andreas hasn't gotten to it yet. There have been several programs that have had these "rules" thingies added, and I for one don't like them.
     
  18. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    399
    Maybe there should be a hierarchy, so the rules above are stronger than rules below.
     
  19. AMD

    AMD Registered Member

    Joined:
    Jul 9, 2012
    Posts:
    92
    Location:
    UK
    I customised the alert and then saved it to allow it as a whitelisted process thinking that this would be a unique rule but it seemed to reduce the vulnerable process list by one.
     
  20. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,305
    Location:
    North Carolina, USA
    Hello,

    I am having issues with vulnerable processes. I have imported the list as outlined in @novirusthanks post. No matter how I configure the rules I add, I cannot get the rules I add to work. I keep getting allow/block prompts. I am probably doing something wrong but I cannot figure it out. I will give two examples (both have multiple similar cmd.exe alerts so I am using wildcards when I create the rule).

    First example:
    From the logs:
    Date/Time : 2018-03-04 14:21:55.793
    Action : Ask/Allow Once
    Expression : -
    Category : Alert Dialog
    PID : 5712
    Process : C:\Windows\System32\cmd.exe
    SHA1 : 3585B37200EF3321262B0977401183694A3C15C6
    Signer :
    Command : "cmd.exe" /c route -4 PRINT
    Parent : C:\Program Files\AirVPN\AirVPN.exe
    Parent SHA1 : FAA8F7FAAEBC14660900D394FD494269CD482E0A
    Parent Signer: AIR DI PAOLO BRINI
    Rule that I created:
    AirVPN Allow [Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] [Proc.Hash = 3585B37200EF3321262B0977401183694A3C15C6] [Proc.CmdLine LIKE "cmd.exe" /c route*] [Parent.Name = C:\Program Files\AirVPN\AirVPN.exe] [Parent.Signer = AIR DI PAOLO BRINI] [Parent.Hash = FAA8F7FAAEBC14660900D394FD494269CD482E0A] [Action = Allow] 1

    Second example:
    From the logs:
    Date/Time : 2018-03-04 14:22:24.112
    Action : Ask/Allow Once
    Expression : -
    Category : Alert Dialog
    PID : 10452
    Process : C:\Windows\System32\cmd.exe
    SHA1 : 3585B37200EF3321262B0977401183694A3C15C6
    Signer :
    Command : "cmd.exe" /c ipconfig /flushdns
    Parent : C:\Program Files\AirVPN\AirVPN.exe
    Parent SHA1 : FAA8F7FAAEBC14660900D394FD494269CD482E0A
    Parent Signer: AIR DI PAOLO BRINI
    Rule that I created:
    AirVPN Allow [Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] [Proc.Hash = 3585B37200EF3321262B0977401183694A3C15C6] [Proc.CmdLine LIKE "cmd.exe" /c ipconfig*] [Parent.Name = C:\Program Files\AirVPN\AirVPN.exe] [Parent.Signer = AIR DI PAOLO BRINI] [Parent.Hash = FAA8F7FAAEBC14660900D394FD494269CD482E0A] [Action = Allow] 1

    I have tried with and without wildcards, with and without command lines...
    What am I doing wrong? Any help will be greatly appreciated...
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,444
    Kent, this is exactly why I hate rules.
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,351
    Try enabling "similar to" (I think that is what it is called) by the command line.
    That enables wildcard support, and makes it so you don't need the full path.
     
  23. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,305
    Location:
    North Carolina, USA
    Hello,

    @Peter2150 - Same here...
    @shmu26 - You are probably referring to "Like to" which I already have selected for those command lines (See the rules I posted above).
     
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,351
    You are right, I see what you mean.
    This might be similar to the problem I was having with rundll32.
    In my case, rundll32 was not executing another process, just loading a dll.
    Also in your case, cmd.exe is not executing another process.
    My guess is that the rules maker is not yet set up for that kind of command line.
    Awaiting clarification from Andreas.
     
  25. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    17,366
    Suggestion: enhancing the readability of rules shown in the GUI.
    We can optimize it a little bit so that only a quick look at the rules is needed to know what each rule is all about, and it is much easier to read.
    Old:
    ERP_rules.png
    Optimized:
    ERP_rules_optimized.png
    =
    a) Name/ Signer / Hash / Path / etc. is now added as a column.
    One big advantage: Rules can be sorted by Hash / by Signer, etc.
    b) Instead of mentioning [Proc.Path ...], etc. in each rule, it is now only mentioned in the header of the column. Only the most important part is now displayed in the GUI.
    Before: [Proc.Signer = Nir Sofer] [Action = Deny]
    After: Nir Sofer

    Regarding the old style:
    a) In the case of for example: [Proc.Path LIKE c:\*]
    = 'LIKE c:\' can be shown in a different colour (or bold?) and is distinguishable from the rest of the rule.
    (the part of the rule which can be changed by the user is shown in a different way)
    Before: [Proc.Path LIKE c:\*] [Proc.Signer = Nir Sofer]
    After: [Proc.Path LIKE c:\*] [Proc.Signer = Nir Sofer]

    Ideas:
    a) Painting of Deny/Ask rules in a different color...(?)
    a2) Painting of disabled rules in a lighter color = Better distinction between enabled/disabled rules.
    b) Setting: Showing of Grid Lines (changeable by the user? Setting: on/off)
    b2) Setting: Mark Odd/Even rows (changeable by the user? Setting: on/off)
    b3) Setting: Automatic Column Size (changeable by the user? Setting: Fixed Size/By Column Values)
    = for example "Hash" is consuming a lot of space, would be nice if the user can change it (and other columns) to a fixed size (and it should stay like that)
    c) Support of CTRL-C
    = After selecting of rules and pressing CTRL-C, selected rules are copied to the clipboard and the user can paste it somewhere else.

    Regarding painting of rules in different colors, Illustration:
    ERP_rules_optimized_illustration.png
    = For example a quick look on "Nir Sofer" reveals that it is an enabled Deny-rule, "Nir Sofer" would be a disabled Deny-rule.
    Now there is no need to look back and forth between the "Enabled" and "Action"-column.
     