New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    PresentationHost.exe is already on excubits' blacklist

    Here's a list of Excubits exe blacklist combined with NVT's default 42 vulnerable processes, as well as some custom processes I've added, annotated by !!!

    [Bouncer] means the rule is in my Bouncer .ini

    aspnet_compiler.exe
    at.exe
    attrib.exe
    auditpol.exe
    bash.exe
    bcdboot.exe
    bcdedit.exe
    bginfo.exe
    *bitsadmin* [Bouncer]
    bitsadmin.exe
    bootcfg.exe
    bootim.exe
    bootsect.exe
    ByteCodeGenerator.exe
    cacls.exe
    cdb.exe
    certutil.exe
    cmd.exe
    !!!cmdtool.exe
    !!!control.exe
    csc.exe
    cscript.exe
    csi.exe
    cvtres.exe
    dbghost.exe
    dbgsvc.exe
    debug.exe
    DFsvc.exe
    diskpart.exe
    dnx.exe
    eventvwr.exe
    fsi.exe
    fsiAnyCpu.exe
    hh.exe
    icacls.exe
    IEExec.exe
    iexplore.exe
    iexpress.exe
    ilasm.exe
    infdefaultinstall.exe
    *InstallUtil* [Bouncer]
    installutil.exe
    java.exe
    javaw.exe
    journal.exe
    jsc.exe
    *jscript*.dll* [Bouncer]
    kd.exe
    *lpkinstall* [Bouncer]
    lxrun.exe
    *LxssManager*.dll [Bouncer]
    !!!Microsoft.Workflow.Compiler.exe
    !!!mmc.exe
    msbuild.exe
    mshta.exe
    msiexec.exe
    MSPUB.exe
    msra.exe
    mstsc.exe
    net.exe
    net1.exe
    netsh.exe
    netstat.exe
    !!!notepad.exe
    !!!notepad++.exe
    ntkd.exe
    ntsd.exe
    odbcconf.exe
    powershell.exe
    powershell_ise.exe
    PresentationHost.exe
    quser.exe
    rcsi.exe
    reg.exe
    *RegAsm* [Bouncer]
    regasm.exe
    !!!regedit.exe
    regini.exe
    *Regsvcs* [Bouncer]
    regsvcs.exe
    regsvr32.exe
    !!!robocopy.exe
    rundll32.exe
    RunLegacyCPLElevated.exe
    runonce.exe
    runscripthelper.exe
    sc.exe
    schtasks.exe
    scrcons.exe
    script.exe
    sdbinst.exe
    sdclt.exe
    set.exe
    setx.exe
    shutdown.exe
    *Stash* [Bouncer]
    syskey.exe
    *System.Management.Automation* [Bouncer]
    systemreset.exe
    takeown.exe
    taskkill.exe
    UserAccountControlSettings.exe
    utilman.exe
    vbc.exe
    visualuiaverifynative.exe
    vssadmin.exe
    wbemtest.exe
    wevtutil.exe
    whoami.exe
    windbg.exe
    wmic.exe
    wscript.exe
    xcacls.exe
    xcopy.exe

    Combine this with my list of unassociated file extensions from the bouncer thread and your PC will be rock-hard!

    Of course, if you are like me and you've unchecked every single thing from NVT Exe Radar Pro 4's security settings, namely:

    Allow System Files
    Allow All Microsoft-Signed Processes
    Allow Microsoft Windows "Apps"
    Allow All Software From Program Files Folder
    Allow All Signed Processes
    Allow Known Safe Process Behaviors
    Allow Processes Signed by Trusted Vendors

Then you don't need a vulnerable processes list, because nothing is whitelisted by default and everything will need to be allowed explicitly to run. This is the GOD mode in NVT Exe Radar Pro 4, where you control everything on your PC, other than processes started before NVT Exe Radar Pro 4's driver, such as wininit.exe or winlogon.exe, but you don't want to block those processes anyway, not with this software.
     
    Last edited: Sep 3, 2018
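The list above mixes three notations: plain image names, glob patterns tagged [Bouncer] (copied from a Bouncer .ini), and entries prefixed with !!! for custom additions. As an added example, not part of Floyd 57's post and not code from NoVirusThanks or Excubits, here is a small Python matcher that parses that notation and reports whether a given process image name (or full Windows path) is on the list. The subset of entries embedded in it is taken from the list above; the rule semantics (case-insensitive glob matching on the file name only, with !!! and [Bouncer] treated as annotations rather than part of the pattern) are my assumptions, not a description of how ERP or Bouncer evaluate their rules.

```python
import fnmatch
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed subset of the blacklist posted above; the notation is preserved.
SAMPLE_LIST = """\
bcdedit.exe
*bitsadmin* [Bouncer]
bitsadmin.exe
certutil.exe
cmd.exe
!!!control.exe
*jscript*.dll* [Bouncer]
*LxssManager*.dll [Bouncer]
!!!mmc.exe
mshta.exe
!!!notepad.exe
powershell.exe
*RegAsm* [Bouncer]
regsvr32.exe
rundll32.exe
wscript.exe
"""


@dataclass(frozen=True)
class Rule:
    pattern: str   # glob pattern, lower-cased for case-insensitive matching
    custom: bool   # True if the entry carried the !!! marker
    bouncer: bool  # True if the entry carried the [Bouncer] tag


def parse_rules(text: str) -> List[Rule]:
    """Parse one entry per line; annotations are stripped, not matched on."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        custom = line.startswith("!!!")
        if custom:
            line = line[3:]
        bouncer = line.endswith("[Bouncer]")
        if bouncer:
            line = line[: -len("[Bouncer]")].rstrip()
        rules.append(Rule(line.lower(), custom, bouncer))
    return rules


def match_rule(image: str, rules: List[Rule]) -> Optional[Rule]:
    """Return the first rule matching the image's file name, or None.

    Accepts a bare name or a full Windows path; only the file name is compared,
    which is the assumption behind a name-based blacklist like the one above.
    """
    name = ntpath.basename(image).lower()
    for rule in rules:
        if fnmatch.fnmatchcase(name, rule.pattern):
            return rule
    return None


def classify(images: List[str], rules: List[Rule]) -> Dict[str, Optional[str]]:
    """Map each image to the pattern that flagged it (None = not on the list)."""
    result = {}
    for img in images:
        hit = match_rule(img, rules)
        result[img] = hit.pattern if hit else None
    return result


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_LIST)
    # Constructed sample of process images, as an anti-exe driver might see them.
    seen = [
        r"C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.EXE",
        r"C:\Windows\System32\bitsadmin.exe",
        r"C:\Windows\System32\jscript9.dll",
        r"C:\Windows\explorer.exe",
        "notepad.exe",
    ]
    for img, hit in classify(seen, rules).items():
        print(f"{'FLAGGED' if hit else 'ok     '}  {img}  {hit or ''}")
```

Because only the file name is compared, the matcher behaves the way the thread's "GOD mode" discussion implies a name-based list does: it cannot tell a renamed copy of an interpreter from an unrelated binary, which is why the post recommends combining it with hash-based whitelisting.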
  2. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi @ NVT

    On my Home tab Version 26 it says I have 243 Processes Analysed, 243 Allowed processes, 0 Blocked.

    Yet when I go to the rules tab and screen by Deny it shows 10 Vulnerable Processes denied. Is this correct? How can you have 0 blocked when 10 are denied?

    Thanks

    Terry
     
  3. guest

    guest Guest

This number doesn't depend on how many deny rules you have in the rules tab.
    Look at the Events tab. If you see no blocked processes, "0 Blocked" is correct.
    As soon as a process is blocked (Action=Deny / Action=Ask/Deny One), the number goes higher.
     
  4. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Yeah I wonder what he was thinking, @TerryWood do you have 243 allowed rules?
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Now that you mention it, I think the exact same issue exists with OSArmor, in custom block rules and exclusions.
    For instance, I have a signer like this: Toggl OÜ
    But in "exclusions", it appears like this: [%FILESIGNER%: Toggl O?]
     
  6. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
I mean, it's not like you're gonna encounter a malicious file whose signer is named Toggle OO or something like that (thus bypassing your Toggl O? rule)
    Perhaps that's how the dev implemented those other languages

And if you do wanna be as close to 100% safe as possible, then whitelisting by hash, combined with all other stuff, is best (rather than relying on just signer whitelisting for example)
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    Yes it is and doesn't take into account those latest changes though.
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    A quick update:

    Here is a new v4.0 (pre-release) test27:
    https://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test27.exe

    *** Please do not share the download link, we will delete it when we'll release the official v4 ***

    Build 27
    + Fixed exporting of rules that contain unicode characters
+ On "Trusted Vendors" dialog the column "Signer" now shows the number of items, i.e. "Signers (1234)"
    + Fixed Details shown in "File Information" on Alert Dialog are not trimmed
    + Improved "Allow Known Safe Process Behaviors"
    + Minor fixes and improvements

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @Rasheed187

    Couldn't reproduce it here, will retry later.

    @EASTER

    Yes we're discussing that to see how we can implement it now that many processes fields can be combined.

    We may show that maybe only for rules that have the process path+name and the hash.

    @iammike

    Thanks, added now to safe behaviors.

    @Cutting_Edgetech

    Not added yet, I'll need to better test it to make sure there are no issues and then we can add it in case.

    @Mr.X

    Thanks for sharing the list.

    @shmu26

    Good find, will fix that on OSA too in a few days.
     
  9. guest

    guest Guest

Rules/Vendors will be exported to a file which is not in a Unicode format and therefore Unicode characters will get lost.

OS Armor is also affected and Unicode characters will be shown as "?" because the files Exclusions.db and CustomBlock.db are by default not in a Unicode format.
Edit: A new build (test27) has been posted some moments ago, I'll test it again with the new build (Result: Exporting of rules [with Unicode characters] has been fixed).
     
    Last edited by a moderator: Sep 3, 2018
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @mood

    We posted almost at the same time :D

    Yes that issue with exporting rules is fixed on test 27 (see link on my previous post).

    Will fix OSA asap.
     
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    No problem Andreas.
    Btw did you look at my post in the other thread, perhaps yes, but I want to know cause I know you have a lot of work to do and forum's mentions and alerts could be easily mislaid/overlooked. I apologize for the off topic but that matter's so important to me: https://www.wilderssecurity.com/threads/anti-autoexec.393019/#post-2777900

    Anything you want to reply do it there please.
     
    Last edited: Sep 3, 2018
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks @novirusthanks for your reply-and also the new 27 test version as well.

    @mood- @Mr.X and other contributors- Many and much thanks for your attention to intricate details.
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    @EASTER
    You're welcome and same for you, thanks for your comments as well.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    Yep! I want this one too!
    I completely forgot to mention here...
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I already have it on my list also. I've never seen it used except by malware. I would have to do some digging to find out what users may need it.
     
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    I fully uninstalled test26 as usual plus manually deleting any leftovers and installed test27 but can't import my backed up rules. Is that happening due to the XML file encoding? I can see my back ups are ANSI and new XML file is encoded as UCS-2 LE BOM.
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    Re-encoding Rules XML file (back up) to UCS-2 LE BOM did the trick as I was able to re-import my rules and ERP's happy again...
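Mr.X's fix, as an added worked example that is neither his own script nor anything shipped with ERP: look at the byte-order mark of a rules backup to find its encoding, then rewrite it as UCS-2 LE with BOM (for the characters involved here, identical to UTF-16 LE with a leading FF FE). The assumption that an "ANSI" backup is Windows code page 1252 is mine; set ANSI_FALLBACK to the system's actual ANSI code page if it differs. The rule fragment is constructed and not ERP's real XML layout. The last helper illustrates the "Toggl O?" symptom from the earlier posts: a non-Unicode codec that cannot represent a character replaces it, so the stored signer no longer equals the real one; the page does not say which code page produced the "?", so ASCII is used to show the loss.

```python
import codecs
from pathlib import Path
from typing import Tuple

# Assumption: "ANSI" on the poster's system means Windows-1252. Change if not.
ANSI_FALLBACK = "cp1252"

# Byte-order marks in precedence order (UTF-32 LE before UTF-16 LE, because
# FF FE 00 00 would otherwise be misread as a UTF-16 LE BOM).
BOMS = [
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),  # shown as "UCS-2 LE BOM" in Notepad++
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]


def detect_encoding(data: bytes) -> Tuple[str, int]:
    """Return (codec name, BOM length). No BOM -> assume the ANSI fallback."""
    for bom, name in BOMS:
        if data.startswith(bom):
            return name, len(bom)
    return ANSI_FALLBACK, 0


def to_ucs2_le_bom(data: bytes) -> bytes:
    """Decode with the detected codec, re-encode as UTF-16 LE with FF FE BOM.

    Idempotent: feeding the output back in yields the same bytes.
    """
    codec, skip = detect_encoding(data)
    text = data[skip:].decode(codec)
    return codecs.BOM_UTF16_LE + text.encode("utf-16-le")


def convert_file(src: Path, dst: Path) -> str:
    """Convert src to dst in place-safe fashion; returns the source codec."""
    data = src.read_bytes()
    codec, _ = detect_encoding(data)
    dst.write_bytes(to_ucs2_le_bom(data))
    return codec


def signer_survives(signer: str, codec: str) -> bool:
    """True if the signer name round-trips through codec without loss."""
    return signer.encode(codec, errors="replace").decode(codec) == signer


if __name__ == "__main__":
    # Constructed rule fragment; the real exported XML is not reproduced here.
    sample = '<Rule Signer="Toggl OÜ" Action="Allow"/>\n'
    ansi_backup = sample.encode(ANSI_FALLBACK)
    converted = to_ucs2_le_bom(ansi_backup)
    print(detect_encoding(ansi_backup), "->", detect_encoding(converted))
    print("signer intact in cp1252:", signer_survives("Toggl OÜ", "cp1252"))
    print("signer intact in ascii: ", signer_survives("Toggl OÜ", "ascii"))
```

Running this on a backup before importing it into test27 reproduces what Mr.X did by hand in an editor; the BOM check also makes it safe to run twice on the same file.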
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Amazing :)
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I've been using test 27 all day on Windows 10 x64 version 1709. No problems to report so far.
     
  20. guest

    guest Guest

+1, or at least put a tickbox.
     
  21. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Covered by OSArmor's "block processes executed from USB" since there's no Trusted Vendors there (not by default at least, you can make exclusions for Signers which is kinda the same thing)
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    +1 :thumb:
     
  23. guest

    guest Guest

    This is ERP here...
If you use ERP, you don't necessarily need or want to use OSA.
     
  24. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    But you should use it anyway cuz it's THAT good :thumb: Realistically, if you're using NVT ERP, that means you need/want an anti-exe (and it's not like you have a huge choice either), and if you need an anti-exe, OSArmor is a perfect addition. Like, when would you need to use NVT ERP without OSArmor being a great boost in security in addition to it? Unless you're like me using NVT ERP's GOD mode, and even then OSArmor doesn't hurt cuz it's just so light it might as well not be there in terms of performance, then yeah

    I just can't think of a situation where a PC will lack NVT ERP's security protections, but will "have" OSArmor's, so to speak, maybe you know one :)
    And if that's the case, then the person using/setting up the PC is (supposedly) knowledgeable enough to work around your proposed "drawback" (putting the quotes cuz of everything I said)

    I'm sure the dev will implement what you're saying sooner or later, I'm just saying that in the meantime you should use OSArmor, it's just a great product without any performance drawback whatsoever, you're losing out if you're not using it :)
     
    Last edited: Sep 7, 2018
  25. guest

    guest Guest

@Floyd 57 I don't say it is not useful or working to have both OSA & ERP, just that in an ERP thread giving a solution to a feature request by pointing to another software is not what we want or need.

The way you replied is like you go into a restaurant and order a steak, then you ask "may I have some sauce?" and the waiter says "you should go to the restaurant next to us, they have sauce"...
    Got my point? :)

    My main security solution is AppGuard (an SRP), i use ERP and/or OSA alongside it mostly to cover a specific situation.
    If you read my signature, you would have noticed that i use OSA already (since its first release, btw).

You can have more granular control of the system with ERP than OSA.
OSA, which is originally oriented to the Average Joe (unlike ERP), has pre-made rules which are set as default or can be activated via a checkbox. In ERP, you must "create" them.
    ERP will prompt for every executable launched, while OSA will directly block those not in its list.
    As you said there is no harm to use both together if people like to (i do in 2 of my systems) but with ERP you don't need OSA.

Yeah, I know plenty: for people who can't handle ERP prompts, the reason OSA exists, because it's prompt-less.
    OSA is set and forget, ERP isn't at all.

    Remember some of us are long time beta-testers, we don't think just about our point of view, needs or knowledge, but we have to put ourselves in place of a more classic user.
    A classic user may not need/know OSA but still need ERP to block all process launching from USBs even if part of the TVL and rules.
     
    Last edited by a moderator: Sep 7, 2018