New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,515
    Location:
    USA
    Many of us long-time users requested that SHA-1 or SHA-256 be used. That's why he changed from using MD5. There's a very slight chance of MD5 collisions outside the lab in the near future.

    Edited: 11-19-18 @ 11:39
     
  2. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    This is overkill. It is a totally unrealistic attack scenario that someone is going to go through the lengths to create a working malicious executable that has the same MD5 hash and still works. You have to make the file executable. And maybe that starting point is where it gets impossible to find a file that has the same hash as the original, and that isn't suddenly 100 MB big due to all the random bytes.
    Also, better use SHA-512 instead of 256. It's two times as fast as 256 on 64-bit systems, and nobody should really still be using 32-bit OSs.

    xxHash or similar should be enough. It's just a database thing and should have nothing to do with security.
     
  3. BananaMoe

    BananaMoe Registered Member

    Joined:
    Sep 8, 2018
    Posts:
    6
    Location:
    Universe
    Well, would it make sense to have a "Disable Completely" mode to match the old behaviour from ERP3?
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,515
    Location:
    USA
    There's not enough impact using SHA-1 vs MD5 to bother me. I haven't ever experienced a collision with MD5, only MD4, but I prefer we use SHA-1, that's my preference.

    Yes, SHA-512 performs better than SHA-256. I wasn't aware of that a few years back when I suggested it.

    Edited: 11/22/18 @ 11:27
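    The hash discussion in the two posts above (MD5 vs SHA-1 vs SHA-256/512 for the executable list) comes down to one question: does the allow-list key have to be collision-resistant? The following is an added example, not code from NVT ERP or from anyone in this thread; it hashes a constructed sample "binary" in chunks with the algorithms being compared, keys an allow-list on SHA-256, and shows a one-byte change being rejected. It assumes nothing about how ERP stores or compares its own hashes.

```python
"""Deriving and checking allow-list digests for executables.

Added example, not code from NVT ERP or from anyone in this thread. It
hashes a constructed sample 'binary' in chunks with the algorithms the
thread compares, keys an allow-list on a collision-resistant digest, and
shows that a one-byte change is rejected.
"""
import hashlib

# Algorithms named in the thread, as hashlib knows them.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_stream(chunks, algorithm="sha256"):
    """Hash an iterable of byte chunks incrementally, the way a large
    file is read in blocks, and return the hex digest."""
    h = hashlib.new(algorithm)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def all_digests(data, chunk_size=4096):
    """Return {algorithm: hexdigest} for one blob, hashing it in chunks.
    Handy for comparing what each algorithm costs on the same input."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    return {alg: digest_stream(chunks, alg) for alg in ALGORITHMS}


class AllowList:
    """Allow-list keyed on the digest of a file's contents.

    MD5 (and SHA-1) have practical collision attacks: two different files
    can be made to share a digest, so 'same MD5 as an approved file' is no
    longer proof of being that file. SHA-256 and SHA-512 have no known
    collisions, so the list is keyed on one of them; SHA-512 is usually
    the faster of the two on 64-bit CPUs, as the thread notes."""

    def __init__(self, algorithm="sha256"):
        if algorithm not in ("sha256", "sha512"):
            raise ValueError("key the allow-list on a collision-resistant digest")
        self.algorithm = algorithm
        self._entries = {}  # hexdigest -> label

    def approve(self, data, label):
        """Record a file's digest as approved and return that digest."""
        d = digest_stream([data], self.algorithm)
        self._entries[d] = label
        return d

    def is_allowed(self, data):
        """True only if the file's digest exactly matches an approved one."""
        return digest_stream([data], self.algorithm) in self._entries


def demo():
    """Approve a constructed sample binary, then check it and a copy with
    one byte changed. Returns (original_allowed, tampered_allowed)."""
    # Constructed bytes shaped loosely like a PE header; not a real file.
    approved = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"constructed sample binary"
    tampered = approved[:-1] + b"!"
    allow = AllowList("sha256")
    allow.approve(approved, "sample.exe")
    return allow.is_allowed(approved), allow.is_allowed(tampered)


if __name__ == "__main__":
    for alg, hexdigest in all_digests(b"").items():
        print(f"{alg:>6}: {hexdigest}")
    print(demo())
```

    The speed argument for a non-cryptographic hash such as xxHash holds for a pure lookup key, but an allow-list is exactly the case where an attacker benefits from producing a second file with the same key, so the key itself has to resist collisions.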
     
  5. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    467
    Location:
    Europe
    I actually like NVT ERP precisely (not just cuz ofc) because it doesn't use VT... VoodooShield was so much slower with it scanning each process. So a toggle option would be best.
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,515
    Location:
    USA
    I don't think you have to use SHA-256 with VT for it to work. I thought you did at the time, but they also calculate the MD5 and SHA-1 hashes, so I'm not sure what they require if you use their API.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,515
    Location:
    USA
    Btw, the only way I like using VT is on-demand; it does have a big impact when compared to not using it at all.
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,484
    Location:
    Mexico
    Sharing my new vuln proc rules, based on Florian's list:
    Code:
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Xwizard.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = xcacls.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Wscript.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wmic.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = windbg.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wbemtest.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Wab.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = vssadmin.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = vsjitdebugger.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = visualuiaverifynative.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = vbc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = utilman.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = UserAccountControlSettings.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Tracker.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = te.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = taskkill.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = takeown.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = systemreset.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = syskey.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = SyncAppvPublishingServer.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Stash.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = SQLToolsPS.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Sqlps.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Sqldumper.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = setx.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = set.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = sdclt.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = sdbinst.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Scriptrunner.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = script.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = scrcons.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = schtasks.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = sc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = runscripthelper.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = runonce.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = RunLegacyCPLElevated.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Rpcping.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Replace.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = regsvr32.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Regsvcs.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Register-cimprovider.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = regini.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Regedit.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = RegAsm.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = reg.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = rcsi.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = quser.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Print.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = PresentationHost.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell_ise.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Pcwrun.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Pcalua.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = odbcconf.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ntsd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ntkd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = netstat.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = netsh.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = msxsl.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mstsc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = msra.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mspub.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = msiexec.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mshta.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Msdt.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Msdeploy.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = MSBuild.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mmc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Msconfig.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Microsoft.Workflow.r.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Microsoft.Workflow.Compiler.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Mftrace.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Mavinject.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Makecab.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = lpkinstall.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = kd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = jsc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = js.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = journal.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = InstallUtil.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = infdefaultinstall.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ilasm.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = iexpress.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = iexplore.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = IEExec.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Ie4unit.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = hh.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Gpscript.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = fsiAnyCpu.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = fsi.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Forfiles.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Findstr.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = eventvwr.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Extrac32.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Extexport.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Expand.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Esentutl.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Dxcap.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dnx.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Dnscmd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Diskshadow.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = diskpart.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = DFsvc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = debug.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dbgsvc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dbghost.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cvtres.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = csi.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Cscript.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = csc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Control.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Cmstp.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Commit.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = CmdTool.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Cmdkey.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cmd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = certutil.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cdb.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cacls.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ByteCodeGenerator.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootsect.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootim.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootcfg.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bitsadmin.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bginfo.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bcdedit.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bcdboot.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bash.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = auditpol.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = attrib.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Atbroker.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = at.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = aspnet_compiler.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = appvlp.exe] [Action = Ask]</> <enabled>1</> <comment></>
     
  9. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    Not much, no. But if he'd use xxHash there would be no impact at all. And maybe that is causing all the delays people describe.
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,379
    Location:
    Under a bushel ...
    Thanks @Mr.X
     
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,484
    Location:
    Mexico
    You're welcome.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,515
    Location:
    USA
    It may be a good idea to change wevtutil.exe from deny to ask. Microsoft Office ClickToRun uses wevtutil.exe. I just had it blocked 5 times in a row. The maintenance task it was running could not continue after that. Below are the ClickToRun command lines I was initially prompted for before wevtutil.exe was blocked. The event log is attached below.

    schtasks.exe /Create /tn "Microsoft\Office\OfficeBackgroundTaskHandlerLogon" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeBackgroundTaskHandlerLogon.xml"
    schtasks.exe /Create /tn "Microsoft\Office\OfficeBackgroundTaskHandlerRegistration" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeBackgroundTaskHandlerRegistration.xml"
    schtasks.exe /Create /tn "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml"

    Using Windows 10 x64 Pro, and ERP build 31.
     


  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,197
    Hi @Mr.X, does this list stand on its own, or does it supplement your AppGuard protection?
    Really I am asking like this: if you didn't use any other advanced security app, is there something you would add to this list?
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,484
    Location:
    Mexico
    Stands on its own. Nothing handled by AppGuard for vuln proc.
    Nothing to add to this list for the time being until Florian releases a new one.

    Note that this list still has the deprecated processes Florian removes in newer lists. I don't care, I leave them because they could come back in the future, who knows. This list covers, not that sure, Windows 7, 8.1, 10+, so anyone can use it on any Windows version now. I mean it won't hurt to have them all in a Vuln Proc category even if one version does not have some exes and others have.

    My list is not path or hash dependent, as you have already seen. I think ERP could block and alert any run attempt from any location or file hash.
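    The rule format posted above and the point just made about it being name-based rather than path- or hash-based can be seen together in code. The following is an added example, not part of NVT ERP and not Mr.X's code: it parses rule lines of the posted shape into records and runs constructed process-start events through them. How ERP itself tokenises and matches these lines is not documented on this page; the matcher here is an assumed plain case-insensitive comparison of each `[Key = value]` clause against the event, and the sample rules and events are constructed.

```python
"""Parsing name-based 'Vulnerable Processes' rules and evaluating them.

Added example, not part of NVT ERP and not Mr.X's code. Reads lines of
the posted shape
  <category>...</> <action>Ask</> <expression>[Proc.Name = X] [Action = Ask]</> <enabled>1</> <comment></>
into records; matching is an assumed case-insensitive field comparison.
"""
import re
from dataclasses import dataclass, field

TAG_RE = re.compile(r"<(\w+)>(.*?)</>")                        # <name>value</>
CLAUSE_RE = re.compile(r"\[(\w+(?:\.\w+)*)\s*=\s*([^\]]+)\]")  # [Key = value]


@dataclass
class Rule:
    category: str
    action: str
    enabled: bool
    comment: str
    conditions: dict = field(default_factory=dict)


def parse_rule(line):
    """One rule line -> Rule. The [Action = ...] clause inside the
    expression duplicates the <action> field, so it is not a condition."""
    fields = dict(TAG_RE.findall(line))
    conditions = {k: v.strip() for k, v in CLAUSE_RE.findall(fields.get("expression", ""))}
    expr_action = conditions.pop("Action", None)
    return Rule(
        category=fields.get("category", ""),
        action=fields.get("action") or expr_action or "Ask",
        enabled=fields.get("enabled", "0") == "1",
        comment=fields.get("comment", ""),
        conditions=conditions,
    )


def parse_rules(text):
    """Parse a whole pasted block, skipping blank lines."""
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip()]


def matches(rule, event):
    """Every condition must equal the event's field, ignoring case.
    A disabled rule never matches."""
    if not rule.enabled:
        return False
    return all(event.get(key, "").lower() == value.lower()
               for key, value in rule.conditions.items())


def evaluate(rules, event):
    """Action of the first enabled matching rule, else None. First-match
    order is an assumption; it does not model ERP's real precedence."""
    for rule in rules:
        if matches(rule, event):
            return rule.action
    return None


# Constructed rules in the posted format. wevtutil.exe appears as an Ask
# rule because post 12 reports Office ClickToRun invoking it.
SAMPLE_RULES = """
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wevtutil.exe] [Action = Ask]</> <enabled>1</> <comment>Office ClickToRun uses it</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Wscript.exe] [Action = Ask]</> <enabled>0</> <comment>disabled for the demo</>
"""


def demo():
    """Four constructed process-start events: the system PowerShell, a
    copy of it started from a temp folder, a renamed copy, and a process
    covered only by a disabled rule. Returns their actions in order."""
    rules = parse_rules(SAMPLE_RULES)
    events = [
        {"Proc.Name": "powershell.exe",
         "Proc.Path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
        {"Proc.Name": "PowerShell.exe",
         "Proc.Path": r"C:\Users\u\AppData\Local\Temp\PowerShell.exe"},
        {"Proc.Name": "ps.exe",
         "Proc.Path": r"C:\Users\u\AppData\Local\Temp\ps.exe"},
        {"Proc.Name": "wscript.exe",
         "Proc.Path": r"C:\Windows\System32\wscript.exe"},
    ]
    return tuple(evaluate(rules, ev) for ev in events)


if __name__ == "__main__":
    print(demo())  # ('Ask', 'Ask', None, None)
```

    The first two results show the strength of a name-only rule: the system copy and a copy launched from any other location both prompt. The third shows its limit: a renamed copy does not match a Proc.Name rule at all, which is the job of the antiexecutable's default handling of unknown executables and of path, hash and signer criteria rather than of this list.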
     
  15. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    467
    Location:
    Europe
    Why are you complaining, NVT dev is doing you a favor by blocking MS Office :D

    Or, you know, any process :isay:
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,515
    Location:
    USA
    LOL, I have to use it for school and work.
    What office suite do you use?
     
  17. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    467
    Location:
    Europe
    School and work LUL, they're overrated anyway

    Recently, like in a long time, I haven't needed to create or edit any office-related stuff, I use google drive for viewing. Get the link of the file, add drive.google.com/viewerng/viewer?url= before it, and voila. For local files, go to drive.google.com, upload your file by either dragging it or by clicking New, and then you can view it. Infinitely more convenient (and secure) than installing bloated MS Office
     
    Last edited: Nov 29, 2018
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,515
    Location:
    USA
    I also use Google Docs from time to time. It really just depends on who I'm corresponding with.
     
  19. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    error nvt exe radar.png
    I got this error after ERP blocked something. The program didn't crash though and everything was fine.
     
  20. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    If I understand correctly, it seems that NVT ERP does not have an "Admin bypass" option similar to what the native Windows SRP has. I wonder if anyone has suggested adding this as a feature into ERP 4.0 as one of the ON/OFF settings?

    Or has this idea already been discussed and abandoned? I tried searching this thread but did not find anything related - and I considered reading thru all 298 pages a bit too much of a job... :doubt:
     
  21. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    467
    Location:
    Europe
    If this is the path you want to take... then you can already use the "allow X" options on the back, that should cover like 98% of the "admin" programs (ofc can vary wildly, if you have a folder on your desktop full of unsigned admin-requiring tools, then yeah)
     
  22. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    Ok, that may be the solution... or not, I don't know yet.

    I wonder if there is some documentation available describing what e.g. "Allow known safe process behaviors" or "Allow System Files" exactly mean?

    My point was not focused on allowing specific "admin programs", but instead on allowing "processes with admin privileges" as specified within SRP ("bypass for local administrators"; I guess probably meaning high/system integrity levels).

    I'm not sure what the "Allow X"s mean in ERP - do they allow specific programs to be executed (regardless of who is trying to execute them), or do they allow programs to be run only by local administrators?
     
  23. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    467
    Location:
    Europe
    I'm not sure exactly how it works, you can test it yourself, I don't use any of the "Allow X" stuff, but if I know the dev well, he made it so that the "Allow X" options override the other rules. The known safe process behaviors is just a list of hardcoded rules that the dev continuously updates for common software, to avoid common false positives. Allow system files is likely anything from C:\Windows, or maybe a combination of folders such as C:\Windows\System32, C:\Windows\SysWOW64 etc.; again, you can test this yourself

    ERP either blocks or allows process execution based on a certain criteria (or asks you), "who" is trying to execute them in this case is the parent process (path, hash, signer), but there is no criteria for "parent process integrity level"

    @novirusthanks Ideally, in the future the parent process will also have a name criteria, and integrity level criteria, maybe even a cmdline criteria (what cmdline was the parent process launched with when it was a child process), obviously you can't apply cmdline criteria to an already running process otherwise

    And all of the above, as well as more, are the reasons why I use what I like to call "God mode", where all of the options "Allow ..." are unchecked and you decide what to do for each and every process (as long as it starts after ERP's driver) using Alert Mode
     
    Last edited: Dec 3, 2018
  24. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,452
    Not everything in C:\Windows\* is allowed if "Allow System Files" is ticked.
    Regarding System Files:
    And "Allow X" options are not overriding all other rules. Ask/Deny rules still have a higher priority.
     
  25. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    467
    Location:
    Europe
    There are so many ways and APIs that "check" if a process is a system one, who knows which one the dev is using, we can only hope he has implemented it well (well, I don't have to hope, cuz I don't use that)
     