New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,316
    Location:
    Under a bushel ...
    :thumb:
     
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,019
    Location:
    Italy
    @K3yRoX

    Will try to reproduce the delay issue you have with portable apps and see what we can do.

    @SHvFl

    Strange, until now it has never happened here (tray icon is always present when PC is booted).

    Will try to reproduce that issue asap.

    Nothing serious, basically MS changed a string in w10 1809 that was there from Windows XP, and thus we had to update all programs that control (allow/block) process executions (already done). Process Logger Service, Registry Guard Service, etc are not affected.

    @BananaMoe

    Correct, even if ERP is disabled, it has to calculate process hash and other details to show them in the Events tab.

    @EASTER

    Yes, can be doable, wrote in the todo list.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,976
    Location:
    U.S.A. (South)
    @novirusthanks- Super dee duper. Looking forward to next roll out and keep up the good work.
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,117
    +1
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,316
    Location:
    Under a bushel ...
    Apologies if I have asked this before, but if I run NVT EXE Radar Pro (v4) and AppGuard (now SOLO v6) together, which would be the easier, else better, choice to incorporate Excubits' vulnerable process list? https://www.wilderssecurity.com/thr...-tuersteher-light.359127/page-74#post-2793889

    Previously I had these defined in both AppGuard v4 and ERP v3, and though it otherwise seemed easier to maintain the list in the latter, ERP was a bit 'hamstrung' due to the vulnerable process hashes changing with each new Win10 release.

    I would prefer to use one or the other, and maybe preferably ERP, to keep AppGuard 'uncluttered' ... any chirps from the intelligentsia here :geek: would be welcome :).
     
  6. SHvFl

    SHvFl Registered Member

    Joined:
    May 7, 2015
    Posts:
    877
    Depends. If someone can share his configuration files it's pretty easy to adapt from there. In that case, it's easier with ERP because it has an export/import feature. On the other hand, you are an experienced user, so replacing the XML file for AppGuard and then editing the rules from the GUI should also be easy for you.
    In the weird scenario that no one wants to share his file, then AppGuard is easier to create rules for, as the format is less complex.
     
    Last edited: Nov 18, 2018
  7. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    @novirusthanks You could use MD5 instead of SHA1 for the hashes. This saves a few seconds with big files, like installers.
    Or better yet: try the new xxHash32/64. It's as fast as RAM speeds: 6.8 GB/s / 13.8 GB/s, compared to SHA1's measly 0.28 GB/s.
    But have an option to calculate SHA1 and maybe others with a click so that we can compare them.
     
    Last edited: Nov 18, 2018
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,512
    Using MD5 is not a good idea:
     
  9. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    Isn't this very, very rare? And it's not used in a password scenario. It's just a database management tool in this case. If it really was at all important he would have changed to SHA2.
    I'd vote for xxHash. Or if you want 128 bits, MurmurHash3.
     
    Last edited: Nov 18, 2018
  10. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,994
    Location:
    Europe then Asia
    AppGuard Solo is limited to 128 entries in user-space for now (I heavily requested more), so the whole Excubits list won't fit. However, AppGuard is supposed to block DLLs, and some are in the Excubits list.

    Since I use both too, and OSA (because I want to block many LOLBins), I suggest to:

    1- if you use OSA, tick most of the advanced settings,
    2- add some folders and DLLs in AppGuard (remember AG by default already has some user-space folders restricted),
    3- add the LOLBins in ERP.

    Personally I tick OSA, fill AG and put the rest on ERP.

    Note that you can add exclusions in OSA too.

    Those steps will normally allow you to put in the whole Excubits blacklist.
     
    Last edited: Nov 18, 2018
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,316
    Location:
    Under a bushel ...
    Thanks @SHvFl and @Umbra (yes, I have OSA).

    Useful inputs prior to attempting some sort of (progressive) implementation on my newer machine. This is for experimentation, rather than real need ...
    I was hoping to limit it to one tool, to make it easier to track and manage the (Excubits) vulnerable processes.

    I will have to see if I am up to this task e.g. parent checking for LOLbins (3). If it gets too complex :eek:, I can always just fall back to 'simpleton mode' (1) :D.
     
  12. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,994
    Location:
    Europe then Asia
    @paulderdash now the Excubit list is a bit too much, it has extensions...
     
    Last edited: Nov 18, 2018
  13. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,994
    Location:
    Europe then Asia
    You still can just use one; on one system I only use AG for this, you just need to know which LOLBins/folders are a priority to be blocked.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,510
    Location:
    USA
    Many of us long time users requested that SHA-1 or SHA-256 be used. That's why he changed from using MD5. There's a very slight chance of MD5 collisions outside the lab in the near future.

    Edited: 11-19-18 @ 11:39
     
  15. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    This is overkill. It is a totally unrealistic attack scenario that someone is going to go through the lengths to create a working malicious executable that has the same MD5 hash and still works. You have to make the file executable. And maybe that starting point is where it gets impossible to find a file that has the same hash as the original, and that isn't suddenly 100 MB big due to all the random bytes.
    Also, better use SHA-512 instead of 256. It's two times as fast as 256 on 64-bit systems, and nobody should really still be using 32-bit OSs.

    xxHash or similar should be enough. It's just a database thing and should have nothing to do with security.
     
  16. BananaMoe

    BananaMoe Registered Member

    Joined:
    Sep 8, 2018
    Posts:
    6
    Location:
    Universe
    Well, would it make sense to have a "Disable Completely" mode to match the old behaviour from ERP3?
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,510
    Location:
    USA
    There's not enough impact using SHA-1 vs MD5 to bother me. I haven't ever experienced a collision with MD5, only MD4, but I prefer we use SHA-1, that's my preference.

    Yes, SHA-512 performs better than SHA-256. I wasn't aware of that a few years back when I suggested it.

    Edited: 11/22/18 @ 11:27
     
  18. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    299
    Location:
    Europe
    I actually like NVT ERP precisely (not just cuz ofc) because it doesn't use VT... Voodooshield was so much slower with it scanning each process. So toggle option would be best
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,510
    Location:
    USA
    I don't think you have to use SHA-256 with VT for it to work. I thought you did at the time, but they also calculate the MD5 and SHA-1 hashes, so I'm not sure what they require if you use their API.
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,510
    Location:
    USA
    Btw.. The only way I like using VT is on-demand, it does have a big impact when compared to not using it at all.
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,442
    Location:
    Mexico
    Sharing my new vuln proc rules, based on Florian's list:
    Code:
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Xwizard.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = xcacls.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Wscript.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wmic.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = windbg.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wbemtest.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Wab.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = vssadmin.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = vsjitdebugger.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = visualuiaverifynative.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = vbc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = utilman.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = UserAccountControlSettings.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Tracker.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = te.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = taskkill.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = takeown.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = systemreset.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = syskey.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = SyncAppvPublishingServer.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Stash.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = SQLToolsPS.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Sqlps.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Sqldumper.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = setx.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = set.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = sdclt.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = sdbinst.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Scriptrunner.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = script.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = scrcons.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = schtasks.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = sc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = runscripthelper.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = runonce.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = RunLegacyCPLElevated.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Rpcping.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Replace.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = regsvr32.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Regsvcs.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Register-cimprovider.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = regini.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Regedit.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = RegAsm.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = reg.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = rcsi.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = quser.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Print.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = PresentationHost.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell_ise.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Pcwrun.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Pcalua.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = odbcconf.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ntsd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ntkd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = netstat.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = netsh.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = msxsl.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mstsc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = msra.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mspub.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = msiexec.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mshta.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Msdt.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Msdeploy.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = MSBuild.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mmc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Msconfig.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Microsoft.Workflow.r.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Microsoft.Workflow.Compiler.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Mftrace.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Mavinject.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Makecab.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = lpkinstall.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = kd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = jsc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = js.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = journal.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = InstallUtil.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = infdefaultinstall.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ilasm.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = iexpress.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = iexplore.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = IEExec.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Ie4unit.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = hh.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Gpscript.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = fsiAnyCpu.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = fsi.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Forfiles.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Findstr.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = eventvwr.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Extrac32.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Extexport.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Expand.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Esentutl.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Dxcap.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dnx.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Dnscmd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Diskshadow.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = diskpart.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = DFsvc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = debug.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dbgsvc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = dbghost.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cvtres.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = csi.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Cscript.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = csc.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Control.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Cmstp.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Commit.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = CmdTool.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Cmdkey.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cmd.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = certutil.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cdb.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cacls.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = ByteCodeGenerator.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootsect.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootim.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bootcfg.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bitsadmin.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bginfo.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bcdedit.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bcdboot.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = bash.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = auditpol.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = attrib.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Atbroker.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = at.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = aspnet_compiler.exe] [Action = Ask]</> <enabled>1</> <comment></>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = appvlp.exe] [Action = Ask]</> <enabled>1</> <comment></>
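    The rule lines above are plain text in ERP's export format, so they can be checked before import. The following is an added example (not NoVirusThanks code) that parses that format, evaluates a process event against the rules and flags inconsistent entries; first-match order, the `Allow` default for unmatched processes and the shape of a `Deny` line are assumptions of the example, and the `wevtutil.exe` and `certutil.exe` sample lines are constructed.

```python
"""Parse and evaluate NVT ERP 'vulnerable process' rule lines.

Added example for the rule format Mr.X posted; it is not code from
NoVirusThanks. Assumed line layout (exactly as exported in the post):
<category>..</> <action>..</> <expression>[Key = Value] ...</> <enabled>..</> <comment>..</>
"""
import re
from dataclasses import dataclass

# First four lines copied from the post; the certutil.exe line (disabled,
# with a comment) and the wevtutil.exe Deny line are constructed for this
# example so that disabled and Deny rules can be exercised.
SAMPLE_RULES = """\
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = Wscript.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wmic.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = schtasks.exe] [Action = Ask]</> <enabled>1</> <comment></>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = certutil.exe] [Action = Ask]</> <enabled>0</> <comment>constructed, disabled</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = wevtutil.exe] [Action = Deny]</> <enabled>1</> <comment>constructed</>
"""

TAG_RE = re.compile(r"<(\w+)>(.*?)</>")                      # <name>value</>
CLAUSE_RE = re.compile(r"\[\s*([\w.]+)\s*=\s*([^\]]*?)\s*\]")  # [Key = Value]


@dataclass(frozen=True)
class Rule:
    category: str
    action: str
    clauses: tuple   # ((key, value), ...) taken from the <expression> field
    enabled: bool
    comment: str


def parse_rule(line: str) -> Rule:
    """Turn one exported line into a Rule; raise on a malformed line."""
    fields = dict(TAG_RE.findall(line))
    missing = {"category", "action", "expression", "enabled"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields {sorted(missing)}: {line!r}")
    clauses = tuple(CLAUSE_RE.findall(fields["expression"]))
    if not clauses:
        raise ValueError(f"no [Key = Value] clause in expression: {line!r}")
    return Rule(fields["category"], fields["action"], clauses,
                fields["enabled"].strip() == "1", fields.get("comment", ""))


def parse_rules(text: str) -> list:
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip()]


def matches(rule: Rule, event: dict) -> bool:
    """True when every attribute clause agrees with the process event.
    Names are compared case-insensitively, as Windows file names are; the
    [Action = ...] clause restates the verdict and is not a condition."""
    for key, want in rule.clauses:
        if key == "Action":
            continue
        have = event.get(key)
        if have is None or have.casefold() != want.casefold():
            return False
    return True


def decide(rules: list, event: dict, default: str = "Allow") -> str:
    """Action of the first enabled matching rule, else `default`.
    First-match order and the default are assumptions of this example."""
    for rule in rules:
        if rule.enabled and matches(rule, event):
            return rule.action
    return default


def lint(rules: list) -> list:
    """Problems worth fixing before import: an <action> that disagrees with
    its own [Action = ...] clause, and two rules with the same condition but
    different actions (the later one would never take effect)."""
    problems, seen = [], {}
    for n, rule in enumerate(rules, 1):
        stated = dict(rule.clauses).get("Action")
        if stated and stated.casefold() != rule.action.casefold():
            problems.append(f"line {n}: <action>{rule.action}</> vs [Action = {stated}]")
        cond = tuple((k, v.casefold()) for k, v in rule.clauses if k != "Action")
        if cond in seen and seen[cond][1] != rule.action.casefold():
            problems.append(f"line {n}: same condition as line {seen[cond][0]}, "
                            f"different action")
        seen.setdefault(cond, (n, rule.action.casefold()))
    return problems


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for name in ("WMIC.EXE", "certutil.exe", "wevtutil.exe", "notepad.exe"):
        print(f"{name:14} -> {decide(rules, {'Proc.Name': name})}")
    print("lint:", lint(rules) or "clean")
```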
     
  22. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    Not much, no. But if he'd use xxHash there would be no impact at all. And maybe that is causing all the delays people describe.
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,316
    Location:
    Under a bushel ...
    Thanks @Mr.X
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,442
    Location:
    Mexico
    You're welcome.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,510
    Location:
    USA
    It may be a good idea to change wevtutil.exe from deny to ask. Microsoft Office ClickToRun uses wevtutil.exe. I just had it blocked 5 times in a row. The maintenance task it was running could not continue after that. Below are the ClickToRun command lines I was initially prompted for before wevtutil.exe was blocked. The event log is attached below.

    schtasks.exe /Create /tn "Microsoft\Office\OfficeBackgroundTaskHandlerLogon" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeBackgroundTaskHandlerLogon.xml"
    schtasks.exe /Create /tn "Microsoft\Office\OfficeBackgroundTaskHandlerRegistration" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeBackgroundTaskHandlerRegistration.xml"
    schtasks.exe /Create /tn "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml"

    Using Windows 10 x64 Pro, and ERP build 31.
     
