Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.
accounts don't share the settings. Each user uses their own settings.
Hello. Could you please add an option to mass create rules like for example in Microsoft AppLocker where you can scan folder and its subfolders and generate hash based rules for every app it finds there?
You can already by using the rule editor and allowing/excluding the folder.
Could you point out where this option is? Because I can't find anything corresponding in Expression Builder on beta32.
If my memory is good (I don't have ERP installed at the moment):
select folder in Path with wildcard (e.g. D:\my apps\*) > action: exclude.
The user is proposing an Applocker-like feature.
After selecting a folder, for example "C:\Program Files", ERP looks into this folder and its subfolders and adds each single file as a hash-based rule.
Yes, he wants the v3 feature, but adding each file that way is pointless unless they are LOLbins.
My method is the one I use when trying to replicate the said v3 feature the easy and fast way.
ERP is anti-exe not SRP anyway.
Thank you for the clarification, that's exactly what I was asking for.
Afaik that is a path based rule and I am trying to create a hash or a signer rule.
Well, for me it is definitely not pointless because it can save my time. At present, if I want to add several hash- or signer-based rules I have to manually open an exe file every time, which is very time-consuming. It would help me a lot if there were the option that I described above. As for path-based rules, there are two reasons why I don't want to use them: first, from time to time I run applications from external media, for example Directory Opus, that's why I want to be able to run my applications regardless of path changes; second, I don't find path-based rules secure.
Security is in the eye of the beholder. Some people might have 10 security programs on their PC and still feel like the NSA is gonna hack them; others know that malware isn't just going to magically appear on your PC. If you're the only one using your PC, there's nothing to worry about, as long as you trust what programs you're using and what you're running, and keep your OS and programs updated.
In your example, you plug in a USB, you know what's in the USB, you know what programs you're executing, you use anti-exe as a kind of warning thing: if the hash of the exes changes, you'll know. But guess what, that's not gonna happen by itself, the exes won't just magically change to some malicious ones, assuming the rest of your PC is clean, which you should know about.
This will be a useful feature for sure, but it's by no means a mandatory thing in order to be "secure".
It works this way only if you're using removable media on your computers that are clean; in my case I am using my flash drive on other people's PCs, and from my past experience file infectors like different variations of Sality can infect executables on a USB drive pretty easily. There are other attack vectors that can utilize the inborn vulnerability of path-based rules, that's why as a rule of thumb I prefer using hash- or signature-based rules.
EXE Radar Pro or any anti-exe software or firewall solutions are all not mandatory to stay secure, for example you can always use an air gapped computer, the whole point of using them is because it is easier that way.
Ok, so what does NVT ERP have to do with this? If you use a flash drive on someone's PC, and they don't have NVT ERP, they won't be able to utilize the rules that you're asking for. What you could do is use some program that checks the hashes of all files on the flash drive, something like https://www.nirsoft.net/utils/hash_my_files.html, then each time you plug in the flash drive, you can use that to make sure the files haven't been modified before you run them, and you'll use a clean txt/html/xml file for comparison by exporting the known-clean hashes and then comparing the resulting exported file with the known-clean one. Of course, this doesn't mean there won't be something like NVT ERP but instead malicious installed on the other PC, that intercepts API calls and the like, and when you decide to run your exe file on the flash drive it instead decides to run another exe or do shenanigans like snoop on your exe etc. Also the program I linked uses md5/sha1 hashes, which aren't the most secure ones, but I think it'll do the job; if you do a Google search you'll likely find many similar programs. You can use something like text-compare.com to compare the contents of the exported files, or ironically, compare their hashes.
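As an added example (not code from this thread, from NVT ERP or from HashMyFiles), here is the baseline-and-compare check described above in Python, using SHA-256 rather than MD5/SHA-1. It assumes the baseline manifest is produced on a known-clean machine and kept off the drive being checked; the sample drive contents are constructed.

```python
import hashlib
import os
import tempfile

EXE_SUFFIXES = (".exe", ".dll", ".scr", ".com")  # types a file infector typically alters


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each executable under root (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXE_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Diff two manifests; a 'modified' entry means run nothing until investigated."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed sample drive: one executable is altered after the baseline."""
    with tempfile.TemporaryDirectory() as drive:
        os.makedirs(os.path.join(drive, "tools"))
        exe = os.path.join(drive, "tools", "dopus.exe")
        with open(exe, "wb") as f:
            f.write(b"MZ original program bytes")  # constructed, not a real binary
        baseline = build_manifest(drive)  # taken on a known-clean machine
        with open(exe, "ab") as f:
            f.write(b" appended stub")  # simulate a file infector touching it
        return compare_manifests(baseline, build_manifest(drive))
```

Store the baseline as JSON off the drive; on another PC the manifest comparison only tells you the files changed, not that the host itself is trustworthy.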
@10sh1 Path-based rules are secure enough, and surely less of a hassle than hash-based ones... do you plan to never update your apps? I don't think so...
And if you share work files on USBs with other computers, it is not an anti-exe that you need but a sandbox.
I am not trying to utilize NVT ERP rules on other people's PCs, I just need a hash or a signature check before an application runs in order to block infected executables. That's all.
Are you implying that hash-based rules should be removed from NVT ERP? Sorry, but I don't understand your point, and I don't find it much of a problem to manually update the hash after an application update.
No, I meant: why ask for a feature to avoid adding hashes one by one, when you have to do the same to update the said hashes?
Updating rules for one or two applications once in half a year is not the same as adding a bulk of 30-40 applications at a time; you can also use signature-based rules if you update your apps frequently.
It also would be great if you could add a more granular approach to the creation of signature-based rules, where it is possible to limit the rule to the specified version of the file, product name and publisher, or to limit the rule to the specified product name and publisher etc., like it is shown on the screenshot of AppLocker below.
I've finally installed V4 to try out - looks good - just have a few minor comments/questions...
- the default Trusted Vendor list is pretty huge - I deleted these and used the scan function
- the 'add trusted vendor' button on the V3 alerts is gone? Did anyone else use this?
- temporarily changing modes is gone for some of the options - e.g. "Protection modes - Allow mode - enable for xx minutes". I usually select this for app installs - I find 'install mode' often fails to disable ERP enough to enable the install... and I forget to change the setting back.
@novirusthanks - What are the chances of dressing up the Alert Box a little more, in some manner to make it stand out a bit stronger than it does now?
On a different note, it might not come as any surprise, but v4 to date has still proved above board and effectively accurate.
My setup gives ERP work to do at each reboot/startup, as a starter, by way of a carefully crafted WiFi script which taps into a CMD/VBS file combo which in series initiates Microsoft's Virtual WiFi Network with the least possible effort on the end user's side. ERP v4 rules settings offer protection by still alerting to the CMD (both times) without any necessity of assigning them Allow Rules. Alert Rules have proven adequately sufficient despite the fact that a manual Install action is the requirement I chose to apply to this procedure.
Keep up the great work and development. Should anything raise serious concern or present an opportunity to bring some attention to, rest assured I'll pass that up the chain for you as a possible interest in better refining this fine piece of work.
I have seen this frustrating issue, too. I wish I could nail it down what the exact problem is, then it would be easier to fix.
I'm having a problem re-establishing ERP on here. It installs but as soon as I hit "Finish" there's an error box. It is logged in Event Viewer as Event 1000 Application error. I wrote to email@example.com but that was some days ago. I see similar events happened a few months ago, but nothing recently. Windows 10 17763.529 with Windows Defender and OSArmor/Sandboxie.
ERP is still buggy as hell.
It was last updated over 4 years ago.
The official stable yes, the beta is way more recent and quite stable (to me) .
On my side too the beta has been quite stable on two different PC.
@novirusthanks ERP v4 test32 is buggy on my 1903; observed behaviors are:
- restart hanging
- when importing a backup zip file, exiting and restarting ERP, ERP's GUI won't load instantly and rather lags, then crashes.
Which version are you talking about? I have no problems on my Win 8 system. The thing that does bug me is that there is still no strict parent-child process control. I would like to add explorer.exe and svchost.exe to my vulnerable process list, but this isn't possible.