New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,381
    Location:
    Canada
    BTW, here are some links to examples of common - Top 10 for 2021 - ransomware analysis:

    https://www.welivesecurity.com/2016/04/04/analysis-of-the-locky-infection-process/

    https://www.bitdefender.com/files/News/CaseStudies/study/154/Bitdefender-Whitepaper-GoldenEye.pdf

    https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/

    https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack

    They all utilize either scripting, such as .vbs or .js, or rundll32.exe to launch the malicious executable or DLL. OSArmor provides the protections to stop these initial stages in the attack chain, and with SRP (Software Restriction Policies) enabled, unauthorized executables are prevented from launching in userspace directories where they are typically dropped. And in the case of malicious Word documents in phishing emails, macros should be disabled by default, and even if allowed, the malicious script or rundll32.exe command line should be prevented.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Actually now that I think about it. Perhaps what I said about ERP being more secure than OSA, isn't even true. Because once a user gets tricked into downloading malware and AV's says the file is clean, he/she will allow it to run anyway, so whitelisting won't help. And as said before, OSA is designed to block exploits, so you don't need whitelisting for this either.
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,381
    Location:
    Canada
    This is actually crucial. Anyone determined to run an executable can and probably will bypass the AE's defenses, and the same goes for OSA or similar security utilities. The final line of defense lies with the user, especially if antivirus scans fail.

    But what I was trying to clarify in my above posts is that OSA is far more effective than it's given credit for, as long as several of the key additional protections are enabled.
     
  4. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,742
    Is NVT's anti exec redundant with OSA?
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,381
    Location:
    Canada
    For the home user using OSA and some basic SRP measures, I think so, unless one wants to control which programs are allowed to be run on their device, in which case an anti executable could play a useful role in this capacity.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    That's exactly why I have always been interested in ''post execution'' security tools. AV's should identify and block malware from running, but what if they fail to do so? Then you will have to rely on your second line of defense, with tools like OSA, SpyShelter and AppCheck for example.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,381
    Location:
    Canada
    Being nothing more than a rank beginner amateur in the field of malware infections, the following is my assessment:

    Taken from the following link which is an analysis of Locky ransomware: https://blog.avast.com/a-closer-look-at-the-locky-ransomware

    There is social engineering (user is tricked into enabling macros) and scripting used in the initial stages to launch the malicious binary.

    1. There has to be (should be) some responsibility upon the user to be suspicious of the email content, and avoid a click-happy response.
    2. failing the above, **SRP should prevent the script from launching the binary.
    3. failing 2 for some reason, SRP should prevent the binary from executing from user space, except the user's %TEMP% directory, where they are typically allowed to run so programs can be installed.
    It looks like Locky drops it into this folder, so it would probably succeed in compromising the victim at this stage.

    ** Before posting this, I realized it is SRP preventing the sample scripts I have from launching in my setup. Either way, with basic SRP and something like OSA, one or the other should prevent the scripts from running.

    The first screenshot shows SRP preventing the .VBS script:

    vbs 01.png

    After temporarily disabling SRP from within Hard_Configurator, the same script is now prevented by OSA:

    VBS 02.png

    Here is the command line taken from OSA logs where the script attempts to launch a common LOLBin wscript.exe: Command Line:

    Edit: sorry other way around. Wscript->.vbs script

    "C:\WINDOWS\System32\WScript.exe" "C:\Users\username\Desktop\ClsTS.vbs"
     

    Attached Files:

    Last edited: Oct 17, 2021
  8. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,742
    There's a layered defense to Windows. SRP and an anti executable will kick in first for disallowed exes and processes and if that's somehow bypassed, your AV/AR should detect them and remove them.

    The most important factor in PC security is human common sense and never to download anything from an untrusted site, if your browser security extension doesn't already block you from going there.

    Prevention beats a cure every time.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Now that I think of it, why are hackers using malicious Office documents, is it to bypass AV protection? You would think they could simply mail the malware directly to users and convince them to open it. It's perhaps a silly question, but I don't read that many of these kind of articles anymore, I mean are people still so dumb to fall for this? And besides, AV's should block these samples easily, at least you would hope so.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,381
    Location:
    Canada
    I think so. The .vbs file is obfuscated, and I think that's what makes it hard to detect by the AV's. And my guess is binary files can't be obfuscated?
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,773
    Location:
    U.S.A. (South)
    Personally I for one would enjoy seeing ERP really ramped up and not just your ordinary basic upgrade. The app is NOT insignificant by any stretch and holds it's compliment of effective protection/prevention very well in spite of it's seemingly complexity to some. Some overlook it as too configurable laden but that is the best part of it because once you set it to choice, then it really goes into action and is not noisy when you know where to look.
     
  12. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,215
    Location:
    Brooklyn, NY
    Has anyone experimented with this on Windows 11 yet? Last time I tried it in Windows 10, startup was so prolonged I was like: that's it.

    I love the concept of ERP. I would use this plus OSArmor with fewer rules enabled than now.

    On the website it says "Version 4 coming soon." Could someone give a less vague ETA?
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,381
    Location:
    Canada
    Not really. The last v4 Beta release was January 2019: https://malwaretips.com/threads/exe-radar-pro-v4-beta.80310/page-15#post-790944

    Perhaps Andreas ( @novirusthanks ) can shed some light on this?
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Now that I think of it, I'm guessing that .exe files delivered via email are blocked from running in companies. So that's why they a trying to abuse Office documents, but this can also easily be blocked via process execution control, like you said.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    ERP v4 didn't work correctly for me on Win 10 either. But wait a minute, I now see that strangely enough ERP v3 is still being offered for download on the NVT website, and it's supposed to be compatible with Win 10? I believe NVT should correct this ASAP, because it simply isn't true.

    https://www.novirusthanks.org/products/exe-radar-pro/
     
  16. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,742

    On some Windows 10/11 systems, its buggy. Hasn't beem

    No. The only other anti exe compatible with Windows 10/11 are VS and SAP.
     
  17. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,215
    Location:
    Brooklyn, NY
    Exactly. I find it curious that ERP was promised here and there to be updated to be more compatible but those promises never materialize. Must be some special considerations we're not privy to, otherwise we would have received a new version by now. One just has to be patient, I guess.

    Yes, thanks, my experience pretty much also. Slowed startup in particular.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,773
    Location:
    U.S.A. (South)
    Strange. on the only Windows 10 I have, a Dell with the latest hardware specs, ERP 4 is working just fine. It alerts as expected especially cmd.exe which a Dell Assist uses to update it's pieces on occasion. I always examine the origin and destination on the prompt to be sure whether to allow or not. Obviously I have that file in the Vulnerable List set to ASK.

    All the way around ERP 4 works well on my 10 and to be honest with WVSX and DefenderUIPro it's probably overlayered with more than enough security.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    I think it makes NVT look bad, he should either make sure that ERP 3 and 4 work correctly on Win 10 and 11, or simply remove it from the website, especially since it's not freeware.

    Perhaps it depends on the Win 10 version that you're using, I'm using 1909.
     
  20. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,742
    Windows 11 goes by build numbers.
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    That's the users fault and not ERP. I am positive that ERP will intercept more attacks than OSA when configured correctly because it denies everything that is not specifically whitelisted and it's command line monitoring can do anything that OSA can do. I am monitoring some very key vulnerable executables which were not monitored by OSA by default the last time I checked ( I have not checked OSAs command line monitoring for about 2 years). I'm not saying OSA is not a good product because I think it is an excellent product, but i choose ERP for a higher level of security.

    If the user allows malicious files to execute after being prompted then maybe ERP is not for them. I am well capable of knowing malicious behavior from normal system behavior or just some application attempting to do something it needs to do to function correctly. There is a very low chance of an attacker tricking me into allowing something malicious. I have an Associates Degree in Information Security and I have two semesters left before I complete my bachelors degree. I also have 20 years of beta testing security software, so I think you get the point. Also, ERP blocks by default in Lock-Down Mode instead of prompting the user, which I occasionally use.

    If you do a good job at configuring ERP then you will receive very few prompts. I had to whitelist 2 command lines for my VPN using Wildcards and I had to use 2 digital certificates so ERP would not interfere with some of my firmware. I use a total of 10 digital certificates, but I don't necessarily need all 10. I only remember receiving 2 prompts from ERP in the last 2 1/2 months.

    I should note that I removed route.exe, net.exe, net1.exe, and netsh.exe from the vulnerable process list because having those on the list will surely cause problems for users of VPNs, especially route.exe and netsh.exe. Monitoring command lines for those executables could cause your VPN to leak or completely fail in some cases.

    Edited: 09/10 @ 6:34
     
    Last edited: Nov 10, 2021
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,773
    Location:
    U.S.A. (South)
    That's potentially good info to be made aware of for user's of ERP in this instance. Thanks
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    My point is that OSA is designed to block malware from either running at all, or to block them from using so called LOLBins (see link) without the need for whitelisting. So if file-based malware gets delivered via exploit, it will be blocked. And if a user runs malware by mistake, it will be blocked in stage 2 of the attack. So my point is, you don't need whitelisting per se for extra security.

    https://lolbas-project.github.io
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,381
    Location:
    Canada
    Agreed. For instance, here's a recent phishing threat that uses MS Appinstaller to install a malicious executable payload disguised to look like an Adobe component:

    https://www.zdnet.com/article/bazarloader-now-abuses-windows-10-app-feature-in-call-me-back-attack/

    The targeted victim actually has not one, but two opportunities to prevent this attack if they are reasonably knowledgeable about email threats:

    1. they can hover the mouse pointer over the link to see the prefix "ms-appinstaller". - first red flag
    2. they are asked to allow the installation of "Adobe PDF component". - second red flag
    The above opportunities are there without the help of security programs.

    Of course there are not so knowledgeable click-happy users all over, so 3rd-party security can come into play. OSA has just added the protection against the malicious use of MS appinstaller:

    OSA-new protection.png


    This alert will occur before an anti-executable leaps into action. If this protection is not in play, then of course the anti-executable comes into play when the malicious PE (portable executable) attempts to install.

    The point in this example is that the anti-executable is the last line of defence. Not that this is a bad thing, but that this type of threat or similar can be stopped much earlier in the attack chain of events.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.