New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
  2. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    What can I say?
    Superb, fantastic, simply the best support and developer(s)!
    :D :thumb:
     
  3. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    How do we add processes to the list?
    Right click-Add in the form or is there an option in pop-up alert?
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Some great changes. Can't wait to get my hands on it.

    Pete
     
  6. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    I am liking it!! :thumb:
     
  7. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I got more likings than you two!!! :p
    :thumb: :thumb: :thumb:
     
  8. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Question: How do we remove process from the list?
    Right click-Remove?
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If you've deleted the program itself, then right click on the whitelist and use non-existent processes. If you just want to remove it from the whitelist, select the exe by highlighting it with the mouse and then use right click remove.

    Pete
     
  10. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I thought so.
    Thanks, Pete! :thumb:
     
  11. chris1341

    chris1341 Guest

    Playing about with ERP again lately. Seems to do what it says on the tin well and is very light.

    I have a problem though when the application is initializing at start up. It seems to take a long time - 30 seconds or so after the rest of the system is fully operational. No biggie really as long as it is just the GUI and protection is running. However, I seem to be able to launch executables not on the whitelist when I'm in lockdown mode, even blacklisted ones, during that delay.

    Just me?

    Thanks
     
  12. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Everything is fine here...but I'm sure nvt will check it...
    In the meanwhile, tell us what other security products and what OS you are running...
     
  13. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    nvt, what happened to the "Block Processes by File Extension" + "Manage List" functionality in 1.3.3.2 and later versions? o_O

    Today I normally executed LibreOffice 4.0 msi installer from USB in Lockdown mode (no popup)! :eek:
    "Automatically allow all signed software" option is turned off.
    Here is the discussion from 2011 (read from post #285):
    https://www.wilderssecurity.com/showthread.php?t=300552&page=12

    Please add an option to block execution of .msi, .com, .jar, .ocx, .scr, .sys, .drv, .cpl, .pif, .bat and all other executable files.
    https://www.wilderssecurity.com/showpost.php?p=1680883&postcount=269
    Which one of these extensions are blocked now?

    I think this option should be re-introduced (with mostly used extensions checked/enabled by default) for better security ASAP. :ninja:
    Users should have full control of executables in the system with ERP.
     
    Last edited: Feb 8, 2013
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @siketa

    MSI files are executed by C:\Windows\System32\msiexec.exe, please see if that process is in your whitelists.

    See this image:

    http://postimage.org/image/ql9sd0ge9/

    As you see, the main process that is being executed is C:\Windows\System32\msiexec.exe and from the commandline string you see it uses the parameter:

    So, if the MSI file is located in the USB, the commandline will be like:

    C:\Windows\System32\msiexec.exe /i "E:\path\to\file.msi"

    In this case, you need to check the commandline string to know where the .MSI file comes from and then allow or block it as you need. Best would be to not whitelist msiexec.exe if you want to control also .MSI executions better. Anyway I will think about something to be able to manage also MSI files more easily.

    @chris1341

    Yes, the startup-delay is known, in v2.7.3 it just takes 2 or 3 seconds to run, it has been fixed.
     
  15. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Last edited: Feb 8, 2013
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @siketa

    ERP monitors the execution of any process, without checking the file extension; for example, if a process named abc.abc runs, ERP can detect it. What can be said is that, for example, a .BAT file is executed by C:\WINDOWS\system32\cmd.exe, a .MSI file is executed by C:\Windows\System32\msiexec.exe, a .VBS or .JS file is executed by C:\WINDOWS\system32\WScript.exe, and so on.

    Options:

    1)
    Now, an easy method to quickly monitor for these files would be to always alert for "sensitive" processes, like cmd.exe, msiexec.exe, regsvr32.exe, rundll32.exe, wscript.exe, etc., so you always have the possibility to analyze their commandline string to know what the real file being executed by these MS processes is.

    2)
    Or I can analyze all of these sensitive processes and add a simple table where a user can block the execution of a file extension. For example, if you want to block .MSI execution, ERP will automatically analyze the commandline string checking for "msiexec.exe /i {file}.MSI" and block the MSI execution. Now what would happen if the user runs this command: "msiexec.exe /i {file}.random_extension"? Msiexec.exe would load that file as an MSI file because, even if you blocked the .MSI file extension, the user loaded it with an extension different from .MSI. Same for VBS files: WScript.exe can be used to load any file extension, WScript.exe can load a VBS script named malware.abcd, it is not needed that the file extension is .VBS to be loaded. For this reason I believe that monitoring for file extensions is weak.

    Anyway, I will analyze both methods and I will see what is the best option (at the moment I would prefer the first one), of course if anyone has suggestions, let us know ;)
     
    Last edited: Feb 8, 2013
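The approach described in posts #14 and #16 (recover the real payload from the host process's command line instead of trusting a file extension, and always alert on the "sensitive" hosts) as an added worked example. This is not ERP's code and makes no claim about how ERP parses command lines; the per-host argument conventions are assumptions taken from each tool's documented usage, and every sample command line below is constructed.

```python
"""
Added example (not ERP's own code): decide on a process launch from the
host image plus its command line, so that what is really being executed is
recovered from the argument list rather than from the payload's extension.
Per-host argument conventions are assumptions from documented tool usage.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Set

# Hosts whose command line carries the real payload, with the extensions
# each one normally runs. A mismatch is not proof of malice, but it is the
# "malware.abcd" case from the thread and worth surfacing in the alert.
EXPECTED_EXT = {
    "msiexec.exe":  {".msi", ".msp"},
    "wscript.exe":  {".vbs", ".vbe", ".js", ".jse", ".wsf"},
    "cscript.exe":  {".vbs", ".vbe", ".js", ".jse", ".wsf"},
    "cmd.exe":      {".bat", ".cmd"},
    "rundll32.exe": {".dll"},
    "regsvr32.exe": {".dll", ".ocx"},
}
MSIEXEC_PACKAGE_SWITCHES = {"/i", "-i", "/a", "/p", "/x", "-x", "/f", "/j"}


def split_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows-style tokenizer: whitespace separates arguments,
    double quotes group an argument and are dropped (enough for paths)."""
    args, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def extract_payload(host: str, args: List[str]) -> Optional[str]:
    """Return the file a sensitive host was asked to run; args excludes argv[0]."""
    if host == "msiexec.exe":                 # msiexec /qn /i "pkg.msi"
        for i, a in enumerate(args[:-1]):
            if a.lower() in MSIEXEC_PACKAGE_SWITCHES:
                return args[i + 1]
    elif host == "cmd.exe":                   # cmd /c "script.bat"
        for i, a in enumerate(args[:-1]):
            if a.lower() in ("/c", "/k"):
                return args[i + 1]
        return None
    elif host == "rundll32.exe":              # rundll32 "x.dll",EntryPoint
        return args[0].split(",", 1)[0] if args else None
    # wscript/cscript/regsvr32 (and msiexec with a bare package): first
    # argument that is not an option switch.
    for a in args:
        if not a.startswith("/") and not a.startswith("-"):
            return a
    return None


@dataclass
class Verdict:
    host: str
    action: str                         # "allow" or "alert"
    reason: str
    payload: Optional[str] = None
    extension_expected: Optional[bool] = None


def decide(cmdline: str, whitelist: Set[str], alertlist: Set[str]) -> Verdict:
    """whitelist: lowercase full image paths; alertlist: lowercase image
    basenames. The alert list wins over the whitelist, so a whitelisted
    msiexec.exe still produces an alert that shows the package it loads."""
    args = split_cmdline(cmdline)
    image = args[0].lower()
    host = ntpath.basename(image)
    if host in alertlist:
        payload = extract_payload(host, args[1:])
        if payload is None:
            return Verdict(host, "alert", "sensitive host, no payload found")
        ext = ntpath.splitext(payload)[1].lower()
        ok = ext in EXPECTED_EXT.get(host, set())
        reason = "sensitive host; payload " + payload
        if not ok:
            reason += " (extension %r is not one %s normally runs)" % (ext, host)
        return Verdict(host, "alert", reason, payload, ok)
    if image in whitelist:
        return Verdict(host, "allow", "image on whitelist")
    return Verdict(host, "alert", "image not on whitelist")


SAMPLES = [  # constructed command lines, not captured from a real system
    r'C:\Windows\System32\msiexec.exe /i "E:\path\to\file.msi"',
    r'C:\Windows\System32\msiexec.exe /qn /i "E:\tmp\setup.random_extension"',
    r'C:\WINDOWS\system32\WScript.exe //B "C:\Users\u\malware.abcd"',
    r'C:\Windows\System32\rundll32.exe "C:\Users\u\AppData\Local\Temp\x.dll",Run',
    r'C:\Windows\System32\cmd.exe /c "E:\scripts\run.bat"',
    r'"C:\Program Files\Foo\foo.exe" --update',
]

if __name__ == "__main__":
    whitelist = {r"c:\windows\system32\msiexec.exe", r"c:\program files\foo\foo.exe"}
    alertlist = set(EXPECTED_EXT)          # every sensitive host from the thread
    for line in SAMPLES:
        print(decide(line, whitelist, alertlist))
```

Running the block prints one verdict per sample: the two msiexec launches and the WScript launch alert even though msiexec.exe is on the whitelist, and the `.random_extension` and `.abcd` payloads are flagged as not matching what the host normally runs. Dropping the alert list (passing an empty set) makes the first msiexec launch come back as "allow", which is exactly the gap post #14 describes when msiexec.exe is whitelisted.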
  17. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    @Novirusthanks, finally you have turned Orange :D :thumb:
     
  18. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    @ nvt: Thanks for detailed answer! :)

    Option 1) looks better to me too ATM.
     
  19. chris1341

    chris1341 Guest

    Good to know.

    @siketa Win 8 x64 and no other security apps installed while testing ERP.
     
  20. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    I like #1 also :thumb:
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I also agree that Option 1 is a better choice.

    Thanks for the opportunity to provide input.

    Pete
     
  22. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    So, after this discussion, the solution should be something like this?
    :D

    1) Rename the "Alert when rundll32 or regsvr32 tries to load a DLL/EXE" option to "Alert when 'sensitive' process tries to load a DLL/EXE"
    2) Under "sensitive", the following processes should be included: cmd.exe, msiexec.exe, regsvr32.exe, rundll32.exe, wscript.exe, etc.
     
  23. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    I already integrated it in v2.7.3 (the English text and the TAB position need to be changed), see this pic: http://postimage.org/image/5w9dcibpb/

    Basically the AlertList overrides the whitelist: for each process present in the AlertList, when it is executed, ERP will show the alert dialog where the user can select what to do with that process. If you have the option "Always allow system protected processes" enabled, you can easily add all the sensitive processes to the "AlertList".
     
  24. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Great! :thumb:
    Just make sure to also include msiexec.exe and wscript.exe in the default list at least (or is it going to be empty?).

    Is pop-up still going to be shown even if ERP is running in Lockdown mode or process will be blocked automatically?
     
    Last edited: Feb 8, 2013
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @siketa

    I was thinking to have it empty, and recommend somehow to the users what they should add. Or I can add by default some of the sensitive processes, I will need to think about this.

    Sure, it is shown also in Lockdown mode ;)
     