New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    So, I guess it's safe to say that using the Whitelist Commandline of these processes is the best way to handle them (Of course if they're safe)?

    Really? I've been able to add rundll to the Alertlist and have had no negative effects that you've mentioned.
     
  2. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
If you trust the process, yes. I normally whitelist commandline processes that are signed and I initiated. You'll still get the alert from alert list items even though you whitelist commandline it.
     
  3. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Ok, thank you.

    I believe I heard that Applying wildcards to these AlertList processes isn't good, correct me if I'm wrong.

    If that is true, then my only option is to Whitelist Commandline these processes.

    If that is the case, then you've answered my question.
     
  4. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Exactly how do you use the wildcard option?
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Right now what you do is go to the events tab after you run the whitelist item. Right click the event, and choose copy to the clipboard selecting command line. Then replace the items that change with a ? Then pick up the command string, and go to the wildcard command line tab.

    Right click, select add, and paste it in. Then it should work.

    So far the only place I've needed it is with the Sandboxie auto delete where the string has 16 random numbers which change every time.

    Pete
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I wouldn't Auto allow any of these free reign :eek:

    cmd.exe
    regsvr32.exe
    rundll32.exe
    wscript.exe

    As they can/have & are used by malware sometimes. Sure you might have other steps etc in place, but still ;)

    Maybe allow msiexec.exe or set to Prompt
     
  7. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Adding the commandline that you get under the events tab. You take the certain commandline and then modify it. You then copy it and add it to the whitelist/commandline wildcard list. Here is what I add for sandboxie when it deletes the sandbox.
    C:\Windows\System32\cmd.exe /c rmdir /s /q "C:\Sandbox\kjdemuth\__Delete_Chrome_?"
     
    Last edited: Mar 22, 2013
  8. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Correct me if I'm wrong, but wouldn't blocking or blacklisting one of these processes disable the functionality of some legit executions?

    I'm assuming that's what you meant...to block.
     
  9. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
No, you can choose block once or even block and quarantine. I actually Blocked and Quarantined a Windows Update process because I didn't recognize it. After I ran it through VirusTotal and googled it, I restored it. Nice and easy.
     
  10. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Ok, let's say I took off/cleared all the below processes from my Alertlist and had nothing, would it still protect me from said processes/ones listed below?

    C:\Windows\System32\cmd.exe
    C:\Windows\System32\regsvr32.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\msiexec.exe
    C:\Windows\System32\wscript.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\wscript.exe

    I assume the answer is no.
     
    Last edited: Mar 22, 2013
  11. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    What do you do -- just Allow Once with each popup?
     
  12. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    I believe if you have "Automatically allow all window protected processes" unchecked you should get alerts from them.
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Yes if you Permanently chose Block.

    No, just Prompt.

    Yes, as i doubt if you would need to do this very often, so no big inconvenience ;)

    *

For the record, I'm not using NoVirusThanks EXE Radar Pro, but ProcessGuard. My advice applies to Any/All AntiExe's etc though ;)
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @RADEON0101

    It is good that you have these processes in the AlertList:

    C:\Windows\System32\cmd.exe
    C:\Windows\System32\regsvr32.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\msiexec.exe
    C:\Windows\System32\wscript.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\wscript.exe

All these processes are regularly used by MS Windows and other applications for a legitimate use. But they can also be used by malicious applications to, for example, load a malicious DLL file using their commandline parameters. Since you have these processes in the AlertList, every time they are executed you will get a popup. The best way to handle this is to WhiteList CommandLine string (or WhiteList CommandLine string using Wildcards), so you can whitelist only the frequently executed commandline strings of these processes, for example:

    C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations
    C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation

These two commandline strings are executed frequently in my OS, so I just click "WhiteList CommandLine" in the alert dialog and I will receive no more popups related to that commandline string. It is completely safe to whitelist legit commandline strings and it is a solution to reduce the popups. You can always use the "Events" tab to analyze the blocked processes and check their commandline string; if it is safe, you can always whitelist it.

    In particular situations you may need to whitelist the Sandboxie commandline operations related to the deletion of the sandbox folder, for example (taken from @kjdemuth post):

    C:\Windows\System32\cmd.exe /c rmdir /s /q "C:\Sandbox\kjdemuth\__Delete_Chrome_ABCHCHCCHCH"

Let's assume the string "ABCHCHCCHCH" is always different; we can add a wildcard like this:

    C:\Windows\System32\cmd.exe /c rmdir /s /q "C:\Sandbox\kjdemuth\__Delete_Chrome_*"

    Adding the "*" means any character of any length, or you can add "?" that means any character of 1 char length, so if the "ABCHCHCCHCH" string has always the same length (12 characters), you can use:

C:\Windows\System32\cmd.exe /c rmdir /s /q "C:\Sandbox\kjdemuth\__Delete_Chrome_????????????"

    So we add 12 times the "?" character.
     
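As an added illustration (not code from the thread or from NoVirusThanks), here is the decision rule novirusthanks describes in Python: a process on the AlertList always prompts unless its commandline matches the exact or wildcard CommandLine whitelist. The matching semantics (`*` = any run of characters, `?` = exactly one character, case-insensitive comparison) are assumptions based on the post, and the sample commandlines are taken from or constructed after the thread's examples.

```python
import re

# Constructed sample lists, following the thread's examples.
ALERT_LIST = {
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\rundll32.exe",
    r"C:\Windows\SysWOW64\rundll32.exe",
}
WHITELIST_CMDLINE = {
    r"C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations",
    r"C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation",
}
WHITELIST_WILDCARD = {
    r'C:\Windows\System32\cmd.exe /c rmdir /s /q "C:\Sandbox\kjdemuth\__Delete_Chrome_*"',
}


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a '*'/'?' wildcard (assumed ERP semantics) into an anchored regex.
    Every other character, including backslashes and quotes, is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")      # any character, any length
        elif ch == "?":
            parts.append(".")       # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def cmdline_matches(cmdline: str, pattern: str) -> bool:
    return wildcard_to_regex(pattern).match(cmdline) is not None


def decide(process_path: str, cmdline: str, alert_list, wl_exact, wl_wildcard) -> str:
    """Mirror post #16: AlertList overrides the process whitelist, but a whitelisted
    commandline (exact or wildcard) is still allowed. Case-insensitive by assumption."""
    if process_path.lower() not in {p.lower() for p in alert_list}:
        return "not-alertlisted"   # other ERP rules apply; out of scope here
    if cmdline.lower() in {c.lower() for c in wl_exact}:
        return "allow"
    if any(cmdline_matches(cmdline, p) for p in wl_wildcard):
        return "allow"
    return "prompt"                 # unknown commandline of an AlertList process
```

A `?`-only pattern is stricter than `*`: it only matches suffixes of exactly the same length, which is why the post counts the random characters before choosing it.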
  15. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
Even if you have CMD.exe in the alert list? I thought regardless of what the commandline wildcard says you'll always get an alert if on the alert list.
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @kjdemuth

    Yes, the AlertList overrides the WhiteList (Processes), so if you have CMD.exe process whitelisted you will always get an alert, but if the commandline string is whitelisted in the tab "WhiteList CommandLine" or "WhiteList CommandLine (Wildcard)" it will be allowed.
     
  17. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Thank you very much for the help, now I know what direction to take.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
You are absolutely correct for ProcessGuard. I was beta testing for DiamondCS when they dropped away, and one of the issues they were struggling with was what to do with these apps.

The difference with them is how they are used, i.e. what is in the commandline.
What we are talking about here is not blanket allowing the app, but whitelisting each particular commandline. When the good guy uses a valid commandline it passes, but the bad guy's commandline kicks up an alert.

    You ought to give ERP a whirl.

    Pete
     
  19. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
Think I would add C:\Windows\System32\cscript.exe, and C:\Windows\SysWOW64\cscript.exe if on a 64 bit system, on to that list as well, RADEON0101. :).

    Later...
     
  20. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    How important is it to add wscript.exe to the Alert List?
     
  21. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    cscript.exe and wscript.exe are script hosts. cscript is a command line script host and wscript is a graphical script host. They are used to execute scripts, obviously, like, for example, a *.vbs file.

    Later...

    Bob
     
  22. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Thank you Trespasser, just added it :thumb:
     
  23. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I know AppGuard includes MBRGuard, but does it also protect the registry?
     
  24. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Sweet, I finally got everything in order.

    EXE Radar Pro is finally configured the way I want it.

    In case someone here may want to configure ERP this way, here are my settings.

    Alertlist Tab (ADDED):

    C:\Windows\System32\cmd.exe
    C:\Windows\System32\regsvr32.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\msiexec.exe
    C:\Windows\System32\wscript.exe
    C:\Windows\System32\cscript.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\wscript.exe
    C:\Windows\SysWOW64\cscript.exe

    Depending on the Alert, I'll Whitelist the Commandline of legitimate processes only.

    Some I set to prompt at all times

    Protected Processes Tab (ADDED):
    C:\Windows\regedit.exe
    C:\Windows\SysWOW64\regedit.exe

    Settings, Advanced:
    Automatically block processes executed from USB (Checked)

    Settings, Policies:
    Lockdown Mode (Checked)

    Settings, Password:
    Enable Master Password (Checked)
    Password Protect Closing of EXE Radar Pro (Checked)
    Password Protect Whitelisting Operations (Checked)
    Password Protect Disabling of Protection (Checked)
    Password Protect Disabling of Lockdown Mode (Checked)

    Settings, Protection:
    Restore Lockdown Mode if disabled for more than: 5 Minutes - Enabled, but currently not working in v2.7.3

    THE REST OF THE SETTINGS ARE SET TO THEIR DEFAULT VALUES

Handling/The way I run things:

• If anything out of the ordinary arises, I don't allow execution, unless of course it's a process that I trust.
• 99.9% of the time, I keep EXE Radar Pro in Lockdown Mode.
• If I feel something is suspicious, I'll look into the "Processes" tab and the "Events" tab to investigate further.
• If unsure of a process, I "Search Process on Google" via right-click, under the Processes tab.
• If unsure of a process, I "Search Hash on VirusTotal" via right-click, under the Processes tab.

I'm in control of what runs on my systems and usually know what's being executed; it's extremely rare that I run into a process that I don't recognize.

    But...

    If an unknown process would ever execute in my systems....Then that's my fault.

    Feel free to get ideas from my above configuration, but if any of you have anything you would add and or change, please give out your recommendations.
     
    Last edited: Mar 23, 2013
  25. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Hi Tom,

    It protects the HKLM Registry Hives and the HKCU Run / RunOnce command, as described in the AppGuard Technology White Paper, which can be downloaded in PDF format from here: AppGuard Technology Computer Protection White Paper - PRWeb

    To avoid taking this thread off topic, if you have any more questions regarding AppGuard, I suggest posting them in one of the active AppGuard threads. :)

    Kind regards
    pegr
     
    Last edited: Mar 23, 2013