Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.
Net command is not monitored.
Do you think to add a rule?
Installed here with custom settings and no problem.
Any chance to put a build # in the about section with the updates? Also, an auto-update feature or something to check for updates would be useful.
It is working flawlessly - no false positives. I haven't been through a major Windows Update yet though, so we'll see.
I block cmd.exe, and I use cmd.exe sometimes. Therefore I just have to disable protection temporarily when using the cmd.exe. But that's it.
Solid piece of work for a test build beta/pre-release.
Planning to add these new rules to completely block other commonly abused system processes:
+ Block execution of sc.exe
+ Block execution of net\net1.exe
+ Block execution of wmic.exe
+ Block execution of netsh.exe
+ Block execution of bitsadmin.exe
+ Block execution of reg.exe
We don't have specific rules for net.exe yet.
Do you have any example of rules to add related to net.exe?
We plan to add a check for updates in the next version (v1.5).
net user accountname /delete
The Net command will also delete the contents of the folders Documents, Images, Downloads, Music, Video, ...
net user accountname /add
net localgroup administrators account name /add
The Net commands will create an account with administrative rights.
net user accountname *
choice of password
For more info enter the command below:
net help user
What happens if an attacker sets the Integrity Level to "Untrusted" for every file in the OSArmorDevSvc folder?
Usually the exe files stop working.
With CHML this is easily possible:
Please add PotPlayer on Anti-Exploit tab.
I already asked for it two times...
Does it have a digital signature? See: https://www.wilderssecurity.com/thr...-layer-of-defense.398859/page-38#post-2736211
Yes, PotPlayer is digitally signed.
If you launch cmd.exe the same way every time, all you have to do is make one exception rule when you get the block prompt, and you are good to go. You can launch cmd.exe, but malware can't.
Thanks! Something like this then?
[%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: "C:\WINDOWS\system32\cmd.exe"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTSIGNER%: Microsoft Windows]
I reckon malware could not mimic that in any way. The parent process needs to be signed 'Microsoft Windows' and named 'explorer.exe' in order to abuse my exclusion for cmd.exe now?
Well it depends on how paranoid you want to be about it. You see, explorer.exe is sometimes attacked by malware, so explorer>cmd is potentially abusable.
It would be safer, I think, to make an allow rule for an alternative search tool, such as Everything or Ultra Search, or maybe someone else has an even better and more paranoid idea...
True, but the exclusion doesn't whitelist any command lines. Wouldn't malware typically start cmd.exe with a command line?
Good point. I think you are right.
Build 40 running well with no issues for three days. Default with one additional setting.
We'll add the option "Block execution of net\net1.exe"
The processes net\net1.exe are rarely executed in general, and that rule would block net\net1.exe entirely (easiest choice).
Sysadmins that need net.exe will need to exclude specific command-lines to use net\net1.exe.
Will check it later and will see if it will be added in this v1.4 or in the next version.
That exclusion for cmd.exe is correct because you included also the parent process and the command-line.
It would just allow explorer.exe to launch cmd.exe (with no parameters) and is totally safe.
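One way to see why the exclusion only covers that one launch, as an added Python example (not OSArmor's own code; the exact-match, case-insensitive field comparison and the three sample events are assumptions made here):

```python
import re

# The cmd.exe exclusion rule exactly as posted in the thread.
RULE = (r'[%PROCESS%: C:\Windows\System32\cmd.exe] '
        r'[%PROCESSCMDLINE%: "C:\WINDOWS\system32\cmd.exe"] '
        r'[%PARENTPROCESS%: C:\Windows\explorer.exe] '
        r'[%PARENTSIGNER%: Microsoft Windows]')

FIELD_RE = re.compile(r'\[%(\w+)%:\s*(.*?)\]')


def parse_rule(rule):
    """Split '[%FIELD%: value] [%FIELD%: value] ...' into a dict."""
    return dict(FIELD_RE.findall(rule))


def rule_matches(rule_fields, event):
    """Assumed semantics (not OSArmor's actual implementation): every field
    named in the rule must equal the event's value, compared case-insensitively
    and as a whole string, so a different parent or any extra command-line
    argument breaks the match."""
    return all(event.get(name, '').lower() == wanted.lower()
               for name, wanted in rule_fields.items())


# Constructed process-start events for illustration, not real OSArmor logs.
EVENTS = {
    'explorer_no_args': {
        'PROCESS': r'C:\Windows\System32\cmd.exe',
        'PROCESSCMDLINE': r'"C:\WINDOWS\system32\cmd.exe"',
        'PARENTPROCESS': r'C:\Windows\explorer.exe',
        'PARENTSIGNER': 'Microsoft Windows'},
    'explorer_with_args': {
        'PROCESS': r'C:\Windows\System32\cmd.exe',
        'PROCESSCMDLINE': r'"C:\WINDOWS\system32\cmd.exe" /c whoami',
        'PARENTPROCESS': r'C:\Windows\explorer.exe',
        'PARENTSIGNER': 'Microsoft Windows'},
    'office_parent': {
        'PROCESS': r'C:\Windows\System32\cmd.exe',
        'PROCESSCMDLINE': r'"C:\WINDOWS\system32\cmd.exe"',
        'PARENTPROCESS': r'C:\Program Files\Microsoft Office\WINWORD.EXE',
        'PARENTSIGNER': 'Microsoft Corporation'},
}


def excluded(event_name, rule=RULE):
    """True if the event is covered by the exclusion (launch allowed),
    False if the generic 'block cmd.exe' rule would still apply."""
    return rule_matches(parse_rule(rule), EVENTS[event_name])


if __name__ == '__main__':
    for name in EVENTS:
        print(f'{name}: {"allowed" if excluded(name) else "blocked"}')
```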
No, it should keep these 8 options (on Advanced tab) checked after you click on "Reset to Default" button:
Hmm. Just encountered problem too installing test40 - installed but was disabled, with no ability to change it.
Disabled EAM, installed successfully and I was able to set it to Passive Logging mode.
With EAM disabled you should be able to do a full install
After discovering the reset had me start over, I set up a really tight setup, and a couple of excludes handled everything. This is one powerful piece of software.
"The time comes when you have to choose between what is easy and what is right."
Indeed, I have edited my post.
After a few days of running the latest build, same problem. Protection is disabled. Any way to fix this? What info do you need from me? I ended up just uninstalling it for now.