NVT EXE Radar Pro and NVT OSArmor: My Setup

Discussion in 'other anti-malware software' started by puff-m-d, Aug 3, 2018.

  1. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,558
    Location:
    North Carolina, USA
    Hello,

    This post will only help those that use both NVT EXE Radar Pro and NVT OSArmor side by side, and make use of some or all of the "Advanced" rules in the "Configurator". Your mileage may vary and you may or may not find this post useful. I just thought that I would post this setup as I have been doing a lot of tinkering with these apps the last few days.

As the title implies, I use both NVTERP and NVTOSA. I do use the vulnerable process rules in NVTERP and have all options checked in the configuration of NVTOSA. I have not had any issues running this setup. There is only one minor annoyance: sometimes both apps jump in and prompt on the same item. I decided to try to set the apps up with NVTERP doing the main work and NVTOSA following close behind. I wanted to have the dual alerts cut down to a minimum while having as high a security level as possible. This setup is to be sure that the items that are in the vulnerable process rules covered by NVTERP are disabled in NVTOSA.
    Below is a list of rules that need to be disabled in NVTOSA to achieve this.
    All of these rules are found on the "Advanced" tab of the "Configurator":
    Be sure that the following rules are disabled in NVTOSA:
    "Smart PowerShell & Cmd Rules" section:
    • Block execution of Windows Command Prompt (cmd.exe)
    • Block execution of Windows PowerShell
    "Other Useful Block-Rules" section:
    • Block execution of javaw\java.exe
    "Block Specific System Processes" section:
    • Block execution of schtasks.exe
    • Block execution of taskkill.exe
    • Block execution of cacls\icacls\xcacls.exe
    • Block execution of takeown.exe
    • Block execution of regini.exe
    • Block execution of wscript\cscript.exe
    • Block execution of sc.exe
    • Block execution of net\net1.exe
    • Block execution of netsh.exe
    • Block execution of bitsadmin.exe
    • Block execution of wmic.exe
    • Block execution of xcopy\robocopy.exe
    • Block execution of reg.exe
    • Block execution of vssadmin.exe
    • Block execution of whoami.exe
    • Block execution of shutdown.exe
    • Block execution of lxrun.exe
    • Block execution of bash.exe
    • Block execution of at.exe
    "Attacks Mitigation Rules" section:
    • Block execution of C Sharp compiler (csc.exe)
    • Block execution of Visual Basic compiler (vbc.exe)
    Once you have ensured that all of the rules above are disabled in NVTOSA, you will need to add two rules to the NVTERP vulnerable process list as two of the rules that were disabled in NVTOSA contain multiple items (two of which are not in the NVTERP vulnerable process list). They are listed below:
    Add these to the NVTERP vulnerable process list:
    Code:
    [Proc.Name = robocopy.exe]
    [Proc.Name = xcacls.exe]
    You may set them to either "Ask" or "Deny", depending on your personal preference. I do not like auto-blocked events as I prefer to make the decision myself, so I use "Ask".
The above is my initial setup. It will not completely eliminate both NVTERP and NVTOSA alerting at the same time, but it does reduce it significantly while still maintaining the same level of security. I hope that this will be helpful to others; since I spent some time setting this up, I thought that I would share it in any case...
     
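The reconciliation described in the post above, as an added example that is not part of the original post and not NoVirusThanks' own code: it takes the OSArmor "Block execution of ..." rule labels, expands shorthand such as "cacls\icacls\xcacls.exe" into individual process names, compares them against an EXE Radar Pro vulnerable-process list, and reports which OSArmor rules overlap (and can be disabled) and which process names are missing on the ERP side (and should be added in ERP's "[Proc.Name = ...]" form). The ERP list, the mapping of the "Windows PowerShell" rule to powershell.exe, and the extra "example-tool.exe" rule are assumptions constructed for this example, not values taken from either product.

```python
"""Reconcile OSArmor block rules with an EXE Radar Pro vulnerable-process list.

Added example; not code from the original post or from NoVirusThanks.
"""
import re

# OSArmor rule labels as they appear on the Configurator's "Advanced" tab
# (copied from the post), plus one CONSTRUCTED rule at the end that is NOT a
# real OSArmor rule; it exists only to show the "no overlap, leave enabled" path.
OSARMOR_RULES = [
    "Block execution of Windows Command Prompt (cmd.exe)",
    "Block execution of Windows PowerShell",
    r"Block execution of javaw\java.exe",
    "Block execution of schtasks.exe",
    "Block execution of taskkill.exe",
    r"Block execution of cacls\icacls\xcacls.exe",
    "Block execution of takeown.exe",
    "Block execution of regini.exe",
    r"Block execution of wscript\cscript.exe",
    "Block execution of sc.exe",
    r"Block execution of net\net1.exe",
    "Block execution of netsh.exe",
    "Block execution of bitsadmin.exe",
    "Block execution of wmic.exe",
    r"Block execution of xcopy\robocopy.exe",
    "Block execution of reg.exe",
    "Block execution of vssadmin.exe",
    "Block execution of whoami.exe",
    "Block execution of shutdown.exe",
    "Block execution of lxrun.exe",
    "Block execution of bash.exe",
    "Block execution of at.exe",
    "Block execution of C Sharp compiler (csc.exe)",
    "Block execution of Visual Basic compiler (vbc.exe)",
    "Block execution of example-tool.exe",  # constructed, not a real rule
]

# Rule labels that do not spell out an executable name. ASSUMPTION: the
# PowerShell rule is treated as covering powershell.exe only.
RULE_ALIASES = {
    "Block execution of Windows PowerShell": ["powershell.exe"],
}

# ASSUMED ERP vulnerable-process list, constructed so that (as the post says)
# every OSArmor rule above overlaps it except for xcacls.exe and robocopy.exe.
ERP_VULNERABLE_PROCESSES = {
    "cmd.exe", "powershell.exe", "javaw.exe", "java.exe", "schtasks.exe",
    "taskkill.exe", "cacls.exe", "icacls.exe", "takeown.exe", "regini.exe",
    "wscript.exe", "cscript.exe", "sc.exe", "net.exe", "net1.exe", "netsh.exe",
    "bitsadmin.exe", "wmic.exe", "xcopy.exe", "reg.exe", "vssadmin.exe",
    "whoami.exe", "shutdown.exe", "lxrun.exe", "bash.exe", "at.exe",
    "csc.exe", "vbc.exe",
}


def rule_processes(rule):
    """Expand one OSArmor rule label into the lowercase process names it covers.

    Handles three label shapes seen in the post: an alias with no file name,
    a file name in parentheses ("... (csc.exe)"), and a trailing token of
    backslash-separated names where only the last carries ".exe"
    ("cacls\\icacls\\xcacls.exe" -> cacls.exe, icacls.exe, xcacls.exe).
    """
    if rule in RULE_ALIASES:
        return list(RULE_ALIASES[rule])
    m = re.search(r"\(([^)]+\.exe)\)", rule)
    if m:
        return [m.group(1).lower()]
    m = re.search(r"(\S+\.exe)$", rule)
    if not m:
        raise ValueError(f"cannot derive a process name from rule: {rule!r}")
    names = m.group(1).lower().split("\\")
    return [n if n.endswith(".exe") else n + ".exe" for n in names]


def reconcile(osarmor_rules, erp_processes):
    """Return (osarmor_rules_to_disable, erp_rules_to_add).

    A rule is disabled on the OSArmor side only if ERP already covers at least
    one process it names; any process in such a rule that ERP does not cover
    is emitted as an ERP rule line so no coverage is lost.
    """
    to_disable, to_add = [], []
    for rule in osarmor_rules:
        procs = rule_processes(rule)
        if not any(p in erp_processes for p in procs):
            continue  # no overlap: keep the OSArmor rule enabled
        to_disable.append(rule)
        to_add.extend(f"[Proc.Name = {p}]" for p in procs if p not in erp_processes)
    return to_disable, to_add


if __name__ == "__main__":
    disable, add = reconcile(OSARMOR_RULES, ERP_VULNERABLE_PROCESSES)
    print("Disable in NVTOSA:")
    for r in disable:
        print("  -", r)
    print("Add to the NVTERP vulnerable process list:")
    for line in add:
        print("  ", line)
```

With the constructed inputs the script lists 24 OSArmor rules to disable, leaves the example-tool.exe rule alone, and prints exactly the two ERP rules from the post, `[Proc.Name = xcacls.exe]` and `[Proc.Name = robocopy.exe]`. The same check can be re-run after either product updates its rule set to see whether the overlap has changed.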
  2. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    674
    Thanks for this, but why not use one or the other and not both?
     
  3. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,558
    Location:
    North Carolina, USA
    Hello @Charyb,

    Basically, it is my personal preference to use both of these apps together. In my humble opinion, both apps differ in both what they do and how they do it, and they complement each other well. The best way, of course, to realize the differences is to try both apps for yourself and read through their respective threads here on the forums (New Antiexecutable: NoVirusThanks EXE Radar Pro and NoVirusThanks OSArmor: An Additional Layer of Defense). Their respective webpages also give a brief description as to what they both do.
    EXE Radar Pro
    OSArmor
    NVTERP is a pure anti-executable with very granular control aimed at a more advanced user.
NVTOSA is not a true anti-executable in the same sense as NVTERP but does bring much more to the table. If you try NVTOSA, just look at the options available in the configurator. NVTOSA is aimed at a more casual user as it is primarily a set-it-and-forget type of app. If you do run the two together, my setup helps to keep NVTOSA set-and-forget, and I do not have to duplicate rules between the two apps.

While it is my personal opinion that the two apps do different things, they do have some areas of overlap. The main area of overlap is the vulnerable process list in NVTERP. By disabling the rules in NVTOSA that correspond to the vulnerable process list, NVTOSA runs with very few prompts even with all of the other options in the configurator enabled. It is probably true that if you use NVTERP, you probably do not need NVTOSA. I like having NVTOSA covering NVTERP's back (so to speak) for two reasons. The first is that it adds additional levels of protection that NVTERP does not directly cover, and the second is that if for some reason I create a bad rule in NVTERP, there is a good chance that NVTOSA will catch it.

Running both together is a personal choice for me. Is it necessary? Well, for me at least, I see benefits from doing so, but of course others may or may not agree with me and just prefer one or the other. Hence the part of the title - "My Setup" - as it is my personal preference and others are entitled to make their own choices.
     