Parsh

Level 25
Verified
Trusted
Malware Hunter
Yes. I have had those rules with OSArmor by the side.
However if you've disabled process execution from the wscripts and cscripts and disabled script execution itself, there's no need for these rules. You might not have the ntvdm.exe in your system. It's an old component that allows 16-bit applications on 32-bit Windows, as well as the execution of 16-bit and 32-bit DOS applications. You can disable execution of 16-bit NTVDM processes in OSArmor.

And if the script interpreters are executed from non-standard locations, OSArmor blocks them under "Suspicious Processes".
Still if you wish to set those HIPS rules, 'block a process' in either app only.
ESET's list is quite small and standard though. For RW protection, you can also refer to their FW recommendations if you haven't tried yet. SysHardener also has a good general list of processes to block in FW.

W.r.t. learning mode, make sure to not indulge into any risky or suspicious activity for the time being. And do it on a system you consider clean.
 

fabiobr

Level 9
Verified
Yes. I have had those rules with OSArmor by the side.
However if you've disabled process execution from the wscripts and cscripts and disabled script execution itself, there's no need for these rules. You might not have the ntvdm.exe in your system. It's an old component that allows 16-bit applications on 32-bit Windows, as well as the execution of 16-bit and 32-bit DOS applications. You can disable execution of 16-bit NTVDM processes in OSArmor.

And if the script interpreters are executed from non-standard locations, OSArmor blocks them under "Suspicious Processes".
Still if you wish to set those HIPS rules, 'block a process' in either app only.
ESET's list is quite small and standard though. For RW protection, you can also refer to their FW recommendations if you haven't tried yet. SysHardener also has a good general list of processes to block in FW.

W.r.t. learning mode, make sure to not indulge into any risky or suspicious activity for the time being. And do it on a system you consider clean.
I'm letting OSarmor by default since I installed it, it blocks by default process execution from the wscripts and cscripts and disabled script execution?

And yes, clean Windows installation.
 

Parsh

Level 25
Verified
Trusted
Malware Hunter
I'm letting OSarmor by default since I installed it, it blocks by default process execution from the wscripts and cscripts and disabled script execution?
You can check the OSA configurator (main protections). Most common script formats are blocked by default. Some other (unrelated) script formats are not blocked (advanced settings) as some of them might create lots of FPs.
EDIT: One can block execution of these 2 interpreters in Advanced settings, this is disabled by default though. However any processes executed from them are blocked by default.

What you can do, keep the rest as it is and disable "block any processes executed from wscript/cscript" in OSA.
Then block the two of them (from System32 & SysWOW64) in ESET HIPS.
 
Last edited:

fabiobr

Level 9
Verified
You can check the OSA configurator (main protections). Most common script formats are blocked by default. Some other (unrelated) script formats are not blocked (advanced settings) as some of them might create lots of FPs.
As I can see, there are no rules to directly block execution of these 2 interpreters (one can create custom rules though if required). However any processes executed from them are blocked by default.

What you can do, keep the rest as it is and disable "block any processes executed from wscript/cscript" in OSA.
Then block the two of them (from System32 & SysWOW64) in ESET HIPS.
Thanks! A lot helpful :)
 
Top