- May 7, 2016
Can't import VulnerableProcesses_Rules.csv after a clean install of NoVirusThanks' new v4.0 (pre-release) test3.
Only XML files option is available.
Can't import VulnerableProcesses_Rules.csv after a clean install of NoVirusThanks' new v4.0 (pre-release) test3.
Only XML files option is available.
Copy and paste the text below into Notepad (or similar) and save it with the name Rules.xml. Then import it into ERP 4.
<category>Vulnerable Processes</category> <action>Ask</action> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Ask</action> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Ask</action> <expression>[Proc.Name = powershell.exe] [Proc.Path = C:\Windows\System32\WindowsPowerShell\v1.0] [Action = Ask]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Ask</action> <expression>[Proc.Name = powershell.exe] [Proc.Path = C:\Windows\SysWOW64\WindowsPowerShell\v1.0] [Action = Ask]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Ask</action> <expression>[Proc.Name = rundll32.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Ask</action> <expression>[Proc.Name = rundll32.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Ask</action> <expression>[Proc.Name = regsvr32.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Ask</action> <expression>[Proc.Name = regsvr32.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Ask</action> <expression>[Proc.Name = at.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Ask</action> <expression>[Proc.Name = at.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = vssadmin.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = vssadmin.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = mshta.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = mshta.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = reg.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = reg.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = regini.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = regini.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = takeown.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = takeown.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = cacls.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = cacls.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = icacls.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = icacls.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Ask</action> <expression>[Proc.Name = schtasks.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Ask</action> <expression>[Proc.Name = schtasks.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Ask</action> <expression>[Proc.Name = wscript.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Ask</action> <expression>[Proc.Name = cscript.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = wbadmin.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Ask</action> <expression>[Proc.Name = wscript.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Ask</action> <expression>[Proc.Name = cscript.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = wevtutil.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</expression> <enabled>1</enabled>
<category>Vulnerable Processes</category> <action>Deny</action> <expression>[Proc.Name = wevtutil.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</expression> <enabled>1</enabled>
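As an added example (not part of the post above and not ERP's own code), a small Python checker for the rule syntax used in that list: it parses each [Proc.Name = ...] [Proc.Path = ...] [Action = ...] expression, flags rules whose <action> element disagrees with the [Action = ...] clause, and looks up the action for a given process name and directory. The embedded rules are a constructed subset of the posted list, plus one deliberately inconsistent entry so the lint has something to report.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed subset of the posted rules: (<action> element, <expression> text).
# The last entry is deliberately inconsistent and is NOT in the posted list.
RULE_LINES: List[Tuple[str, str]] = [
    ("Ask",  "[Proc.Name = cmd.exe] [Proc.Path = C:\\Windows\\System32] [Action = Ask]"),
    ("Ask",  "[Proc.Name = cmd.exe] [Proc.Path = C:\\Windows\\SysWOW64] [Action = Ask]"),
    ("Deny", "[Proc.Name = vssadmin.exe] [Proc.Path = C:\\Windows\\System32] [Action = Deny]"),
    ("Ask",  "[Proc.Name = wscript.exe] [Proc.Path = C:\\Windows\\System32] [Action = Deny]"),
]

# One "[Key = Value]" clause; values may contain spaces and backslashes but not ']'.
CLAUSE_RE = re.compile(r"\[\s*([A-Za-z.]+)\s*=\s*([^\]]*?)\s*\]")


def parse_expression(expr: str) -> Dict[str, str]:
    """'[Proc.Name = x] [Proc.Path = y] [Action = z]' -> {'Proc.Name': 'x', ...}."""
    return dict(CLAUSE_RE.findall(expr))


def lint_rules(rule_lines=RULE_LINES) -> List[str]:
    """Report rules whose <action> element disagrees with the [Action = ...] clause."""
    problems = []
    for action, expr in rule_lines:
        fields = parse_expression(expr)
        if fields.get("Action") != action:
            problems.append(
                f"{fields.get('Proc.Name')}: <action>{action} vs [Action = {fields.get('Action')}]"
            )
    return problems


def evaluate(proc_name: str, proc_dir: str, rule_lines=RULE_LINES) -> Optional[str]:
    """Return the <action> of the first rule matching this process, or None.

    Windows names and paths are case-insensitive, so both sides are normalised
    with ntpath.normcase (lowercases, unifies separators; works on any host OS).
    """
    name, directory = ntpath.normcase(proc_name), ntpath.normcase(proc_dir)
    for action, expr in rule_lines:
        f = parse_expression(expr)
        if ntpath.normcase(f["Proc.Name"]) == name and ntpath.normcase(f["Proc.Path"]) == directory:
            return action
    return None
```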
Sign into account A, switch to account B, sign out of B, and it's BSOD.
I think you didn't follow.
@AMD1
The Trusted Vendors list cannot be edited for now, but we plan to allow it soon.
It has 150+ well-known software vendors (signers) on the list.
@BoraMurdar
The option "Allow All Software from Program Files Folder" should only auto-allow programs located on:
C:\Program Files\*
C:\Program Files (x86)\*
The option "Allow System Files" should auto-allow C:\WINDOWS\Explorer.exe and other system processes.
I'll add an internal rule to auto-allow C:\WINDOWS\Explorer.exe when the PC is booted (safe way).
@BoraMurdar portable version of CPU-Z?
Yes, portable edition. It happens also with other tools.
@BoraMurdar I tried it too, I don't even have alerts unless I untick "allow processes signed by trusted vendors".
Allow processes signed by Trusted Vendors is ticked + Allow all soft from Program Files folder is ticked = you don't get any alert when running an app for which the rule doesn't exist and the app's location is outside the Program Files folder.
Allow processes signed by Trusted Vendors is ticked + Allow all soft from Program Files folder is ticked = you don't get any alert when running an app for which the rule doesn't exist and the app's location is outside the Program Files folder.
Exact, no alerts. Same even in Lockdown Mode.
And when the Allow processes signed by trusted vendors is unticked, then you are getting an alert under the same circumstances?
Yes.
Looks like your issue is that ERPv4 identifies cpuz_x32.exe as if it were executed from the Program Files folder, but instead it is executed from the Desktop folder, correct?
And it is allowed because the "Allow All Software from Program Files folder" is checked.
I cannot reproduce this behavior, ERP4 works exactly as advertised on my Win 10 Pro x64 PC with this setting ticked. Tested with the same program (CPU-Z running from Desktop under an Admin account) as @BoraMurdar.
@BoraMurdar
I can't reproduce this strange behavior on W10 with Admin account, will test later on a W10 with LUA account.
Anyone can reproduce this behavior:
Program Files folder is not correctly identified by ERPv4 when "Allow All Software from Program Files folder" is checked, and executables from other locations are executed with Action = Allow/Program Files (on Events tab).
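The behavior reported here is a folder-prefix check going wrong: an executable outside Program Files is treated as if it were inside. As an added example (not ERP's code and not from this thread), the following Python shows how such a check is done correctly against the two folders the developer named earlier, using canonical, case-insensitive path comparison with a directory boundary; the sample paths and the "Alert" outcome string are constructed, while "Allow/Program Files" is the Events tab label quoted above.

```python
import ntpath
from typing import Dict

# Folders the developer says the option should auto-allow (from the post above).
PROGRAM_FILES_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)")


def _normalise(path: str) -> str:
    # ntpath is usable on any host OS: collapses '.' and '..', unifies separators
    # to backslash and lowercases, so comparison is by canonical Windows path.
    return ntpath.normcase(ntpath.normpath(path))


def is_under_program_files(exe_path: str, roots=PROGRAM_FILES_ROOTS) -> bool:
    """True only if the executable really lives inside one of the roots.

    The trailing backslash appended to each root enforces a directory boundary,
    so a sibling folder whose name merely starts with 'Program Files' does not
    count, and a non-canonical spelling of a Desktop path is normalised first.
    """
    canonical = _normalise(exe_path)
    return any(canonical.startswith(_normalise(root) + "\\") for root in roots)


def decide(exe_path: str, allow_program_files: bool = True) -> str:
    """Outcome for this option alone (the rule set is not consulted here)."""
    if allow_program_files and is_under_program_files(exe_path):
        return "Allow/Program Files"   # label shown on the Events tab
    return "Alert"                     # constructed label: hand over to rules/Ask


# Constructed sample paths; only the first two lie inside Program Files.
SAMPLE_PATHS = (
    r"C:\Program Files (x86)\CPUID\cpuz_x32.exe",
    r"c:/program files/7-Zip/7z.exe",
    r"C:\Users\Bora\Desktop\cpuz_x32.exe",
    r"C:\Program FilesX\tool.exe",
    r"C:\Program Files\..\Users\Bora\Desktop\cpuz_x32.exe",
)


def run_samples() -> Dict[str, str]:
    """Map each sample path to the decision the option should produce."""
    return {p: decide(p) for p in SAMPLE_PATHS}
```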