Have AppGuard and NVT ERP -- need AV?


Duotone

Great explanations made by @hjlbx and @FleischmannTV...

Going to keep NVT ERP Alert mode (Beta) in my setup. Just realized yesterday it can detect invalid certificates even when VT/Zemana didn't detect any sign of tampering.

> AppGuard doesn't protect against browser hijacks - but fixing that is easy enough. In most cases, just run CCleaner. If that doesn't fix it, then it simply requires a manual inspection of C:\Users\User\* - and perhaps C:\Program Data.
>
> Protecting against browser hijacks is the only benefit I personally can see an advantage to using Sandboxie. Otherwise, Sandboxie eventually always turns out to be a real annoyance when browser or OS updates mess with it - sometimes badly. I'm not saying Sandboxie is not worthwhile - because it certainly is worthwhile. I do like Sandboxie, but for me personally, I have no need of it - at least not based upon my computing habits.

True, the OS or browser sometimes do mess up Sandboxie. I can go without SBIE, but I like a clean browser, and if an exploit is blocked it's only a matter of deleting the sandbox. Same goes for malware coming from other drives (USB).
 
Deleted member 178

No need for an AV with ERP + AppGuard, for the reasons @hjlbx and @FleischmannTV gave. I have one (which is Windows Defender) because I'm on Win10; if I was on Win7 I wouldn't even think of adding one.

ERP + AppGuard, properly configured, are extremely hard to bypass; and if on top you have HMPA and Sandboxie as I do, only you yourself can infect your system.
 
Reactions: Handsome Recluse

shmu26

Thread author
> NVT ERP can be bypassed by abusing .NET Framework and other vulnerable, but white-listed Windows processes. This can be greatly mitigated by adding those processes to the NVT ERP Vulnerable Process list. It's very simple to do...

Could you suggest a list of processes that should be added to Vulnerable in NVT ERP?
That sounds like a good tweak.
Windows 10 x64
 

Azure

> Could you suggest a list of processes that should be added to Vulnerable in NVT ERP?
> That sounds like a good tweak.
> Windows 10 x64

Here's a list that @hjlbx posted some time ago.
Vulnerable Processes

My suggestion would be to find out what each of those processes does before adding them, and if you do, add them one at a time, making sure your computer works okay.
Though I'm sure @Umbra will give you a far better suggestion than me, so you should listen to him.
 

jamescv7

No need for AV.

That is the concept of policy-based Anti-Exe, where all you need is a well-trained eye for analysis. Rules will be the basis for effective protection against possible intrusion.

The technicalities of the program were already mentioned by our highly knowledgeable members, so it's up to you if you are planning to remove the AV due to obsolete techniques.
 

Davidov

ERP: I tried but so far found no bypass. Probably the dream never encounter in everyday life.
 

shmu26

Thread author
> Your setup is already complete overkill as it is. AppGuard alone would be enough.

I am now revisiting AppGuard, this time with a little more understanding. Indeed, I now see that AppGuard alone is capable of doing the job, although adding NVT ERP does give you a more convenient way to monitor vulnerable processes.
HitmanPro.Alert and Sandboxie are not needed, in my opinion.
A simple AV like Windows Defender is a good safety net.
 

boredog

Actually, Windows Defender, Shadow Defender and AppGuard are all anyone needs. Although, as Cruelsister points out, a good anti-keylogger is a good idea if using Shadow Defender only.
 

HarborFront

> I am now revisiting AppGuard, this time with a little more understanding. Indeed, I now see that AppGuard alone is capable of doing the job, although adding NVT ERP does give you a more convenient way to monitor vulnerable processes.
> HitmanPro.Alert and Sandboxie are not needed, in my opinion.
> A simple AV like Windows Defender is a good safety net.

An AV can do things like detecting and blocking a malicious file during download, or scanning it immediately after the file has been downloaded.

This is something that AppGuard and NVT ERP cannot do.

Consider the AV as a first line of defense.
 
Reactions: shmu26 and Trooper
509322

> I now see that AppGuard alone is capable of doing the job, although adding NVT ERP does give you a more convenient way to monitor vulnerable processes.

It is not so much a difference in protection as it is a difference in what the user wants. Some users want to disable stuff and have it blocked by default and the soft generate an alert. Others want silent blocking. Those options are available in both AppGuard and anti-executables. Such users already understand that something blocked is not something permanently broken - and are completely comfortable with it. They don't have nagging doubts that something blocked is damaging their system in some unknown, unwanted, damaging way.

There are those that desire the information feedback of an alert. Actually, AppGuard does give alerts and the user can tailor them. Anti-execs do the same.

Still others want the ability to regulate execution of certain processes. Those guys are rare as few people knowingly use vulnerable processes on any kind of regular basis.

So it all comes down to what the user wants. Silent blocking, blocking with alerts, use of alerts to control certain processes, etc.
 

shmu26

Thread author
> I would keep Sandboxie, for browsing.

Now you have me intrigued. After memory protection and vulnerable process protection is in place, what credible threat to the browser is left?
 
Reactions: HarborFront

HarborFront

> Now you have me intrigued. After memory protection and vulnerable process protection is in place, what credible threat to the browser is left?

Presuming you do NOT want an AV, which forms the first line of defense, then the next line of defense will be offering protection when the malicious file is being accessed or loaded into memory.

Is it a good move to do away with the AV? I mean, protecting during in-process and outgoing? If we take a process, it'll be like this:

INCOMING ==> IN-PROCESS ==> OUTGOING

So, you let the malicious file come in, but you block it when accessed and/or kill it in-process (in memory), and block it from calling home.

Would this be good enough for a system protection setup? I suppose having Shadow Defender (SD) would be best in case in-process protection fails.
 
Reactions: shmu26

shmu26

Thread author
> Presuming you do NOT want an AV, which forms the first line of defense, then the next line of defense will be offering protection when the malicious file is being accessed or loaded into memory.
>
> Is it a good move to do away with the AV? I mean, protecting during in-process and outgoing? If we take a process, it'll be like this:
>
> INCOMING ==> IN-PROCESS ==> OUTGOING
>
> So, you let the malicious file come in, but you block it when accessed and/or kill it in-process (in memory), and block it from calling home.
>
> Would this be good enough for a system protection setup? I suppose having Shadow Defender (SD) would be best in case in-process protection fails.

Does this relate to sandboxing the browser, or is it a different point?
 

Peter2150

> Now you have me intrigued. After memory protection and vulnerable process protection is in place, what credible threat to the browser is left?

Two things.

1. It's another layer, and
2. Sbie does one thing none of the others do: it cleans up the junk left on your system. I am sometimes amazed at how much there is.
 
Reactions: shmu26