NoVirusThanks EXE Radar Pro turns Freeware

shmu26 · Dec 7, 2016

Davidov said:
I have done everything according to your settings but unfortunately one malware can be written to disk.No malware is active but still managed to enroll.Can you advise me what settings do in novirustnx that this malware can not be written to disk thanks.Alternatively I could send a sample pm:
It is in fact my only defense.

vulnerable process standart
novirustnx

https://www.hybrid-analysis.com/sam...9b1f72e815e05337ba6c35ac298?environmentId=100

Hi, I can't analyse this in-depth, maybe @Umbra can handle it?

But I can tell you in a general way that NVT ERP does not block all types of executable files. It primarily blocks exe files, and in addition, the default vulnerable processes list will produce prompts whenever a script interpreter is invoked, unless you specifically whitelisted that particular command-line. So you are covered for the scripts, too.

But it will not block the rarer executable file types by default. For instance, HTA files are not blocked or prompted.
The tweak for this is to add the corresponding process to the vulnerable processes list.
For instance, in order to get a prompt everytime a HTA wants to execute, you would add MSHTA.exe to the VPL. You need to add it both in system32 and in syswow64.

I hope someone else can analyse what went wrong here.

Davidov · Dec 7, 2016

shmu26 said:
Hi, I can't analyse this in-depth, maybe @Umbra can handle it?

But I can tell you in a general way that NVT ERP does not block all types of executable files. It primarily blocks exe files, and in addition, the default vulnerable processes list will produce prompts whenever a script interpreter is invoked, unless you specifically whitelisted that particular command-line. So you are covered for the scripts, too.

But it will not block the rarer executable file types by default. For instance, HTA files are not blocked or prompted.
The tweak for this is to add the corresponding process to the vulnerable processes list.
For instance, in order to get a prompt everytime a HTA wants to execute, you would add MSHTA.exe to the VPL. You need to add it both in system32 and in syswow64.

I hope someone else can analyse what went wrong here.

Can you give me a screenshot to add Mshta.exe thanks to the VPL TNX.maybe voodooshield would be a better choice do not you think?

shmu26 · Dec 7, 2016

Davidov said:
Can you give me a screenshot to add Mshta.exe thanks to the VPL TNX.maybe voodooshield would be a better choice do not you think?

here is screenshot for mshta. Look at end of list, not at the process that I accidentally highlighted.
About VS: try it, see if you like it.
NVT ERP is more tweakable and you can achieve a higher level of control over your system. Also, it is easier to understand how it works and what it does.
VS is harder to understand. I have asked the dev a number of questions about how his product works, and I usually get a vague answer or no answer at all. But I can't knock it, it is a good product, and anyways, I like Dan!

.

Davidov · Dec 7, 2016

shmu26 said:
here is screenshot for mshta. Look at end of list, not at the process that I accidentally highlighted.
About VS: try it, see if you like it.
NVT ERP is more tweakable and you can achieve a higher level of control over your system. Also, it is easier to understand how it works and what it does.
VS is harder to understand. I have asked the dev a number of questions about how his product works, and I usually get a vague answer or no answer at all. But I can't knock it, it is a good productView attachment 126074 .

Thank you for the screenshot mam rad free products or lifetime licenses Thank you again for the quick reply.
We'll see what Umbro has also to be expressed.

shmu26 · Dec 7, 2016

Davidov said:
Thank you for the screenshot mam rad free products or lifetime licenses Thank you again for the quick reply.

sorry, I did not understand what you meant by "mam rad"
VS is free, but if you want to tweak it at all, you need the paid edition
NVT ERP free beta will probably stay exactly what it is, forever. Because the dev hasn't been working on it for a really long time. Fortunately for us, it still works, we just have to refresh the vulnerable processes list after a major windows update (because it identifies these processes by their hash value.)

about the test you did, where NVT ERP didn't block everything:
this is just an idea, but maybe the malware had a digital signature that is on your trusted vendors list?

509322 · Dec 7, 2016

Just because a new directory has been created does not mean the system has been compromised.

Anyhow...

Java.exe and Javaw.exe have not been added to the Vulnerable Process list.

Javaws.exe executes and creates the directory you see in the video:

javaw.exe -jar %USERPROFILE%\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU (PID: 3968)

2016-12-06 14:56:45,136 NtCreateFile ShareAccess: 3
FileName: C:\Documents and Settings\User\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU
DesiredAccess: 0x80100080
CreateDisposition: 1
FileHandle: 0x00000784
success 0x00000000

RED = Whitelisted = Allowed according the settings shown in the video

Analysed 27 processes in total (System Resource Monitor).

javaw.exe -jar "C:\OUR_RFQ_00132432_DR.jar" (PID: 3536)
- cmd.exe /C cscript.exe %TEMP%\Retrive1058460326490019966.vbs (PID: 3428)
  - cscript.exe %TEMP%\Retrive1058460326490019966.vbs (PID: 3868)
- cmd.exe /C cscript.exe %TEMP%\Retrive1149615568008974626.vbs (PID: 2460)
  - cscript.exe %TEMP%\Retrive1149615568008974626.vbs (PID: 2524)
- xcopy.exe xcopy "%PROGRAMFILES%\Java\jre1.8.0_25" "%APPDATA%\Oracle\" /e (PID: 2736)
- cmd.exe (PID: 3584)
- reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v oQVctnZIiYT /t REG_EXPAND_SZ /d "\"%APPDATA%\Oracle\bin\javaw.exe\" -jar \"%USERPROFILE%\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU\"" /f (PID: 3944)
- attrib.exe attrib +h "%USERPROFILE%\ciqrTxXDYEf\*.*" (PID: 3980)
- attrib.exe attrib +h "%USERPROFILE%\ciqrTxXDYEf" (PID: 3964)
- javaw.exe -jar %USERPROFILE%\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU (PID: 3968)
  - cmd.exe /C cscript.exe %TEMP%\Retrive3984093991566103404.vbs (PID: 4016)
    - cscript.exe %TEMP%\Retrive3984093991566103404.vbs (PID: 3996)
  - cmd.exe /C cscript.exe %TEMP%\Retrive7448424145153749442.vbs (PID: 600)
    - cscript.exe %TEMP%\Retrive7448424145153749442.vbs (PID: 1180)
  - cmd.exe (PID: 2504)
  - WMIC.exe WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List (PID: 3532)
  - cmd.exe (PID: 1684)
    - reg.exe reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" (PID: 3456)
  - cmd.exe (PID: 3212)
    - reg.exe reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" (PID: 2172)
  - cmd.exe (PID: 2508)
    - reg.exe reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" (PID: 2088)
  - cmd.exe (PID: 3156)
    - reg.exe reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" (PID: 3016)
  - cmd.exe (PID: 2608)
    - reg.exe reg query "HKEY_CURRENT_USER\Software\HeidiSQL\Servers" (PID: 2640)

shmu26 · Dec 7, 2016

Jeff_T - Testing Group said:
Just because a new directory has been created does not mean the system has been compromised.

Anyhow...

Java.exe and Javaw.exe have not been added to the Vulnerable Process list.

Javaws.exe executes and creates the directory you see in the video:

javaw.exe -jar %USERPROFILE%\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU (PID: 3968)

2016-12-06 14:56:45,136 NtCreateFile ShareAccess: 3
FileName: C:\Documents and Settings\User\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU
DesiredAccess: 0x80100080
CreateDisposition: 1
FileHandle: 0x00000784
success 0x00000000

RED = Whitelisted = Allowed according the settings shown in the video

Analysed 27 processes in total (System Resource Monitor).

javaw.exe -jar "C:\OUR_RFQ_00132432_DR.jar" (PID: 3536)

cmd.exe /C cscript.exe %TEMP%\Retrive1058460326490019966.vbs (PID: 3428)

cscript.exe %TEMP%\Retrive1058460326490019966.vbs (PID: 3868)

cmd.exe /C cscript.exe %TEMP%\Retrive1149615568008974626.vbs (PID: 2460)

cscript.exe %TEMP%\Retrive1149615568008974626.vbs (PID: 2524)

xcopy.exe xcopy "%PROGRAMFILES%\Java\jre1.8.0_25" "%APPDATA%\Oracle\" /e (PID: 2736)

cmd.exe (PID: 3584)

reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v oQVctnZIiYT /t REG_EXPAND_SZ /d "\"%APPDATA%\Oracle\bin\javaw.exe\" -jar \"%USERPROFILE%\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU\"" /f (PID: 3944)

attrib.exe attrib +h "%USERPROFILE%\ciqrTxXDYEf\*.*" (PID: 3980)

attrib.exe attrib +h "%USERPROFILE%\ciqrTxXDYEf" (PID: 3964)

javaw.exe -jar %USERPROFILE%\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU (PID: 3968)

cmd.exe /C cscript.exe %TEMP%\Retrive3984093991566103404.vbs (PID: 4016)

cscript.exe %TEMP%\Retrive3984093991566103404.vbs (PID: 3996)

cmd.exe /C cscript.exe %TEMP%\Retrive7448424145153749442.vbs (PID: 600)

cscript.exe %TEMP%\Retrive7448424145153749442.vbs (PID: 1180)

cmd.exe (PID: 2504)

WMIC.exe WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List (PID: 3532)

cmd.exe (PID: 1684)

reg.exe reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" (PID: 3456)

cmd.exe (PID: 3212)

reg.exe reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" (PID: 2172)

cmd.exe (PID: 2508)

reg.exe reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" (PID: 2088)

cmd.exe (PID: 3156)

reg.exe reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" (PID: 3016)

cmd.exe (PID: 2608)

reg.exe reg query "HKEY_CURRENT_USER\Software\HeidiSQL\Servers" (PID: 2640)

thanks for the awesome analysis!

Davidov · Dec 7, 2016

shmu26 said:
sorry, I did not understand what you meant by "mam rad"
VS is free, but if you want to tweak it at all, you need the paid edition
NVT ERP free beta will probably stay exactly what it is, forever. Because the dev hasn't been working on it for a really long time. Fortunately for us, it still works, we just have to refresh the vulnerable processes list after a major windows update (because it identifies these processes by their hash value.)

about the test you did, where NVT ERP didn't block everything:
this is just an idea, but maybe the malware had a digital signature that is on your trusted vendors list?

"mam rad" = I like. sory of not translated.. if it were signed malware probably would not show up novirustnx "blocked" it is my opinion.

Davidov · Dec 7, 2016

Jeff_T - Testing Group said:
Just because a new directory has been created does not mean the system has been compromised.

Anyhow...

Java.exe and Javaw.exe have not been added to the Vulnerable Process list.

Javaws.exe executes and creates the directory you see in the video:

javaw.exe -jar %USERPROFILE%\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU (PID: 3968)

2016-12-06 14:56:45,136 NtCreateFile ShareAccess: 3
FileName: C:\Documents and Settings\User\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU
DesiredAccess: 0x80100080
CreateDisposition: 1
FileHandle: 0x00000784
success 0x00000000

RED = Whitelisted = Allowed according the settings shown in the video

Analysed 27 processes in total (System Resource Monitor).

javaw.exe -jar "C:\OUR_RFQ_00132432_DR.jar" (PID: 3536)

cmd.exe /C cscript.exe %TEMP%\Retrive1058460326490019966.vbs (PID: 3428)

cscript.exe %TEMP%\Retrive1058460326490019966.vbs (PID: 3868)

cmd.exe /C cscript.exe %TEMP%\Retrive1149615568008974626.vbs (PID: 2460)

cscript.exe %TEMP%\Retrive1149615568008974626.vbs (PID: 2524)

xcopy.exe xcopy "%PROGRAMFILES%\Java\jre1.8.0_25" "%APPDATA%\Oracle\" /e (PID: 2736)

cmd.exe (PID: 3584)

reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v oQVctnZIiYT /t REG_EXPAND_SZ /d "\"%APPDATA%\Oracle\bin\javaw.exe\" -jar \"%USERPROFILE%\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU\"" /f (PID: 3944)

attrib.exe attrib +h "%USERPROFILE%\ciqrTxXDYEf\*.*" (PID: 3980)

attrib.exe attrib +h "%USERPROFILE%\ciqrTxXDYEf" (PID: 3964)

javaw.exe -jar %USERPROFILE%\ciqrTxXDYEf\ibpsQYZrydg.LMyhXU (PID: 3968)

cmd.exe /C cscript.exe %TEMP%\Retrive3984093991566103404.vbs (PID: 4016)

cscript.exe %TEMP%\Retrive3984093991566103404.vbs (PID: 3996)

cmd.exe /C cscript.exe %TEMP%\Retrive7448424145153749442.vbs (PID: 600)

cscript.exe %TEMP%\Retrive7448424145153749442.vbs (PID: 1180)

cmd.exe (PID: 2504)

WMIC.exe WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List (PID: 3532)

cmd.exe (PID: 1684)

reg.exe reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" (PID: 3456)

cmd.exe (PID: 3212)

reg.exe reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" (PID: 2172)

cmd.exe (PID: 2508)

reg.exe reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" (PID: 2088)

cmd.exe (PID: 3156)

reg.exe reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" (PID: 3016)

cmd.exe (PID: 2608)

reg.exe reg query "HKEY_CURRENT_USER\Software\HeidiSQL\Servers" (PID: 2640)

thanks for analiza. No harmful process was not created just bothered me that malware was able to write to disk. What would you recommend for action? Insert into endangered java process? Will not create too popups?

shmu26 · Dec 7, 2016

Davidov said:
if it were signed malware probably would not show up novirustnx "blocked" it is my opinion.

you are right. It it is signed, and it is on the trusted vendors list (which is enabled by default, although you can modify the list, or even disable it if you wish), then you will get no prompt or message or anything.

shmu26 · Dec 7, 2016

Davidov said:
thanks for analiza. No harmful process was not created just bothered me that malware was able to write to disk. What would you recommend for action? Insert into endangered java process? Will not create too popups?

I don't have java installed on my computer, so I don't know if it will create a lot of pop-ups with your usage. But usually, you can solve that problem by editing the whitelisted command-line with wildcards.
Typically, this means replacing variables and random character strings with *. If you understand command lines and wildcards, you can create do more complex editing.

for instance, I had a commandline string like this:
"C:\Program Files (x86)\Zipware\Zipware.exe" "from-contextmenu-C:\ProgramData\Zipware\Working\SelectedItems-2016120612030774.txt"

after editing, it is like this:
"C:\Program Files (x86)\Zipware\Zipware.exe" "from-contextmenu-C:\ProgramData\Zipware\Working\SelectedItems-*.txt"

Davidov · Dec 7, 2016

I can write me somewhere along the way I might in Java to process vulnerable thank you very much.

I do not know if this is correct.

C:\ProgramData\Oracle\Java\javapath\javaw.exe

C:\ProgramData\Oracle\Java\javapath\javaws.exe

shmu26 · Dec 8, 2016

Davidov said:
I can write me somewhere along the way I might in Java to process vulnerable thank you very much.

I do not know if this is correct.

C:\ProgramData\Oracle\Java\javapath\javaw.exe

C:\ProgramData\Oracle\Java\javapath\javaws.exe

it looks right to me, but I don't have java on my computer, so I cannot actually check.
If you were able to find the files at those paths, then they must be right.
The general rule is that windows system files will very often be found in two locations: system32 and syswow64. But program files are not like that. If you found them once, that's it. You got them.

Av Gurus · Dec 8, 2016

Can we make a summery (If I want to prepare NVTERP for Lockdown Mode):

Installation: Recommended or Custom?

If we choose Custom, what settings?

In settings:

"General", what to check/un-check (if we whitelist C:\Program Files, C:\Program Files (x86), C:\Windows, Custom folders)?

"Signed Processes" (for max security)?

"External Devices" check all?

"Lockdown Mode" default or...?

Add to "Vulnerable Processes", something else?
C:\Windows\System32\mshta.exe
C:\Windows\SysWOW64\mshta.exe

Whitelist all .exe in:
C:\Program Files
C:\Program Files (x86)
C:\Windows
Custom folders

Davidov · Dec 8, 2016

Av Gurus said:
Can we make a summery (If I want to prepare NVTERP for Lockdown Mode):

Installation: Recommended or Custom?
View attachment 126270

If we choose Custom, what settings?
View attachment 126271

In settings:

"General", what to check/un-check (if we whitelist C:\Program Files, C:\Program Files (x86), C:\Windows, Custom folders)?
View attachment 126272

"Signed Processes" (for max security)?
View attachment 126273 View attachment 126280

"External Devices" check all?
View attachment 126274

"Lockdown Mode" default or...?
View attachment 126275

Add to "Vulnerable Processes", something else?
C:\Windows\System32\mshta.exe
C:\Windows\SysWOW64\mshta.exe
View attachment 126276

Whitelist all .exe in:
C:\Program Files
C:\Program Files (x86)
C:\Windows
Custom folders
View attachment 126277 View attachment 126278 View attachment 126279

OK to set it according to you tnx

shmu26 · Dec 8, 2016

Av Gurus said:
Can we make a summery (If I want to prepare NVTERP for Lockdown Mode):

Installation: Recommended or Custom?
View attachment 126270

If we choose Custom, what settings?
View attachment 126271

In settings:

"General", what to check/un-check (if we whitelist C:\Program Files, C:\Program Files (x86), C:\Windows, Custom folders)?
View attachment 126272

"Signed Processes" (for max security)?
View attachment 126273 View attachment 126280

"External Devices" check all?
View attachment 126274

"Lockdown Mode" default or...?
View attachment 126275

Add to "Vulnerable Processes", something else?
C:\Windows\System32\mshta.exe
C:\Windows\SysWOW64\mshta.exe
View attachment 126276

Whitelist all .exe in:
C:\Program Files
C:\Program Files (x86)
C:\Windows
Custom folders
View attachment 126277 View attachment 126278 View attachment 126279

if you want lockdown mode, so first make sure your system is absolutely clean, because you are about to whitelist everything you got!

on the applications tab, whitelist the entire contents of your various programs folders, including subfolders.
do the same with Windows folder.

then, untick allow system processes, and untick allow program folder, and put the tick by don't trust signed processes.

you can add whatever you want to the vulnerable processes list. The basics are already there.

I think that should do it.

I did not recognize a lot of your screenshots. We must not be on the same version.

Davidov · Dec 8, 2016

shmu26 said:
if you want lockdown mode, so first make sure your system is absolutely clean, because you are about to whitelist everything you got!

on the applications tab, whitelist the entire contents of your various programs folders, including subfolders.
do the same with Windows folder.

then, untick allow system processes, and untick allow program folder, and put the tick by don't trust signed processes.

you can add whatever you want to the vulnerable processes list. The basics are already there.

I think that should do it.

I did not recognize a lot of your screenshots. We must not be on the same version.

Ok Thanks for your patience and valuable advice.

shmu26 · Dec 8, 2016

Davidov said:
Ok Thanks for your patience and valuable advice.

you are welcome, enjoy!

Av Gurus · Dec 8, 2016

shmu26 said:
if you want lockdown mode, so first make sure your system is absolutely clean, because you are about to whitelist everything you got!

1.untick allow system processes, and untick allow program folder
2.put the tick by don't trust signed processes.

I did not recognize a lot of your screenshots. We must not be on the same version.

1.Like this

2. Like this

Version is 3.1 (24062015)

shmu26 · Dec 8, 2016

@Av Gurus: about mshta, yes, you are right, the place to add it is vulnerable processes.
Anything that you add to that list will produce a prompt, even if you have whitelisted it somewhere else.
The only way to stop prompting for something on the VPL is to whitelist a particular command-line string.

NoVirusThanks EXE Radar Pro turns Freeware

Level 85

Level 10

Level 85

Level 10

Level 85

509322

Level 85

Level 10

Level 10

Level 85

Level 85

Level 10

Level 85

Level 29

Level 10

Level 85

Level 10

Level 85

Level 29

Level 85

Similar threads