For ex. @Av Gurus: about mshta, yes, you are right, the place to add it is vulnerable processes.
Anything that you add to that list will produce a prompt, even if you have whitelisted it somewhere else.
The only way to stop prompting for something on the VPL is to whitelist a particular command-line string.
So, everything that was detected in learning mode will be whitelisted when put in Lockdown Mode?
one last thought: if it was me, before going into lockdown mode, I would put it in learning mode, and do a couple reboots, and sign in and out of all my user accounts. This will whitelist the crucial command lines, and save you headaches.
yes, lockdown mode will respect your whitelist.
for installing new software, you can put it in alert mode if you are interested to see what is happening, or just disable, and whitelist the program after installation.
easiest way to whitelist after install is try to run it, let it get blocked, and then go to the log tab (or whatever they call it, I can't remember), and look for the red line, and right-click it and choose whitelist.
that's exactly right.
correct, ERP is purely an anti-executable. But remember that if the malware cannot execute, then you don't even need to block it in memory.
But I read that ERP is unable to prevent the attack in memory
I don't have dismhost.exe in any of ERP's lists. If triggered or run somehow, then it will alert me and block it as I think dismhost.exe is not used by my system Windows 8.1 x64 ever.
the way to do it is to whitelist it as a command line, and then edit the command line, replacing the string of random characters with an asterisk: *