shmu26

One last thought: if it were me, before going into lockdown mode, I would put it in learning mode, do a couple of reboots, and sign in and out of all my user accounts. This will whitelist the crucial command lines and save you headaches.
I don't think @Umbra would do it this way, though. He is more hard-core than me.

Av Gurus

@Av Gurus: about mshta, yes, you are right, the place to add it is vulnerable processes.
Anything that you add to that list will produce a prompt, even if you have whitelisted it somewhere else.
The only way to stop prompting for something on the VPL is to whitelist a particular command-line string.
For example:

Av Gurus

One last thought: if it were me, before going into lockdown mode, I would put it in learning mode, do a couple of reboots, and sign in and out of all my user accounts. This will whitelist the crucial command lines and save you headaches.
So, everything that was detected in learning mode will be whitelisted when put in Lockdown Mode?
Tips for installing new software (known to be good)... put it in Allow/Learning/Disable Mode?


shmu26

So, everything that was detected in learning mode will be whitelisted when put in Lockdown Mode?
Tips for installing new software (known to be good)... put it in Allow/Learning/Disable Mode?
Yes, lockdown mode will respect your whitelist.

For installing new software, you can put it in alert mode if you are interested in seeing what is happening, or just disable it, and whitelist the program after installation.
The easiest way to whitelist after install is to try to run it, let it get blocked, and then go to the log tab (or whatever they call it, I can't remember), look for the red line, right-click it and choose whitelist.

Av Gurus

Yes, lockdown mode will respect your whitelist.

For installing new software, you can put it in alert mode if you are interested in seeing what is happening, or just disable it, and whitelist the program after installation.
The easiest way to whitelist after install is to try to run it, let it get blocked, and then go to the log tab (or whatever they call it, I can't remember), look for the red line, right-click it and choose whitelist.
Like this:

Davidov

But I read that ERP is unable to prevent attacks in memory; therefore, alongside ERP, AppGuard and VoodooShield, is Malwarebytes Anti-Exploit, HitmanPro.Alert or EMET advised?

shmu26

But I read that ERP is unable to prevent attacks in memory
Correct, ERP is purely an anti-executable. But remember that if the malware cannot execute, then you don't even need to block it in memory.

The exception to this rule is:
1. exploits that run purely in memory
2. DLL attacks.

That is why ERP also has a vulnerable processes list: it prevents these from happening.

So ERP properly configured provides full protection.

But if you want multi-layered protection, then you can add the other software you mentioned.
VS will not add much protection. And MBAE is weak.
HitmanPro.Alert is a great app, as long as it does not cause hardware or software conflicts (which it does a lot).
AppGuard is the ultimate app for hard-core security, but it is expensive, and has a learning curve.
EMET is not great and not terrible. I never used it, personally.

Davidov

I also wanted AppGuard, but the price is too big for me. Otherwise I have also used micto novirustnx, which is also good, but I do not like antivirus.

PS: shmu26, you are also advised to sleep sometimes ;-))

Mr.X

Should I whitelist dismhost.exe?

the way to do it is to whitelist it as a command line, and then edit the command line, replacing the string of random characters with an asterisk: *
I don't have dismhost.exe in any of ERP's lists. If it is triggered or run somehow, ERP will alert me and block it, as I think dismhost.exe is never used by my Windows 8.1 x64 system.

It is used if I run dism.exe on purpose for various tasks such as:
- Cleaning SxS store
- Service a Windows install.wim image
etc.
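The rules this thread describes (a VPL entry prompts unless its command line is whitelisted, the asterisk in place of dismhost.exe's random temp-folder name, learning mode feeding the whitelist that lockdown mode then respects) as a small Python model. This is an added illustration, not ERP's own code: the mode names, the processes placed on the VPL and all paths are assumptions.

```python
import fnmatch
import ntpath

# Constructed model of the ERP rules described in this thread, not ERP's real engine.
# Names on the Vulnerable Processes List (VPL) here are illustrative, not ERP's defaults.
VULNERABLE_PROCESSES = {"mshta.exe", "powershell.exe"}

class ErpModel:
    def __init__(self, mode, cmdline_whitelist=(), path_whitelist=()):
        self.mode = mode                                    # lockdown | alert | learning | disable
        self.cmdline_whitelist = list(cmdline_whitelist)    # command-line patterns, '*' = wildcard
        self.path_whitelist = {p.lower() for p in path_whitelist}

    def _cmdline_whitelisted(self, cmdline):
        # Case-insensitive glob match, so a pattern with the random temp-folder name replaced
        # by '*' covers every run of dismhost.exe, as suggested in the thread.
        return any(fnmatch.fnmatch(cmdline.lower(), p.lower()) for p in self.cmdline_whitelist)

    def decide(self, image_path, cmdline):
        """Return 'allow', 'block' or 'prompt' for one process start."""
        if self.mode == "disable":
            return "allow"
        if self._cmdline_whitelisted(cmdline):
            return "allow"            # the only thing that silences a VPL entry
        if ntpath.basename(image_path).lower() in VULNERABLE_PROCESSES:
            return "prompt"           # VPL entries prompt even when the program path is whitelisted
        if image_path.lower() in self.path_whitelist:
            return "allow"
        if self.mode == "learning":
            self.cmdline_whitelist.append(cmdline)   # learning mode records what it sees
            return "allow"
        return "prompt" if self.mode == "alert" else "block"   # lockdown blocks the rest

def demo():
    """Run the thread's cases through the model; returns the verdicts by name."""
    temp_run = r"C:\Users\u\AppData\Local\Temp\1A2B3C4D-5E6F\dismhost.exe"   # constructed random folder
    svc = r"C:\Windows\System32\svchost.exe -k netsvcs"
    lock = ErpModel("lockdown", [r"C:\Users\u\AppData\Local\Temp\*\dismhost.exe"],
                    [r"C:\Windows\System32\mshta.exe"])
    learn = ErpModel("learning")
    learn.decide(r"C:\Windows\System32\svchost.exe", svc)
    after_learning = ErpModel("lockdown", learn.cmdline_whitelist)   # lockdown respects the whitelist
    return {
        "dismhost_wildcard": lock.decide(temp_run, temp_run),
        "unknown_in_lockdown": lock.decide(r"C:\Users\u\Downloads\setup.exe", r"C:\Users\u\Downloads\setup.exe"),
        "mshta_path_whitelisted": lock.decide(r"C:\Windows\System32\mshta.exe",
                                              r'C:\Windows\System32\mshta.exe "C:\reports\weekly.hta"'),
        "learned_then_lockdown": after_learning.decide(r"C:\Windows\System32\svchost.exe", svc),
    }
```

Calling `demo()` returns `allow` for the wildcarded dismhost.exe run, `block` for the unknown installer, `prompt` for mshta.exe despite its whitelisted path, and `allow` for the svchost.exe command line learned before switching to lockdown.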