NoVirusThanks OSArmor

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
@Telos

Are the alerts related to "Block suspicious processes" gone with build 47?
These disappeared for me with build 46. I'll keep an eye on 47. The majority of alerts I'm getting now are of my own making... such as "unsigned processes on Local AppData".

Installing 47 next...

EDIT1: This got me thinking... maybe I should drop back to the default settings as maybe settings such as "unsigned processes on Local AppData" are keeping the "Block suspicious processes" alerts from happening.
 
Last edited:
  • Like
Reactions: AtlBo

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
I upgraded Calibre launching the downloaded installer from the Firefox Downloads dropdown... I'm pretty sure the popup said "block suspicious processes"... but when I opened the log the trigger read "(Anti-Exploit) Protect Mozilla Firefox". FWIW, here's the log:

Date/Time: 4/2/2018 5:16:31 PM
Process: [5244]C:\WINDOWS\System32\msiexec.exe
Parent: [6656]D:\Program Files\Mozilla Firefox\firefox.exe
Rule: AntiExploitFirefox
Rule Name: (Anti-Exploit) Protect Mozilla Firefox
Command Line: "C:\WINDOWS\System32\msiexec.exe" /i "F:\Downloads\calibre-64bit-3.20.0.msi"
Signer:
Parent Signer: Mozilla Corporation
User/Domain: Telos/Domain
Integrity Level: Medium
 
Last edited:
  • Like
Reactions: AtlBo

bjm_

Level 15
Verified
Top Poster
Well-known
May 17, 2015
714
2612.png2610.png2613.png
@Telos > FWIW ~ I tried to reproduce in Firefox sandbox (calibre-64bit-3.20.0.msi" download from filehorse).
Date/Time: 4/2/2018 7:07:36 PM
Process: [7256]C:\Windows\System32\msiexec.exe
Parent: [7220]C:\Program Files\Mozilla Firefox\firefox.exe
Rule: AntiExploitFirefox
Rule Name: (Anti-Exploit) Protect Mozilla Firefox
Command Line: "C:\WINDOWS\System32\msiexec.exe" /i "C:\Users\bjms\Desktop\calibre-64bit-3.20.0.msi"
Signer:
Parent Signer: Mozilla Corporation
User/Domain: ANONYMOUS LOGON/NT AUTHORITY
Integrity Level: Untrusted
(test47 all rules checked)
 
Last edited:
  • Like
Reactions: codswollip

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
I mentioned this small thing some time ago... After alerting with a pop-up, the alert pop-up remains present in the "Alt-Tab". Window. Here's a screen grab and the only things present are Firefox and the alert pop-up from a few hours ago. Selecting the alert pop-up doesn't do anything and just returns me to ny Desktop. Only a reboot seems to clear its presence from the "Alt-Tab" window.

2018-04-02_19h48_14.png


If you look really hard, you'll also notice that the alert was "Suspicious Process Blocked" even though this was a "(Anti-Exploit) Protect Mozilla Firefox" alert.
 
  • Like
Reactions: AtlBo

Chimaira

Level 4
Verified
Well-known
Jan 5, 2018
163
I mentioned this small thing some time ago... After alerting with a pop-up, the alert pop-up remains present in the "Alt-Tab". Window. Here's a screen grab and the only things present are Firefox and the alert pop-up from a few hours ago. Selecting the alert pop-up doesn't do anything and just returns me to ny Desktop. Only a reboot seems to clear its presence from the "Alt-Tab" window.

View attachment 184634

If you look really hard, you'll also notice that the alert was "Suspicious Process Blocked" even though this was a "(Anti-Exploit) Protect Mozilla Firefox" alert.

This happens to me too but clicking the X button on the Alt-Tab window always clears it for me and it goes away.
 
  • Like
Reactions: AtlBo

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
This happens to me too but clicking the X button on the Alt-Tab window always clears it for me and it goes away.
I'm on Win 8.1 and I have no "x" on Alt-Tab. Still... that shouldn't be the solution. The "ghost" window should not appear in Alt-Tab.
 

Stas

Level 10
Verified
Well-known
Feb 21, 2015
456
FPs with Internet Download Manager

Date/Time: 4/04/2018 10:32:24 PM
Process: [4028]C:\Windows\System32\regsvr32.exe
Parent: [3556]C:\Windows\SysWOW64\regsvr32.exe
Rule: PreventRegsvr32LoadingDLLs
Rule Name: Prevent regsvr32.exe from loading .DLLs
Command Line: /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High

Date/Time: 4/04/2018 10:32:24 PM
Process: [2448]C:\Windows\System32\regsvr32.exe
Parent: [3672]C:\Windows\SysWOW64\regsvr32.exe
Rule: PreventRegsvr32LoadingDLLs
Rule Name: Prevent regsvr32.exe from loading .DLLs
Command Line: /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High

Date/Time: 4/04/2018 10:32:24 PM
Process: [3340]C:\Windows\System32\regsvr32.exe
Parent: [3416]C:\Windows\SysWOW64\regsvr32.exe
Rule: PreventRegsvr32LoadingDLLs
Rule Name: Prevent regsvr32.exe from loading .DLLs
Command Line: /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High

Date/Time: 4/04/2018 10:32:24 PM
Process: [2192]C:\Windows\System32\regsvr32.exe
Parent: [3984]C:\Windows\SysWOW64\regsvr32.exe
Rule: PreventRegsvr32LoadingDLLs
Rule Name: Prevent regsvr32.exe from loading .DLLs
Command Line: /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High
 
  • Like
Reactions: Gandalf_The_Grey
F

ForgottenSeer 58943

FPs with Internet Download Manager

Date/Time: 4/04/2018 10:32:24 PM
Process: [4028]C:\Windows\System32\regsvr32.exe
Parent: [3556]C:\Windows\SysWOW64\regsvr32.exe
Rule: PreventRegsvr32LoadingDLLs
Rule Name: Prevent regsvr32.exe from loading .DLLs
Command Line: /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High

Date/Time: 4/04/2018 10:32:24 PM
Process: [2448]C:\Windows\System32\regsvr32.exe
Parent: [3672]C:\Windows\SysWOW64\regsvr32.exe
Rule: PreventRegsvr32LoadingDLLs
Rule Name: Prevent regsvr32.exe from loading .DLLs
Command Line: /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High

Date/Time: 4/04/2018 10:32:24 PM
Process: [3340]C:\Windows\System32\regsvr32.exe
Parent: [3416]C:\Windows\SysWOW64\regsvr32.exe
Rule: PreventRegsvr32LoadingDLLs
Rule Name: Prevent regsvr32.exe from loading .DLLs
Command Line: /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High

Date/Time: 4/04/2018 10:32:24 PM
Process: [2192]C:\Windows\System32\regsvr32.exe
Parent: [3984]C:\Windows\SysWOW64\regsvr32.exe
Rule: PreventRegsvr32LoadingDLLs
Rule Name: Prevent regsvr32.exe from loading .DLLs
Command Line: /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High

You are probably 1 out of 10 in the entire world still using a download speedup tool in 2018. Back when segmented downloads and acceleration weren't part of browsers I could see.. But now?
 

128BPM

Level 2
Verified
Feb 21, 2018
90
Question:

Are you guys having alerts\FPs with the option "Block suspicious processes" (build 47)?


Unfortunately I still have these messages in 47 :confused:

Date/Time: 30/03/2018 05:33:37 p.m.
Process: [4372]C:\Windows\System32\dllhost.exe
Parent: [760]C:\Windows\System32\svchost.exe
Rule: BlockSuspiciousSvchostBehaviors
Rule Name: Block suspicious Svchost.exe process behaviors
Command Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Signer:
Parent Signer:
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System

Date/Time: 30/03/2018 05:20:50 p.m.
Process: [3400]C:\Windows\System32\dllhost.exe
Parent: [772]C:\Windows\System32\svchost.exe
Rule: BlockSuspiciousSvchostBehaviors
Rule Name: Block suspicious Svchost.exe process behaviors
Command Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a new v1.4 (pre-release) test48:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test48.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed a typo on Exclusions.db and CustomBlock.db
+ New option: Block "ExecutionPolicy Unrestricted" on command-line (PowerShell)
+ Improved Prevent regsvr32.exe from loading .sct files
+ Improved Prevent rundll32.exe from using Control_RunDLL (shell32.dll)
+ Improved Block loading of .inf files via advpack.dll,LaunchINFSection
+ Improved Block "ExecutionPolicy Bypass" on command-line (PowerShell)
+ Improved Block suspicious command-lines
+ Improved Block suspicious Svchost.exe process behaviors
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

@128BPM @Stas @bjm_ @Telos

FPs should be fixed now.
 

Stas

Level 10
Verified
Well-known
Feb 21, 2015
456
You are probably 1 out of 10 in the entire world still using a download speedup tool in 2018. Back when segmented downloads and acceleration weren't part of browsers I could see.. But now?
Download Managers are used by many ppl some use for resume support & acceleration some for grabbing audio & video from sites like youtube, browser will need additional add-ons to do that, I prefer IDM.
 

Stas

Level 10
Verified
Well-known
Feb 21, 2015
456
On test48 can't open explorer test47 was working:eek:

Date/Time: 5/04/2018 10:32:42 PM
Process: [3924]C:\Windows\explorer.exe
Parent: [804]C:\Windows\System32\svchost.exe
Rule: BlockSuspiciousSvchostBehaviors
Rule Name: Block suspicious Svchost.exe process behaviors
Command Line: C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High
 

128BPM

Level 2
Verified
Feb 21, 2018
90
@NoVirusThanks

Thanks, the previous FPs have been fixed but now I have this:

Date/Time: 04/04/2018 11:39:55 a.m.
Process: [3704]C:\Windows\System32\dllhost.exe
Parent: [764]C:\Windows\System32\svchost.exe
Rule: BlockUnknownProcessesOnWindowsFolder
Rule Name: Block unknown processes on Windows folder
Command Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium

Date/Time: 04/04/2018 11:55:39 a.m.
Process: [2340]C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Parent: [2652]C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Rule: BlockProcessesExecutedFromCSC
Rule Name: Block processes executed from C Sharp compiler (csc.exe)
Command Line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\PC\AppData\Local\Temp\RES3C2F.tmp" "c:\Users\PC\AppData\Local\Temp\CSC3C2E.tmp"
Signer: Microsoft Corporation
Parent Signer: Microsoft Corporation
User/Domain: PC/PC
Integrity Level: Medium

Date/Time: 04/04/2018 11:50:20 a.m.
Process: [3944]C:\Windows\System32\control.exe
Parent: [1596]C:\Windows\explorer.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: "C:\Windows\System32\control.exe" "C:\Windows\system32\timedate.cpl",
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium
 
  • Like
Reactions: AtlBo

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Date/Time: 04/04/2018 11:55:39 a.m.
Process: [2340]C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Parent: [2652]C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Rule: BlockProcessesExecutedFromCSC
Rule Name: Block processes executed from C Sharp compiler (csc.exe)
Command Line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\PC\AppData\Local\Temp\RES3C2F.tmp" "c:\Users\PC\AppData\Local\Temp\CSC3C2E.tmp"
Signer: Microsoft Corporation
Parent Signer: Microsoft Corporation
User/Domain: PC/PC
Integrity Level: Medium

@128BPM, do you have the Intel Rapid Storage running on your system? It caused this same issue on two computers here by starting this process chain->starts csc.exe->starts cvtres.exe, leading to the .tmp drop.

Just a note for NVT, I mentioned I think before that this has been noted as a way to pass malware. The dirty work in this case (Intel Rapid Storage) happens out of the range of parent monitoring to the preceding process of the transaction parent. I guess it could happen with malware if it were started, but I don't know if this is an issue or not. However, it does make for a dilemma, since the command line is very generic and whitelisting would basically mean allowing anything to use this means for dropping and starting a .tmp.

BTW, tracked this down using the NVT ERP log :)(y)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top