NoVirusThanks OSArmor

AtlBo

Yes, I think so. You get it over and over, correct? I assume it's coming from the same place as on my systems. The whitelist is not very good for that command line, I'm afraid. The activator of the drop mechanism happens out of the range of monitoring, so it appears to be all Windows based in the command line. However, it's not. I suppose NVT has run across this many times, so maybe he will add a comment or something...:)
 

ForgottenSeer 58943

False positive with the latest version and Sticky Password. I don't use Sticky, but this was forwarded to me by someone else here and I checked; it's an FP. Remember, SP launches a command line when Chrome launches, which triggers this. Adding an exclusion doesn't fix it; in the short term he disabled the rule entirely.

Date/Time: 4/4/2018 6:57:47 PM
Process: [2432]C:\Windows\SysWOW64\cmd.exe
Parent: [7944]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\Sticky Password\spNMHost.exe" chrome-extension://bnfdmghkeppfadphbnkjcicejfepnbfe/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.a2c806cd0a465d0c > \\.\pipe\chrome.nativeMessaging.out.a2c806cd0a465d0c
Signer:
Parent Signer: Google Inc
User/Domain:
Integrity Level: Medium
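The alert above has a very recognisable shape: Chrome starts a native messaging host through cmd.exe with stdin and stdout redirected to a matching pair of chrome.nativeMessaging pipes. The following script is an added example (not OSArmor's own code or logic) that parses an OSArmor alert block and decides whether the blocked command line has that shape, so the alert can be triaged and a narrow exclusion written instead of disabling the rule. The alert text is the one quoted above, embedded as a constructed sample; the verdict strings and field names are this example's own assumptions.

```python
import re

# Constructed sample: the OSArmor alert quoted in the thread, as the tool logs it.
SAMPLE_ALERT = r"""Date/Time: 4/4/2018 6:57:47 PM
Process: [2432]C:\Windows\SysWOW64\cmd.exe
Parent: [7944]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\Sticky Password\spNMHost.exe" chrome-extension://bnfdmghkeppfadphbnkjcicejfepnbfe/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.a2c806cd0a465d0c > \\.\pipe\chrome.nativeMessaging.out.a2c806cd0a465d0c
Signer:
Parent Signer: Google Inc
User/Domain:
Integrity Level: Medium"""

# Chrome runs a native messaging host via cmd.exe /d /c with stdin/stdout
# redirected to an in/out pipe pair; the random suffix of both pipes must match.
NATIVE_HOST_RE = re.compile(
    r'^"?[A-Za-z]:\\[^"]*?cmd\.exe"? /d /c "(?P<host>[^"]+\.exe)" '
    r'chrome-extension://(?P<ext>[a-p]{32})/ --parent-window=\d+ '
    r'< \\\\\.\\pipe\\chrome\.nativeMessaging\.in\.(?P<pipe>[0-9a-f]+) '
    r'> \\\\\.\\pipe\\chrome\.nativeMessaging\.out\.(?P=pipe)$'
)

def parse_alert(text):
    """Parse one 'Key: value' alert block into a dict; empty values are kept."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def split_pid(field):
    """'[2432]C:\\...\\cmd.exe' -> (2432, 'C:\\...\\cmd.exe')."""
    m = re.match(r"\[(\d+)\](.*)", field)
    return (int(m.group(1)), m.group(2)) if m else (None, field)

def triage(text):
    """Return a verdict plus the host path and extension id an exclusion would need."""
    a = parse_alert(text)
    _, proc = split_pid(a.get("Process", ""))
    _, parent = split_pid(a.get("Parent", ""))
    m = NATIVE_HOST_RE.match(a.get("Command Line", ""))
    if (a.get("Rule") == "BlockSuspiciousCmdlines" and m
            and proc.lower().endswith("\\cmd.exe")
            and parent.lower().endswith("\\chrome.exe")
            and a.get("Parent Signer") == "Google Inc"):
        host = m.group("host")
        # The shape alone is not proof: a host outside Program Files still gets a look.
        in_pf = host.lower().startswith(("c:\\program files\\", "c:\\program files (x86)\\"))
        verdict = "likely-fp:chrome-native-messaging-host" if in_pf else "review:unusual-host-path"
        return {"verdict": verdict, "host": host, "extension": m.group("ext")}
    return {"verdict": "review", "host": None, "extension": None}

if __name__ == "__main__":
    print(triage(SAMPLE_ALERT))
```

The returned host path and extension id are exactly the two values a per-host exclusion should be keyed on; a mismatched pipe pair or a host outside Program Files drops the alert back to manual review.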
 

AtlBo

However I searched the .tmp file on the disk and it does not exist, do you know why? :unsure:

Yes, I couldn't find it either. It must be instantly deleted. I tried to catch it, but I think the drop and delete are over in a matter of a blink of an eye. I thought I saw one of them once, but it was gone very fast...
 

NoVirusThanks

Here is a new v1.4 (pre-release) test49:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test49.exe

*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block execution of .wsf scripts
+ Improved Block suspicious command-lines
+ Disabled /silent and /verysilent uninstallation
+ Improved Prevent important Windows services from being disabled
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

@ForgottenSeer 58943 @128BPM @Stas

All reported FPs should be fixed.

The csc.exe execution is very hard to whitelist, personally I block csc.exe entirely (I don't use any .NET app here).

Blocking those events should not cause any issue anyway.
 

Stas

All reported FPs should be fixed.
FPs with IDM are not fixed, and there's a problem with notifications: on multiple alerts at the same time, only one notification alert appears; the rest of the alerts can only be seen in the log file.
 

Deleted member 178

FPs with IDM are not fixed, and there's a problem with notifications: on multiple alerts at the same time, only one notification alert appears; the rest of the alerts can only be seen in the log file.

In Advanced > Attack Mitigation Rules :

Did you tick "prevent regserver32.exe from loading dlls"? Seems yes (based on your log), so don't wonder why... (it is not an FP, it is expected behavior).

You have to create an exception rule if you want to keep the mitigation rule enabled.
 

Stas

In Advanced > Attack Mitigation Rules :

Did you tick "prevent regserver32.exe from loading dlls"? Seems yes (based on your log), so don't wonder why... (it is not an FP, it is expected behavior).

You have to create an exception rule if you want to keep the mitigation rule enabled.
I thought it could be whitelisted internally; anyway, I excluded all four alerts, but the problem with multiple alerts at the same time should be fixed.
 

NoVirusThanks

Here is a new v1.4 (pre-release) test50:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test50.exe

*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed a typo on the Configurator GUI
+ Block loading of .inf files via InstallHinfSection\LaunchINFSection
+ Improved Block suspicious command-lines
+ Improved Block suspicious Svchost.exe process behaviors
+ Improved Block execution of suspicious scripts
+ Improved support for multiple alerts
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive please let me know.

@Stas

FP should be fixed now, please confirm.
 
