NVT ERP 3.1.0.0 Test Video?

AtlBo

Level 24
Joined
Dec 29, 2014
Messages
1,390
Antivirus
Qihoo 360
#1
Anyone seen a video test of NVT ERP 3.1.0.0 against ransomware and other malware anywhere? I can't find one, but I'm pretty sure if I did, it wouldn't be what I'm hoping for. Anyway, I would love to see a really solid one.

I guess with such a straight anti-exe, it's not a fair fight against anything, but I think it would be a good test if the focus were on the types of pop ups to expect from NVT ERP during an attack. Also, it's very helpful to know that NVT ERP can't be bypassed completely.

One thing about this is that I am sort of concerned which settings should be used for this kind of test if anyone ever does one. It's mostly just a demonstration, so I think it would be more important to use solid hardened settings that users should use rather than the defaults. Overall, I think NVT ERP 3.1.0.0 is definitely a serious enough program to play around with and have some fun. For real, with the proper focus for putting together an instructional on what to expect from malware vs NVT ERP, this would be actually quite rewarding and a H#%% of a lot of fun to do. I don't know enough to do this, but I think I would really love this project honestly.

As for NVT ERP and its value, I feel :rolleyes: that on the handling of command line it is actually better than VoodooShield. Anyone else noticed a difference? Then again, I guess it could be a settings thing or it could be that NVT ERP is just not telling everything. Don't know if anyone else might have an inclination about any of this.
 

shmu26

Level 62
Joined
Jul 3, 2015
Messages
5,143
OS
Windows 10
#3
Anyone seen a video test of NVT ERP 3.1.0.0 against ransomware and other malware anywhere? I can't find one, but I'm pretty sure if I did, it wouldn't be what I'm hoping for. Anyway, I would love to see a really solid one.

I guess with such a straight anti-exe, it's not a fair fight against anything, but I think it would be a good test if the focus were on the types of pop ups to expect from NVT ERP during an attack. Also, it's very helpful to know that NVT ERP can't be bypassed completely.

One thing about this is that I am sort of concerned which settings should be used for this kind of test if anyone ever does one. It's mostly just a demonstration, so I think it would be more important to use solid hardened settings that users should use rather than the defaults. Overall, I think NVT ERP 3.1.0.0 is definitely a serious enough program to play around with and have some fun. For real, with the proper focus for putting together an instructional on what to expect from malware vs NVT ERP, this would be actually quite rewarding and a H#%% of a lot of fun to do. I don't know enough to do this, but I think I would really love this project honestly.

As for NVT ERP and its value, I feel :rolleyes: that on the handling of command line it is actually better than VoodooShield. Anyone else noticed a difference? Then again, I guess it could be a settings thing or it could be that NVT ERP is just not telling everything. Don't know if anyone else might have an inclination about any of this.
Testing it would be very boring because basically the only thing that can get past NVT ERP is malware with a valid digital sig from a vendor on the trusted list -- and that's nearly impossible to find. You can cover that (im)possibility as well, if you disable trust for signed files.
 

AtlBo

#4
Well, I think it would be useful to see which kinds of pop ups would appear in an attack so a user could be prepared to spot an attack.

I saw a video that showed a browser trojan bypassing NVT ERP, but I guess that problem was long ago overcome by the developer. It was an older version of the program, which is much different now than that version which I saw.

I still think it could be very instructional to see NVT ERP against the worst out there and to see the pop ups and kind of study them. ERP pop ups aren't warnings really, and there isn't any input from any place about the validity of the process. It's different from any other security program in that way. Also, there is no sandbox, quarantine, etc. Making the right choice with the program every time is everything. It's really the user gets it right every time, or user is infected.
 

jamescv7

Level 61
Trusted
Joined
Mar 15, 2011
Messages
12,638
OS
Windows 10
Antivirus
Microsoft
#6
handling of command line it is actually better than VoodooShield.
@AtlBo: Yes in actual concept, NVT Radar Pro has full control alongside of wide configuration to extend the Anti-Exe lockdown.

Meanwhile VoodooShield is also strong but balanced because of Cloud analysis.

NVT Radar Pro is definitely for security geeks unlike VoodooShield.
 

Lockdown

From AppGuard
Developer
Joined
Oct 24, 2016
Messages
3,100
#7
Anyone seen a video test of NVT ERP 3.1.0.0 against ransomware and other malware anywhere? I can't find one, but I'm pretty sure if I did, it wouldn't be what I'm hoping for. Anyway, I would love to see a really solid one.

I guess with such a straight anti-exe, it's not a fair fight against anything, but I think it would be a good test if the focus were on the types of pop ups to expect from NVT ERP during an attack. Also, it's very helpful to know that NVT ERP can't be bypassed completely.

One thing about this is that I am sort of concerned which settings should be used for this kind of test if anyone ever does one. It's mostly just a demonstration, so I think it would be more important to use solid hardened settings that users should use rather than the defaults. Overall, I think NVT ERP 3.1.0.0 is definitely a serious enough program to play around with and have some fun. For real, with the proper focus for putting together an instructional on what to expect from malware vs NVT ERP, this would be actually quite rewarding and a H#%% of a lot of fun to do. I don't know enough to do this, but I think I would really love this project honestly.

As for NVT ERP and its value, I feel :rolleyes: that on the handling of command line it is actually better than VoodooShield. Anyone else noticed a difference? Then again, I guess it could be a settings thing or it could be that NVT ERP is just not telling everything. Don't know if anyone else might have an inclination about any of this.
From a malware testing perspective it won't be a very interesting video...

Execute unknown\untrusted file > user manually or NVT ERP auto-blocks - dependent upon configuration

Anyone who uses NVT ERP - or any other anti-executable or software restriction policy software - more than likely knows to and how to perform a pre-execution file inspection

Even a rudimentary file inspection can significantly decrease the likelihood that a user will choose to execute the unknown\untrusted file in the first place - thereby reducing the anti-executable or software restriction policy soft as a fail-safe against a user mistake (one of the most common infection vectors)
 

shmu26

#8
Well, I think it would be useful to see which kinds of pop ups would appear in an attack
You will see the same kind of pop-ups you see in regular use: unknown applications alerts, vulnerable process alerts, unless you have it set to autoblock, like Jeff said.
 

AtlBo

#9
Also, there is no sandbox, quarantine, etc. Making the right choice with the program every time is everything. It's really the user gets it right every time, or user is infected.
Correction. I should say there is no standard reference in alerts to a sandbox and not very often one for quarantine->no sandbox and then quarantine is an alert option only for unsigned executables. Apologies, just wanted to correct this. There is a quarantine, it's just not as prominent as it is in VoodooShield.
 

Lockdown

#10
Correction. I should say there is no standard reference in alerts to a sandbox and not very often one for quarantine->no sandbox and then quarantine is an alert option only for unsigned executables. Apologies, just wanted to correct this. There is a quarantine, it's just not as prominent as it is in VoodooShield.
Dependent upon configuration, you can quarantine any file within the NVT ERP alert; customize Trusted Publishers' list, disable "Allow system files," etc
 

AtlBo

#11
Dependent upon configuration, you can quarantine any file within the NVT ERP alert; customize Trusted Publishers' list, disable "Allow system files," etc
That's really a good idea, thanks. Off topic I know, but anyone who happens by have a quick answer for stealth mode? Should I use it? NVT Help is good, but searching didn't show anything. I'm guessing this is just running without the system tray icon? Not a good option for me.

I personally did disable "allow system files" already, but I had waited for some of them to be whitelisted first. Can't recall who on MT had this idea, but it works fairly well for me so far. I like ERP's trust list at first glance, but I guess it could be pared down some.

I'm looking forward to understanding how to use the parent whitelisting. Thanks to shmu26 for bringing that topic up for me some place. I had just started using it before I reinstalled Windows, but I hadn't acknowledged the importance of selectivity when doing this. Would it be correct to say this is as specific as creating the "Protected processes" list (or close to so)? Seems like a good opportunity to get creative.
 

shmu26

#12
I'm looking forward to understanding how to use the parent whitelisting.
Just put the main exe file of the program into the parent list. That allows it to spawn children without prompting you.

For an example, let's say you have a little program that converts audio files from WAV to MP3. It works by running a sox.exe file located somewhere in a TEMP folder, and every file you convert has a different name.

This program will drive you crazy with prompts.

You could either edit the command line string by putting a * instead of the constantly varying name (a bit tedious and maybe even challenging), or you could put the program into the parent list.

EDIT: Actually, you might need to put also the sox.exe file into parent list, in this case.
 
Likes: AtlBo
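
The two choices in the post above (a wildcard in the command line string versus adding the program to the parent list) differ in how much they allow. The sketch below is an added example, not part of the original post and not NVT ERP's own matching logic: it is a simplified model in which the converter path, the TEMP path, the rule syntax and the order of the checks are all assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ntpath import basename

# All paths and rules below are constructed for this sketch.
CONVERTER = r"c:\program files\wavconv\wavconv.exe"
SOX = r"c:\users\me\appdata\local\temp\sox.exe"
# Process names listed later in the thread (post #15).
VULNERABLE = {"cmd.exe", "bcdedit.exe", "vssadmin.exe"}
WILDCARD_RULE = SOX + " *.wav *.mp3"  # '*' replaces the varying file name


@dataclass
class Launch:
    parent: str   # image that requested the launch
    image: str    # image being started
    cmdline: str  # full command line of the new process


def decide(launch, parents=(), cmdline_rules=()):
    """Verdict of a simplified anti-executable policy (assumed check order)."""
    parent = launch.parent.lower()
    image = launch.image.lower()
    cmdline = launch.cmdline.lower()
    if parent in parents:
        return "allow: parent rule"        # any child, any arguments
    if any(fnmatchcase(cmdline, rule) for rule in cmdline_rules):
        return "allow: command line rule"  # only this command shape
    if basename(image) in VULNERABLE:
        return "alert: vulnerable process"
    return "alert: unknown application"


def demo():
    convert = Launch(CONVERTER, SOX,
                     SOX + r" c:\music\track07.wav c:\music\track07.mp3")
    shell = Launch(CONVERTER, r"c:\windows\system32\cmd.exe", "cmd.exe /c dir")
    return {
        "no rules, convert": decide(convert),
        "wildcard, convert": decide(convert, cmdline_rules=[WILDCARD_RULE]),
        "wildcard, cmd.exe": decide(shell, cmdline_rules=[WILDCARD_RULE]),
        "parent, convert": decide(convert, parents={CONVERTER}),
        "parent, cmd.exe": decide(shell, parents={CONVERTER}),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20} {verdict}")
```

In this model the wildcard rule silences only the sox.exe conversions, while the parent rule also silences the alert when the same program starts cmd.exe, which is why the parent list needs to be kept selective.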

Lockdown

#15
To prevent encryption using NVT ERP, you would block the execution of the ransomware executable itself.

If you allow the ransomware executable to run in the first place, it might not create any child processes and generate no further NVT ERP alerts. From initial execution it could ransom files through various means.

Also, very often ransomware executes various vulnerable processes such as cmd.exe, bcdedit.exe, vssadmin.exe. Blocking these vulnerable processes might prevent encryption - but there is no guarantee. Cerber is an example; blocking cmd.exe will not stop file encryption.

For optimal security, it is best practice to block execution of any unknown\untrusted files. Why? Because you don't know what the file does, how it will behave, and you don't know if your antivirus\internet security software will prevent malicious actions (bypass).

"Don't light a match in a gasoline refining facility - and you won't blow yourself up."

Simple concept.
 
