NVT ERP -- mark vulnerable process as safe parent process?

shmu26 · May 9, 2016

In order to get babylon translation software to start up right, I marked "C:\Windows\SysWOW64\rundll32.exe"
as a safe parent process.
(It was not enough to just mark babylon.exe as a safe parent process.)
Is this a security risk, and if so, what's the better way to do it?

hjlbx · May 9, 2016

shmu26 said:
In order to get babylon translation software to start up right, I marked "C:\Windows\SysWOW64\rundll32.exe"
as a safe parent process.
(It was not enough to just mark babylon.exe as a safe parent process.)
Is this a security risk, and if so, what's the better way to do it?

White-list the rundll32.exe commandline when Babylon starts instead of the rundll32.exe process.

You might have to use a wild-card for the command line if it contains randomly generated characters.

LabZero · May 9, 2016

Rundll32.exe it is a legitimate process that is responsible for the loading and execution of Dll files and it's a complex system but potentially It can be subject to Dll injection.
I don't see a reason to white-list It as safe.

shmu26 · May 9, 2016

hjlbx said:
White-list the rundll32.exe commandline when Babylon starts instead of the rundll32.exe process.

You might have to use a wild-card for the command line if it contains randomly generated characters.

when babylon starts, the NVT ERP alert becomes non-responding and greyed out, so I can't click anything.

shmu26 · May 9, 2016

hjlbx said:
White-list the rundll32.exe commandline when Babylon starts instead of the rundll32.exe process.

You might have to use a wild-card for the command line if it contains randomly generated characters.

what happens is I get a warning about a vulnerable app, and then it freezes. It didn't help to add the command line manually to whitelist, and also training mode doesn't help. There are no random characters, just a normal path and file name.

hjlbx · May 9, 2016

shmu26 said:
what happens is I get a warning about a vulnerable app, and then it freezes. It didn't help to add the command line manually to whitelist, and also training mode doesn't help. There are no random characters, just a normal path and file name.

Sounds like bug in NVT ERP...

shmu26 · May 9, 2016

hjlbx said:
Sounds like bug in NVT ERP...

I am not so sure NVT ERP is optimized for windows 10 x64, despite what it claims on the site.

hjlbx · May 9, 2016

shmu26 said:
I am not so sure NVT ERP is optimized for windows 10 x64, despite what it claims on the site.

It works OK on my 64 bit system, but it isn't officially supported.

NVT ERP is no longer actively developed, so we're all kind of at a loss...

shmu26 · May 9, 2016

hjlbx said:
It works OK on my 64 bit system, but it isn't officially supported.

NVT ERP is no longer actively developed, so we're all kind of at a loss...

interesting that after a reboot or two, the "safe parent process" entry modded from C:\Windows\SysWOW64\rundll32.exe
to something different and more specific:
C:\Windows\WinSxS\x86_microsoft-windows-rundll32_31bf3856ad364e35_10.0.10586.0_none_086c4e649ce454df\rundll32.exe
I guess it's more restrictive that way, which is good.

Search

NVT ERP -- mark vulnerable process as safe parent process?

shmu26

Level 85

hjlbx

LabZero

shmu26

Level 85

shmu26

Level 85

hjlbx

shmu26

Level 85

hjlbx

shmu26

Level 85

Similar threads