NVT ERP -- mark vulnerable process as safe parent process?

Discussion in 'NoVirusThanks' started by shmu26, May 9, 2016.

  1. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,255
    13,527
    Utopia
    In order to get Babylon translation software to start up right, I marked "C:\Windows\SysWOW64\rundll32.exe" as a safe parent process.
    (It was not enough to just mark babylon.exe as a safe parent process.)
    Is this a security risk, and if so, what's the better way to do it?
     
  2. hjlbx

    hjlbx Guest

    Whitelist the rundll32.exe command line when Babylon starts instead of the rundll32.exe process.

    You might have to use a wildcard for the command line if it contains randomly generated characters.
     
    shmu26 likes this.
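
The difference between the two approaches in this exchange, as an added example that is not part of the original thread and does not use NVT ERP's own rule syntax or engine: a simplified allowlist model evaluated over three process-start events. All paths, the DLL name, the export name and the event names are constructed placeholders.

```python
from fnmatch import fnmatchcase

RUNDLL32 = r"c:\windows\syswow64\rundll32.exe"
BABYLON = r"c:\program files (x86)\babylon\babylon.exe"  # constructed path
TEMP = r"c:\users\user\appdata\local\temp"               # constructed path

# Constructed process-start events: (name, parent image, command line).
EVENTS = [
    # rundll32 started by Babylon with a DLL from Babylon's own folder
    ("babylon_rundll32", BABYLON,
     RUNDLL32 + r' "c:\program files (x86)\babylon\placeholder.dll",Entry'),
    # rundll32 started by something else with a DLL from a temp folder
    ("other_rundll32", TEMP + r"\unknown.exe",
     RUNDLL32 + " " + TEMP + r"\x.dll,Run"),
    # a program started *by* a rundll32 instance
    ("child_of_rundll32", RUNDLL32, TEMP + r"\unknown_child.exe"),
]


def evaluate(safe_parents=(), cmdline_patterns=()):
    """Return {event name: allowed?} under a simplified allowlist model.

    An event is allowed if its parent image is a listed safe parent, or if
    its full command line matches a listed wildcard pattern (case-insensitive).
    """
    parents = {p.lower() for p in safe_parents}
    result = {}
    for name, parent, cmdline in EVENTS:
        by_parent = parent.lower() in parents
        by_cmdline = any(fnmatchcase(cmdline.lower(), pat.lower())
                         for pat in cmdline_patterns)
        result[name] = by_parent or by_cmdline
    return result


# Safe-parent approach: babylon.exe and rundll32.exe both trusted as parents.
# Anything started by any rundll32 instance is allowed, whatever DLL it loaded.
SAFE_PARENT = evaluate(safe_parents=[BABYLON, RUNDLL32])

# Command-line approach: only rundll32 loading a DLL from Babylon's folder.
NARROW = evaluate(cmdline_patterns=[
    RUNDLL32 + r' "c:\program files (x86)\babylon\*.dll",*'])

# A wildcard that is too wide allows every rundll32 invocation.
WIDE = evaluate(cmdline_patterns=[r"*\rundll32.exe *"])

if __name__ == "__main__":
    for label, res in [("safe parent", SAFE_PARENT), ("narrow", NARROW), ("wide", WIDE)]:
        print(label, res)
```

Keep the wildcard confined to the part of the command line that actually varies; a pattern that swallows the DLL path is no tighter than trusting the process itself.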
  3. LabZero

    LabZero Guest

    Rundll32.exe is a legitimate process that is responsible for loading and executing DLL files. It's a complex system, but it can potentially be subject to DLL injection.
    I don't see a reason to whitelist it as safe.
     
  4. shmu26

    shmu26 Level 53

    When Babylon starts, the NVT ERP alert becomes non-responding and greyed out, so I can't click anything.
     
  5. shmu26

    shmu26 Level 53

    What happens is I get a warning about a vulnerable app, and then it freezes. It didn't help to add the command line manually to the whitelist, and training mode doesn't help either. There are no random characters, just a normal path and file name.
     
  6. hjlbx

    hjlbx Guest

    Sounds like a bug in NVT ERP...
     
  7. shmu26

    shmu26 Level 53

    I am not so sure NVT ERP is optimized for Windows 10 x64, despite what it claims on the site.
     
  8. hjlbx

    hjlbx Guest

    It works OK on my 64 bit system, but it isn't officially supported.

    NVT ERP is no longer actively developed, so we're all kind of at a loss...
     
    shmu26 likes this.
  9. shmu26

    shmu26 Level 53

    Interesting that after a reboot or two, the "safe parent process" entry modded from C:\Windows\SysWOW64\rundll32.exe to something different and more specific:
    C:\Windows\WinSxS\x86_microsoft-windows-rundll32_31bf3856ad364e35_10.0.10586.0_none_086c4e649ce454df\rundll32.exe
    I guess it's more restrictive that way, which is good.
     