Advice Request NVT ERP to block Chromium Edge

Please provide comments and solutions that are helpful to the author of this topic.

RoboMan

RoboMan

Level 35
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,485
Hello everybody, hope soembody can help me here.

I use NoVirusThanks Exe Radar Pro (v4.0 beta) and I also use Chromium Edge.

This is the thing. Every time I launch Edge, I get an alert dialog to allow/deny (I use Alert Mode), and no matter what it just won't stop appearing at each launch. I have tried creating rules for Edge, for the command lines, anything you can think of and I still have to manually allow at each launch. Apparently, it's the extensions on Edge which triggers the dialog. Of course I've tried learning mode, remember allow, etc. It just keeps popping each time.

Date/Time : 2019-05-10 14:46:04.044
Action : Ask/Deny Once
Expression : -
Category : Alert Dialog
PID : 7360
Process : C:\Windows\System32\cmd.exe
Integrity Level: Medium
User/Domain : Gonza/DESKTOP-JRM99V7
System File : True
SHA1 : 08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9
Signer :
Command : C:\Windows\system32\cmd.exe /d /c "C:\Program Files\WindowsApps\Microsoft.WindowsDefenderApplicationGuard_1.0.8.0_x64__8wekyb3d8bbwe\WDAGExtensionCore.exe" chrome-extension://mfjnknhkkiafjajicegabkbimfhplplj/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.8599a1ee4c891f53 > \\.\pipe\chrome.nativeMessaging.out.8599a1ee4c891f53
Parent : C:\Program Files (x86)\Microsoft\Edge Dev\Application\msedge.exe
Parent SHA1 : C04252EC07CD855C7A196BCE0457712238625764
Parent Signer : Microsoft Corporation

How do I whitelist this?
 
  • Like
Reactions: Andy Ful, oldschool, Vasudev and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
RoboMan said:
Hello everybody, hope soembody can help me here.

I use NoVirusThanks Exe Radar Pro (v4.0 beta) and I also use Chromium Edge.

This is the thing. Every time I launch Edge, I get an alert dialog to allow/deny (I use Alert Mode), and no matter what it just won't stop appearing at each launch. I have tried creating rules for Edge, for the command lines, anything you can think of and I still have to manually allow at each launch. Apparently, it's the extensions on Edge which triggers the dialog. Of course I've tried learning mode, remember allow, etc. It just keeps popping each time.

Date/Time : 2019-05-10 14:46:04.044
Action : Ask/Deny Once
Expression : -
Category : Alert Dialog
PID : 7360
Process : C:\Windows\System32\cmd.exe
Integrity Level: Medium
User/Domain : Gonza/DESKTOP-JRM99V7
System File : True
SHA1 : 08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9
Signer :
Command : C:\Windows\system32\cmd.exe /d /c "C:\Program Files\WindowsApps\Microsoft.WindowsDefenderApplicationGuard_1.0.8.0_x64__8wekyb3d8bbwe\WDAGExtensionCore.exe" chrome-extension://mfjnknhkkiafjajicegabkbimfhplplj/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.8599a1ee4c891f53 > \\.\pipe\chrome.nativeMessaging.out.8599a1ee4c891f53
Parent : C:\Program Files (x86)\Microsoft\Edge Dev\Application\msedge.exe
Parent SHA1 : C04252EC07CD855C7A196BCE0457712238625764
Parent Signer : Microsoft Corporation

How do I whitelist this?
Click to expand...
Strange. I have run the command line from your log:
Code: 
C:\Windows\system32\cmd.exe /d /c "C:\Program Files\WindowsApps\Microsoft.WindowsDefenderApplicationGuard_1.0.8.0_x64__8wekyb3d8bbwe\WDAGExtensionCore.exe" chrome-extension://mfjnknhkkiafjajicegabkbimfhplplj/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.8599a1ee4c891f53 > \\.\pipe\chrome.nativeMessaging.out.8599a1ee4c891f53

I have got an alert from NVT ERP. So, I ticked "Remember this action" and next "Allow" button. No alerts after this. Could you do it on your system?
 
Last edited:
  • Like
Reactions: RoboMan, oldschool, harlan4096 and 1 other person
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
devjit2018 said:
Have you tried learning more? Learning mode will allow ERP to create the rules when you're launching edge.
Click to expand...
I just took a look at @RoboMan's spoiler. The command line has strings of random characters in it, and also the version number. So the rules created in learning mode won't work permanently, unless they are wildcarded.
 
  • Like
Reactions: Azure, RoboMan, oldschool and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
The problem is with WD Application Guard extension which is loaded by Edge Dev via command line. This command line should be whitelisted. Though, after whitelisting, everything should work well for a few days, until the extension will change its version. For whitelisting it permanently, the wildcards have to be used, as it was mentioned by @shmu26.

It is also possible that the below part of the command line is changing on each running of Edge Dev:
chrome.nativeMessaging.in.8599a1ee4c891f53 > \\.\pipe\chrome.nativeMessaging.out.8599a1ee4c891f53
If so, then this should be also replaced with wildcards, for example:
chrome.nativeMessaging.in.* > \\.\pipe\chrome.nativeMessaging.out.*

When using wildcards in Exe Radar Pro, one must remember to change the "Command Line" setting: 'Equal to" ----> "Like to (Wildcard)".
 
  • Like
Reactions: harlan4096, Azure, RoboMan and 3 others
RoboMan

RoboMan

Level 35
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,485
Thank you. WD Application Guard isn't the only extension giving me trouble. I tried disabling the extension, and then the alert was given by Free Download Manager extension, and so on with every single extension.
 
  • Like
Reactions: oldschool and shmu26
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
RoboMan said:
Thank you. WD Application Guard isn't the only extension giving me trouble. I tried disabling the extension, and then the alert was given by Free Download Manager extension, and so on with every single extension.
Click to expand...
Maybe it's those Chrome character strings that Andy was talking about. I saw a lot of that in ReHIPS when I played around with Chrome. There is a lot of wildcarding to do.
 
  • Like
Reactions: oldschool, Andy Ful and RoboMan
RoboMan

RoboMan

Level 35
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,485
shmu26 said:
Maybe it's those Chrome character strings that Andy was talking about. I saw a lot of that in ReHIPS when I played around with Chrome. There is a lot of wildcarding to do.
Click to expand...
Yep, I though the very same. VoodooShield gave me similar trouble back in the day with Chrome and FDM extension since it had a random string that changed at every Chrome launch. But I have no idea how to wildcard every extension.
 
  • Like
Reactions: stefanos, oldschool and shmu26
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
RoboMan said:
Yep, I though the very same. VoodooShield gave me similar trouble back in the day with Chrome and FDM extension since it had a random string that changed at every Chrome launch. But I have no idea how to wildcard every extension.
Click to expand...
DId you try something like this?
  • C:\Windows\system32\cmd.exe /d /c "C:\Program Files\WindowsApps\*" chrome-extension://*
  • C:\Windows\system32\cmd.exe /c "C:\Program Files\WindowsApps\*" chrome-extension://*
213515
 
Last edited:
  • Like
  • Thanks
Reactions: harlan4096, oldschool, RoboMan and 1 other person

Similar threads

M
    • Like
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
Replies
0
Views
427
Microsoft Defender
Microsoft Threat Intelligence
M
Victor M
New Update Chrome 124 Ubuntu 24.04 LTS Apparmor profile
Replies
1
Views
856
ChromeOS & Linux
Victor M
Victor M
M
    • Like
“Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps
Replies
0
Views
412
Microsoft Defender
Microsoft Threat Intelligence
M

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top