hjlbx

Would you recommend users with EXE Radar Pro to add those vulnerable processes to.. well EXE Radar Pro's vulnerable processes?
THIS IS REALLY IMPORTANT ! : Users need to educate themselves.

Here is valuable info from SubTee:

ApplicationWhitelistBypassTechniques/Limits.txt at master · subTee/ApplicationWhitelistBypassTechniques · GitHub

ApplicationWhitelistBypassTechniques/TheList.txt at master · subTee/ApplicationWhitelistBypassTechniques · GitHub

NVT ERP is the way to go if one wants to monitor/block execution of any process that you do not wish to execute.
 
hjlbx

Does AppGuard also already protect against those or does one need to include some in AppGuard?
While you can add those processes to User Space in AppGuard, that means they will always be blocked - with no way for the user to Allow them - unless you go to the User Space tab and select No.

From a practical standpoint, it is better to add them - if you wish - to NVT ERP's vulnerable process list and run it in Alert Mode. This way, if one of the processes is executed, NVT ERP will generate an alert from which you can select Allow or Block.

NVT ERP is more convenient for those processes you might need to use for troubleshooting - e.g. ipconfig.exe, netstat.exe, etc.

Plus, with a few of the processes there might be some breakage until they are allowed. NVT ERP gives this ease-of-use flexibility.

However, there are quite a few processes which the typical user will likely never use from the command line.

Each user needs to figure out and decide how they wish to handle it on their own specific system.
 

marzametal

robocopy.exe can be used to examine the size of System Volume Information...
Code:
robocopy "c:\System Volume Information" c:\dummy /l /xj /e /nfl /ndl /njh /r:0 /b
System Volume Information
Code:
On W7 HP x64
C:\Windows\System32\Robocopy.exe
C:\Windows\SysWOW64\Robocopy.exe
C:\Windows\winsxs\amd64_microsoft-windows-robocopy_31bf3856ad364e35_6.1.7601.17514_none_252d34f00303c6fa\Robocopy.exe
C:\Windows\winsxs\x86_microsoft-windows-robocopy_31bf3856ad364e35_6.1.7601.17514_none_c90e996c4aa655c4\Robocopy.exe
 

jamescv7

That is the problem with Windows processes: they do not have the ability to block or protect against manipulation. AppGuard and other tools should carefully implement handling of those critical processes, because it is not always the case that the solution's own process will work.
 

_CyberGhosT_

If you don't mind me asking hjlbx, what is that "S Premium" you're using there?
Cool post too, by the way, very inclusive list. Thanks.
 
shmu26

NVT ERP is the way to go if one wants to monitor/block execution of any process that you do not wish to execute.
ERP users should be aware that vulnerable processes are identified by their hash value, so if you get a significant Windows update, you might need to refresh some of your vulnerable processes. You can check this by manually executing the items on your list and seeing if you get the popup you expected. If not, delete the old entry and re-add it.
 
hjlbx

ERP users should be aware that vulnerable processes are identified by their hash value, so if you get a significant Windows update, you might need to refresh some of your vulnerable processes. You can check this by manually executing the items on your list and seeing if you get the popup you expected. If not, delete the old entry and re-add it.
You can avoid all this by not trusting System32 and SysWOW64 files that change... it's in the NVT ERP settings.
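Both points above come down to the same check: ERP keys a vulnerable-process entry on the file's hash (shmu26), and the ERP setting hjlbx mentions is about not trusting System32/SysWOW64 files whose hash changed. The following PowerShell script is an added example, not code from this thread or from NVT ERP, that performs that check outside ERP so you know which entries to delete and re-add after an update instead of testing each one by hand. Assumptions: the process names are only a sample of names mentioned in this thread (edit the list to match your own ERP vulnerable-process list); the baseline file path is an arbitrary choice; SHA-256 is used only to detect change and is not claimed to be ERP's own algorithm; Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example, not part of the thread or of NVT ERP.
# First run: record SHA-256 hashes of the binaries behind a vulnerable-process
# list. Later runs: report which binaries changed (e.g. after a Windows update),
# i.e. which ERP entries no longer match and must be deleted and re-added.
# Assumptions: process names are a sample drawn from this thread; baseline path
# is arbitrary; SHA-256 is used only to detect change.

$VulnerableProcesses = @(
    'powershell.exe', 'powershell_ise.exe', 'robocopy.exe',
    'ipconfig.exe', 'netstat.exe'
)
$BaselinePath = Join-Path $env:USERPROFILE 'erp-vulnerable-baseline.json'

function Get-VulnerableProcessHashes {
    param([string[]]$Names)
    # On x64 both the native and the WOW64 copy exist and both can be run,
    # so hash both; ERP entries are per file, not per name.
    $dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    $hashes = @{}
    foreach ($dir in $dirs) {
        foreach ($name in $Names) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path) {
                $hashes[$path] = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
    return $hashes
}

function Read-Baseline {
    param([string]$Path)
    # The baseline is a JSON object of path -> hash; turn it back into a hashtable.
    $saved = @{}
    $json = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    foreach ($prop in $json.PSObject.Properties) { $saved[$prop.Name] = $prop.Value }
    return $saved
}

function Compare-Baseline {
    param([hashtable]$Saved, [hashtable]$Current)
    # 'changed' = hash differs (ERP entry is stale), 'new' = file appeared since
    # the baseline, 'missing' = file was removed.
    $report = New-Object System.Collections.Generic.List[object]
    foreach ($path in $Current.Keys) {
        if (-not $Saved.ContainsKey($path)) {
            $report.Add([pscustomobject]@{ Path = $path; Status = 'new' })
        } elseif ($Saved[$path] -ne $Current[$path]) {
            $report.Add([pscustomobject]@{ Path = $path; Status = 'changed' })
        }
    }
    foreach ($path in $Saved.Keys) {
        if (-not $Current.ContainsKey($path)) {
            $report.Add([pscustomobject]@{ Path = $path; Status = 'missing' })
        }
    }
    return $report
}

$current = Get-VulnerableProcessHashes -Names $VulnerableProcesses

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record the current state and stop.
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Host "Baseline written: $BaselinePath ($($current.Count) binaries)"
    return
}

$report = @(Compare-Baseline -Saved (Read-Baseline -Path $BaselinePath) -Current $current)
if ($report.Count -eq 0) {
    Write-Host 'No vulnerable-process binaries changed; existing ERP entries still match.'
} else {
    Write-Host 'Delete and re-add these entries in NVT ERP:'
    $report | Format-Table -AutoSize
    # Refresh the baseline so the next comparison is against the post-update state.
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
}
```

Run it once to write the baseline, then again after each Windows update; anything listed as 'changed' is an ERP entry that would silently stop matching. It only looks at the live copies in System32 and SysWOW64, not the WinSxS store copies marzametal listed, because those are what servicing stages and what actually runs is the System32/SysWOW64 file.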
 

_CyberGhosT_

No, I don't use MS Office; its hub and anything related to MS Office is blacklisted on this PC.
I use SoftMaker Office, but I have never seen that "S Premium" up there, so it piqued my curiosity. I will give it a look. Thanks.
 
hjlbx

thanks hjlbx!

ReHIPS users can do this, too.
And Cyberghost has already taught us how to use Process Lasso to elegantly disable processes.
Process Lasso 101
It is better to disable a vulnerable process - or - execute it with restricted privileges, than to allow it to execute - even when using an anti-executable or HIPS.

An exploit can bypass an anti-executable by abusing vulnerable processes not included in the blacklist and gain escalation of privilege.
 

_CyberGhosT_

thanks hjlbx!

ReHIPS users can do this, too.
And Cyberghost has already taught us how to use Process Lasso to elegantly disable processes.
Process Lasso 101
"Some", my friend. Some of the ones on hjlbx's list you can't block, or it will cripple Windows. That's why I suggest googling what each process is for before blocking it. ;)
 

shmu26

This is my bare-bones list of blocked processes.
It should work on any x64 system, and will not cripple Windows, but will still stop the common exploits.
(The full names of the 4 PowerShell processes got cut off in my screenshot.
They are: powershell.exe and powershell_ise.exe.)

[Screenshot: Capture.PNG]
 
hjlbx

"Some", my friend. Some of the ones on hjlbx's list you can't block, or it will cripple Windows. That's why I suggest googling what each process is for before blocking it. ;)
Actually, I submitted a warning to ReCrypt - that users could block things like winlogon.exe - and smash themselves right outta the system.

I believe this issue should be fixed by now.

Ask @Umbra - he's active at the ReCrypt forum.
 