Vulnerable Processes

  • Thread starter: hjlbx
Status
Not open for further replies.
The 4 PowerShell processes got cut off from my screenshot.
They are: powershell.exe and powershell_ise.exe

Why not just use wildcards: c:\windows\*\cmd.exe, c:\windows\*\wscript.exe, etc.?

Does Process Lasso not support wildcards?
 
You can avoid all this by not trusting System32 and SysWOW64 files that change... it's in the NVT ERP settings.
Where did you see that in the settings? (free beta version)
 
If you do all that, what happens when Windows does a major update and kindly reboots your computer for you?
 
If you do all that, what happens when Windows does a major update and kindly reboots your computer for you?

You respond to any alerts and select Allow... you know Windows just updated. It might cause the bootup immediately after the update to be a bit slower than normal because there might be some alerts, but it won't smash your system.
 
If I am running COMODO in proactive config, with HIPS enabled, what about a vulnerable processes list? Is it still relevant? And if so, what's the best way to do it?
 
This is my bare-bones list of blocked processes.
It should work on any x64 system, and will not cripple Windows, but will still stop the common exploits.
(The full names of the 4 PowerShell processes got cut off from my screenshot.
They are: powershell.exe and powershell_ise.exe.)

[Attachment 114271: screenshot of the blocked-process list]

How are you blocking these? What program?
 
This is my bare-bones list of blocked processes.
It should work on any x64 system, and will not cripple Windows, but will still stop the common exploits.
(The full names of the 4 PowerShell processes got cut off from my screenshot.
They are: powershell.exe and powershell_ise.exe.)

[Attachment 114271: screenshot of the blocked-process list]

I also have mshta.exe in Appguard.
 
How are you blocking these? What program?

I think he is doing it in NVT ERP.

You can do the same in AppGuard, EAM and NVT ERP.

If you use any programs that use cmd.exe on a regular basis, blocking it can be a pain - such as Mullvad VPN client, Windows Firewall Control or some Excubits security programs.

If you have questions about what to disable, just ask me in a PM.
 
Besides the above mentioned security softs, you can do it also with Kaspersky IS.
But the best way, IMHO, is with NoVirusThanks EXE Radar Pro (use the free beta version), because of the flexibility. This is particularly important with cmd.exe. A lot of apps use it. With NVT ERP, you can whitelist command lines to allow it where you need it, and still block it where you do not.
The truth is, you can do this with Comodo Firewall, too, if you use the HIPS. But not everyone loves Comodo.

And yes, mshta.exe is a good addition, although from what I have read, it usually will call one of the other main script interpreters, so you will still catch the malware activity early enough.

EDIT: ReHIPS also gives you control over these processes, and by default it will usually alert you if they want to run. But I don't understand well enough how it works in ReHIPS. Maybe someone else can explain.
 
Almost the same as mine. ;)

Code:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "wscript.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "cscript.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "3" /t REG_SZ /d "mshta.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "4" /t REG_SZ /d "msra.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "5" /t REG_SZ /d "psexec.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "6" /t REG_SZ /d "powershell.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "7" /t REG_SZ /d "powershell_ise.exe" /f
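An added example, not from any post in this thread: the same DisallowRun list applied from PowerShell, idempotently (re-running it does not create duplicate entries), with a read-back so you can verify what Explorer will actually refuse to launch. The process names are the ones from the reg commands above; the function names Get-DisallowRunEntries and Set-DisallowRunEntries are chosen here. Two things to keep in mind when relying on this control: the key lives under HKCU, so it covers only the user who applies it, and DisallowRun is honoured only for launches that go through Explorer (Start menu, Run box, double-click), not for programs that another process starts directly, so it is a speed bump that complements the NVT ERP / AppGuard style controls discussed above rather than replacing them. Since powershell.exe is on the list, run this from a console you already have open, and use -WhatIf first to preview.

```powershell
# Added example (not from the thread): manage the HKCU DisallowRun list from
# PowerShell instead of repeating "reg add" lines, and read it back to verify.
# Caveat: DisallowRun is enforced only for programs launched via Explorer; it
# does not stop processes started by other processes, and it is per-user (HKCU).

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey   = Join-Path $PolicyKey 'DisallowRun'

# Same list as the reg commands above. DisallowRun matches on the bare file
# name, so no paths and no wildcards here.
$Blocked = @(
    'wscript.exe', 'cscript.exe', 'mshta.exe', 'msra.exe',
    'psexec.exe', 'powershell.exe', 'powershell_ise.exe'
)

function Get-DisallowRunEntries {
    # Returns the currently blocked names (empty array if the key is absent).
    if (-not (Test-Path $ListKey)) { return @() }
    $item = Get-Item $ListKey
    $item.GetValueNames() |
        Where-Object { $_ -match '^\d+$' } |
        Sort-Object { [int]$_ } |
        ForEach-Object { $item.GetValue($_) }
}

function Set-DisallowRunEntries {
    # Enables the policy and appends any names not already present.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Names)

    if (-not (Test-Path $PolicyKey)) { New-Item $PolicyKey -Force | Out-Null }
    if (-not (Test-Path $ListKey))   { New-Item $ListKey   -Force | Out-Null }

    # REG_DWORD DisallowRun = 1 turns the policy on (first reg add line above).
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set DisallowRun = 1')) {
        Set-ItemProperty -Path $ListKey.Replace('\DisallowRun', '') -Name DisallowRun -Type DWord -Value 1
    }

    $existing = @(Get-DisallowRunEntries)

    # Value names are just numbers; continue after the highest one present.
    $numeric = (Get-Item $ListKey).GetValueNames() |
        Where-Object { $_ -match '^\d+$' } |
        ForEach-Object { [int]$_ }
    $next = if ($numeric) { ($numeric | Measure-Object -Maximum).Maximum + 1 } else { 1 }

    foreach ($name in $Names) {
        if ($existing -contains $name) { continue }   # already blocked; skip
        if ($PSCmdlet.ShouldProcess($ListKey, "Add '$name' as value $next")) {
            New-ItemProperty -Path $ListKey -Name $next -PropertyType String -Value $name | Out-Null
        }
        $next++
    }
}

# Preview with -WhatIf, then apply and show the resulting list.
Set-DisallowRunEntries -Names $Blocked -WhatIf
Set-DisallowRunEntries -Names $Blocked
Get-DisallowRunEntries
```

To undo, delete the DisallowRun subkey and the DisallowRun DWORD under the Explorer policies key; because the script only appends names it does not already find, it is safe to re-run after adding a name to $Blocked.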
 