Vulnerable Processes


hjlbx

the 4 powershell processes got cut off from my screenshot.
they are: powershell.exe and powershell_ise.exe

Why not just use wildcards: c:\windows\*\cmd.exe, c:\windows\*\wscript.exe, etc.?

Process Lasso does not support wildcards?

shmu26

You can avoid all this by not trusting System32 and SysWOW64 files that change... it's in the NVT ERP settings.
Where did you see that in settings? (free beta version)

shmu26

If you do all that, what happens when Windows does a major update, and kindly reboots your computer for you?

hjlbx

If you do all that, what happens when Windows does a major update, and kindly reboots your computer for you?

You respond to any alerts and select Allow... you know Windows just updated. It might cause the bootup immediately after the update to be a bit slower than normal because there might be some alerts, but it won't smash your system.

shmu26

If I am running COMODO in proactive config, with HIPS enabled, what's about a vulnerable processes list? Is it still relevant? And if so, what's the best way to do it?

Trooper

This is my bare-bones list of blocked processes.
It should work on any x64 system, and will not cripple Windows, but will still stop the common exploits.
(The full name of the 4 powershell processes got cut off from my screenshot.
They are: powershell.exe and powershell_ise.exe)

How are you blocking these? What program?

boredog

This is my bare-bones list of blocked processes.
It should work on any x64 system, and will not cripple Windows, but will still stop the common exploits.
(The full name of the 4 powershell processes got cut off from my screenshot.
They are: powershell.exe and powershell_ise.exe)

I also have mshta.exe in Appguard.

509322

How are you blocking these? What program?

I think he is doing it in NVT ERP.

You can do the same in AppGuard, EAM and NVT ERP.

If you use any programs that use cmd.exe on a regular basis, blocking it can be a pain - such as Mullvad VPN client, Windows Firewall Control or some Excubits security programs.

If you have questions about what to disable just ask me in the PM.

shmu26

Besides the above mentioned security softs, you can do it also with Kaspersky IS.
But the best way, IMHO, is with NoVirusThanks EXE Radar Pro (use the free beta version), because of the flexibility. This is particularly important with cmd.exe. A lot of apps use it. With NVT ERP, you can whitelist command lines to allow it where you need it, and still block it where you do not.
The truth is, you can do this with Comodo Firewall, too, if you use the HIPS. But not everyone loves Comodo.

And yes, mshta.exe is a good addition, although from what I have read, it usually will call one of the other main script interpreters, so you will still catch the malware activity early enough.

EDIT: ReHIPS also gives you control over these processes, and by default it will usually alert you if they want to run. But I don't understand well enough how it works in ReHIPS. Maybe someone else can explain.

TairikuOkami

Almost the same as mine. ;)

Code:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "wscript.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "cscript.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "3" /t REG_SZ /d "mshta.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "4" /t REG_SZ /d "msra.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "5" /t REG_SZ /d "psexec.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "6" /t REG_SZ /d "powershell.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "7" /t REG_SZ /d "powershell_ise.exe" /f
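
An added example, not from the thread or from any of the tools named in it: it audits the same HKCU DisallowRun policy that the reg add lines above create and fills in missing entries without duplicating existing ones. $WantedBlocked is an assumed list built from the process names discussed in the thread, and the function names are mine.

```powershell
# Added example, not from the thread: audit the HKCU DisallowRun policy written by the
# reg add lines above and add any missing entries without duplicating existing ones.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey   = Join-Path $PolicyKey 'DisallowRun'

# Assumed list, built from the process names discussed in this thread.
$WantedBlocked = @('wscript.exe', 'cscript.exe', 'mshta.exe',
                   'powershell.exe', 'powershell_ise.exe', 'cmd.exe')

function Get-DisallowRunEntries {
    # DisallowRun stores one REG_SZ per blocked exe, named "1", "2", ... as in the reg add lines.
    if (-not (Test-Path $ListKey)) { return @() }
    $key = Get-Item $ListKey
    @($key.GetValueNames() | Where-Object { $_ -match '^\d+$' } | ForEach-Object { $key.GetValue($_) })
}

function Test-DisallowRunPolicy {
    # Reports whether the policy switch is on and which wanted names are not yet listed.
    $switch  = Get-ItemProperty -Path $PolicyKey -Name DisallowRun -ErrorAction SilentlyContinue
    $present = Get-DisallowRunEntries
    [pscustomobject]@{
        Enabled = ($null -ne $switch -and $switch.DisallowRun -eq 1)
        Listed  = $present
        Missing = @($WantedBlocked | Where-Object { $present -notcontains $_ })
    }
}

function Add-DisallowRunEntry {
    param([Parameter(Mandatory)][string]$ExeName)
    # Idempotent: skip names already present, otherwise take the next free numeric value name.
    if ((Get-DisallowRunEntries) -contains $ExeName) { return }
    if (-not (Test-Path $ListKey)) { New-Item -Path $ListKey -Force | Out-Null }
    $used = @((Get-Item $ListKey).GetValueNames() | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ })
    $next = if ($used.Count -gt 0) { ($used | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    New-ItemProperty -Path $ListKey -Name "$next" -Value $ExeName -PropertyType String -Force | Out-Null
}

# Report first, then enable the switch and fill the gaps.
$report = Test-DisallowRunPolicy
$report | Format-List
if (-not $report.Enabled) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name DisallowRun -Value 1 -Type DWord
}
foreach ($exe in $report.Missing) { Add-DisallowRunEntry -ExeName $exe }
```

DisallowRun is enforced by Explorer for shell launches under that user account, so it complements rather than replaces the application-control tools discussed above.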