Topic: can be executed: alert

shmu26

can be executed: alert
« on: January 06, 2017, 11:56:50 am »
Trying to understand how this setting works.
If I search in Windows Explorer for a process that has this setting, and I click on it to run it, it will start up without triggering an alert.
Why is that?

aDVll

Re: can be executed: alert
« Reply #1 on: January 06, 2017, 12:15:47 pm »
Trying to understand how this setting works.
If I search in Windows Explorer for a process that has this setting, and I click on it to run it, it will start up without triggering an alert.
Why is that?
It's signed and in trusted vendors? It's launched by a safe application set to just allow child?

Show me the logs of when it happens and I will tell you.

shmu26

Re: can be executed: alert
« Reply #2 on: January 06, 2017, 12:31:07 pm »
I attached screenshots.

aDVll

Re: can be executed: alert
« Reply #3 on: January 06, 2017, 12:47:23 pm »
Explorer is set to inspect, so it launches powershell because you use standard mode and Microsoft is in the trusted vendor list. So it doesn't ask and allows it.

If you want to block powershell completely for some reason, use block instead of alert, because removing MS from the trusted vendor list is a bad idea. Too many alerts.
« Last Edit: January 06, 2017, 01:07:44 pm by aDVll »

fixer

Re: can be executed: alert
« Reply #4 on: January 06, 2017, 03:06:47 pm »
Thanks for the report. Now that I think about it, it doesn't seem right. If an explicit Alert is desired, it should show an alert, even if the file is in trusted signers. We'll change this behavior; added to the TODO list.

removing MS from the trusted vendor list is a bad idea. Too many alerts.
It gives alerts for programs absent from RulesPack. Can you give a list of these programs so we could add them to RulesPack?
« Last Edit: January 06, 2017, 03:08:23 pm by fixer »

aDVll

Re: can be executed: alert
« Reply #5 on: January 06, 2017, 03:15:28 pm »
Thanks for the report. Now that I think about it, it doesn't seem right. If an explicit Alert is desired, it should show an alert, even if the file is in trusted signers. We'll change this behavior; added to the TODO list.

removing MS from the trusted vendor list is a bad idea. Too many alerts.
It gives alerts for programs absent from RulesPack. Can you give a list of these programs so we could add them to RulesPack?
It's mostly their store programs that change version often. I would report all, but first, not all use them (I do because they run in AppContainer) and second, they change all the time. I can list all if you wish, but I was waiting until you add folder and wildcard support to fix it that way.
« Last Edit: January 06, 2017, 03:19:57 pm by aDVll »

shmu26

Re: can be executed: alert
« Reply #6 on: January 06, 2017, 03:29:08 pm »
Thanks to both of you.


shmu26

Re: can be executed: alert
« Reply #7 on: January 07, 2017, 07:58:44 pm »
Okay, so here's an idea for the devs, based on what I was trying to do here:
ReHIPS will detect when the user disables isolation for a key app, and will activate a vulnerable processes list, along the lines of NVT ERP.
This will make ReHIPS much more flexible for a wide base of users, some of whom will inevitably want to disable isolation for certain apps.

aDVll

Re: can be executed: alert
« Reply #8 on: January 07, 2017, 08:52:13 pm »
Okay, so here's an idea for the devs, based on what I was trying to do here:
ReHIPS will detect when the user disables isolation for a key app, and will activate a vulnerable processes list, along the lines of NVT ERP.
This will make ReHIPS much more flexible for a wide base of users, some of whom will inevitably want to disable isolation for certain apps.
It already does though, buddy. You set it to inspect or alert, and with the change Fixer mentioned above you can actually easily have a vulnerable process list as you wish. There is zero reason to have an extra tab for them, and ReHIPS already has pretty secure rules for them.
I might be missing what you want.

shmu26

Re: can be executed: alert
« Reply #9 on: January 07, 2017, 09:17:16 pm »
fixer's proposed change is great.
The idea here is to take the work out of it, for intermediate users who disable isolation on some apps. ReHIPS could build them a nice vulnerable processes list, to trigger execution alerts for whatever they need to keep themselves safe. The pros on the ReHIPS team know what processes need to be alerted on when you don't have isolation.
Just an idea, take it or leave it...

aDVll

Re: can be executed: alert
« Reply #10 on: January 07, 2017, 10:59:06 pm »
fixer's proposed change is great.
The idea here is to take the work out of it, for intermediate users who disable isolation on some apps. ReHIPS could build them a nice vulnerable processes list, to trigger execution alerts for whatever they need to keep themselves safe. The pros on the ReHIPS team know what processes need to be alerted on when you don't have isolation.
Just an idea, take it or leave it...
I see what you are saying, but it does do that already. The point is not to block the execution of vulnerable processes but to block them executing something else. The dev team, I believe, did a good job of setting all of those to inspect so you get a notification.
Let's say potato.exe is a malware downloader and I allow it to run powershell. Good, it runs it, and when it tries to execute the actual malware I get an alert, because powershell is on inspect by default.

Don't get me wrong, I am trying to understand what you mean. You want to also block the execution of powershell in my example when I change one isolated application to allow?

shmu26

Re: can be executed: alert
« Reply #11 on: January 07, 2017, 11:11:05 pm »
I want it not to block powershell, but to alert upon execution.
Why? Because maybe powershell -- or another process -- will be abused by an exploit to make certain system changes such as modifying the registry, or loading DLLs, or disabling all security softs from startup. These are changes that, as far as I understand, do not necessarily require executing a second process, so they won't be blocked or alerted on, as things stand now.
Once you take away the isolation, you become vulnerable to this kind of thing.
Please correct me if I am out to lunch on this issue.

aDVll

Re: can be executed: alert
« Reply #12 on: January 07, 2017, 11:14:37 pm »
I want it not to block powershell, but to alert upon execution.
Why? Because maybe powershell -- or another process -- will be abused by an exploit to make certain system changes such as modifying the registry, or loading DLLs, or disabling all security softs from startup. These are changes that, as far as I understand, do not necessarily require executing a second process, so they won't be blocked or alerted on, as things stand now.
Once you take away the isolation, you become vulnerable to this kind of thing.
Please correct me if I am out to lunch on this issue.
Powershell and things like that need to execute something to do harm. Them just running doesn't do anything; it's just like you ran it manually. When they try to execute something, you will get an alert by default.
« Last Edit: January 07, 2017, 11:19:15 pm by aDVll »

shmu26

Re: can be executed: alert
« Reply #13 on: January 07, 2017, 11:32:48 pm »
Okay, but powershell at its present settings will just inspect children. So if a valid Windows process is invoked by the command line, it will run.

aDVll

Re: can be executed: alert
« Reply #14 on: January 07, 2017, 11:37:50 pm »
Okay, but powershell at its present settings will just inspect children. So if a valid Windows process is invoked by the command line, it will run.
Cool, the valid Windows process runs. Then?
No Windows process does anything malicious without executing something not from Windows and not whitelisted.

The reason NVT and programs like that have a vulnerable processes list is that the only way for them to control issues is by stopping the first execution, because they just allow or block. ReHIPS has an alert mode and an inspect mode, which fills that role, giving you more granular control.
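To make the two launch chains argued over in this thread concrete (shmu26's Explorer-to-powershell case and aDVll's potato.exe example), here is an added model; it is not ReHIPS code, and the rule semantics, the sample program names and the explicit_alert_wins switch (standing in for fixer's proposed change) are assumptions reconstructed from the posts.

```python
"""Toy model of the execution-control decisions discussed in this thread.

Added illustration, not ReHIPS code. The semantics are an assumption
reconstructed from the posts: each program has a mode for how its children
are treated (allow / inspect / block), its own "can be executed" setting
(allow / alert / block) and a trusted-vendor flag; fixer's proposed change
(an explicit Alert fires even for trusted signers) is the explicit_alert_wins
switch.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    name: str
    child_mode: str       # how this program's children are treated: allow | inspect | block
    can_execute: str      # the program's own "can be executed" setting: allow | alert | block
    trusted_vendor: bool  # signed by a vendor on the trusted list (e.g. Microsoft)


def decide(parent: Program, child: Program, explicit_alert_wins: bool) -> str:
    """Decision for `parent` launching `child`: 'allow', 'alert' or 'block'."""
    if child.can_execute == "block":
        return "block"                    # an explicit block always wins
    if child.can_execute == "alert" and explicit_alert_wins:
        return "alert"                    # proposed fix: explicit Alert beats trusted signer
    if parent.child_mode == "allow":
        return "allow"                    # isolation disabled / "just allow child"
    if parent.child_mode == "block":
        return "block"
    # parent on inspect: trusted-vendor children run silently, anything else alerts
    return "allow" if child.trusted_vendor else "alert"


def walk_chain(chain, explicit_alert_wins=False):
    """Evaluate every parent->child hop of a launch chain, in order."""
    return [(p.name, c.name, decide(p, c, explicit_alert_wins))
            for p, c in zip(chain, chain[1:])]


# Constructed sample programs matching the two scenarios in the thread.
EXPLORER = Program("explorer.exe", "inspect", "allow", True)
POWERSHELL = Program("powershell.exe", "inspect", "alert", True)   # "can be executed: alert"
POTATO = Program("potato.exe", "allow", "allow", False)            # downloader the user allowed
PAYLOAD = Program("payload.exe", "inspect", "allow", False)        # unsigned, not in RulesPack

if __name__ == "__main__":
    for fixed in (False, True):
        print("explicit alert wins" if fixed else "current behaviour")
        print(" ", walk_chain([EXPLORER, POWERSHELL], fixed))        # shmu26's report
        print(" ", walk_chain([POTATO, POWERSHELL, PAYLOAD], fixed))  # aDVll's example
```

Before the change, the first hop of both chains is silently allowed and only the hop that launches an untrusted binary alerts; with explicit_alert_wins the powershell hop alerts as well.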