New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    No...this Wilders Thread is for ERP .... I posted what I would do. Again, not in the know re influence Quietzone. I missed that you felt Quietzone as causal in your original post. I noted you pulled v3.0. I note v3.1 is improved. Hopefully, others more in the know re Quietzone. I'll close with ERP cleanly installs/integrates OS.
    NVT ERP developer is active here...
     
    Last edited: May 16, 2015
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I am using beta version v3.1.0.0 BUILD1-15052015.

    I have just made $20 donation.

    If I do 'check for update', a panel shows there is newer version (is there a newer beta?) but if I click on link it does not open on my system ...

    Where can I get latest (beta) version on the NVT site?

    Maybe it would have been better if I had purchased license for stable version at this point, rather than donate for beta version?

    Edit: My question answered:

    Thanks a lot for your donation, much appreciated.

    The latest (stable) beta version can be downloaded from this link:
    https://www.wilderssecurity.com/thre...ks-exe-radar-pro.300552/page-185#post-2490985

    Since it is a beta build, you should disable the option on "Settings" -> "Notify me when a new version is available" and you should not check for updates as it checks only stable version, that is at version 3.0 (older).

    Very soon we will release officially the new stable version v3.1.

    We only miss two features to add.

    Regards,
    Andreas
     
    Last edited: May 22, 2015
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    @novirusthanks

    On my system, ERP's process monitor can not list sppsvc.exe (Microsoft Software Protection Platform Service). The process is visible with Process Explorer and System Explorer. Other requests: give an option to sort "Vulnerable Processes" and "Command Lines". And please try to get rid of the ugly focus rectangle.
     
  5. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    Issue : Exe Radar Pro, doesn't appear anymore on the system tray when it starts automatically. How to fix it ?
     
  6. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    I have been running a snapshot that has Online Armor installed, together with ERP.

    However, I launched Maxthon browser portable version from a USB stick a little while ago, and have had no end of problems getting it to run, when previously there had been no problem running with ERP.

    Anyway, I have shut down ERP, and am just relying on OA for protection, so I can continue to run Maxthon portable.

    Looking at the logs in ERP is confusing to say the least.
     
  7. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I have a portable apps folder and I have it whitelisted in ERP, but when I launch IObit uninstaller I still get 3 alerts (2 when opening and 1 when closing) and I have the command-lines whitelisted but they still keep alerting me every time I open IObit. Is there a way to stop the alerts by tweaking the command-lines?
    opening
    "C:\Windows\System32\cmd.exe" /c Schtasks /run /tn "Uninstaller_SkipUac_Family"

    "C:\Windows\System32\cmd.exe" /c WMIC QFE GET /format:list >"C:\Users\Family\AppData\Local\Temp\IObitUninstallerPortableTemp\hotfix.ini"
    closing
    "C:\Users\Family\AppData\Local\Temp\nsfBE77.tmp\ns7680.tmp" "schtasks.exe" /delete /tn Uninstaller_SkipUac_Administrator /f
     
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Um, I have C:\Users\user\AppData\Local\Google\Chrome\User Data\SwReporter\3.20.1\software_reporter_tool.exe in Blacklist.
    Filename: software_reporter_tool.exe just ran as detected by Norton.
    Version 3.21.0.0 Identified 5/31/2015 at 7:52:52 PM
    MD5 that just ran is C4EF32C1C0473392EF4204890AF8E457
    I have 9 Events with same MD5 same timestamp within second.

    MD5 already in Blacklist is EB81815F1628247337DCF5C44A137366

    As a bunch of new SwReporter are already in Whitelist. I cannot Blacklist.
    Process = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Command-Line = is huge.

    How do I identify and Block new SwReporter to ERP.
    ERP did not Alert
    I'm Sandboxed. But have Full File Access to ERP

    Update: Now ERP is showing a bunch+++ more with same MD5. Different PID's.
    How do I Blacklist...?

    Update: software_reporter_tool.exe ran again. Norton Download Insight flags the event.
    Any way to make ERP see the event (again)..? I was able to Blacklist once 15/05/2015
    ERP build 15052015
     
    Last edited: Jun 3, 2015
  9. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Salutations,

    Is ERP ready for Windows 10 coming up shortly? If need not? could you give a time frame?:thumb:
    For Windows 10? Many thanks!:isay:
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Only issue on 10 I've seen is the activation window comes up. I just click cancel and all is well.
     
  11. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Salutations,

    @Peter2150, Appreciate your insight and thank you for the information.



     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Update to #4636
    SwReporter wanted to run again. ERP prompted. I Blacklisted. The MD5 is different each call.
    I don't know if SwReporter runs on a schedule or trigger. Chrome dialog asked if I wanted to run. "If you're having Chrome problems run SwReporter". No thanks. In theory. I think SwReporter is looking for conflicts. I think SwReporter calls home. Since the MD5 changes each run. ERP will catch it..? Or, I'll have to catch Chrome dialog window. Norton logs the event. I may have missed toast flyout. Focused on ERP window. ERP logs at least a dozen Events. Same MD5 different PID.
     
  13. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi All

    New to No VirusThanks. On Win 7 SP1 64 Bit.

    When I boot Windows (With NoVirusThanks permanently in LockDown Mode) NVT EXE blocks rundll32.exe even though I white listed it. When I try to whitelist it again it says it is already whitelisted.

    The process and Cmd Line are shown below:

    C:\Windows\System32\rundll32.exe

    "C:\Windows\System32\rundll32.exe" C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart

    Question, why is something that is whitelisted being blocked (as shown in Red on the events tab) and what is shadowPlayOnSystemStart?

    How do I stop it being blocked?

    Thanks

    Terry
     
  14. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    Andreas the developer hasn't been seen for around 3 weeks.
    Anyone know if he is still active :doubt:
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am sure he is.
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Please see http://novirusthanks.org/help-files/exe-radar-pro/#vulnerable-processes Hope helps.
    When a process that is listed in the "Vulnerable Processes" is executed, and if the commandline string is not whitelisted, NoVirusThanks EXE Radar Pro will generate an alert so you can allow or block the execution of the process, even if you have the process present in the whitelist.
    http://www.shouldiblockit.com/nvspcap64.dll-50194.aspx

    IMO FWIW ~ Alert Mode is just as safe as Lockdown. Lockdown offers less Alerts. Thereby IMO less information. Once ERP is trained. ERP is quiet. So, I prefer Alert. Or, Lockdown > Ask user what to do. Maybe you're at Lockdown > Block Process Execution
     
    Last edited: Jun 7, 2015
  17. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi BJM

    Thank you, an excellent reply. The link was very helpful as well.

    Terry
     
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Hello,
    Since, recent Norton update. ERP prompts with numeric string. Only string goes to Command-Lines. How to wildcard..?
    ODD NORTON ERP.png ODD NORTON ERP 2.PNG ODD NORTON ERP 3.PNG ODD NORTON ERP 4.PNG
     
  19. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Has anyone heard from Andreas?
     
  20. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Nope. Maybe he's on vacation....
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @siketa

    Not yet in vacation, just very busy with an external errand :)

    @boredog

    I will try to install Quietzone and ERP to see if there is any conflict.

    @Rasheed187

    When Install Mode is activated for a parent process, all processes started by that process (including sub-processes) are auto-allowed.

    If you get an alert about a vulnerable process it should mean the vuln process was not started by a parent process related to the main parent process present in the Install Mode.

    Do you have any example or software I can download to reproduce the issue ?

    @bjm_

    To stop SwReporter you should run ERP in Lockdown Mode so that only whitelisted processes/cmdlines are allowed.

    As of now there is no option to blacklist a process by commandline or path.

    @bjm_

    You should whitelist the Norton's process, that is best way.

    @Overkill

    About these commandline strings:

    What is the parent process ?
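
A simplified model of the rules described in the replies above (the help-file rule on "Vulnerable Processes", Install Mode, Lockdown Mode, and blacklisting by MD5), added here as an example and not ERP's own code. The rule order, the `Policy` and `decide` names, and the assumption that Lockdown is set to block are illustrative; the paths and MD5 values are the ones quoted in the thread.

```python
# Simplified model of the rules in this thread; rule order and all names are assumptions, not ERP's code.
from dataclasses import dataclass, field

@dataclass
class Policy:
    mode: str = "alert"                                # "alert" or "lockdown"
    whitelist: set = field(default_factory=set)        # lower-case process paths
    cmd_whitelist: set = field(default_factory=set)    # exact command-line strings
    md5_blacklist: set = field(default_factory=set)    # upper-case MD5 hex
    vulnerable: set = field(default_factory=set)       # "Vulnerable Processes"
    install_parents: set = field(default_factory=set)  # Install Mode parents

def decide(p, path, cmdline, md5="", ancestors=()):
    """Return 'allow', 'alert' or 'block' for one process start."""
    path = path.lower()
    if md5.upper() in p.md5_blacklist:
        return "block"
    # Install Mode: everything started below the chosen parent is auto-allowed.
    if any(a.lower() in p.install_parents for a in ancestors):
        return "allow"
    unknown = "block" if p.mode == "lockdown" else "alert"
    if path not in p.whitelist:
        return unknown
    # A whitelisted vulnerable process still needs a whitelisted command line.
    if path in p.vulnerable and cmdline not in p.cmd_whitelist:
        return unknown
    return "allow"

RUNDLL = r"C:\Windows\System32\rundll32.exe"
RUNDLL_CMD = '"' + RUNDLL + '" ' + r"C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart"
SWREP = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\SwReporter\3.20.1\software_reporter_tool.exe"
OLD_MD5, NEW_MD5 = "EB81815F1628247337DCF5C44A137366", "C4EF32C1C0473392EF4204890AF8E457"

def demo():
    out = {}
    # Lockdown set to block: rundll32.exe is whitelisted, its command line is not.
    p = Policy("lockdown", whitelist={RUNDLL.lower()}, vulnerable={RUNDLL.lower()})
    out["rundll32 before"] = decide(p, RUNDLL, RUNDLL_CMD)
    p.cmd_whitelist.add(RUNDLL_CMD)
    out["rundll32 after"] = decide(p, RUNDLL, RUNDLL_CMD)
    # An MD5 blacklist entry only matches the build it was taken from.
    p = Policy("alert", md5_blacklist={OLD_MD5})
    out["swreporter old md5"] = decide(p, SWREP, "", OLD_MD5)
    out["swreporter new md5, alert"] = decide(p, SWREP, "", NEW_MD5)
    p.mode = "lockdown"
    out["swreporter new md5, lockdown"] = decide(p, SWREP, "", NEW_MD5)
    return out

if __name__ == "__main__":
    print(demo())
```

In this model a changed MD5 falls through the blacklist and is stopped only by the default for unknown processes, which is why the mode setting decides whether the new build prompts or is blocked.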
     
  22. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    parent process = C:\Portable Apps\IObitUninstallerPortable\IObitUninstallerPortable.exe
     
  23. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Guess, I forget...by thinking Alert is same as Lockdown only with more "Alerts"
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    I don't believe this is correct. You can test it with TCP Optimizer and SSD Tweaker as mentioned before. In the first screen-shot, you will see that powershell.exe is launched by TCP Optimizer, and in the second one, cmd.exe is launched by ngen.exe. However, this is a mistake from ERP, because both Process Explorer and System Explorer report that the parent process is SSD Tweaker. I want "Install Mode" to make ERP stop alerting about vulnerable processes that are launched by the parent process, without having to make permanent rules.
     


  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    @ novirusthanks

    Two requests:

    1 Is it possible to make a "terminate parent process" option, unless the parent is a system process, to avoid problems.
    2 Please give an option to sort by "folder path" instead of PID: Events tab--> Process column
     
    Last edited: Jun 27, 2015