Driver Radar Pro v1.5 (Freeware)

Discussion in 'other anti-malware software' started by novirusthanks, Apr 28, 2014.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    I uploaded a new build that can be downloaded from this link:
    http://downloads.novirusthanks.org/files/DrvRadarPro_Setup2.exe

    What's new?

    + Optimized the saving of events to the log file
    + Added option "Open Logs Folder" in the Main Menu
    + Show the name of the PC user in the Events
    + The driver file, when copied to the custom folder, is renamed to its MD5 hash value by default
    + Reorganized the Whitelist window for better usability

    One option that will be added in the next days is that by default it will save the settings not per-user but for all users.

    @bellgamin

    Really much thanks for the donation :D

    @Overkill

    Adding an alert dialog may need some more work; it may also require hooking some APIs in user-mode, which could potentially create some incompatibilities.
    However, we'll discuss it in the next weeks and then I'll report back here.
     
  2. controler

    controler Guest

    "C:\WINDOWS\system32\drivers\mbamswissarmy.sys got blocked"

    Just installed it and had the same problem. Before rebooting I clicked to add it to the white list, rebooted to the login screen, logged in and the screen went black except for the mouse arrow, which I could move around. Did a CTL-ALT-DEL and stopped the Malwarebytes driver and the screen came back, but not Malwarebytes. Rebooted and all was back working.
    I am running Win 8.1 64 bit
     
  3. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA

    Thanks Andreas for considering it.
     
  4. controler

    controler Guest

    Hello

    This morning when I woke up my computer, DRP showed its results; here is what I got.

    5/24/2014 1:29:56 PM, Blocked, Bruce, C:\Windows\system32\Drivers\iqvw64e.sys, 0x4CE7E000, 0x5D4000, Intel Corporation , Intel(R) Network Adapter Diagnostic Driver, 73A40E29F61E5D142C8F42B28A35119

    I clicked to add it to the white list and rebooted. I don't see the action in today's log file, but before any action, I did save a copy to my desktop.

    The thing that is bugging me is that even though I have not used Win 8.1 all that long, I cannot find that file.
    Also when I clicked on it in the results window to see what Virus Total had to say, Virus Total showed results for a different named file that was from a temp folder.

    Any ideas?
     
  5. controler

    controler Guest

    OK, I was able to find it in my C: program files/MyDell folder. Is it called to the sys32 folder at some point?

    It belongs to Dell's My PC Check program, PC Doctor.
     
  6. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @controler

    Yes, that is possible. Some programs may drop the driver file in C:\WINDOWS\system32\drivers\ and then when it is loaded, they delete the file.

    However, DRP can save a copy of the to-be-loaded driver file in a custom folder for further analysis:
    http://postimg.org/image/t4yb6chip/

    In your case I believe it is the legit file associated with PC Doctor; more information can be found here:
    http://systemexplorer.net/file-database/file/iqvw64e-sys

    Have you solved the issue with the MBAM driver by adding it to the whitelist?
     
  7. controler

    controler Guest

    Yes I did add the MBAM driver to white list and all is well. I did know the sys file was safe but isn't that tactic of copying the driver to sys 32 then deleting it something malware can do to become undetected? And so my question is when they do that is it just being loaded into memory and used there?
     
  8. Enternal

    Enternal Registered Member

    Joined:
    Apr 21, 2009
    Posts:
    47
    @controler
    Yeah, I had a similar issue and as a result, for whitelisting, I had Driver Radar scan system32 like the recommended settings, but I also had it scan Program Files just in case. The reason is that there are programs that don't drop their drivers anyway but start them directly from their own folders. I ran into a couple of problems with Malwarebytes Anti-Exploit not working until I whitelisted stuff from Program Files.
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @controler

    As @Enternal said, it is normal that some legitimate programs do not copy the driver file to the folder C:\WINDOWS\system32\drivers\ but instead load the driver file from the same folder where the main executable file is located, or from the temporary folder. The fact that they may delete the driver file after it has been loaded is not a malicious behaviour; many security programs are known to do this for various security reasons.

    I found the recommendation of @Enternal useful and I added two more options in the Configuration Wizard (enabled by default with Recommended Settings):
    http://postimg.org/image/an7p9wnzh/
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Are we getting the password protection in this version? Thanks
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Last edited: May 26, 2014
  12. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Thanks!
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  14. controler

    controler Guest

    Was just wondering if, in the disable mode, instead of it reading "enable for x min" it would be better to read "disable for x min", and maybe even color it red or something.
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @controler

    Sure, here you go:

    I uploaded a new build that can be downloaded from this link:
    http://downloads.novirusthanks.org/files/DrvRadarPro_Setup2.exe

    I fixed one issue when scanning for .sys files in 32-bit OS and I changed the text "Disabled Mode" to "Disable Protection", and other small optimizations:
    http://postimg.org/image/e2930hbgt/

    I also updated the log format to:

    [Date/Time: 26/05/2014 18:30:59] [Action: Allowed] [PC User: root] [Driver: C:\WINDOWS\System32\drivers\nvterp.sys] [Image Base: 0x821B000] [Image Size: 0x217000] [Publisher: NoVirusThanks Company Srl] [Description: NoVirusThanks EXE Radar Pro KDriver] [MD5: 12312312312312312312312312312312]
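    A small parser for the updated log format above, with the load-path triage the thread arrives at in posts 8 and 9 (system32\drivers vs. a program's own folder vs. a temp folder). This is an added example, not DRP's own code: the third sample line and the MyDell path are constructed, and the "needs review" rule is my own choice.

```python
import re
FIELD_RE = re.compile(r"\[([^:\]]+):\s*([^\]]*)\]")   # one "[Key: Value]" field
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def parse_event(line: str) -> dict:
    """Split one DRP 1.5 log line into its fields; Image Base/Size are hex."""
    f = {k.strip(): v.strip() for k, v in FIELD_RE.findall(line)}
    f["Image Base"] = int(f["Image Base"], 16)
    f["Image Size"] = int(f["Image Size"], 16)
    f["MD5"] = f["MD5"].lower()
    return f

def classify_path(path: str) -> str:
    """Bucket the load path as the thread does: system drivers folder,
    a program's own folder, a temp folder, or somewhere else."""
    p = path.lower()
    if "\\windows\\system32\\drivers\\" in p:
        return "system32-drivers"
    if "\\program files" in p:            # also matches "Program Files (x86)"
        return "program-files"
    if "\\temp\\" in p or "\\tmp\\" in p:
        return "temp"
    return "other"

def triage(lines):
    """Return (driver, action, location, needs_review) per event: loads from a temp or
    unexpected folder, or with a malformed MD5, are flagged; Program Files is normal."""
    rows = []
    for line in lines:
        ev = parse_event(line)
        loc = classify_path(ev["Driver"])
        flag = loc in ("temp", "other") or not MD5_RE.match(ev["MD5"])
        rows.append((ev["Driver"], ev["Action"], loc, flag))
    return rows

# Constructed sample: line 1 is the format example from the post above; line 2 reuses
# the Intel/PC Doctor driver details from controler's posts (the MD5 as pasted there has
# only 31 hex digits, so it gets flagged; the MyDell path is a guess); line 3 is made up.
SAMPLE_LOG = [
    "[Date/Time: 26/05/2014 18:30:59] [Action: Allowed] [PC User: root] [Driver: C:\\WINDOWS"
    "\\System32\\drivers\\nvterp.sys] [Image Base: 0x821B000] [Image Size: 0x217000] [Publisher: "
    "NoVirusThanks Company Srl] [Description: NoVirusThanks EXE Radar Pro KDriver] [MD5: 12312312312312312312312312312312]",
    "[Date/Time: 26/05/2014 18:31:10] [Action: Allowed] [PC User: root] [Driver: C:\\Program "
    "Files\\MyDell\\iqvw64e.sys] [Image Base: 0x4CE7E000] [Image Size: 0x5D4000] [Publisher: Intel "
    "Corporation] [Description: Intel(R) Network Adapter Diagnostic Driver] [MD5: 73A40E29F61E5D142C8F42B28A35119]",
    "[Date/Time: 26/05/2014 18:32:02] [Action: Blocked] [PC User: root] [Driver: C:\\Users\\root"
    "\\AppData\\Local\\Temp\\drop.sys] [Image Base: 0x9000000] [Image Size: 0x10000] [Publisher: ] "
    "[Description: ] [MD5: 00000000000000000000000000000000]",
]
```

Running `triage(SAMPLE_LOG)` flags the second and third events and leaves the system32 load alone; empty fields such as `[Publisher: ]` parse as empty strings rather than breaking the line.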
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Whoo boy! Fast, fine, functional, foremost, fantastic job NVT!!! :thumb: :thumb: :thumb: :-*
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
  18. Nice add-on for XP users. Will version 1.5 facilitate ASLR?
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  20. controler

    controler Guest

    LOOKS PRETTY DAMN GOOD :thumb:
     
  21. controler

    controler Guest

    This evening when I came home and brought my computer out of sleepytime mode, about 5 min into my session my computer crashed. It listed the driver before reboot as drvradar.sys.
     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @controler

    Can you send me the crash dump file?

    It should be located in the c:\windows\minidump\ folder and/or in the file c:\windows\memory.dmp.
     
  23. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Can you get rid of the social buttons on the header?
     
  24. controler

    controler Guest

    I sent two dumps from yesterday to support@novirusthanks.org.

    I also sent them to Malwarebytes since its protection stopped working right after the crash.
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy