New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. guest

    guest Guest

    I have both installed, no conflicts. What is your SD & ERP version, which OS, and are the SD processes whitelisted in ERP?
     
  2. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    With all due respect all the information is already supplied in my previous posts and my signature, except perhaps for the SD processes, with only one listed, namely 'DefenderDaemon.exe'.
     
    Last edited: Jul 29, 2014
  3. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    Well, the problem mentioned above just stopped happening... I don't understand... I mean it's okay, by all means, but I don't like erratic behaviour, particularly with security programs. At this stage time will tell...
     
  4. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Which setting do you guys use?

     
  5. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    "Allow processes signed only by Trusted Vendors"
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I don't use trusted vendors. I want to make the decisions on my machines so I use the first option.
     
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    I have uploaded a new beta build of ERP, the download link is this:
    http://downloads.novirusthanks.org/files/EXERadar_Pro_x86_x64_v3.1_20042014_BUILD1_30072014_v10.exe

    To update, follow these steps:

    1) Make a backup (export) of your current settings/lists
    2) Close EXERadar (if it is running)
    3) Uninstall EXERadar (you can keep your current settings)
    4) Reboot the PC (needed)
    5) Install the new build

    This new build fixes various issues reported by @busy (such as when editing command-lines, file locations and the saving of new vulnerable processes) and other small optimizations/fixes.
    It integrates a protection against process termination, so Task Manager and other applications cannot terminate EXERadar.exe and ERPSvc.exe processes.
    The process protection works in all OSs, from XP to 8.1 32/64-bit.

    Post here if you find any issues with this new build.

    @Overkill

    I have it set to "Do not allow signed processes".

    @act8192

    Not at the moment; it may be a good idea to allow the user to also specify processes and command-line strings allowed to execute for each whitelisted parent process.
    Not sure if it would overload ERP, as you can always whitelist the processes. What do you guys think about this?

    It doesn't matter, I think; you may install ERP first and then Outpost, probably. What is important is that you then configure both of them to exclude each other from being monitored.

    Yes, you may use the firewall component and disable the other component if it does the exact same thing as ERP's features.

    @TyRidian

    In addition to @busy's and @guest's recommendations, I recommended to @Osaban to also exclude in SD the ERP driver file, which is located here:
    C:\WINDOWS\system32\drivers\nvterp.sys

    It may solve the issues related to the "Failed to retrieve the driver handle".

    @bellgamin @Overkill

    I still have your two issues left to reproduce; I will have more time for this in the coming days for sure.
     
  8. Enternal

    Enternal Registered Member

    Joined:
    Apr 21, 2009
    Posts:
    47
    Thanks for the new version! That reminds me, there is something funky going on with Chrome and I tend to get funky garbled characters under the Parent column when using it. It only happens with Chrome and I have already tried resetting EXE Radar and tried on another system with the same results. I will get a more detailed explanation about that with pictures once I get home.
     
  9. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    @novirusthanks, Thanks for responding to our queries.
    Re: can ERP set specific Parent-child allows:
    Could be done from alert, right?
    I'm no expert in these things. Just inquiring what's possible.
    On XP, System Safety Monitor (SSM) does watch parent-child very carefully with no performance hit at all. Also includes command strings.
    Sunbelt firewall also can do it, though not to the great detail SSM can, also no issues.
    How this feature would (or not) work on Windows 7, no idea. But it would be very useful, as it is on XP.
    Think browsers. I only permit one parent - explorer.exe. Not excel, word, outlook, pdf readers, trojans, nothing.
    Or firewall setup, regedit, regsvr32, many more - limiting who can run those sensitive programs works without a hitch.
     
  10. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    413
    @novirusthanks

    I followed the instructions to update ERP but the PC froze after logon; I had to reset and roll back to the previous snapshot (RollBack Rx).

    COMODO Internet Security Premium 7.0.317799.4142 (Proactive Security, HIPS enabled)
    AppGuard 4.1.44.1 (Beta)
    Sandboxie 4.13.1 (Beta)
    RollBack Rx 10.2 269483149
    Windows 7 Ultimate SP1 (up to date) 64 bit

    Edit: it's definitely incompatibility between CIS and new ERP. Tried without CIS and no problem after logon.

    @Enternal

    Same here

    http://s4.postimg.org/nzo0ekvxp/nvterp3692.png
     
    Last edited: Aug 1, 2014
  11. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    @novirusthanks

    Incompatibility with ERP v3.1.0.0 BUILD1-30072014 and EMET 5.0 Final

    PC Freezes when newest ERP v3.1.0.0 BUILD1-30072014 is installed next to the newest version of EMET 5.0 Final (With EMET protections for ERP processes enabled)

    Here is what I experienced

    1. Current versions of ERP and EMET are installed next to one another, EMET is under Maximum security settings with EAF and Caller unchecked for ERP Processes.

    2. I restart my machine

    3. PC Boots up and loads all processes

    4. Double click on the ERP tray icon and the program appears to be in a frozen state, including when trying to click on anything else on the PC.

    5. Restart the PC as many times as you want, same results

    Now, if I remove ERP processes from EMET, ERP operates just fine (Of course after system restart)

    Now for a question:

    Since you implemented process protection, does this mean that ERP is not needed under EMET protection anymore?

    Could this be why I experienced the above issues?
     
    Last edited: Aug 1, 2014
  12. guest

    guest Guest

    Where is my lock icon!!!! :D

    More seriously, installed, all went fine at the moment.
     
  13. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
    Does anyone have a problem with automatic deletion of sandboxes after upgrading to the latest NVTERP build? Using Sandboxie v4.13.1 Beta on Windows 7 Ultimate 64-bit.
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Enternal

    Have you followed these steps?

    3) Uninstall EXERadar (you can keep your current settings)
    4) Reboot the PC (needed)
    5) Install the new build

    @TyRidian @busy

    I installed EMET + CIS in a VM and I configured them to work together (no freezes or similar):
    http://postimg.org/image/h4yo8g4hh/

    I excluded all .exe and .dll files in the CIS Behavior Blocker:
    http://postimg.org/image/9qj220nkz/

    I would recommend to also add the kernel-mode driver located here:
    C:\WINDOWS\system32\drivers\nvterp.sys

    I configured EMET this way:
    http://postimg.org/image/u75j6pydr/

    Then I rebooted the VM and I noticed no conflicts or freezing issues; I will keep the VM running for a few days to see if the OS continues to be stable.

    Let me know if you can try to configure CIS and EMET the same way and if it works for you too.

    Another general rule for using ERP with other HIPS/AVs/FWs is to add to the exclusions list of HIPS/BB all the .exe and .dll files located here:
    C:\Program Files\NoVirusThanks\EXE Radar Pro\

    Plus the kernel-mode driver:
    C:\WINDOWS\system32\drivers\nvterp.sys

    *Note that in this new build there are two new .dll files used by ERP:
    C:\Program Files\NoVirusThanks\EXE Radar Pro\erpmodule.dll
    C:\Program Files\NoVirusThanks\EXE Radar Pro\erpmodule32.dll

    They should be added in the exclusions list.

    @WSFfan

    What problems do you get?

    Let me know if you get the alert; in that case paste here the command-line string so we can help you to update the whitelisted command-line string using a wildcard.

    @act8192

    I think you can achieve the same with the "Lockdown Mode":
    Every unknown (not present in the whitelists) process that tries to run is blocked by default.
    If IEXPLORE.EXE spawns a new and unknown process, it is blocked.
    If IEXPLORE.EXE tries to load a DLL file via rundll32.exe and the command-line string is not whitelisted, it is blocked.
    If IEXPLORE.EXE tries to execute a new process via cmd.exe and the command-line string is not whitelisted, it is blocked.
    If IEXPLORE.EXE tries to register a DLL file via regsvr32.exe and the command-line string is not whitelisted, it is blocked.

    Let me know if this is what you needed.
     
    Last edited: Aug 1, 2014
  15. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    By looking at your screenshot, I noticed that you were using "Recommended security settings" as I was using "Maximum security settings"

    So, I changed to Recommended security settings to see if that would work... and it did not.

    I tried everything that was shown in your configuration.

    I was thinking why it would work for you and not for me, so the only thing I am wondering is...

    Since both ERP and EMET have changed/been tweaked with, could it be a Windows 8.1 thing?

    I mean, what is strange to me is that EMET 5.0 Technical Preview 3 and EXE Radar Pro (before newest changes were made) worked just fine under Windows 8.1, but now it does not.

    Which makes me believe that there is an incompatibility with the two, while under Windows 8.1.
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Sure that is possible, I will install both (with EMET set to "Maximum security settings") in a VM with Windows 8.1 and I will let you know the results :)
     
  17. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
    Uninstalled the previous Beta build, deleted the config settings, rebooted, then installed the latest beta. Applied recommended settings. NVTERP is in alert mode now.

    Removed all items in Safe Applications, then whitelisted the Program Files, Program Files (x86) and Windows folders on the 'C' partition

    Unchecked Allow all software from Program files folder in Settings>General

    Unchecked Don't check if a process is signed(save bandwidth)

    Checked all the options in External Devices

    Enabled Password for protecting the closing the application and disabling of protection

    Enabled Play the system beep sound

    Header color -Emerald

    I run Firefox or IE sandboxed, but the sandbox doesn't get deleted automatically. Please note that I have checked "Automatically delete contents of sandbox" in Sandboxie.

    Then I delete the contents by right-clicking "Delete Contents" in the Sandboxie tray icon.

    Exit NVTERP, then run the sandboxed application: now the sandbox contents are deleted automatically. After that I re-enable NVTERP, and the sandbox doesn't get deleted automatically again.

    Please note the command-line string for Sandbox automatic deletion is present in NVTERP:
    C:\Windows\system32\cmd.exe /c rmdir /s /q "?:\*\__Delete_*" is there in Whitelist > Command-Lines.

    OS-Windows 7 Ultimate 64 bit
    Sandboxie-v4.13.1 beta
    NVTERP-latest beta build
     
    Last edited: Aug 1, 2014
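The Lockdown Mode rules novirusthanks describes above (unknown processes blocked; cmd.exe, rundll32.exe and regsvr32.exe blocked unless their command line is whitelisted) and the wildcard command-line entry WSFfan quotes can be modelled with a small matcher. This is an added illustration, not ERP's own code: the wildcard semantics ('*' any run of characters, '?' exactly one, case-insensitive) and the set of hosts whose command line is checked are assumptions, and the sample whitelist is constructed.

```python
import re
from dataclasses import dataclass, field

# Hosts whose command line is checked (examples from the thread; the exact
# set ERP treats as "vulnerable processes" is an assumption here).
CHECKED_HOSTS = {"cmd.exe", "rundll32.exe", "regsvr32.exe"}


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """'*' matches any run of characters, '?' exactly one; everything else,
    backslashes and quotes included, is literal. Anchored, case-insensitive."""
    pieces = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE | re.DOTALL)


@dataclass
class Whitelist:
    processes: set          # full image paths allowed to run
    command_lines: list     # wildcard patterns for checked hosts
    _compiled: list = field(init=False, repr=False)

    def __post_init__(self):
        self.processes = {p.lower() for p in self.processes}
        self._compiled = [wildcard_to_regex(p) for p in self.command_lines]

    def cmdline_allowed(self, cmdline: str) -> bool:
        return any(rx.match(cmdline) for rx in self._compiled)


def decide(image: str, cmdline: str, wl: Whitelist) -> str:
    """Lockdown Mode model: whatever no whitelist covers is blocked.
    A checked host runs only if its whole command line matches a pattern;
    any other process runs only if its image path is whitelisted."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name in CHECKED_HOSTS:
        return "allow" if wl.cmdline_allowed(cmdline) else "block"
    return "allow" if image.lower() in wl.processes else "block"


# Constructed sample whitelist; the cmd.exe pattern is the Sandboxie cleanup
# entry quoted in the thread.
WL = Whitelist(
    processes={r"C:\Program Files\Internet Explorer\iexplore.exe"},
    command_lines=[r'C:\Windows\system32\cmd.exe /c rmdir /s /q "?:\*\__Delete_*"'],
)

if __name__ == "__main__":
    cmd = r"C:\Windows\system32\cmd.exe"
    print(decide(cmd, cmd + r' /c rmdir /s /q "C:\Sandbox\user\DefaultBox\__Delete_42"', WL))  # allow
    print(decide(cmd, cmd + r" /c ipconfig /all", WL))  # block: command line not whitelisted
    print(decide(r"C:\Users\user\Downloads\setup.exe", "setup.exe", WL))  # block: unknown process
```

Because the pattern is anchored at both ends, a cleanup command that appends anything after the quoted path is also blocked, which is the behaviour a practitioner should expect from a whole-command-line whitelist.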
  18. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    413
  19. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Andreas, you rock :thumb:

    By the way, just want to thank you for all that you do.
     
  20. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    413
    I've added the ERP files to every possible exclusion in CIS but the PC freezes if I open/execute the GUI (EXERadar.exe).

    Is there any way to disable self-protection other than renaming those DLLs?
     
  21. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Busy, what operating system are you running?

    Also, is the OS 32-bit or 64-bit?

    It might help the developer pinpoint the problems you're experiencing.

    It could be that ERP broke compatibility with the newest changes, while being run under a certain Operating System (XP, 2000, Vista, 7, Windows 8, 8.1)

    I might be wrong, but I am thinking this is the cause for freeze-ups, etc.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I also would like the option to disable self protection, just on general principles.

    Pete
     
  23. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    413
    @TyRidian

    Windows 7 SP1 x64. *

    I renamed those DLLs and am using the latest beta without freezes.
     
  24. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Is this normal for this build?

     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    On XP I'm also using SSM, and the parent-child control feature is kinda nice, but it sometimes can also be a bit annoying. And if I'm correct the "vulnerable process" feature in ERP will always alert when "sensitive" programs are launched, am I correct? :)
     