New Antiexecutable: NoVirusThanks EXE Radar Pro

I share your views about minimizing code hooking, so I'd say you should not have self protection on XP (I'm an XP user, btw).

 

Hello,

I white-listed reflect.exe and added Macrium to trusted publisher. NVTERP gives me no alerts and even happens with protection disabled. I must disable protection and close NVTERP from the tray icon before Macrium will launch and do an image. Otherwise Macrium crashes on launch and the stopped working message appears. Macrium so far has been the only software that I have experienced an issue with the latest beta of NVTERP...

 

I released a new beta build v11:
http://downloads.novirusthanks.org/files/EXERadar_Pro_x86_x64_v3.1_20042014_BUILD1_11082014_v11.exe

To update, follow these steps:

1) Make a backup (export) of your current settings/lists
2) Close EXERadar (if it is running)
3) Uninstall EXERadar (you can keep your current settings)
4) Reboot the PC (needed)
5) Install the new build

The main addition to this new build is that it does not need anymore the DLL files, it now uses a new kernel-mode driver to protect EXERadar.exe process from termination, so ERP should now work correctly with CIS and other security software. If no issues are reported, I will add support to protect also ERPSvc.exe from process termination. Take in mind this new build does not support process protection on Windows XP OS, at least at the moment.

There is a new option in Settings->General:

"Enable self-defense against process termination"

Let me know if someone find any issues.

@puff-m-d

The beta build v10 is bugged due to user-mode hooking (.dll files) conflicts with other software, please try the new beta build v11, it used a kernel-mode driver now.

@act8192

I personally do not use SSM so I cannot say much about that program, however I think you can do what you need to do with ERP too.

I personally find too complicated to add rules as you suggested, example:

* Opera.exe can run calc.exe
* Opera.exe can run notepad.exe
* Opera.exe can be started from explorer.exe
* Opera.exe can run wordpad.exe

I prefer to globally manage the applications that are allowed to run in the system, without adding too type of rules based on the parent process, but instead add flexible rules to filter processes allowed to run:

* Opera.exe can run in the system, stop.

So any process can start Opera.exe because I consider it a safe and trusted process, so I can start it from any parent process.

Of course, any process started by Opera.exe that is not present in the whitelists will be blocked or you will get an alert (if you are using Alert Mode).

ERP can be uninstalled completely, make sure to click on "Yes" on the question "Do you want to delete the current settings and logs ?".

 

Weird, avast flagged the new build...

 

updated, self-defense enabled, run well on my system as always ; good Job again Andreas.

 

Hello,

Update went smoothly and self-defense seems to be working good.

I am happy to report that the new version fixes my issues launching Macrium Reflect as it now launches and performs imaging and back-ups as expected.
Thanks for the excellent support as always!

 

I installed it on one computer (I had to exclude it in avast) and it seems to be working fine. ESET has no issues with it so i'll be installing on my laptop next.

 

@novirusthanks With the latest beta,automatic deletion of sandbox problem is fixed.

NVTERP fails to remember the location of an exported backup.While trying to import the backup,need to manually browse to the location of exported backup.

 

@novirusthanks

Newest build of ERP is now working great with the latest version of EMET (Maximum and Recommended security settings)

Thanks for all your hard work

So far, latest build of ERP is working beautifully

 

No issues on all machines here, thanks again

 

Same here, thank you Andreas for this magnificent Software. I have two paid version and it's worth every penny

 

Is download link working?

 

Not here ATM.

 

@WSFfan

Yes that is normal, I will add support to remember the last directory for import/export.

@Overkill

I will update the kernel-mode driver in the next build adding a version information and I will contact Avast in case it is still detected as FP.

@busy @siketa

It should work fine now, let me know.

 

Thanks, its working now.

 

Yeah....same here.....

 

Fellow member Cutting_Edgetech, attended me to the fact that ERP actually let´s processes start up in an active state before killing them, I was a bit surprised that I missed this. But isn´t this a security risk, especially when it comes to blocking exploits? Shouldn´t the process start up in a non-active or suspended state?

 

@Rasheed187

The process has to be spawned in order for ERP to gather additional information, like process ID (PID), command-line, MD5, file publisher, etc.

The process isn't running or executing code in any TLS section or its entrypoint. You can't block a process and gather process id, process name etc. without spawning it (securely).

Other security software may not need to gather additional information about a process, instead ERP saves all possible information about a process, that is very useful for beginner users but also for expert users, such as when you have to respond to malware incidents, with ERP you can track any aspect of a process (PID, command-line, MD5 hash, etc).

Nothing to worry about, really.

 

Do you plan on making ERP utilize ASLR, and DEP? I believe malware that uses unhooking techniques will become more prevalent in the future. There is quit a bit of detail in this article about why it is important to use ASLR. http://rce.co/why-usermode-hooking-sucks-bypassing-comodo-internet-security/

 

Great! thanks

 

@Cutting_Edgetech

ERP doesnt install any hook in the system.

And even if it will do (for example, to support self-defense in Windows XP), our own internal hooking framework is 100% ASLR and DEP compliant.

 

The last time I checked the executables from ERP installation folder using this site http://icebuddha.com/slopfinder.htm it said ERP did not have ASLR or DEP enabled.

 

I will enable them on EXERadar.exe and ERPSvc.exe on the next build release.