New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    ERP will have the Install Mode totally automated (no need anymore for the "Deactivate" window).

    A new beta build should be uploaded in the next days.
     
  2. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Niiiiiice! :)
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Last edited: Mar 3, 2015
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Mister X

    I do have that line for SBIE in all my sandboxes, but I don't have any ERP stuff as power apps.

    Pete

    Note I am on Win 7x64
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    I added it to AppGuard's Power Apps following the advice, however I'm going to try not adding it. Just wonder what about the other programs in my signature.
     
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Why do I have to keep Allowing plugin container? Is there a way to Allow by Parent or ? Every time I open Yahoo with flash content... plugin container prompts for an Allow. I Allow by command line but, obviously, the command line changes and Allow process doesn't satisfy for next time.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Look at what is changing in the command line, and wildcard it.
     
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Guess, I imagined that ... with all the preloaded command line wildcards....why wouldn't the Developer preload "plugin container"
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am not sure what to say. I've not done anything unusual, and I don't see the pop ups you are seeing. Let's see what Andreas says.
     
  10. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    If plugin container is browser related, then it's acceptable not to preload it as a whitelist entry in any form. If people sandbox browsers, run them only in VMs, install security addons to nerf digital fingerprints... why would they whitelist an executable that is triggered by a browser? (An executable that maintains plugins).

    I went to the extreme and entered my browsers into the Vulnerable Processes tab. The alerts might tick you off.
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is the download link for the new beta build:
    http://downloads.novirusthanks.org/files/EXERadar_Pro_x86_x64_v3.1_03032015_BUILD2.exe

    To update:

    1) Close ERP from trayicon->exit
    2) Uninstall ERP completely
    3) Reboot the PC (very important)
    4) Install ERP

    This build fixes a few issues reported by two users when they login/logoff the system, and ERP now has the "Install Mode" fully automated.

    Please let me know if you find any issues.

    @bjm_

    What is the process name ?

    If you have the option "Allow software from Program Files folder" then plugin-container.exe should be auto-allowed.

    Else, you have to whitelist it manually, after you have done it, you should not get new alerts.

    I have Mozilla Firefox here and I whitelisted plugin-container.exe, then I got no more alerts.
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Below is a recent command line for plugin container. With this command line Whitelisted... each time I come near flash content, I'm prompted to Allow plugin container. What am I doing wrong other than not Allow(ing) software from Program Files?

    << "C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel=10740.2665d9b0.1115416391 "C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll" -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" E7CF176E110C211B 10740 "\\.\pipe\gecko-crash-server-pipe.10740" plugin >>

    I suspect the channel = changes ?
    _______ ______________ ____________
    Upon Allow Process ~ the following two command lines occur to Events

    "C:\Windows\SYSTEM32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe" --channel=10160.0114F258.399790615 --proxy-stub-channel=Flash11736.603F0590.31423 --plugin-path="C:\Windows\SYSTEM32\Macromed\Flash\NPSWF32_16_0_0_305.dll" --host-npapi-version=28 --type=renderer


    "C:\Windows\SYSTEM32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe" --proxy-stub-channel=Flash11736.603F0590.31423 --host-broker-channel=Flash11736.603F0590.30183 --host-pid=11736 --host-npapi-version=28 --plugin-path="C:\Windows\SYSTEM32\Macromed\Flash\NPSWF32_16_0_0_305.dll"
     
    Last edited: Mar 4, 2015
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi BJM

    Try going back and whitelisting everything in Program Files, and Program Files(X86). See if that solves your problem. There is no really valid reason not to do this.

    Pete
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    @Peter2150
    Hi Pete, could you elaborate the following please? I want to achieve the same in my security config.
    TIA
     
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Same issue for me with Norton. NIS has Real Time, Idle Time engines. Pulse and Full update engines. Background Task engine etc.
    ______________________
    "C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\WSCStub.exe"
    [2272]C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\NIS.exe
    C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\symerr.exe
    c:\windows\syswow64\rundll32.exe "c:\program files (x86)\norton internet security\nortondata\21.6.0.32\definitions\virusdefs\20150303.001\cceraser.dll", RunServer S-1-5-21-2084490526-3157944608-823130631-1004
    c:\windows\syswow64\rundll32.exe "c:\program files (x86)\norton internet security\nortondata\21.6.0.32\definitions\virusdefs\20150303.034\cceraser.dll", RunServer S-1-5-21-2084490526-3157944608-823130631-100
    ________________________________________________
    Okay, I'll install 03032015 and try again with Whitelist All...
    Either way, after two or three days of Allow Process / Allow Command Line. Allow should be satisfied. Unless, string changes. Which in the case of Norton...the string changes and in the case of plugin container the string changes.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Just add the Java Apps to the vulnerable list under the advanced tab. That way anytime it runs you will get an alert.

    Pete
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Thank you Pete, now can you provide one or two pages to test? I've tried on some and built-in java alerts pop-up, give permission to run but ERP remains silent?
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think ERP still needs an option to prompt the user for an action for executions from USB devices. Currently the only option is to automatically block executions from USB devices, or disable USB/ERP protection in order to allow USB executions.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Mister X

    Not sure I can, as I am not using any. Fact is I don't even have Java installed at the moment. I have one bank site I need it for, and I take a Macrium incremental image, install Java, use it, and then restore the image.

    Pete
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    OK, thank you so much.
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @bjm_

    Can you try to add these command-line strings to the Whitelist->Command-Lines tab ?

    Code:
    c:\windows\syswow64\rundll32.exe "c:\program files (x86)\norton internet security\nortondata\*\definitions\virusdefs\*\cceraser.dll",*
    
    Let me know if the alerts are gone.

    About these ones:

    You should whitelist this Adobe Flash process:
    C:\Windows\SYSTEM32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
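
Added example (not part of any post in this thread and not NoVirusThanks code): the advice in post 7, "look at what is changing in the command line, and wildcard it", applied to the two Norton command lines from post 15 and compared with the rule given in post 21. The `*` semantics used here (any run of characters, case-insensitive) are an assumption about how ERP matches rules; `tokens`, `generalize`, `matches` and `literal_chars` are hypothetical helper names.

```python
import re
from difflib import SequenceMatcher

# Command lines copied from post 15 of this thread (the second SID is cut short there).
NORTON_A = r'c:\windows\syswow64\rundll32.exe "c:\program files (x86)\norton internet security\nortondata\21.6.0.32\definitions\virusdefs\20150303.001\cceraser.dll", RunServer S-1-5-21-2084490526-3157944608-823130631-1004'
NORTON_B = r'c:\windows\syswow64\rundll32.exe "c:\program files (x86)\norton internet security\nortondata\21.6.0.32\definitions\virusdefs\20150303.034\cceraser.dll", RunServer S-1-5-21-2084490526-3157944608-823130631-100'
# Rule copied from post 21.
DEV_RULE = r'c:\windows\syswow64\rundll32.exe "c:\program files (x86)\norton internet security\nortondata\*\definitions\virusdefs\*\cceraser.dll",*'

def tokens(cmdline):
    """Split on path/argument delimiters, keeping each delimiter as its own token."""
    return re.findall(r'[\\ "=]|[^\\ "=]+', cmdline)

def generalize(a, b):
    """Build a rule from two observed command lines.

    Runs of tokens that are equal stay literal; each run that differs
    collapses into a single '*'.
    """
    ta, tb = tokens(a), tokens(b)
    out = []
    matcher = SequenceMatcher(None, ta, tb, autojunk=False)
    for op, i1, i2, _, _ in matcher.get_opcodes():
        if op == "equal":
            out.extend(ta[i1:i2])
        elif not out or out[-1] != "*":
            out.append("*")
    return "".join(out)

def matches(rule, cmdline):
    """Assumed semantics: '*' matches any run of characters, case is ignored."""
    pattern = ".*".join(re.escape(part) for part in rule.split("*"))
    return re.fullmatch(pattern, cmdline, re.IGNORECASE | re.DOTALL) is not None

def literal_chars(rule):
    """Rough strictness measure: how much of the rule is fixed text."""
    return len(rule.replace("*", ""))

if __name__ == "__main__":
    rule = generalize(NORTON_A, NORTON_B)
    print(rule)
    print(matches(rule, NORTON_A), matches(DEV_RULE, NORTON_B))
    print(literal_chars(rule), literal_chars(DEV_RULE))
```

The generated rule keeps the engine version directory and `RunServer` literal, so it is narrower than the rule in post 21 and will need widening when the Norton version directory changes.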
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andreas

    I don't know what magic you did but that new install button is super.
     
  23. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Where is this Install button? lol... I must be blind... 03032015 build...
     
  24. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello marzametal,

    When you install a program, the "Install Mode" button will be on the ERP window that pops up to allow or block.
    HTH...
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Puff

    Thanks for answering.

    Pete
     