New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Ohhh, how nice is that... cheers Puff, Peter.
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    No problem ;) as you are most welcome :thumb: ...
    I was one of the ones that was not really sure if "Install Mode" was needed :doubt: ... Andreas has done a great job of implementing it :thumb: and I am now happy to see it added :) ...
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Glad you like this feature.
    Could anyone explain a bit more in detail why this new feature is so good? As I already stated I'm a novice in these security programs. TIA
     
  4. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I like it too.
    Great job, Andreas! :thumb:
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I normally would change from alert mode and then have to change back. Now just leave in alert mode, click the install button and install. It really is simpler, and you can leave ERP in alert mode.
     
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    C:\Windows\system32\Macromed\Flash\FlashUtil64_16_0_0_305_Plugin.exe is and has been whitelisted....the only way I've found for plugin container to stop prompting is to set Allow all software from Program Files folder. Which should afaik also resolve Norton...prompting. Symantec is listed as a Trusted Vendor.
    Changing strings seems to stubbornly resist permanent Allow.
     
    Last edited: Mar 6, 2015
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Nice! That's exactly what I was thinking before I asked... thanks.
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have been using the latest beta for 2 days now on Windows 7x64 with no problems so far.
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    I have added the following as per your request...c:\windows\syswow64\rundll32.exe "c:\program files (x86)\norton internet security\nortondata\*\definitions\virusdefs\*\cceraser.dll",*
    You also requested C:\Windows\SYSTEM32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe whitelisted.
    I have the following ... whitelisted
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil64_16_0_0_305_Plugin.exe

    and as per Peter2150. I have set Allow all from Program Files folder.
     
  10. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    I've been on here less than I usually am, so forgive me if this question has already been asked.

    Is ERP going free with a donation option? I ask because the latest beta doesn't have an option to input my registration details.
     
    Last edited: Mar 7, 2015
  11. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    Yes it has.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    ERP needs an option to whitelist the process, and command line string at the same time. It would cut down the number of prompts I have to respond to by about half. It would be so much easier to kill 2 birds with 1 stone.
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Yes I agree once again. I am not an avid/experienced user of ERP but the short time I've been using it, Cutting_Edgetech has the reason once again, it's a lot of work to respond to each and every alert...
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Installed and set up with a bit of common sense, you shouldn't get very many alerts at all.
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Hi Pete, for me and I've proved my statement, is that common sense depends upon individual intelligence, experience, formal education and skills on any given matter.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It just makes sense to give a third option to whitelist the process, and command line string at the same time. Is that option already there, and maybe I did not see it?
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    No, it is not there.
     
  18. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    I might be misunderstanding the questions about whitelisting processes (applications) and command lines at the same time and my understanding of how ERP works might be wrong also, but here is what I understand...

    When you whitelist a process (applications), that process and any command lines that it may use are whitelisted, so there is no need to whitelist any command lines that particular process may use. The only exception I know of this is if the particular process has been added to the "Advanced > Vulnerable Processes" tab. In this case you would have to whitelist the command line even if you have the process whitelisted.

    When you whitelist a command line, you are being more granular in control of a particular process, allowing that process to only launch with that particular command line. If you also whitelist the process itself, whitelisting the command line makes no difference as all instances of that process no matter what the command line will launch. Once again "Advanced > Vulnerable Processes" tab can come into play as if the process is listed there, it will require a command line whitelist (even if you have whitelisted the process).

    If you look at an entry under the "WhiteList > Command Lines" tab, for example this entry from mine:
    C:\WINDOWS\system32\rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState
    I see the process with the command line, so to my understanding, the process and command line are already being whitelisted at the same time. In this particular example, the process involved is also added to the "Vulnerable Processes" list, so adding it to the "WhiteList > Applications" tab would serve no purpose.

    Now if my understandings above are correct, I see no reason or instance where I would want to whitelist the process (applications) and command line at the same time. I see no purpose that it would serve. What would whitelisting the process and command line at the same time accomplish if my understandings above are correct? This is why I do not understand the need to whitelist both the process and command line at the same time as it would not really serve any purpose.

    Again, this is just how I understand how ERP works and I definitely may be wrong in these understandings. Please correct me if any of my understandings of how ERP works is incorrect or incomplete, or if I have misunderstood your questions...
     
  19. Paul R

    Paul R Registered Member

    Joined:
    Aug 5, 2014
    Posts:
    59
    Location:
    Bury, Lancashire
    Brill, a new release :) hopefully the crashes I had will be a thing of the past.

    Thanks :thumb:
     
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    So, to your understanding. Whitelist Process satisfies Command Line strings even with changing strings.
    I've tried Whitelist Process with Norton updates and flash plugin container where the string (numeric) changes and ERP was not satisfied with my setup of not allowing all from Program Files folder. Even Norton idle background tasks were not satisfied by Allow Process or Allow Command Line.
    Now that I've setup Allow all.....ERP is quiet. I prefer to Allow as needed and for Allow to satisfy command line string that change....but, seems I need to global Allow all.
    My concept is that with ERP lists cleared. After a few days all I need will be satisfied via Allow. I've found that Norton and plugin container resist settling in with Allow (and ERP setup not to allow all from Program Files folder).
     
    Last edited: Mar 7, 2015
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @puff-m-d

    You have explained it perfectly :)

    @Cutting_Edgetech @Mister X

    Whitelisting both process and command-line at the same time is really not needed.

    Most repeated alerts are shown because the process is present in Advanced->Vulnerable Processes, so in this case it is needed to whitelist the command-line.

    If you still get alerts, it is needed to edit the whitelisted command-line using wildcard characters where the characters change.

    Example:

    If you whitelist this command-line:

    And you still get alerts with these command-line strings:

    You should edit the whitelisted command-line string by using wildcard characters:

    Or also this would work better:

    See the wildcard characters "?" and "*".

    Only this is needed to handle alerts caused by Vulnerable Processes, you only allow particular and safe command-line strings to run.

    @bjm_

    Yes, with the changes I suggested, you should not receive new alerts about that particular command-line strings.

    If this happens, we just need to analyze the command-line string, check where the characters change, and use wildcard characters correctly, that's all.

    In the case of Norton Internet Security, you got alerts because it uses a system process (rundll32.exe) to load DLL files (legitimately of course):

    That process (rundll32.exe) is present in ERP's Vulnerable Processes list because it is commonly used also by malware to load malicious DLL files.

    So in this case you needed to whitelist the command-line string using wildcard.

    This command-line string:

    Becomes this using wildcards:

    I used the wildcard character "*" in the parts of the string that are known to change frequently in that command-line string.

    About this process:

    It is related to Adobe Flash Player and it can be safely whitelisted, however, please note that when Flash Player is updated, the file MD5 hash will change, so you will get a new alert. To handle this problem automatically you should have "Adobe Systems Incorporated" present in the Settings->Signed Processes->Manage Trusted Vendors... plus you need to have the option "Allow processes signed only by Trusted Vendors" enabled.

    An alternative in this case, considering that C:\Windows\SysWOW64\Macromed\Flash\ is a protected folder, where only processes with Admin privileges can write files in there (with Vista+ OS), you can browse to WhiteList->File Locations and add this string:

    Or if you prefer:

    Or if you prefer:

    And you should get no alerts even if Flash Player is silently updated.

    With ERP it is very important to create a solid whitelist with frequently executed programs, specific command-line strings that involve the Vulnerable Processes, and it should be enough. Obviously the options "Allow processes signed by Trusted Vendors" and "Allow software from Program Files folder" can help too to reduce the alerts.

    I may write a very detailed tutorial about this topic soon if also other users may request it.

    @Paul R

    All should be fixed about old bugs, please let me know if you find any issue :)

    @Mister X @marzametal

    Sure, as @Peter2150 and @puff-m-d said, the Install Mode is only present in the alert dialog, and can be used when you need to install (or uninstall) a trusted application, so if you click on "Install Mode" when the setup file is executed, you will get 0 alerts while the application is being installed. When it has finished installing, ERP will automatically recognise it and will disable the Install Mode for that setup file. During this process, you do not need to change the Protection Mode (before you had to do this), and the Protection Mode that you have is always active while the Install Mode is enabled, so for example, if ERP has set the Install Mode for the setup file of Sandboxie, if you execute an unknown (not whitelisted) application, it would be blocked (or you will get the alert) by ERP according to your active Protection Mode. That being said, Install Mode is very useful to install and uninstall trusted applications as it will reduce the alerts related to the installation/uninstallation of the application selected.
     
    Last edited: Mar 7, 2015
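
The whitelist behaviour described in posts 18 and 21 above, as an added example that is not part of the thread and is not NoVirusThanks code: a small Python model in which a process on the Vulnerable Processes list needs a matching command-line entry even when the executable itself is whitelisted. The wildcard semantics, the case-insensitive comparison, the `decide` function, the example application and the sample launches are assumptions; only the rundll32/cceraser.dll pattern comes from the thread.

```python
import re

def wildcard_to_regex(pattern):
    # Assumed semantics: "?" = exactly one character, "*" = any run of
    # characters, everything else literal, compared case-insensitively.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def decide(image_path, command_line, policy):
    """Return "allow" or "alert" for one process launch."""
    image = image_path.lower()
    cmd_ok = any(wildcard_to_regex(p).fullmatch(command_line)
                 for p in policy["command_lines"])
    if image in policy["vulnerable"]:
        # Vulnerable processes always need a matching command-line entry,
        # even when the executable is on the application whitelist.
        return "allow" if cmd_ok else "alert"
    return "allow" if (image in policy["applications"] or cmd_ok) else "alert"

RUNDLL32 = r"c:\windows\syswow64\rundll32.exe"
APP = r"c:\program files\exampleapp\app.exe"  # hypothetical application
POLICY = {
    "vulnerable": {RUNDLL32},
    "applications": {RUNDLL32, APP},
    "command_lines": [  # wildcard entry quoted in the thread
        RUNDLL32 + r' "c:\program files (x86)\norton internet security'
        r'\nortondata\*\definitions\virusdefs\*\cceraser.dll",*',
    ],
}

NORTON = (r'C:\Windows\SysWOW64\rundll32.exe "C:\Program Files (x86)'
          r'\Norton Internet Security\NortonData\{}\Definitions\VirusDefs'
          r'\{}\ccEraser.dll",ExampleExport')
SAMPLES = [  # constructed launches; directory and export names are placeholders
    (RUNDLL32, NORTON.format("VER-A", "DEFS-1")),
    (RUNDLL32, NORTON.format("VER-B", "DEFS-2")),
    (RUNDLL32, r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\example.dll",Run'),
    (APP, APP + " --any-argument"),
    (r"c:\users\public\unknown.exe", r"c:\users\public\unknown.exe"),
]

def run_samples(policy=POLICY):
    return [decide(img, cmd, policy) for img, cmd in SAMPLES]

if __name__ == "__main__":
    for (img, cmd), verdict in zip(SAMPLES, run_samples()):
        print(verdict, cmd)
```

Under these assumptions a catch-all entry such as `rundll32.exe *` would also allow the third sample, which is why the wildcards go only where the string is known to change.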
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If the string changes every time you have to add it as a command string with wild cards. BJM I have no trouble at all with plugin container. Could the problem be caused by Norton?
     
  23. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Thanks for letting me know, I appreciate it.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I don't think that was the case on my machine. I would whitelist the command line string when prompted, and then I would be prompted again for the process. I don't think the process I was being prompted for was on the vulnerable process list. I think it was for some software I have installed on my machine. At any rate I was having to respond to double the prompts I would have to if I could just whitelist the process, and command line string at the same time. I have ERP installed on my test machine so I will look at it again later today to see if I can find what the processes I was being prompted for after whitelisting the command line string.
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Cutting_Edgetech

    If you can reproduce the repeated alerts please let me know more information about the process by posting here or via PM so I can take a look at it.
     