New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    Well I think we have the answer to sophisticated threats...
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, the point then is this isn't a failure of ERP, but a failure to protect the system and back it up.
     
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Well, it's a case where you need ERP + a good amount of experience and proper caution.
     
  4. guest

    guest Guest

    In the case of ClassicShell (several weeks ago) the hacker group modified the official installer. The UAC prompt showed a modified digital signature, but some people ignored it.
    There are even cases of people who don't disconnect the backup medium from the system, and it is then encrypted too :eek:
     
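    The ClassicShell case above comes down to one check that the UAC prompt only hints at: whether the installer's Authenticode signature is valid and whether the signer is the one you expect. The following PowerShell script is an added example, not code from the thread or from NoVirusThanks; the installer path and the expected signer subject are placeholders you supply. It shows why a "valid" status alone is not enough: a tampered installer re-signed with a different certificate still reports Valid, so the signer subject and thumbprint must be compared as well.

```powershell
# Added example (not from the thread): verify an installer's Authenticode
# signature before running it, instead of relying on the UAC prompt.
# $InstallerPath and $ExpectedSubjectPattern are placeholders (assumption:
# you know the vendor's certificate subject from a previous good download).
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    [string] $ExpectedSubjectPattern = ''   # e.g. 'CN=Some Vendor'
)

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath

# Status is 'Valid' only if the signature chains to a trusted root and the
# file has not been modified since signing. NotSigned / HashMismatch are the
# cases where an installer was altered after the vendor signed it.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status: $($sig.Status) - $($sig.StatusMessage)"
    exit 1
}

$subject = $sig.SignerCertificate.Subject
$thumb   = $sig.SignerCertificate.Thumbprint
Write-Host "Signer:     $subject"
Write-Host "Issuer:     $($sig.SignerCertificate.Issuer)"
Write-Host "Thumbprint: $thumb"

# A valid signature from the wrong signer is exactly the "modified digital
# signature" the thread describes, so treat it as a failure.
if ($ExpectedSubjectPattern -and $subject -notlike "*$ExpectedSubjectPattern*") {
    Write-Warning "Valid signature but unexpected signer; do not run this installer."
    exit 2
}

# Where the vendor publishes a hash, compare it as a second, independent check.
$hash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
Write-Host "SHA256:     $hash"
exit 0
```

    Run it as `.\Check-Installer.ps1 -InstallerPath .\setup.exe -ExpectedSubjectPattern 'CN=Vendor Name'` (script name and arguments are placeholders). Record the thumbprint of a known-good signer once and compare against it on later downloads; the subject string alone can be imitated by an attacker who obtains a certificate with a similar name.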
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    My backup media is always connected but protected by FIDES. Only SyncBackFree is allowed to read/write from a source folder on my local HDD; then I manually back up by running SyncBackFree to my backup media. Next I run a desktop client (allowed in FIDES) to read my external backup media and upload it to the cloud.
    If by any unlikely chance a malware is able to execute my specific desktop client, this is added as a vulnerable process in ERP.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    So far it doesn't look like any ransomware is encrypting Image backup files. That may because not enough people bother.
     
  7. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    439
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
  9. guest

    guest Guest

    If it's always connected, additional protection like FIDES can be useful.
    I'm using it too, all external media is protected with it. Only a few programs which really need access to it, get the access.
    I agree.
    A counter measure is to not enable Trusted Vendors. Or leave it enabled and delete all Vendors except Microsoft.
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    Same here. All vendors including M$ deleted on purpose. I usually make a Windows clean install, then set up ERP to whitelist M$ processes. Then I delete all trusted Vendors including M$. Note that some important M$ vulnerable processes are added manually (takes a lot of time and effort, at least for me) within the ERP vulnerable processes tab.
     
    Last edited: Sep 15, 2016
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I recently upgraded to v3.1.0.0 Build1-24062015 because of earlier posts in this thread.
    I no longer see any Vendors in the list under Manage Trusted Vendors - anyone else have this?
    I did have them in the earlier build, 15052015 I think it was ... I did do an export and import of my settings.
     
  12. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    228
    Location:
    UK
    I haven't come across FIDES before. Could you explain what it is/provide a link?

    Thanks
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
  14. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    228
    Location:
    UK
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Yes, it seems that is the new 'international' name. I like Pumpernickel, but maybe it was thought to be too German!
     
  16. guest

    guest Guest

    Yes :D
    That's fine too. And don't forget about AG (Publishers) ;)
    c:\ProgramData\NoVirusThanks\EXE Radar Pro\Data\TrustedVendors.db -- is this file empty?
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    It is there, but 0 KB, so it is empty ...
     
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Last edited: Sep 15, 2016
  19. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    439
    I'm not sure that will protect you from this type of ransomware:
    http://www.bleepingcomputer.com/new...e-files-and-encrypts-your-hard-drive-instead/

    Of course, if you backup regularly to cloud you are OK, but that depends on users upload speed, size of backup, etc.
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    My config (see my sign.) does protect against Petya-like ransomware. Shadow Defender is there and tested against Petya on my real personal machine, several months ago. Besides I have a DATA partition different to C: (OS).
    In addition I do weekly (sometimes shorter/earlier) system image backups (IFW) to be fully protected and recover easily/quickly on this kind of disasters.
     
    Last edited: Sep 15, 2016
  21. guest

    guest Guest

    You made a backup of your settings, correct?
    Extract that backup (it's a .zip file even if it has a different extension), and look for the extracted file TrustedVendors.db.
    If it's not 0 KB and you see content in it, you can copy this file manually to c:\ProgramData\NoVirusThanks\EXE Radar Pro\Data\TrustedVendors.db and overwrite the existing file (after closing ERP).
     
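    The restore procedure in the post above (open the settings backup as a zip, find TrustedVendors.db, make sure it is not empty, close ERP, overwrite the file in ProgramData) as a PowerShell script. This is an added example, not code from the thread or from NoVirusThanks. It opens the archive through System.IO.Compression so the backup does not need a .zip extension; the backup path is a placeholder, the target path is the one quoted in the thread, and identifying the running ERP process by an executable path containing "EXE Radar Pro" is an assumption. Writing to ProgramData needs an elevated prompt.

```powershell
# Added example (not part of the thread): pull TrustedVendors.db out of an
# ERP settings backup and restore it, refusing to act on an empty copy or
# while ERP is still running.
param(
    [Parameter(Mandatory)] [string] $BackupFile,   # placeholder: your exported settings file
    [string] $TargetDb = 'C:\ProgramData\NoVirusThanks\EXE Radar Pro\Data\TrustedVendors.db'
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Open the archive directly; Expand-Archive would insist on a .zip extension.
$zip = [System.IO.Compression.ZipFile]::OpenRead($BackupFile)
try {
    $entry = $zip.Entries | Where-Object { $_.Name -eq 'TrustedVendors.db' } | Select-Object -First 1
    if (-not $entry) { throw "No TrustedVendors.db inside $BackupFile" }

    # A 0-byte file is the symptom being fixed, so an empty backup copy is useless.
    if ($entry.Length -eq 0) { throw "TrustedVendors.db in the backup is 0 bytes; try an older backup" }
    Write-Host ("Found TrustedVendors.db ({0} bytes) in backup" -f $entry.Length)

    # Do not overwrite while ERP is running, since it may rewrite the file on exit.
    # Assumption: the ERP process has 'EXE Radar Pro' in its executable path.
    $running = Get-Process -ErrorAction SilentlyContinue |
               Where-Object { $_.Path -like '*EXE Radar Pro*' }
    if ($running) { throw "Close EXE Radar Pro first (running: $($running.Name -join ', '))" }

    # Keep the current (empty) file so the change can be rolled back.
    if (Test-Path $TargetDb) {
        Copy-Item $TargetDb ("{0}.bak-{1:yyyyMMddHHmmss}" -f $TargetDb, (Get-Date)) -Force
    }

    [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $TargetDb, $true)
    Write-Host "Restored $((Get-Item $TargetDb).Length) bytes to $TargetDb"
}
finally {
    $zip.Dispose()
}
```

    Run it from an elevated PowerShell as `.\Restore-TrustedVendors.ps1 -BackupFile .\erp-settings.bak` (script name and backup file name are placeholders), then start ERP and check Manage Trusted Vendors. If the most recent backup also carries a 0-byte file, as happened in the post above, point the script at an older export.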
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Thanks @mood, you're a star!
    I did try reimporting my settings from prior to my upgrade to Build 24062015, but Trusted Vendors list must have been removed already (I don't know how or when).
    But your method from an early settings backup has worked, and the list is now restored. Thanks!
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    No, it uses DLL Injection, just like about all other ransomware variants. The new dll protection feature covers another technique, not related to DLL injection.

    That's why I always run apps inside the virtual sandbox (controlled by SBIE) first, to see how it behaves.

    I really wonder when he's going to offer a GUI. I mean, currently all of those tools make you feel like you're back in the 80's again. Smart Object Blocker was also a complete shock to me.
     
  24. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    I'm curious as to whether Andreas still works for NVT, you may recall he was very active here in the past.
     
    Last edited: Sep 17, 2016
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    I think he IS NVT. I just think he is on a money making project.
     