New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Actually, the apps that you mentioned all do something different. EMET's memory protection is different than the one in AppGuard. And the memory protection in AG is nothing special, HIPS have been doing this for years (anti-code injection, anti memory access).
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I know AG uses a very simple method of memory protection based on policy. AG blocks applications from reading and writing to the memory of other applications. AppGuard blocks code injection as well. You already mentioned both of these. If AppGuard's memory protection is the same as most HIPS, then why do I always get at least half a page of memory related blocked events in AG's Activity Report? I don't ever find any of these blocked events in the logs of the HIPS I have used. Maybe the HIPS just do not log them, but I will check with the developer of AG to see what they think.

    Edit: Any further discussion about this should be continued in AG's thread since this is ERP's thread. I have contacted Barb, and am waiting for a reply. I do understand though that you were only replying to someone else's post in this thread.
     
    Last edited: Jun 5, 2014
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It's not that it's simple, but it's nothing new. The protection offered by EMET tries to tackle exploits at an early stage, while apps like ERP and AG try to block the exploit in stage 2. So anti-exe might not stop real advanced attacks, but most exploit kits are using standard exploits, so anti-exe is good enough most of the time, I believe. But I don't think it's really necessary to add memory protection because ERP can work together with EMET, MBAE and hopefully the new HitmanPro.Alert. :)
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Last edited: Jun 5, 2014
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I noticed that ERP does not have "block processes executed from USBs" ticked with this build. Was this on purpose? I think executions from USBs are a very common source of infection. So many work stations get infected by thumb drives.
     
  6. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    FYI, in a test that was run by a third-party against AppGuard and EMET last year, AppGuard stopped 100% of the attacks and EMET only stopped 80%.
     
  7. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    I would like to view the results of this test. Please PM the link to me if it is against forum rules to post it.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ Cutting_Edgetech and Barb_C

    Let's not hijack this thread, I've responded in the AppGuard thread. ;)
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Sorry, I had multiple tabs open when I responded here. I thought I was in AG's thread. Thank you for bringing that to my attention. I will copy my last post, and paste it in AG's thread. That's where I thought I was when I made it. I will delete my last post from this thread.
     
    Last edited: Jun 5, 2014
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Cutting_Edgetech

    I re-enabled it, I disabled it only to test a thing, thanks for reporting it.

    @Rasheed187

    I will re-add the help file in the online ERP web page tomorrow.

    @siketa

    I updated the installer and uninstaller script so now all .tmp files and the uninstaller are signed.

    This is the link to download the new build:
    http://downloads.novirusthanks.org/files/EXERadar_Pro_x86_x64_v3.1_20042014_BUILD1_20042014_v5.exe

    To update, follow these steps:

    1) Close EXERadar (if it is running)
    2) Uninstall EXERadar (you can keep your current settings)
    3) Install the new build

    A reboot is not needed.

    What's new?

    + Updated the installer script to sign also the .tmp files and the uninstaller
    + Added a new safe command-line string
     
  11. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Andreas, what about those boxes in a popup?
     
  12. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello Andreas,

    Thanks for the new build. I really like the new colors of the tray icon for the different alert levels. However, I may have a bug. If I disable protection permanently via the tray icon, obviously it changes colors. I then do a reboot of my system and when my system loads, the tray icon has changed back to the default color for the alert mode enabled. Upon checking ERP, it is disabled as it should be (hovering over the tray icon shows disabled) but the color of the tray icon is reflecting that ERP is now in alert mode. I have tried this scenario several times and it is reproducible every time on my system (Windows 8.1.1 Pro 64-bit)...
     
    Last edited: Jun 6, 2014
  13. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    I can confirm that. It stays disabled but the default icon is back on when rebooted. It says disabled when hovering over the icon. Win 8.1 64 bit.
     
  14. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Are the settings stored in ProgramData? Because that folder is always left after uninstall.
    I don't see the setting "Block processes with invalid or revoked certificate" anymore.
     
  15. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @puff-m-d @kjdemuth

    I could reproduce that issue, will fix it.

    @Overkill

    The new uninstaller will delete all \EXE Radar Pro\ in ProgramData (if you select to not save settings and logs).

    @siketa

    Do you mean like the editboxes? http://postimg.org/image/tbj1ajrjb/

    Personally I got used to them, they make it easier to copy/paste the process name, path, description, etc.

    What do you guys think about them?
     
  17. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Thanks Andreas ;) ...
    As for the edit boxes, I like them also (for the same reasons as you) :thumb: ...
     
  18. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Yes, those boxes.
    Can't you copy the text without them?
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    At first I had to get used to the edit boxes, but now I do like them.

    Pete
     
  20. J_Whacka

    J_Whacka Registered Member

    Joined:
    May 30, 2014
    Posts:
    13
    Is the following OpenPipePath=*\mailslot\NVTInj\* still needed in the Sandboxie config file? Also, are these commands correct:

    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WRusr.dll",* < No idea what this is for as it's set by default, unlike the other WRusr.dll command which I had to add manually.
    C:\Windows\system32\cmd.exe /c rmdir /s /q "?:\*\__Delete_*" < Without this set I get popups when Sandboxie removes content from the sandbox.
    "C:\WINDOWS\sysnative\rundll32.exe" "C:\WINDOWS\system32\WRusr.dll",* < Without this set I get a lot of popups when opening and closing stuff like Firefox.

    It's fine alongside Webroot AV on Windows x64 SP1. Love the new header colours, and I agree with the edit boxes: I like them also for the same reasons, Andreas.
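An added example (not ERP's or Sandboxie's own code) for checking how broad the safe command-line rules quoted in the post above really are. It assumes glob-style matching where `*` matches any run of characters and `?` a single character, case-insensitively; the sample command lines are constructed, and the hygiene check flags a `*` that sits right before a closing quote, because such a wildcard can match past the quoted argument.

```python
import re

# Added example, not ERP's own matcher. ASSUMPTION: safe command-line rules are
# glob-style ('*' = any run of characters, '?' = one character) and are matched
# case-insensitively, as Windows paths are.
SAFE_RULES = [
    r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WRusr.dll",*',
    r'C:\Windows\system32\cmd.exe /c rmdir /s /q "?:\*\__Delete_*"',
    r'"C:\WINDOWS\sysnative\rundll32.exe" "C:\WINDOWS\system32\WRusr.dll",*',
]

def rule_to_regex(rule: str) -> re.Pattern:
    """Translate a glob-style rule into a case-insensitive regex."""
    parts = []
    for ch in rule:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)

COMPILED = [(rule, rule_to_regex(rule)) for rule in SAFE_RULES]

def matching_rule(cmdline: str):
    """Return the first safe rule that fully matches cmdline, or None."""
    for rule, rx in COMPILED:
        if rx.fullmatch(cmdline):
            return rule
    return None

def wildcard_before_quote(rule: str) -> bool:
    """Rule-hygiene check: a '*' right before a closing quote can swallow the
    quote and everything after it, so the rule allows more than one argument."""
    return '*"' in rule

# Constructed sample command lines (not taken from the thread).
SAMPLES = [
    r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WRusr.dll",SomeExport',
    r'C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Sandbox\user\__Delete_12345"',
    r'C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Sandbox\user\Documents"',
    r'C:\Windows\system32\cmd.exe /c rmdir /s /q "D:\Sandbox\__Delete_x" plus "',
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print("ALLOW" if matching_rule(cmd) else "PROMPT", cmd)
    for rule in SAFE_RULES:
        print("wildcard before quote:", wildcard_before_quote(rule), rule)
```

The fourth sample shows the point of the hygiene check: the rmdir rule still matches it even though text follows the quoted path, so a tighter rule should end the wildcard before the closing quote.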
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks. When I get my new PC I will test the new ERP version. :)
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I would like to receive more info about this test, perhaps you can publish it on the AG site? But if it's true, it's also good news for EXE Radar, because if AG can stop these attacks, so can ERP, and it proves that anti-exe is quite a powerful protection method against exploits. :)
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    it is very powerful
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Please let's take the AG discussion to that thread.

    Pete
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    AG and ERP do not work the same. ERP uses whitelisting, and AG uses policy. That's why many users from Wilders use them together. The only whitelisting AG uses is by publisher, and that is optional. ERP may use some other methods I'm not aware of, but that's the biggest difference AFAIK. I personally believe you can consider AG an AE in the sense that it blocks executions, but it uses a completely different method of blocking them than ERP.
     
    Last edited: Jun 9, 2014