New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Thank you! I was informed by one user they chose not to use ERP due to ASLR, and DEP not being enabled. Maybe they will consider using ERP now.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    OK thanks, I do know that, for example, System Safety Monitor starts up a process in a suspended state (on Win XP), so that's why I wondered about this. By the way, I installed the latest version, and it seems to run just fine, nice job. :thumb:

    EDIT: Is it perhaps possible to make separate entries for "Lockdown/Allow/Learning Mode - Enable permanently" in the context menu?
     
    Last edited: Aug 12, 2014
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Rasheed

    Comparing anything in ERP to SSM is just short of being pointless. If I were you I would stop the wondering and comparing to SSM, put on ERP, and learn how it works and relax.

    Pete
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    @ Peter2150

    You're missing the point, I was concerned if it was a potential security risk, so it's about if ERP can (or should) be improved or not, not about which product is better. ;)
     
    Last edited: Aug 12, 2014
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Rasheed, I don't think so. First, comparing anything to SSM is irrelevant. Secondly, ERP is an Anti Executable, nothing else, but an excellent one. So if it does its job that is all that matters. If you can get something that it is supposed to block to run, that is a security risk. The little nit you are worrying about is only an issue if ERP fails to block something.

    Use the product see if it fails and if not relax.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    @ Peter2150

    I don't see why comparing it to SSM is irrelevant, yes it's a HIPS, but it also functions as anti-exe. And it would have been a security risk if a process is started in an active state before being blocked or terminated. Because then it could already compromise the system with code-injection for example. :)
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,790
    I find references to SSM very informative. My queries about parent-child, but especially some of the deep details Rasheed187 inquires where he mentions SSM. On XP, SSM is/was a gold standard of HIPS in a way. Hence, for learning purposes, the "comparisons" and answers here and in AppGuard thread, are most useful to me (for XP). Please don't dismiss. That's what a forum is for, isn't it?
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes that is what forums are for, but they can derail this thread where people just want to learn about ERP. There is no problem discussing all this but perhaps in a separate thread.

    Pete
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    @ novirusthanks

    I forgot to say that "Safe parent processes" like Sandboxie now work correctly, very nice. :thumb:

    A couple of things that I noticed:

    1 Column size is not always remembered. Perhaps an idea to give an option which columns should be displayed?
    2 There is no title in ERP's "Title Bar"
    3 Is it possible to remove the "focus rectangle" completely?

    http://www.askvg.com/how-to-remove-the-annoying-focus-rectangle-in-windows/

    A possible bug: Whitelisting does not always work, when you launch a file from the desktop, and you whitelist it, it will block the file in lockdown mode. Until you choose "whitelist running processes".
     
  10. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    507
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    @ busy

    Well, this "trick" is a bit annoying. :D
     
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    I released a new beta build v12:
    http://downloads.novirusthanks.org/files/EXERadar_Pro_x86_x64_v3.1_20042014_BUILD1_11082014_v12.exe

    To update, follow these steps:

    1) Make a backup (export) of your current settings/lists
    2) Close EXERadar (if it is running)
    3) Uninstall EXERadar (you can keep your current settings)
    4) Install the new build

    *A reboot is not needed*

    The process ERPSvc.exe is now protected from process termination (if self-defense is enabled) and ERP utilizes ASLR and DEP.

    @Rasheed187

    I couldn't reproduce this behavior, can you write more details about it?

    Here is what I tried:

    1) Start NewProgram.exe from Desktop
    2) From the Alert Dialog select WhiteList
    3) Switch ERP in Lockdown Mode
    4) Start again NewProgram.exe
    5) It was executed correctly (because it was present in the WhiteList)
     
  13. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    881
    Location:
    Virginia, USA
    NoVirusThanks EXE Radar Pro

    The development of this product seems to be moving right along. Fine work... good job.


    But.... this product needs to be renamed.

    The term "NoVirusThanks" is unclear and convoluted. It could be interpreted in several ways.

    The term "EXE" is meaningless to over 99% of the computer using public.

    And finally, the term "Radar" is not good either. I get what you are referring to.... I think. But again, most would have no idea what you are trying to convey by use of that term.

    The term "Pro" is fine. Good job with that term.

    -------------

    Clearly, a good marketing guy did not name this product.

    For your future success, I recommend a rename to something that the computer using public can relate to.

    I recommend:

    "Frank's Malware Execution Stopper!"


    And yeah, some would say the term should be "executable" rather than "execution." Got it.

    But this is a marketing name, not a product description.

    You provide a name the public can in some way relate to, a name that conveys 'action', and then you provide more detail and explanation in the product literature.

    I will not trademark the name and will request no royalties.

    You're welcome.

    -ftp
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Frank, you are off base on both counts. NoVirusThanks is the name of the company. Also your suggestion, albeit tongue in cheek, ERP is not a Malware execution stopper. It makes no determination if something is malware, but simply is it allowed to run or not. Let's try and keep these posts a bit smaller, both literally and figuratively.

    Thanks,

    Pete
     
  15. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    Someone on another forum asked if there was a way to prevent the execution of a process using a password. I recommended that they visit this topic.

    I tried password protecting a couple processes but they continue to run without a password dialogue. This appears to not work correctly. Or, am I missing something?

    The events log shows that these are allowed under Trusted Vendor and Program Files but shouldn't the entry into password protected processes take precedence?
     

    Last edited: Aug 17, 2014
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I checked it using the latest beta. Don't have that tab any more, but if I go into file settings>password options, set a password, check the box password protect the allow pop up it works.

    To password protect one process, you would have to take it out of the white list and then set it up like I did. It works.

    Pete
     
  17. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    I removed Chrome from "manage trusted vendors" and unchecked, "allow all software from program file folders". These are the two places in the event logs where Chrome was allowed.

    Unchecking "allow all software from program file folders" means that I will have to approve most everything that runs from program files that is not on the trusted vendors list. Correct? What a pain in the rear this is to complete this task.

    Isn't there a way to do this without changing global settings? I don't understand why a process needs to be untrusted and a whole folder needs disallowed for this one process to be password protected.
     

    Last edited: Aug 17, 2014
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay. Uncheck the global settings. Then go into the whitelist, and right click. Select add new. Check subfolders, and just browse to Windows, Program Files, and Program Files (X86) and it will add everything. Then find the chrome stuff and delete them. That will give you what you want. If you have trouble finding the chrome stuff let us know. There is an easy way to do it.

    Pete
     
  19. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    Ok, thanks.

    I don't think it is working correctly. I checked the help file and it doesn't mention anything about any extra steps. Help shows version 2.7.7 and changes have been made to the GUI/program since then. In my mind, if you password protect a process, it should be password protected regardless if it is trusted or not.

    http://novirusthanks.org/help-files/exe-radar-pro/#password-protect-processes
     
    Last edited: Aug 17, 2014
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Download and install the latest beta. Very different than 2.7.7. If I can be candid, it's not a matter of what is in your mind, it's how the program works. What is desired is indeed possible.
     
  21. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    It's not how the program works according to the help file. It may be possible with several unnecessary steps/workarounds but is this how it is expected to work? I doubt it.

    I'm not using 2.7.7. The image in the help file shows version 2.7.7 which is not current.

    I will try the beta.

    From here, I will just report this as a possible bug and need no further help.

    Thanks.
     
    Last edited: Aug 17, 2014
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Charyb

    Use the beta and follow what I told you. The help file is totally out of date. There is no bug, so reporting it will not get you anywhere.

    Pete
     
  23. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    Let's let Andreas decide this. Thanks for your help.
     
  24. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839


    No offense to you, but I would have to disagree with all of this.

    I think this product is quite established, and that also includes the product name.

    I think a name change is a bad idea.
     
  25. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,348
    Location:
    USA
    I totally agree!
     