New Antiexecutable: NoVirusThanks EXE Radar Pro

Hello All!
I have installed ERP Free with Software Restriction Policy and played really nice!
By the way, just wonder, version 2.7.0.0 is the latest free version or am I missing something?

 

If they use the most commonly encountered exploits in the Wild in their test then I would not be surprised if a good solid AE like ERP scored even higher than applications that only specialize in exploits. The fact is that the overwhelming majority of exploits do use some sort of payload. If the majority of the exploits they use in their test use more advanced exploit methods that do not use a payload then MBAE, HMPA, and EMET should score much higher than an AE alone. The best option would be to use them both if they do not cause an application conflict. You just have to be careful not to keep adding security application to your machine until you end up being the virus lol I like staying at 3 real-time myself. Also, always keep all your applications, and OS up to date with the latest patches.

 

Yes piling up security software with overlapping functions is a very bad idea. I only have 2 realtime monitors: Kaspersky IS and EMET, with AppLocker enforced. I tried MBAE and HMPA, however I don't feel like I'll keep either one of them since I am very satisfied with the free EMET.
You made a very good point - yes it's very important to keep the OS and all programs up to date, which many ppl here fail to do.

 

@Cutting_Edgetech

Payloads can be executable files but don't have to be. There are different payload types, some of them execute in memory only. These are payloads as well.

 

I was referring to payloads that actually write to the disk, but you bring up a good point.

 

Well, I wonder if ERP does block that? I'm sure AppGuard does and SBIE4 as well, but I'm not sure about ERP.
As far as I know you would still need to execute malware to the dirty job in order to actually attack your memory security and have your memory security compromised, before that-nope.

 

Will you add this to the default list of safe command line strings? C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate -nolegacy It was blocked by ERP, and it caused my VPN service to disconnect. As soon as I allowed it the VPN reconnected. I will be good for now since I whitelisted it, but if I ever roll my machine back to an image before installing ERP then it will be a problem problem again. Sometimes it takes a few hours before it runs. The problem with that is i'm not always at my machine, and it will cause my VPN to disconnect again. I could just add it myself, but I don't exactly trust that I will remember to add it if I roll my machine back a few months from now. I'm using Windows 7X64 Ultimate.

 

OK....a month has passed since the last beta build.
Andreas, when can we expect the final release?

 

Yes I agree, I would not be surprised if "anti-executable" apps will perform just as good as specialized "anti-exploit" tools. Would be cool if someone could test EXE Radar, AG, MBAE and HMPA against the most used exploit-kits.

 

The GUI of ERP has no real password protection. It's easy to kill EXERadar.exe with Process Explorer as an unprivileged standard user and restart it again without password. The password you entered before is not requested. Also stealth modus cannot be activated via function keys. I tried it with F12 and <SHIFT> F12.

 

Self-protection is on, and password is set. I still can kill ERP via Process Explorer v16.04

 

I have a question for Andreas or anyone else who would know the answer...

I bought a new Laptop and I would like to know if I can transfer my actual licence on it? Or do I have to buy a new one?

Thanks for help

 

Thanks Pete

 

@Cutting_Edgetech

Sure, that command-line string will be added in next build.

@siketa

So far I received only two emails about potential errors on ERP (that have to be verified), so the last beta build seems pretty stable.

I implemented now "Install Mode" in ERP, will run some more tests tomorrow and then will upload here the new beta build.

Wanted to add "Install Mode" to ERP before release the final build

@Antarctica

Replied to your PM.

@natZONE

"Self-protection" was meant to protect mainly from Task Manager (since it is a system process that may be needed by sys admins), as you can auto-block all new processes (and so Process Explorer would not be able to run).

However, Process Explorer was not able to kill ERP the last time I tested it (as I remember), I will give it another test.

"Password protect on exit" means that if you click on File -> Exit or from the tray icon -> Exit you will be asked to enter the pass.

It has no effect when a process tries to kill/terminate ERP.

@powerpack

Yes, the last free (old) version is v2.7.0, but it is not anymore supported.

 

Export/Import Settings file open/save dialog doesn't remember previous folder (it always defaults to Desktop). For example, if I export the Application Settings to D:\MySettings\settings.erp, then export/import again, I expect ERP to set the file save/open dialog to D:\MySettings rather than Desktop.

 

@novirusthanks With new Install mode, are you making it so that it doesn't create new rules for the auto-allowed child processes ? This is my preference (ie. I just don't want to be bothered by alerts during install, but I want to get an alert if any of the child processes were executed again).

EDIT (to avoid more posts ):
Also, I think I suggested this before, but can you make it so that a double-click on a white-listed command line will open the View/edit window.

You could also do the above for other lists (eg. open file properties for Applications and Whitelist entries, and Edit item for the File Location entries etc.)

 

I run Shadow Defender and ERP blocked the main window from running (ie. Defender.exe) due to expired/revoked certificate when double-clicking the SD tray icon. ERP was correct in that the certificate is expired, but there dosn't appear to be any way to allow it without disabling certificate checking altogether. Even though it is expired, I still expected the normal Allow/Deny alert dialog to be displayed, but with the Certificate section highlighting the fact that it is expired.

Another related feature I've requested before is the ability to disable signature/certificate checking, but still have the alert dialog show the certificate expiry date (even if it can't be checked for revocation)

 

Try the actual version of Process Explorer, you shall see you will be able to terminate the GUI of ERP. Furthermore, if you restart ERP which was just killed via Process Explorer, it does not ask you for the password you set before. This is definitely a vulnerability. You didn't defer to this argument I wrote in my review. Moreover, the password is not case sensitive.

 

@novirusthanks

1. With latest beta, if you select "BlackList Process" from alert dialog, it doesn't get added to the Blacklist, so opening the same process again results in an alert.
2. On Quarantine list, can you add two new context menu items:

• "Open original folder" which will open Explorer at location where quarantined process came from
• "Show file properties" to show properties dialog

3. After fresh installation of ERP without reboot, I noticed two .dmp files in the temp folder (eg. 78398737.dmp was 32KB or 64KB and ~78398737.dmp was 0 bytes). Before rebooting, I tried to delete them and it said one of the ERP processes had a lock on them. After reboot I was able to delete them, but after every boot (with ERP auto-starting) a new 12345678.dmp 0 byte file re-appears (which can be deleted immediately - ie. no lock).

 

@novirusthanks

I was having a look back at some of my posts and noticed that a few more of the usability suggestions haven't made it into ERP yet (eg. Date/Time column on all rule lists). Are these on your TODO list or were they just overlooked ?

 

@novirusthanks

The same is happening with WhiteList Process - it doesn't get added to the list. WhiteList Command Line works fine though.

 

Cool, this will make EXE Radar a lot easier to use, thanks a lot.

I think I also had this problem the last time I checked on Win 8.

 

Glad I'm not the only one I'm on Win 8.1.1 x64. The Last Modified timestamp for WhiteList.db under ProgramData does get updated when the button clicked, but the size does not change.