New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello digmor crusher,

    The automatic check for updates only references the stable released versions, not the betas. If you use the betas, you can disable the update check in "File > Settings > General > Notify me when a new version is available".
    HTH...
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Go to the settings menu, general settings, and uncheck "notify me of a new version". That only notifies of released versions and is meaningless if you are running betas.

    Pete
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ novirusthanks

    I noticed that in "lock-down mode", quite a few things are still blocked from the Control Panel in Win 8. For example, I can't launch Date and Time, Folder Options and Internet Options; perhaps you can add the command-line strings. Another thing: you might want to add these 2 apps to the vulnerable processes:

    C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe
    C:\Windows\syswow64\WindowsPowerShell\v1.0\PowerShell_ISE.exe
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  5. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I guess because it is still old stable version.
    Beta is not officially released.
     
  6. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @siketa

    I checked the log file and will try to reproduce the case.


    @digmor crusher

    If ERP is already opened the desktop icon does nothing; maybe I can change it so that it brings the main GUI back to the front.

    Correct :ninja:

    @Rasheed187

    I mean it is not that easy to add that taking into consideration usability and redundancy (as we already have sub-menus).

    Agree, will see what can be done.

    Will check it.

    Working fine for me here; does any other user experience this issue?

    Does this happen in some specific situations/actions?

    Will try to reproduce it.

    Sure, will add them. If you have new safe command-line strings to recommend, feel free to post them here too :)

    When ERP 3.1 stable is released the homepage will be updated; I may add a notice in these days about this thread and about the donation.

    The help file is linked in the Help->Online help file menu in the GUI window; will add it also to the product page tomorrow.
     
  7. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    419
    @novirusthanks

    It seems that there may be a conflict between COMODO Internet Security 8.1.0.4426 (CIS) and ERP v3.1_09032015_BUILD2. The latest ERP beta is causing CIS "access System in memory" alerts to pop up.

    1. Install CIS (config: Proactive Security, HIPS enabled: Safe Mode)
    2. Install ERP
    3. Restart the system
    4. CIS pops up "example.exe is trying to access System in memory" from time to time, or every time before restart/shutdown/logoff.

    CIS 8.1.0.4426
    ERP v3.1_09032015_BUILD2
    WIN7 64 Bit SP1+
     
    Last edited: Mar 25, 2015
  8. Mage

    Mage Registered Member

    Joined:
    Nov 4, 2010
    Posts:
    22
  9. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    419
    I did some tests with previous versions:

    In all cases CIS was installed (HIPS enabled with Safe Mode)

    ERP version    After install   After uninstall   After restart
    w/o ERP        No alert        No alert          No alert
    09032015 B2    Alert           Alert             No alert
    09032015 B1    Alert           EOSError          -
    03032015 B2    No alert        Alert             No alert
    24022015 B1    No alert        No alert          No alert
    22022015 B3    No alert        No alert          No alert

    After install => Install ERP then restart
    After uninstall => Uninstall ERP then restart
    After restart => Restart w/o ERP
     
    Last edited: Mar 24, 2015
  10. Mage

    Mage Registered Member

    Joined:
    Nov 4, 2010
    Posts:
    22
    Busy

    If you add ERP to the trusted list, CIS should stop falsely complaining? ERP isn't working with the System process at all. Feel free to ask NoVirusThanks to confirm this. Comodo can be contacted and they can see what this trigger is, but last I checked Comodo was still using superfluous usermode hook DLLs (guard32/64.dll) which internally use madCodeHook (a well known hooking library). I don't trust Comodo's judgement at all and personally would never install their protection software as it seems counter-intuitive. Just my 2 1/2 cents

    P.S.: I could run 10 top of the line security products alongside ERP. ERP gets along with them all. This isn't by coincidence; ERP doesn't use any hooks or code injection. This tells me Comodo's problem is Comodo
     
    Last edited: Mar 24, 2015
  11. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    419
    I already excluded/whitelisted ERP (or any other security software) in Comodo. CIS isn't complaining about ERP, but recent versions of ERP are causing strange "randomexample.exe is trying to access System in memory" CIS alerts to pop up, as you can see in my tests (ERP March builds).

    I'm not saying this is caused only by ERP, and if not I'll contact Comodo. Until then, let's see what @novirusthanks will say about this issue. :)
     
  12. Mage

    Mage Registered Member

    Joined:
    Nov 4, 2010
    Posts:
    22
    If this is only happening in ERP builds since March, then it should be pretty easy to examine the changelog and see what recent changes/additions were made that have CIS issuing these System memory access prompts. Will wait for NoVirusThanks' response too
     
  13. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I have been using ERP as part of my kids' parental control (password protected), which worked great until install mode came around... I love install mode, but it gives my kids the ability to install whatever they want now (they would figure it out soon enough), so if possible could install mode be an option rather than a default feature of ERP? I think others would hopefully prefer this as well.
     
  14. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    I don't understand why to use both CIS and ERP?

    AFAIK if you have CIS with HIPS on then ERP just doubles some functions of HIPS. What am I missing?

    Thank you.
     
  15. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    That's true.
     
  16. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    419
    To restrict/block access rights of running applications.
     
  17. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Comodo's HIPS in that case is enough.
     
  18. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Thank you.
     
  19. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Sometimes when I come back to my system after it has locked, I am unable to get back into it due to an ERP prompt. This I don't have a problem with as I don't like to auto-allow processes for the most part. However, it would make it much easier to diagnose the cause of the problem if the Alert itself could be logged, as well as the Allow/Deny decision. This way I could just reboot the computer, check the log to see what was being alerted, and then allow this process/command-line. Currently, I have to reboot, and then switch back to Allow Mode or Learning Mode, and wait until the "hang" happens again (which may be a long time), plus my machine is vulnerable during this time because everything is allowed. The optional ability to Log Alerts as well would solve this problem nicely.

    I was thinking of how best to add this feature, given the current "Log only blocked applications", and I was thinking that you could just replace this with three checkboxes, one for each type of item you want to log, e.g. "Log Allowed Applications", "Log Blocked Applications", and "Log Alerted Applications" (or something like this). By default, maybe only the first two are checked.

    By having three checkboxes, the user could choose exactly what they want to log.

    NOTE: I am only really interested in controlling what events get logged to the log file. Specifically, I generally only want to log Alerted and Blocked apps, but I still like to see Allowed events in the Events list of the app.
     
  20. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Also, still hoping for... :)
    - double-click on command-line entry to View/Edit command-line string
    - pressing Delete while entries are selected will bring up a Delete confirmation dialog
    - Ctrl+A in Command-line string edit box selects all text
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have a crypto-malware sample (ctb-locker) that uses a shortcut if you would like to try it. I was informed I could only give it out to security software developers. You may already have it, but if you think you don't then let me know. I could send it to you after the Kentucky basketball game is over.
     
  23. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Defenestration @Overkill @Rasheed187

    Uploaded a new beta build:
    http://downloads.novirusthanks.org/files/EXERadar_Pro_x86_x64_v3.1_29032015_BUILD1.exe

    + Added option to password protect the Install Mode (File->Settings->Password Options)
    + Added option to Disable Install Mode in the alert window (File->Settings->General)
    + Added option to log allowed, blocked and alerted applications (File->Settings->Logging)
    + Added PowerShell_ISE.exe in the list of vulnerable processes
    + Added more safe command-line strings for Win 8 OS

    @busy

    I tried ERP with many security products, and as far as I know your issue with CIS is the only active one.

    I suspect that CIS does not like that EXERadar.exe is started very early by the service and somehow it is unable to detect the EXERadar.exe process, hence maybe it refers to the System process instead.

    About your tests below:

    Can you check if 24022015 B1 has the option "Start with Windows" in the File->Settings->General window?

    Can you also check whether the registry value for ERP is present in HKCU\Run or HKLM\Run?

    @Cutting_Edgetech

    Sure, send me the link via PM please.
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
  25. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    419
    @novirusthanks

    24022015 B1 doesn't have that option.

    Also, there are no registry entries for ERP in HKCU\Run or HKLM\Run.
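    The question a few posts up (does the build register a "Start with Windows" value under HKCU\Run or HKLM\Run, or is EXERadar.exe launched early by the service?) and the answer just given can both be checked from one script. The following is an added example, not ERP's own code and not posted by anyone in the thread: a PowerShell function that lists Run-key values under HKCU and HKLM (including the 32-bit Wow6432Node view) and Windows services whose command line references a given product name. "EXERadar" is taken from this thread; the function name, the parameter and the assumption that the service binary shares that name stem are mine.

```powershell
# Added example (not ERP's own code): report where a product is registered to
# start, so a "starts very early from the service" vs. "starts from a Run key"
# question can be answered from the registry and the Service Control Manager.
function Get-AutostartReference {
    param(
        # Product name stem from this thread. The thread does not give the
        # service binary's file name, so match on the stem, not on "EXERadar.exe".
        [string]$Pattern = 'EXERadar'
    )

    $regex = [regex]::Escape($Pattern)
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )

    # Run-key values execute after a user logs on.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $entries = Get-ItemProperty -Path $key
        foreach ($prop in $entries.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, ... metadata; skip those.
            if ($prop.Name -like 'PS*') { continue }
            if ("$($prop.Value)" -match $regex) {
                [pscustomobject]@{
                    Source  = $key
                    Name    = $prop.Name
                    Start   = 'Run key (after logon)'
                    Command = $prop.Value
                }
            }
        }
    }

    # Services are started by the Service Control Manager before any Run-key
    # value runs, which is the "very early" case discussed in this thread.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match $regex } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'Win32_Service: ' + $_.Name
                Name    = $_.DisplayName
                Start   = "$($_.StartMode) ($($_.State))"
                Command = $_.PathName
            }
        }
}

Get-AutostartReference -Pattern 'EXERadar' | Format-Table -AutoSize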
     