New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. guest

    guest Guest

    1- All Mode seems to ignore when Metro Apps are executed, despite enabling them, prompts are still shown.

    1bis- Metro Apps rules are not memorized, (i.e: in alert mode or learning mode)

    2- multi-account issue on my side: if first installed on one account (say admin), and set up; when logging to the second one (say SUA) makes ERP hang the system (and vice-versa).
    The desktop of the second account stays black, with just the ERP window open. This seems to be occurring because one prompt may not be shown and hangs the system. Tried to use learning mode but to no avail. Once both accounts are set up normally, the issue disappears.
     
    Last edited by a moderator: Oct 25, 2017
  2. guest

    guest Guest

    3- in Managed Excluded Processes, I can't add more than 3 rules with the * wildcard...

    4- ERP doesn't remember the rules of the Slack desktop application, even if set to remember, also no event is recorded from it.
     
  3. guest

    guest Guest

    I have switched to "Learning Mode", but nevertheless I was greeted with a black screen (only ERP was visible) after I wanted to log in to my account (reboot, login => black screen).
    So something seems to be blocked even if ERP is in "Learning Mode" and it couldn't display an alert. (I haven't configured ERP fully yet, and especially files from the Windows-directory are missing in my rules; "Allow system files" is enabled)
    The last executable which could be loaded before the black screen appeared, was:
    Code:
    [Process Creation]
    Process: C:\Windows\System32\LogonUI.exe
     
  4. guest

    guest Guest

    same as me post #6236 n°2
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Yesterday installed ERP beta on Windows 10 Pro for Workstations 1709 x64 as admin acc. All went fine and I turned off the PC.

    Today I logged in as LUA:

    1. ERP popped up its main GUI as expected.
    2. Then I clicked on start menu and nothing happened.
    3. Tried to open/run anything else, nothing happened.

    This was the only event ERP logged:
    Code:
    2017-10-25 19:47:01.460 System file - - 11A8 C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe C999908C9DEBA07F1DA7C23A156C2E2395E863F8 Microsoft Windows "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca C:\Windows\System32\svchost.exe B3D7C886DC6607A50874E0ECF2B90CFC3C4B57B8 Microsoft Windows Publisher
    It seems ERP blocked that event but it didn't pop up an alert dialog.

    Had to push reset button on the case to be able to restart the machine.
     

    Last edited: Oct 25, 2017
  6. Mr.X

    Mr.X Registered Member

    Setting > Security > Allow System Files (checked)

    Yet ERP seems to keep alerting at some "system" related processes.
     
  7. Mr.X

    Mr.X Registered Member

    Usually, ERP shows alert dialog as LESS view:
    less.png


    When I click MORE it shows this view:
    more.png



    But every time ERP shows a new dialog it doesn't remember the MORE view.

    Request: make ERP remember alerts' views. Please.
     
  8. guest

    guest Guest

    I think the issue (same as mine and @mood) is that the prompts are hidden behind the GUI. As reported earlier, they aren't "on top".
     
  9. Mr.X

    Mr.X Registered Member

    In my case I could move main gui aside, no alert pop up behind.
     
  10. guest

    guest Guest

    ok so it may be different but somehow related, something is blocked that shouldn't.
     
  11. guest

    guest Guest

    There was no .dmp-file created but I could extract some more info.
    A specific Process-ID was mentioned in an error-report and with the help of my logs I knew it was ProcPermitDialog.exe and it is related to the issue above. But the information is not really useful:
    Code:
    Faulting application name = bad_module_info, Version: 0.0.0.0, Timestamp: 0x00000000
    Faulting module name = unknown, Version 0.0.0.0, Timestamp: 0x00000000
    Exceptioncode: 0x00000000
    Fault offset: 0x00000000
    Faulting application path = bad_module_info
    Faulting module path = unknown
    
    After searching for "bad_module_info" on the web it seems to be an issue of Windows 10 FCU, and not ERP :)
     
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Mister X @guest @mood

    Regarding the black screen with ERP GUI when the PC is rebooted or user session is changed, what happens if you add a rule like this:

    Code:
    Process -> Path -> Like to -> C:\* -> Allow
    
    In Alert Mode.

    Try to see if with this rule, that issue happens again.

    I suspect an important process (like LogonUI.exe or slui.exe) is blocked somehow.

    @mood

    Thanks for the info and suggestions.

    @Mister X

    Can add an option "Show Alert Dialog always expanded" in "Settings" tab.

    We use a Windows API to know if a process is a system file; some processes, even if located in C:\WINDOWS\System32\, are not considered system files by the API. We may add additional custom checks to identify a process as a system file probably.

    @guest

    Is this happening on SUA or also on Admin account?

     
    Last edited: Oct 26, 2017
  13. Mr.X

    Mr.X Registered Member

    Thanks. That would be great.
    Again, that would be great if you could do it.
     
  14. Mr.X

    Mr.X Registered Member

    Something like this?
    Rule.png

    Edit: It didn't work.
     
    Last edited: Oct 26, 2017
  15. guest

    guest Guest

  16. Mr.X

    Mr.X Registered Member

    Yup, it doesn't.
     
  17. guest

    guest Guest

    I found a workaround: go to the services (services.msc), stop the Procpermit service, set it to manual, reboot, log on to the 2nd account, start the service, set it to automatic, answer the various prompts.
     
  18. guest

    guest Guest

    ok, the problem is from logonUI.exe, after my workaround to allow me to log in to the 2nd account, I tried logging out or restarting, I couldn't; the log showed LogonUI.exe executing, seems it hangs for some reason if ERP is loaded in a different account than the one it was installed.

    I tried to copy the config file from one user to another, to no avail.

    After a new clean installation of ERP, the issue seems to have disappeared for now, maybe it was a one-time bug.
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Mister X @guest

    Thanks for testing the "Process -> Path -> Like to -> C:\* -> Allow"

    @guest

    We'll update the service app to better handle session changing and we'll include internal rules to allow LogonUI.exe
     
  20. guest

    guest Guest

    Nice :thumb:
     
  21. guest

    guest Guest

    Issue - "Deny rules have no effect or don't seem to have a higher priority than 'allow rules' or 'System files'"
    Prerequisite:
    a) Allow System Files = ticked
    b) [Proc.Path LIKE "C:\Program Files\*"] [Action = Allow]
    I have created the following deny-rules:
    Deny_rules.png
    ...and I have enabled them but only the last Rule (#6) is working correctly.

    Issue - "Protection disabled" = no event is being logged
    "The old ERP" was still logging if the protection was disabled, but this is not the case anymore with the new version.
     
  22. novirusthanks

    novirusthanks Developer

    @mood

    This should have a solution when we re-introduce Vulnerable Processes.

    Yes, we'll re-add support for logging of events when protection is disabled on the next build.
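
Added example, not part of the thread and not ERP's code: a generic model of the rule-priority report above, comparing an order-dependent evaluator (where "Allow System Files" or a broad allow rule answers first) with one where a matching deny always wins. The rule tuple format, the two deny rules, the sample paths and the system-file flags are assumptions made for illustration; only the `C:\Program Files\*` allow rule comes from the post.

```python
import re

def matches(pattern, path):
    # Only '*' is a wildcard; backslashes and dots are literal, and Windows
    # paths compare case-insensitively.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path, re.IGNORECASE) is not None

def first_match(rules, path, system_file=False, allow_system=True):
    """Order-dependent model: system-file allowance, then first matching rule."""
    if allow_system and system_file:
        return "allow"
    for pattern, action in rules:
        if matches(pattern, path):
            return action
    return "ask"  # no rule matched: an alert would be shown

def deny_first(rules, path, system_file=False, allow_system=True):
    """Precedence model: a matching deny beats every source of 'allow'."""
    if any(a == "deny" and matches(p, path) for p, a in rules):
        return "deny"
    if allow_system and system_file:
        return "allow"
    if any(a == "allow" and matches(p, path) for p, a in rules):
        return "allow"
    return "ask"

def shadowed_denies(rules, samples):
    """Deny patterns that match a sample path yet lose under first_match."""
    return [p for p, a in rules if a == "deny" and any(
        matches(p, path) and first_match(rules, path, sysf) != "deny"
        for path, sysf in samples)]

# Constructed rule set: the allow rule is the one quoted in the post; both
# deny rules and all sample paths are made up for illustration.
RULES = [
    (r"C:\Program Files\*", "allow"),
    (r"C:\Program Files\*\updater.exe", "deny"),
    (r"C:\Windows\System32\wscript.exe", "deny"),
]
SAMPLES = [  # (path, flagged as system file)
    (r"C:\Program Files\Vendor\updater.exe", False),
    (r"c:\windows\system32\WScript.exe", True),
    (r"C:\Users\test\Downloads\setup.exe", False),
]

if __name__ == "__main__":
    for path, sysf in SAMPLES:
        print(path, first_match(RULES, path, sysf), deny_first(RULES, path, sysf))
    print("shadowed:", shadowed_denies(RULES, SAMPLES))
```

Running a rule set through `shadowed_denies` with representative paths is a quick way to audit whether a deny rule can ever take effect under a given evaluation order.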
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    A word of thanks to @mood, @guest, @Mister X and others for their thorough testing which will help us all get a better product with v2. :thumb:
     
  24. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    +1 ;)
     
  25. guest

    guest Guest

    Thanks guys, I do it with pleasure, NVT and ERP are a company and a product I like to support, Andreas is a great dev. :)
     