New Antiexecutable: NoVirusThanks EXE Radar Pro

@novirusthanks

#1: same as @Mister X , on SUA or Admin account, no black screen anymore, im on the desktop, but after ERP is loaded, the system hangs (cursor circling in eternal loop), boot is halted (other programs aren't loaded), start menu sometimes unavailable or very slow to open, no events logged on ERP.
- It happens even when ERP is set on Learning Mode.
- once ERP is closed (via tray icon), boot resumes ; got memory leak error window and start menu is fully accessible.


#2: Events tab, the vertical scrollbar can't be moved when clicking & holding the bar.

#3: even on Learning Mode, i got prompts

 

Missed that one, same here

 

Andreas must have overlooked that one in the latest beta. Reported already: https://www.wilderssecurity.com/thr...ks-exe-radar-pro.300552/page-249#post-2714499

 

It would help if at least "Learning Mode" would be working 100%

Code:

File Instructions.txt:
What is missing?
- The "Protection Modes" are not fully working

If "Allow System Files" has been enabled and ERP is not recognizing specific files in the Windows directory "as a System Process" (and the file isn't whitelisted) normally a prompt is displayed.
But early in the login-process a prompt isn't displayed (and the user can't click on allow...) and with the 2nd beta the system seems to be hanging even after the user has logged in ("but usability is near zero. Start menu won't open" #6280)

With a working Learning Mode it can be easily mitigated, because ERP is automatically whitelisting the process (and the system shouldn't hang anymore).

 

Yes, that should have been what we should have; when i first experienced the hang in the first beta, i set ERP to Learning Mode right away to see if it was about any blocked processes , but since LM doesn't work properly, it made the job more difficult, i even tried to whitelist Program Files folders and Windows folder; no success.

 

How about memory usage of both gui and service?
I think it's high as said in my prev post, don't you think guys?

 

Yeah

Less than 15 MB (service+GUI). I would rate the Memory usage as acceptable/normal.

 

Same here, and since all features and modes aren't implemented yet, the value indicated are irrelevant to me.

 

I hope the public beta will have co-signed drivers, so even folks like me with recent versions of win 10, fresh installed, will be able to use it, without disabling safe boot. Yeah, you could run in VM or whatever, but real-life usage is a much better testing ground.

 

I've sent a new beta build to @mood @guest @Peter2150 @Mister X

This is the changelog for the new beta build 13 November 2017:

Protection Modes should all work correctly now.

I could reproduce the "black screen" bug, it happears when switching user sessions in some known circumstances.

Will update here as soon as we fix that issue when switching user sessions.

 

I hope the small lock on tray icon for Lockdown Mode will return


#1: When in Lockdown Mode, blocked processes isn't showing up, which can be confusing (aka clicking 10 times on the tray icon of the apps expecting the GUI to shows up)

 

Great. Looking forward to it.

 

After moving the mouse over the tray-icon, it shows "Multiple+ Client" (instead of the actual Protection Mode), and the tray-icon looks the same in all modes (same color).

Shouldn't the alert dialog "stay" on top even after clicking into a different window?
I have accidentially clicked on a different window, then the alert dialog "disappeared" and i had to search it

Learning Mode seems to work now. Rules are created with these fields automatically filled in: "Name / Signer / Hash / Path" and Comment "Added via alert dialog"
But, if i look at the Events window and Rules Editor, i can't distinguish both modes (Learning Mode / Alert Mode) - I don't know if i was in Learning Mode or have added it via alert dialog (the Events look the same)
Suggestions:
a) Rules added via Learning Mode = Category "Learning Mode" (instead of the category Alert Dialog)
b) Rules added via Learning Mode = Comment "added via Learning Mode" (instead of "Added via alert dialog.")
c) Events window: "Allow/Learning Mode" (instead of Ask/Allow)

 

@guest

Sure, we will add support for changing the icon based on protection mode later.

It will be fixed on the next build.

@mood

It will be fixed on the next build.

I like this enhancement, we'll discuss about it asap.

They will be fixed on the next build.

Thanks for reporting these issues guys

 

The last time I tested NoVirusThanks EXE Radar Pro it was not multi-user friendly. In other words, the rules only applied to the current user. Is there an easy way to work around that, so the rules are applied globally (to all users)?

Phil

 

@pcalvert they are working on it, and it is what we beta test actively right now.

 

If this the same issue then it is not fixed at all.

 

Great, I'm glad to "hear" that.

What seems strange to me is that the ruleset files are located here:

Code:

C:\ProgramData\NoVirusThanks\EXE Radar Pro\Data\

Since the rules only apply to the current user, I thought for sure that the data files would be located somewhere within the user's profile, like the AppData directory. I was hoping to work around the issue by copying the needed files to the SUA profile, but obviously that isn't going to work.

 

@pcalvert to use a multi-users setup with ERP v3.x.x., you have to export settings from one and import to the other, and even, after a reboot some of those aren't kept (especially the soft settings, rules are normally kept) .

 

Interesting comment here: https://www.wilderssecurity.com/threads/hitmanpro-alert-beta.394398/page-34#post-2720033

Implications for NVT ERP?

 

That post looks like he is talking about wholesale whitelisting, without command lines and parent/child and vulnerable process etc.

 

OK, you are probably right.

 

That is true in some way; anti-exe won't protect you from the exploit itself, only from what the exploit will do once it breached the system.
An attack is not a one effect mechanism, it works by stages called attack chain, so you have to block the attack somewhere in the chain, earlier is better.
Anti-exe and most security software will react when the dropper (if any) is executed by the poor user or when the exploit try to execute a monitored process.