New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Where are they exactly in OSA in order to, as you say, "transfer" them to ERP?

    I also have BOTH programs running in harmony now.
     
  2. guest

    guest Guest

    Let ERP be ERP and not try to copy other solutions. ERP has a command-line parser and Lockdown Mode, which is good enough.

    It won't happen, it is not in ERP's scope; just use AppGuard alongside, as I do.
    ERP is just an anti-exe, it can't even monitor memory or even DLLs (unlike Smart Object Blocker), so don't even expect to see any Memory Containment feature.
     
    Last edited by a moderator: Feb 26, 2018
  3. guest

    guest Guest

    Ticking the option "Block execution of any process related to NirSoft" in OS Armor is basically the same as writing this rule in ERP 4.x:
    ERP4.x.png
    And this can be done with most of the options in OS Armor.

    I think it can be useful for those who are running ERP 4.x to have pre-configured rules, at least some PowerShell-related or "Attacks Mitigation" rules.

    OS Armor can be called a behaviour blocker, but internally it works no differently than ERP 4.x.
    Both applications scan processes, child processes and command lines and act accordingly.
    OS Armor is the "easy way" of adding a behaviour blocker, but IMO the same could be achieved with proper rules in ERP.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    But obviously whoever commissioned OSA didn't want to have to write rules, or be bothered with them.
     
  5. guest

    guest Guest

    Exactly :)
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    (finally clearing the groggy out of my brain/eyes)

    Funny or better put, best thing that jumps out at me which is a huge relief is the vbs, etc. script blockings.

    Yes, ERP is set to alert on those and many others of course, but the OSA approach serves as a backup, since on my machine ERP is more front line and picks up on scripts FIRST, then OSA kicks in with blocking IF it has been allowed to pass ERP.

    And even better yet on this end, I have a generic placement for local WiFi whereby I use my smartphone running off the lappy, which uses a combo of a vbs script and cmd at startup, and no interference whatsoever. Didn't even have to modify either the rules or their locations, which breathes even more fresh air into this OSA/ERP combo.

    Rock On!
     
  7. guest

    guest Guest

    Yes, OSA + ERP is a good (or even perfect) combo :thumb:
     
  8. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    No kidding! If my expression mark seems (where have you been lately), well I have been out of commission a while.

    This OSA is, as everyone is already aware, super granular, and being of the ambitious and emotional type I had to blow a horn on what it's turning up as I run through things today with it.

    See, I have never been quite of a mind as a user where you have to learn variables and tinker and expend a huge amount of time prodding to line up GRANULARITY line by line, and/or VAR by VAR etc.

    OSA seems to lay it out (so far) and, for lack of a better term, takes a bunch of legwork out of that task and leaves pinpoint precision rules right where we can use and need/add them to be best for each particular machine's arrangement.

    WOW
     
  10. guest

    guest Guest

    When SOB attains the usability of ERP, it will be a very good addition to OSA.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Almost forgot that. Enter yet another jewel in SOB. Gee whiz. With these three PC safety apps, where does a user turn?

    SOB never really caught on for me, but that's only simple user preference on one end. Taking absolutely nothing away from its great abilities.

    Can't even imagine if the trio of such power safety apps can even be practically grouped together given the other programs most of us keep in place to form our solid walls of defense.
     
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    The thing that worries me about OSA is that malware (and Windows itself) is regularly morphing in unpredictable directions. This means that today's smart rules can become obsolete tomorrow. So for OSA to stay relevant, it will need constant development. And you know...
    But ERP stays "eternally" relevant.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Which leads this user to say, as has been a bug of mine for as long as Microsoft has dished out new releases of the O/S, that they add new leads/tie-ins which many times introduce/present yet another new wrinkle for security vendors to have to try to cover (with updates/upgrades).

    One example being PowerShell IMO of late, and then the cat-and-mouse game is right back on again, where it falls to tracking and making provision to prevent bad actors from taking advantage of those new internal connections for their own purposes.

    You have to hand it to the good guys though. They are every single bit as notorious in staving off new twists for potential intrusion as much if not more than the bad guys.
     
  14. guest

    guest Guest

    In fact, SOB is better than ERP since it monitors DLLs and drivers; the only huge con is the lack of a GUI.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Which is exactly why it never really caught on for me.

    Shame too really. Since you point exactly to the excellent abilities SOB affords an end user.
     
  16. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    wtf is SOB?
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is the first public beta of ERP v4.0 (pre-release) test 1:
    http://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test1.exe

    exeradarpro.png

    *** Please do not share the download link, we will delete it when we release the official v4.0 ***

    This is the changelog so far (summarized):

    + Redesigned the application from scratch
    + Kernel-drivers are co-signed by MS
    + Allow to enable/disable/search/sort/categorize rules
    + Simplified the user interface
    + More detailed events that show also the triggered rule
    + Create rules grouping process fields (name, signer, cmdline, parent, etc)
    + Allow matching parent process AND child process
    + Support wildcard (? and * character) on each process field
    + Improved support for Limited User Accounts and Fast User Switching
    + Self-protection against process termination is auto-enabled
    + Only Task Manager is allowed to terminate the program
    + Improved support for Windows 10

    How to handle Vulnerable Processes?
    I create a new category in Rules, named something like "Vulnerable Processes", and I add there all the system processes commonly hijacked and misused by malware, for example cmd.exe, powershell.exe, rundll32.exe, etc. I set Action = Ask to always be notified when they are executed. Other system processes like vssadmin.exe, reg.exe, regini.exe, etc. I prefer to set to Action = Deny to automatically block them (I don't need them). As you can see from the screenshot below, I also added the SysWOW64 versions (I'm on a 64-bit OS).

    To allow a vulnerable process I just create a new rule matching the process, the parent process (can be useful) and the command-line string. In some safe cases I just match the parent process and the child (vulnerable) process, i.e. C:\Program Files\Safe\Process.exe (parent) -> C:\WINDOWS\System32\cmd.exe (child), without matching the command line.

    vuln-processes.png


    *** You can probably avoid matching the SHA1 hash of vulnerable processes, because let's say a malware copies cmd.exe to the Temp folder; then when it is executed you would get an Alert Dialog because it is no longer a system process but is considered an unknown process. Moreover, the ones I added are not even digitally signed by MS. ***

    test1.png

    I exported my list of vulnerable processes (made quickly, you may add some more):
    http://downloads.novirusthanks.org/files/VulnerableProcesses_Rules.csv

    Just click on "Rules" -> "Import" and select this CSV file to import them.

    Now that rules can be categorized, you can just create new categories and put your custom rules there. One important thing: if you create a rule to allow all processes on C:\WINDOWS\* then it takes precedence over Action = Ask, so all processes in C:\WINDOWS\* will be allowed (also processes with Action = Ask).

    This first public beta should be pretty stable and you should familiarize yourself with it easily; it has a simple interface to create and manage rules and to check events. The settings tab has a few important and simple options. The self-protection against process termination is enabled by default and can't be changed via the settings (it is not present there as an option). Only Task Manager can terminate EXE Radar Pro processes.

    Let me know your feedback guys :)
     
    Last edited: Feb 28, 2018
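    The rule model the developer describes above (match on process path, parent process and command line with * and ? wildcards, a "Vulnerable Processes" category with Ask and Deny actions, a parent/child exception without a command-line match, the copied-to-Temp cmd.exe becoming an unknown process, and the warning that a blanket Allow on C:\WINDOWS\* takes precedence over Ask) is the same path-pattern matching an earlier post in this thread compares to OS Armor's NirSoft option. The following toy evaluator is an added example written for this page; it is not EXE Radar Pro's engine, CSV format or precedence logic, and the ordering of Deny relative to Allow and Ask, the rule names, the paths and the process events are all constructed assumptions.

```python
"""Toy evaluator for process-path / parent / command-line rules with * and ?
wildcards.  Written for illustration only: it is NOT EXE Radar Pro's engine,
CSV format or precedence logic; every rule name, path and event is constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

ASK, ALLOW, DENY = "Ask", "Allow", "Deny"

# Model assumption: Allow beats Ask (the post states this for a C:\WINDOWS\*
# allow rule); placing Deny between the two is this model's own choice.
PRECEDENCE = (ALLOW, DENY, ASK)


@dataclass
class ProcessEvent:
    path: str          # full path of the process being started
    parent: str        # full path of the parent process
    cmdline: str = ""  # command line of the new process


@dataclass
class Rule:
    name: str
    action: str
    path: str = "*"     # each field is a wildcard pattern; "*" means "any"
    parent: str = "*"
    cmdline: str = "*"
    category: str = "Custom"
    enabled: bool = True

    def matches(self, ev: ProcessEvent) -> bool:
        if not self.enabled:
            return False
        pairs = ((ev.path, self.path), (ev.parent, self.parent), (ev.cmdline, self.cmdline))
        # Windows paths are case-insensitive, so compare lower-cased.
        return all(fnmatchcase(value.lower(), pattern.lower()) for value, pattern in pairs)


def evaluate(rules: List[Rule], ev: ProcessEvent) -> Tuple[str, str]:
    """Return (action, rule name).  A process no rule covers is unknown -> Ask."""
    hits = [r for r in rules if r.matches(ev)]
    for action in PRECEDENCE:
        for r in hits:
            if r.action == action:
                return action, r.name
    return ASK, "<unknown process>"


def vulnerable_process_rules() -> List[Rule]:
    """A 'Vulnerable Processes' category covering both the System32 and SysWOW64
    copies, plus one parent/child exception of the kind the post describes."""
    wanted = {"cmd.exe": ASK, "rundll32.exe": ASK,
              "WindowsPowerShell\\v1.0\\powershell.exe": ASK,
              "vssadmin.exe": DENY, "reg.exe": DENY, "regini.exe": DENY}
    rules = []
    for sysdir in ("System32", "SysWOW64"):
        for rel, action in wanted.items():
            rules.append(Rule(f"{action} {sysdir} {rel}", action,
                              path="C:\\WINDOWS\\" + sysdir + "\\" + rel,
                              category="Vulnerable Processes"))
    # Exception: a known-safe parent may spawn cmd.exe; no command-line match needed.
    rules.append(Rule("Safe app -> cmd", ALLOW, path=r"C:\WINDOWS\System32\cmd.exe",
                      parent=r"C:\Program Files\Safe\Process.exe"))
    return rules


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed process-start events run through the rule set."""
    rules = vulnerable_process_rules()
    cmd32 = r"C:\WINDOWS\System32\cmd.exe"
    winword = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    events = {
        "safe parent": ProcessEvent(cmd32, r"C:\Program Files\Safe\Process.exe", "cmd.exe /c build.bat"),
        "office macro": ProcessEvent(cmd32, winword, 'cmd.exe /c "powershell -enc SQBFAFgA..."'),
        "shadow copies": ProcessEvent(r"C:\WINDOWS\System32\vssadmin.exe", cmd32,
                                      "vssadmin delete shadows /all /quiet"),
        # cmd.exe copied out of System32: no path rule matches, so it is an
        # unknown process and prompts anyway (the post's point about SHA1 matching).
        "copied cmd": ProcessEvent(r"C:\Users\bob\AppData\Local\Temp\cmd.exe", winword),
    }
    results = {name: evaluate(rules, ev) for name, ev in events.items()}
    # The trap the post warns about: a blanket Allow on C:\WINDOWS\* takes
    # precedence over the Ask rules, so the macro-spawned cmd.exe sails through.
    blanket = rules + [Rule("Allow all of Windows", ALLOW, path=r"C:\WINDOWS\*")]
    results["office macro, blanket allow"] = evaluate(blanket, events["office macro"])
    return results


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:28} -> {action:5} ({rule})")
```

    Running it prints one line per event: the safe parent/child pair is allowed, the macro-spawned cmd.exe and the cmd.exe copied to Temp both prompt, vssadmin.exe is denied, and the same macro event is silently allowed once a blanket C:\WINDOWS\* allow rule is present, which is why such a rule belongs nowhere near a "Vulnerable Processes" category.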
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    :):thumb:

    Wilders Security people are going to burst with joy ... :ninja:
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Nice!, I can't wait to give it a try. :thumb:
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Amazing :thumb:
     
  23. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    Fantastic, thanks Andreas.:thumb:
     
  24. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    I presume we uninstall the old version?
    Are our settings retained?
    Do your rules blend with ours?
    Install in the same directory as the exe?

    Thank you - this is a great program.
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @novirusthanks Is the expectation of 4.0 release to be free or paid? Thank you.
     