New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  2. guest

    guest Guest

In SOB you have to write rules, and writing rules (or configuring applications via "notepad") is not everybody's cup of tea.
    And I think the majority would like to have a GUI, so the priority for developing is still ERP, OS Armor, etc.
     
  3. AEG

    AEG Registered Member

    Joined:
    Mar 12, 2018
    Posts:
    29
    Location:
    Middlesbrough
Yes, you're right. Actually I've just discovered you can stop programs from running other processes in ERP, and it's easier and more flexible than with SOB. All you do is enter the parent process in a new rule and then block all other processes using * in the name field of the child process, or you could allow all processes signed by the same company to run! Very clever.
     
  4. AEG

    AEG Registered Member

    Joined:
    Mar 12, 2018
    Posts:
    29
    Location:
    Middlesbrough
Does anybody know what the lockdown and allow modes do? I can't seem to find any help files for ERP.
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I understand what you are looking for -- in ERP 3, there was such a thing. But in ERP 4, there isn't, at least, not yet. AFAIK.
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Lockdown means it will be blocked and you will not get a prompt.
    Allow means it will be allowed and you will not get a prompt. But it will be logged, so it is different from disabled.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
That expression builder seems to be a healthy meat-and-potatoes feature the likes of which I have not come across ever. Almost too good to be true. Now with that, I haven't slung what is usually a respectable laundry load of malwares at it yet, since you chalked this release with plenty to chew on, with digging at areas each of us set out to cover within our own respective configs, but it is quite a fine piece of work to the end where exists some super granularity. Once enough of the rules are laid out as manually as humanly possible, comes what I thrive on most: bombarding the whole ball of wax with as formidable a collection of crapware that I seriously believe has small chance to get very far if not stopped in its tracks the moment something moves to tamper with Windows basic as well as undocumented hidden pathway functions.

I expect ERP will more than hold its own, but for pity's sake, add SysHardener + OSA and how do crapwares even find a leg to stand on with this defense shield.

    It's been duly noted that self-protection, which is always what badwares would seek to throw off first IMO, has been enhanced to better lock in ERP (and OSA for that matter). Good News, very good news indeed.

Not even made it to the "experimental UAC control section" yet. Thanks greatly for putting the metal into the forge with this app and providing the end user an excellent process security app on a scale which looks to be becoming better than any of us expected it would possibly turn out to be, at least this early in its stage of development.

And while I'm at it, there is one quirk that has bothered me for years that an old trusty HIPS used to do. Is there some way possible a setting can be added to Alert To/Prevent the creation of ANY folder within the system? I miss that one little nuance simply because if a malware could somehow slip thru a sliver of a hole long enough to create a folder to drop files in, it might be fashioned in a way to return to try to activate its goods (although ERP-OSA would surely trap the process). I am curious if a method exists which would be simple to simply prevent Folder Creation, period, or alert to it, etc. Sorry for the reach, and maybe not of consequence at all for most, but I am curious if it's possible to add something on that particular command.

It's more likely a Permissions ordeal, to restrict new folder creation, than useful to contribute to process security, but purely for in-the-wind's sake I thought I might put that out there for any thought if by chance relevant; if not, it's quite ok. ERP 4 seems Powerhouse material while also light as a feather.
     
    Last edited: Mar 25, 2018
  8. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    @novirusthanks

    Having some boot problems with latest ERP build 3.

    1) Sometimes explorer.exe won't load after welcome screen and I have to ctrl + alt + delete and run explorer.exe.
    2) Sometimes I'm stuck at the welcome screen while it's endlessly trying to load the desktop. Only solution is to hardware reset the computer to get into Windows.

    Also, in the last session, ERP build 3 didn't load the GUI. It only loaded the service.

    I am using ERP with OSArmor latest build and Windows Defender.

    Furthermore, could you add the Signer 'Microsoft Windows Publisher' to the trusted publisher list? I have checked the box 'Allow all Microsoft signed processes', but that doesn't include 'Microsoft Windows Publisher'. For instance, the parent file which starts SkypeHost.exe is signed by Microsoft Windows Publisher.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
That is exactly what I experienced in an earlier post where I mentioned that after a couple of reboots I sort of locked myself out, or thought I did.

It either self-corrected (it hasn't happened again through several reboots since), or, IIRC, the BLOCK box had run away too fast for me to catch and exclude before I ticked "do not auto close notification dialog" and finally could exclude the necessary system/other app processes to prevent it from happening again; I forget now which ones.

Of note, after the first install I pulled back and unticked for sure "Allow Known Safe Process Behaviors" & "Allow Processes Signed By Trusted Vendors", and that's when on boot I had to keypress the combo and bring up Task Manager to start explorer with Admin rights to get to the desktop.

    https://www.wilderssecurity.com/thr...ks-exe-radar-pro.300552/page-263#post-2746255

Are you running any other third-party strong security programs?
    If so, you might check to see if any of their processes need to be excluded.

    If not, check the ERP 4 log and review which processes it has blocked, if that might be of use.
     
  10. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Thanks for replying!

Glad to hear I'm not alone with this problem. It occurs sporadically and not on every boot. I have the same settings as you did, "do not close notification dialog" etc. I even had the "Perform an action (auto-allow once) after N minutes of idle". So I waited for 2 minutes and I was still stuck.

    I am running Windows Defender with OSArmor and ERP only. The problem is it occurs sporadically. Not every time! I've tried re-installing but that didn't help.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Glad to!

I removed OSA before installing ERP 4, but Windows Defender is still there on Windows 10; I really didn't consider it the culprit, though.

    However, it's not repeated for me again. Hope you get to track down why and correct it, or someone else brings it up if they run into the same thing too.

    Since you reinstalled and it's repeated again, it bears watching the logs to see what's showing up in them after it happens.
     
  12. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I will be sure to check out the logs the next time it happens!
     
  13. AEG

    AEG Registered Member

    Joined:
    Mar 12, 2018
    Posts:
    29
    Location:
    Middlesbrough
Similar problem here. Not always able to log in to Windows 10. Sometimes I get an entirely blank screen with no login or mouse. The display driver sometimes doesn't recognise my additional monitor. No blocking shown in logs. I thought it was a problem with Smart Object Blocker, which I installed then uninstalled. The first lockup happened after uninstall and reboot. It looks like it's ERP, however, as others are having similar problems.
     
  14. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Yep! That's my problem too (except I don't use SOB). Can confirm.
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    This might be the same problem that OSA had. The dev fixed it by extending the timeout.
    I noticed that with ERP 4 installed, it takes significantly longer to reach desktop after a reboot, so I suspect that one of the ERP processes is not initializing fast enough, and is causing various issues.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Oh, is this reporting ever useful. It's needed so it can be fixed. With those 2 occurrences I had, now that you bring that up, I remember my mouse went out and I lost keyboard letter control completely, but it just so happens my login password is numbers only and that got me past that point. I dismissed it as maybe a one-time thing since I was able to boot, but got to a blank screen where it was necessary to bring up Task Manager to type in Explorer and get back on screen.

For me this all happened right after first installing this release (I uninstalled ERP3 first). Yesterday I rebooted several times during the day with no issue, but it seems there is something to this.

    I wasn't as active much with Object Blocker, so that experience might be connected and useful as it applies to ERP 4 for some sharing the same issue.
     
    Last edited: Mar 25, 2018
  17. AEG

    AEG Registered Member

    Joined:
    Mar 12, 2018
    Posts:
    29
    Location:
    Middlesbrough
I wonder if anyone can tell me why this is happening. I got a warning that Calculator was trying to run while I was using Firefox. The command line was:

    "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1803.711.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca

Is this related to Windows updates, or is it something odd?
     
  18. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
If you could copy the entire ERP log entry for that event, it would be easier to see what happened.
    The ERP log entry should show the parent process and the command line and everything; in other words, it shows the context in which the event took place.
     
  19. AEG

    AEG Registered Member

    Joined:
    Mar 12, 2018
    Posts:
    29
    Location:
    Middlesbrough
Ok, thanks, here it is. I'm pretty sure it's ok, as Windows Store has just attempted the same thing. Log:

    Date/Time: 2018-03-26 13:03:14.081
    Action: Ask/Deny Once
    PID: 5280
    Process Path: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1803.711.0_x64__8wekyb3d8bbwe\Calculator.exe
    SHA1: E54CDEEFC80824AB1DF297044E08BCF877846723
    Signer:
    Command Line: "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1803.711.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
    Parent: C:\Windows\System32\svchost.exe
    Parent SHA1: B3D7C886DC6607A50874E0ECF2B90CFC3C4B57B8
    Parent Signer: Microsoft Windows Publisher
    Expression: -
    Category: Alert Dialog
    User/Domain: aegre/TOSHIBA-SATELLI
    Integrity Level: Low
    System File: False
     
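The log entry above, together with the parent/child wildcard rule AEG described earlier in the thread, as an added example (not NoVirusThanks code): it parses an ERP-style log entry into fields and evaluates hypothetical parent/child glob rules against it. The rule structure, rule names and the `evaluate` helper are assumptions, not ERP's own rule format.

```python
# Added example, not NoVirusThanks code: parse an ERP-style log entry (field format
# taken from the post above) and evaluate parent/child wildcard rules of the kind
# described earlier in the thread. The rule structure is assumed, not ERP's own.
from fnmatch import fnmatch

# Constructed from the log entry posted above (hashes and user fields omitted).
SAMPLE_EVENT = r"""Date/Time: 2018-03-26 13:03:14.081
Action: Ask/Deny Once
PID: 5280
Process Path: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1803.711.0_x64__8wekyb3d8bbwe\Calculator.exe
Signer:
Command Line: "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1803.711.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
Parent: C:\Windows\System32\svchost.exe
Parent Signer: Microsoft Windows Publisher
"""

def parse_event(text):
    """Turn 'Key: value' lines into a dict; an empty value such as 'Signer:' becomes ''."""
    event = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            event[key.strip()] = value.strip()
    return event

# Hypothetical rule list. 'parent' and 'child' are shell-style globs over the full
# path; a 'parent_signer' of None means "do not check the signer". First match wins.
RULES = [
    # A generic rule for Windows Apps started by a Microsoft-signed svchost.
    {"name": "windows-apps-from-svchost", "parent": r"*\svchost.exe",
     "parent_signer": "Microsoft Windows Publisher",
     "child": r"*\WindowsApps\*", "action": "allow"},
    # AEG's pattern: a given parent may not start any other process ('*' as child).
    {"name": "firefox-no-children", "parent": r"*\firefox.exe",
     "parent_signer": None, "child": "*", "action": "block"},
]

def evaluate(event, rules=RULES):
    """Return (action, rule_name) for the first matching rule, else ('ask', None)."""
    parent = event.get("Parent", "").lower()        # paths compared case-insensitively
    child = event.get("Process Path", "").lower()
    for rule in rules:
        if not fnmatch(parent, rule["parent"].lower()):
            continue
        if rule["parent_signer"] is not None and event.get("Parent Signer") != rule["parent_signer"]:
            continue                                # signer mismatch: rule does not apply
        if fnmatch(child, rule["child"].lower()):
            return rule["action"], rule["name"]
    return "ask", None                              # no rule matched: prompt the user
```

Calling `evaluate(parse_event(SAMPLE_EVENT))` yields the allow decision; dropping the parent signer from the event falls back to a prompt, which is the check that keeps an unsigned lookalike svchost from inheriting the rule.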
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
Yes, I think you are right. It says
    Parent: C:\Windows\System32\svchost.exe
    And Windows scheduled tasks are initiated by svchost.

    I see this so often, I just ignore it when svchost runs one of those Windows apps commands.
     
  21. AEG

    AEG Registered Member

    Joined:
    Mar 12, 2018
    Posts:
    29
    Location:
    Middlesbrough
Ok, thanks. I think I'll try and create a generic rule to deal with these updates.
     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
We could reproduce all reported issues; we should upload a new build tomorrow.

    @AEG

    That event is safe, did you check the option "Allow Microsoft Windows Apps"?

    It should auto-allow all Windows Apps.

    @puff-m-d

    The option "Block Suspicious Process Behaviors" incorporates some OSA rules, it is mainly an experiment.

We'll decide whether to leave it or remove it after some of the next builds.

    As of now, there is no possibility to exclude an event related to that option, but we may add this possibility in the next builds.

    The option "Allow Known Safe Process Behaviors" incorporates the old ERPv3 command-line strings (in a much smarter way), and other known safe process behaviors related to system processes. Some rules are taken from OSA's internal whitelist rules.

    Yes, but I personally don't like much to join them, I see it this way:

OSArmor is for any user and once installed, with the default options, it offers a very good additional layer of defense. Bad process behaviors are blocked by default; the user doesn't need to decide whether to allow or block a process. All is pre-configured, you just need to check\uncheck protection options according to your knowledge and needs. It also allows you to write your own custom block rules. We manage and keep up-to-date the pre-configured protection options.

    ERPv4 is for medium\advanced users, you get alerts for any unknown process, you can fully lockdown your system with Lockdown Mode (allow only what is whitelisted and block the rest), and it allows you to write more granular rules. Nothing is pre-configured, and you need to "train" ERPv4 by yourself according to your installed apps and PC usage. This is a fully configurable anti-executable.
     
  23. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello @novirusthanks,

    Thank you very much for your detailed reply ;) . You answered all of my questions very well :thumb: !
     
  24. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    TY for OSA and ERP. And yes - please keep them as separate products. Each stands alone and can serve different users though many of us here use both.

    Nice explanation above.
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,794
    Location:
    .
    The latter please Andreas. If my opinion counts, keep 'em both as separate products.
     