New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. guest

    guest Guest

Perhaps the developer should implement a way to let Deny-rules do their work; otherwise Deny-rules have no effect if the setting "Allow System Files" is ticked.
And some users might want to deny the execution of regedit.exe/cmd.exe/takeown.exe/powershell.exe or other system files.
And unticking it (now Deny-rules are working) is not an ideal solution because there will be a lot of prompts.
@novirusthanks
The same goes for "Allow all software from Program Files folder". Maybe you can find a way to set a higher priority for Deny-rules (perhaps in a similar way as it was recently introduced for Ask- (Edit: Allow-) rules [hint: "Exclude (Allow)"]).
So the user can block applications in a directory reliably, even if applications in this directory are System Files / the directory is located in Program Files / are signed by a trusted vendor / etc.
     
    Last edited by a moderator: Apr 11, 2018
  2. guest

    guest Guest

    Yes, this would be nice :thumb:
     
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Thanks. It is just as you said. If "Allow System Files" is ticked, deny rules don't work, but "ask" rules do work. That explains a lot of things.
    It's no big deal to change a few deny rules to ask rules, until the next build.

    This is probably the same behavior that was troubling @Peter2150 .
     
  4. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
The security settings overlap on different occasions. I have unchecked all allow settings except for "allow system files".

    What is the order that the rules are applied?

I am still uncertain how to ask to run the LinkedIn and Pandora apps.
     
    Last edited: Apr 11, 2018
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Just adding to @Charyb's questions:
    Let's say a user unchecks "allow system files."
    He gets bombarded with lots of prompts, to which he answers with allow rules.
    But among them will inevitably be some previously defined "ask" rules, such as cmd and rundll32.
    Will this kill the "ask" rules? If so, what can be done?
     
  6. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    @novirusthanks
    Would it be possible to make the rule expression builder window resizable?
     
  7. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    I would like the alert dialog to show which category rules are in. These are located under vulnerable processes but the alert does not show this.

    Date/Time: 2018-04-11 13:56:08.465
    Action: Ask/Allow Once
    PID: 5852
    Process Path: C:\Windows\System32\rundll32.exe
    SHA1: 1C99C20757B039D88F59B02B7753A730A90BF2AD
    Signer:
    Command Line: C:\WINDOWS\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations
    Parent: C:\Windows\System32\svchost.exe
    Parent SHA1: B3D7C886DC6607A50874E0ECF2B90CFC3C4B57B8
    Parent Signer: Microsoft Windows Publisher
    Expression: -
    Category: Alert Dialog
    User/Domain: SYSTEM/NT AUTHORITY
    Integrity Level: System
    System File: True


    Date/Time: 2018-04-11 13:58:21.704
    Action: Ask/Allow Once
    PID: 6532
    Process Path: C:\Windows\System32\sc.exe
    SHA1: BE2E15F3DDB084B3370B004234704C716A008950
    Signer:
    Command Line: C:\WINDOWS\system32\sc.exe start wuauserv
    Parent: C:\Windows\System32\svchost.exe
    Parent SHA1: B3D7C886DC6607A50874E0ECF2B90CFC3C4B57B8
    Parent Signer: Microsoft Windows Publisher
    Expression: -
    Category: Alert Dialog
    User/Domain: SYSTEM/NT AUTHORITY
    Integrity Level: System
    System File: True
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    +1
    Maybe also a different color or something, as a visual clue.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
@novirusthanks In case I missed it: do the ERP 4 test pre-releases still throw up a separate ALERT when a HASH is changed on a whitelist-allow file or files?

That was always a great feature in ERP 3, when the bright yellow stripe alerted to a "Whitelisted Application Changed".

This was easily tested using ResHacker on one of my security logging apps, filechangealarm, where I often reprogram Delphi colors/control boxes/menus and overwrite the original. ERP 3 picked that up with a special ALERT!
     
  10. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    I want to continue to keep one of the ask rules in vulnerable processes but I want to modify it and have it allow it using other criteria. Is this possible to have two rules relating to the same process with different actions? For instance, if I add the hash and path in the dll32 vulnerable process rule, will these two rules differ enough to show the ask dialogue or the allow dialogue?
     
    Last edited: Apr 12, 2018
  11. guest

    guest Guest

After whitelisting a file with Proc.Name, Proc.Path and Proc.Hash and then modifying this file, "Unknown Application Detected" will be shown.
But it would be a good idea to show "Whitelisted Application Changed" or something similar (so that the user knows that this file was already whitelisted but the hash of the file has changed).
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
DEFINITELY miss that.
Although the file will still be alerted on after modification (per the notification you show), the changed hash as a separate alert was/is a useful indicator that ERP 3 handles very well.
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    To answer my own question, no it won't. It has already been explained that in order to override an "ask" rule, an "exclude" rule must be used.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Thanks @shmu26, as it was quite a chore when I did that before the Exclude was added in this version.

Windows has so many files and file operations that seem set on going into motion, when in reality plenty of those could actually wait a day or two IMO, and some need not have nonstop access at all, also in my opinion.

    The less activity the better which I personally like since it allows the machine some time to rest. :rolleyes:
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
The user could be spared all this confusion if the vulns had a special prompt that automatically selects "exclude" in the rule maker.
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    :thumb:
     
  17. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    What is the purpose of "Read data from file" located in the expression builder? How is this used?
     
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v4.0 (pre-release) test8:
    http://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test8.exe

*** Please do not share the download link, we will delete it when we release the official v4 ***

    So far this is what's new compared to the previous pre-release:

    + Deny action is checked before Allow* actions on Settings tab
    + Fixed showing of Alert Dialog on dual monitors
    + Show the category of the triggered Ask rule in the Alert Dialog
    + Improved "Allow Known Safe Process Behaviors"
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @Charyb

It extracts the fields (i.e. name, path, signer) from the selected exe file.

Will read and reply to the other posts asap.
     
  19. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    I understand now.

    Version 3 was good, but I think I'm going to like version 4 much better. It's much simpler and cleaner.

    I still would like to be able to view and edit the trusted vendor list. Coming soon?

    Thanks
     
    Last edited: Apr 13, 2018
  20. guest

    guest Guest

    Nice, deny-rules are working now as expected :thumb:
[Attachments: RadarPro_Deny-rule.png, RadarPro_wscript-rule.png, RadarPro_Deny-rule_log.png, RadarPro_wscript-rule_log.png]

    Issue - "Events":
After resizing some columns to the smallest size, then closing and re-opening the GUI (and enlarging the columns), the characters look scrambled:
[Attachment: RadarPro_Column_resized.png]
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
Does ERP now remember both window and column size? I haven't even downloaded the latest versions because of this annoyance.
     
  22. guest

    guest Guest

    No :)
     
  23. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    What does "allow system files" mean, exactly?
Does it mean all files in certain locations, or does it mean all files in the digitally signed Microsoft security catalog (.cat)?
     
  24. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    Here is my guess.
Any executable located in the System32, SysWOW64, and SystemApps folders.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @novirusthanks can spell that out exactly for us when back online again. No guessing. Just the facts. :)
     