New Antiexecutable: NoVirusThanks EXE Radar Pro

Indeed he is.

 

Thanks

 

Ooops. That's even of more importance.

 

Here is a new v4.0 (pre-release) test13:
http://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test13.exe

*** Please do not share the download link, we will delete it when we'll release the official v4 ***

So far this is what's new compared to the previous pre-release:

+ Added new signers to Trusted Vendors list
+ Fixed If you sort columns in Rules, they get auto-resized. And column-size in Events should be saved even after restart of the ERP GUI.
+ On Rules tab, renamed "Copy Selected Rule to Clipboard" to "Copy Selected Rule(s) to Clipboard" and it now supports multiple selected rules (copying them to clipboard)
+ Support ESC to close the dialog also on "Export Rules", "Event Details", "Excluded Processes" windows
+ Added "Support for Drag & Drop" of files for rule creation (just drag & drop a .exe file on the Rules tab and "Expression Builder" will open with pre-filled file details)
+ Removed the orange button "NoVirusThanks" on the top-left of the GUI window
+ On Rules tab, renamed "Create Internal List of Vulnerable Processes Rules" to "Re-create Vulnerable Processes Rules"
+ Added msra.exe and mstsc.exe to Vulnerable Processes rules (you need to right-click the Rules tab listview and click on "Re-create Vulnerable Process rules"
+ Minor fixes and optimizations

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

@n8chavez

We will discuss about the dark theme soon (it's on the todo list).

@Cutting_Edgetech

We'll add ability to scan a custom folder and auto-create allow rules for each .exe file found (as suggested by @mood on #6766).

@Tomin2009

We'll improve internal whitelist, please share any ERPv4 alert related to Vulnerable Processes rules.

We'll also update the Home tab with correct text/sections soon.

 

test13: Trusted Vendors added by the user gets deleted after a click on "Add Default Vendors"

 

Click

 

@novirusthanks does ERP v3 had a "purge rule" feature? i can't recall..if yes would be nice to have one on v4 too.

 

@guest - "purge rule"? I run ERP v3 (WILL NOT GIVE IT UP) on another busy 8.1 system.

Under Whitelist Tab applications tab-"Safe Applications" rules there is a "remove non-existent processes"

Is this perhaps what you refer to? It is a very handy addition.

 

yes this one.

 

Thanks. Yep it's there in my v3 ERP and is a useful purge element. I suppose something similar might even prove equally useful in other sections of certain dialog recorded logs. dunno.

But betcha it can just as easily be inserted for this new v4 ERP. Cool request!

 

@novirusthanks First of all, thank you very much for developing this wonderful piece of software! I've been using it for years, critical layer of protection for Windows IMO.

Recently, I've upgraded to Windows 10 April 2018 update (clean install actually) and decided to give this new V4 a try. Now onto my complaints

1) Is it me, or is the option to allow child processes missing from the V4 alert window completely? I.e. when I launch an installer from Windows Explorer, ERP asks for my approval, but since an installer process usually launches multiple processes I receive multiple alerts for one installation. A specially when a process requests administrative rights; the ERP alert will just show up again after clicking yes in the UAC prompt. I've looked at the "Parent Process" option in the alert window, but this shows explorer.exe as the parent process. I don't understand the use of this option, actually. Why would I allow explorer.exe as a parent process? What I'm expecting, is an option "Install" or "Allow child processes created by this parent process". V3 did provide this option (the most right button in the alert window, forgot its name). I install programs on a daily basis, so the amount of alerts is getting kind of annoying

2) The alert window is very cluttered with a lot of information in a relatively small space, in comparison to V3. The all white color scheme and the font used for the "Unknown Application Detected" text doesn't help too, to be honest. Also, the alert window is not resizable. The "Remember the action" option is too close to the Allow button, allowing for easy mistakes. I would rather see a menu drop down button next to the Allow button (and for the Block button as well). The use of the Tab button is inconsistent, the order of selected fields doesn't make sense (try pressing the Tab button a number of times).

3) There is no option to either view or change the Protection Mode from the program's main window, only from the context menu. It would be nice to have a rather big Protection Mode status on the Home page of the program window with a slider and descriptions next to it (like the UAC window does).

4) The alert window sometimes pushes applications to the background after choosing Allow, requiring me to click the taskbar button to show the process window. This seems to be happening consistently with MSI based installers.

5) The "Running Time" on the program's window Home page could be expanded to show: xx Days, xx Hours, etc.

I know V4 is still in the testing phase, but I wouldn't want to miss out on a possibly helpful contribution to the development. It's absolutely fantastic that you allow for user input in this phase of development! I believe V4 will shape up to be just _perfect_

 

Are they going to add PresentationHost.exe to the list of vulnerable processes? I thought they was. They added mstsc.exe, and msra.exe, but not PresentationHost.exe.

 

I just noticed you can filter the Rules List by All, Allow, Ask, Deny, and Exclude. I guess there is no need for a separate list for Allowed Applications after all.

 

Here is a new v4.0 (pre-release) test14:
http://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test14.exe

*** Please do not share the download link, we will delete it when we'll release the official v4 ***

So far this is what's new compared to the previous pre-release:

+ Add Trusted vendors no longer replaces them but adds the internal list instead
+ Improved internal whitelist rules

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

@mood

Should be fixed now.

@ghysler

Thanks for all the suggestions, I wrote them in the todo list and we'll discuss them asap

About "Install Mode" (was on ERPv3 Alert Dialog), we plan to add it also on ERPv4.

Added on the todo list that too.

@guest

Yes ERPv3 had that option, now that rules allow to match various fields of a process/parent it may be different.

However I wrote the suggestion in the todo list.

@Cutting_Edgetech

I'm finishing a few tests with PresentationHost.exe, if all goes well will add it to Vulnerable Processes.

 

Andreas is bound and determine to make me part down to the last machine with ERP 3 and this is getting awfully close.

FWIW, as awesome as OSA really is, and it is. ERP 4 (and 3 for me) is my bread n butter security lockdown protector.

 

ERP Test 13 on Windows 10 Educational Edition version 1703.

I almost asked for an option to untick all the Vendors in the Trusted Vendors list because I did not realize that the option already exist by right clicking in the list. The reason I overlooked it the first time is because it is worded as "disable all". I think it would be more clear if it said, "untick all", and "tick all" or "uncheck all", and "check all". I would be interested in knowing what others think.

Possible Bug:
If I disable all vendors by using the right click option from the Trusted Vendors List, then tick one or more vendors on the Trusted Vendors List, and select delete vendor it will not delete any of the vendors I have ticked. Can't you tick a vendor's check box to delete it from the list, or do you have to highlight them one at a time? I'm aware that you can remove them all by using the remove all option, but that's not what i'm trying to do.

Edit: 05/17/2018 @ 10:58
I think I may have misunderstood how the Vendors list is meant to be used. So, if I untick a Vendor does that effectively make ERP exclude that vendor's digital certificate from the Trusted Vendor's List Then If I tick it back at some point in the future it is the same thing as adding that vendor back to the Trusted Vendor's List. Is this correct?

 

All Vendors can be deleted (Remove All) or one at a time (highlighting of a Trusted Vendor + "Delete Vendor")
Suggestion: The user is able to highlight "more than one" Trusted Vendor and after clicking on "Delete Vendor" all highlighted Vendors are deleted.

Correct.
The checkbox switches between "enabled/disabled". Removing a Trusted Vendor from the list or unticking it has the same effect.

 

Mood thanks for the comfirmation!

I recommend that the user be able to highlight more than one vendor at a time for removal also. Support for shift down arrow, and shift up arrow would be good.

 

Please add this feature to ERP! This feature would keep exploits from spreading from the exploited application to the rest of the system.

I want to see a vulnerable app list option. It could also be called a vulnerable process list. I want to be able to add a parent process to the list, and then choose exactly which child processes are allowed to be spawn by the parent. This will give me complete control over all child processes the parent can spawn.

For example: I would choose firefox.exe as the parent. I would then choose the following allowed child processes for firefox.exe: app-container.exe, maintenanceservice.exe, crashreporter.exe, and update.exe. If firefox attempted to spawn any process other than the allowed child processes I have defined then ERP would prompt me, or automatically block the process depending on what Protection Mode is enabled.

I think having the list in a tree format would look nice. Being able to click on a plus symbol next to the parent to expand the view to show allowed child processes under the parent would work really well.

I'm still a poor student, but I would pay extra (within what I can afford) for this feature.

 

Will add support for deletion of multiple-selected vendors on next build

Can be already done with new rules scheme:



Here are the exported rules:

Code:

<category>Firefox Rules</><action>Allow</><expression>[Proc.Name = maintenanceservice.exe] [Proc.Signer = Mozilla Corporation] [Proc.Path = C:\Program Files\Mozilla Firefox] [Parent.Name = C:\Program Files\Mozilla Firefox\firefox.exe] [Parent.Signer = Mozilla Corporation] [Action = Allow]</><enabled>1</>

<category>Firefox Rules</><action>Allow</><expression>[Proc.Name = updater.exe] [Proc.Signer = Mozilla Corporation] [Proc.Path = C:\Program Files\Mozilla Firefox] [Parent.Name = C:\Program Files\Mozilla Firefox\firefox.exe] [Parent.Signer = Mozilla Corporation] [Action = Allow]</><enabled>1</>

<category>Firefox Rules</><action>Allow</><expression>[Proc.Name = plugin-container.exe] [Proc.Signer = Mozilla Corporation] [Proc.Path = C:\Program Files\Mozilla Firefox] [Parent.Name = C:\Program Files\Mozilla Firefox\firefox.exe] [Parent.Signer = Mozilla Corporation] [Action = Allow]</><enabled>1</>

<category>Firefox Rules</><action>Allow</><expression>[Proc.Name = crashreporter.exe] [Proc.Signer = Mozilla Corporation] [Proc.Path = C:\Program Files\Mozilla Firefox] [Parent.Name = C:\Program Files\Mozilla Firefox\firefox.exe] [Parent.Signer = Mozilla Corporation] [Action = Allow]</><enabled>1</>

<category>Firefox Rules</><action>Allow</><expression>[Proc.Name = firefox.exe] [Proc.Signer = Mozilla Corporation] [Proc.Path = C:\Program Files\Mozilla Firefox] [Parent.Name = C:\Program Files\Mozilla Firefox\firefox.exe] [Parent.Signer = Mozilla Corporation] [Action = Allow]</><enabled>1</>

You can save them as "Rules.xml" and then open Rules tab -> Import -> Select "Rules.xml"

 

I like OSA better -- ERP usually breaks installs & updates if I forget to turn it off or I'm not there when they happen.

 

Ok, I see how you did that with the expression builder now. I created the same rules you did using the expression builder. Does the top section of the expression builder that says "Process" mean "Child Process"? I think it would more clear if Parent Process was put on top, and put Child Process on the bottom. Also, label it as Child Process if that's what it means.

All the rules you created are allow rules. Does the user have to create an explicit deny rule to block firefox from spawning all other child process not allowed by an allow rule?

Edited 5/18/18 @ 4:11
Actually, just changing the name "Process" to "Child Process" in the expression builder will make things much more clear in my opinion. It's not really necessary to put Parent Process on top.

Edited 5/18/18 @ 4:46
I may have just figured out how this expression builder is intended to be used to configure complex rules. I guess "Process" means the process can be a Parent, or Child Process. I'm assuming that Parent Process at the the bottom of expression builder is only needed if you want to control child processes that can be spawned by the parent. I think many people will not realize ERP has Parent Child Control capabilities. Maybe it will be more clear when documentation comes out. If i'm correct in my thinking then it all seems easy now.