Driver Radar Pro v1.5 (Freeware)

Discussion in 'other anti-malware software' started by novirusthanks, Apr 28, 2014.

  1. Lorina

    Lorina Registered Member

    Joined:
    Mar 13, 2018
    Posts:
    13
    Location:
    EU
    I don't suppose there's a way to avoid this in normal Lockdown mode, but if you run DrWeb's CureIt (https://free.drweb.com/download cureit free/?lng=en), which is frequently updated and has randomized driver names, Driver Radar (1.8 and the previous version) blocks it when in Lockdown mode. That's not too much of an issue, but once CureIt's driver is blocked by Driver Radar, there's an immediate crash / blue screen in Windows (10 Pro 64 in my case, checked on two different computers).
     
  2. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    109
    @novirusthanks

With a new install, the setup of the new version doesn't let me choose the path of the installation folder.
    In the previous versions, the path of the installation folder can be chosen...
     
  3. guest

    guest Guest

    This can happen if drivers are blocked from being loaded.
Does this driver have a digital signature? If this driver has one, you should add the signer of the driver to the whitelist in the category "Signers".
If it doesn't have a digital signature, the driver has to be whitelisted before you switch to Lockdown, else a BSOD will occur after each update of the driver.
    (Driver is not whitelisted = DRP blocks the driver in Lockdown = Issues might appear)
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    I have a question to verify that I understand the different protection modes of DRP:
    Lockdown mode: automatically blocks any driver not on at least one of the three whitelists (hashes, wildcards, and/or signers)
    Learning mode: automatically allows all new drivers and adds their information to the whitelists (includes hashes and/or signers)
    Disable protection: turns protection off and allows all drivers
    Now if I have understood the above modes correctly, what exactly does "Trust mode" do?
    I apologize in advance if this question has already been answered but I did do a search without finding one.
     
  5. guest

    guest Guest

    Trust Mode: In this mode each driver will be allowed to load and you will be notified if a driver is loaded.
    It is basically the same as "Disable Protection" but with notifications.
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello @mood,

Thanks for the reply. I was having a hard time trying to figure out what, if any, differences there are between "trust" and "disable" and you have now answered my question :thumb: ...
     
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    comment?
     
  8. guest

    guest Guest

    I have noticed it too that drivers are not added to the whitelist in Learning Mode.
    The user must add new drivers himself, but normally in Learning Mode it should be the job of DRP.
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    ....maybe, I'll wait for 1.9 before trying DRP, again.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Can't tell one way or the other just yet (ERP v4 study period) but I have noticed lockdown mode pretty stable on my 8.1 and I assume 10 as well, although my interest in 10 is waning due to its remote wanton silliness.

    But, Driver Radar when it detects and locks in on a driver/service, it's a routine of mine (when i know it's familiar-safe) to simply manually add it to all 3 categories, hash-path-signer and they're stored there on out.

    I wish I could add something for comment or complaint but not tampered with learning mode beyond the first run/install/restart long enough to lock in the vitals and let Driver Radar Pro point out the rest to determine where they stand, whitelist or not.
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    If Secure boot is disabled, I understand why DRP is useful: it prevents rogue kernel drivers from starting.
    But if Secure boot is enabled, and I am on a version of Windows that requires drivers to be co-signed by Microsoft, do I still need DRP?

    Question 2: Let's say I want to trim down the Trusted Signers List. Nowadays, almost all drivers are co-signed by MS, right? So to avoid borking Windows 10, what signers must I have? All the Microsoft signers, or what?
     
    Last edited: Jul 12, 2018
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Wouldn't wildcards solve @Lorina's issue?
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    It depends how old your PC is. Any device drivers associated with the motherboard are usually only updated for a few years; until its warranty expires. Also if you have "dated" app software installed that uses a driver. This is the primary reason Microsoft didn't by default enable driver signature enforcement -see below- in the Win 7 to 10 upgrades.

    As far as what CA's can issue driver certificates, only a limited number can:
    https://docs.microsoft.com/en-us/wi...-for-public-release--windows-vista-and-later-

    https://docs.microsoft.com/en-us/windows-hardware/drivers/install/whql-release-signature

    https://docs.microsoft.com/en-us/windows-hardware/drivers/install/software-publisher-certificate
     
    Last edited: Jul 12, 2018
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Thanks.
    When Microsoft co-signs a driver, what specific name/s does it use?
    Microsoft Windows?
    Microsoft Corporation?
    Others?
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    "Microsoft Time-Stamp Service" is what it uses to co-sign its own driver certificates.
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    So in that case, as far as DRP is concerned, it looks like we still need to go by the primary signers.
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Still trying to understand how DRP helps us, obviously I am missing an important point.
    The only driver that gets logged on my system is ndiswan.sys , whatever that is, so apparently most of the drivers load early at system startup, before DRP starts monitoring.
     
  18. guest

    guest Guest

Adding only Microsoft signers is not sufficient. DRP seems to check for the first digital signature of a driver.
In the case of, for example, c:\Program Files\Sandboxie\SbieDrv.sys, "Invincea, Inc." is the first and "Microsoft Windows Hardware Compatibility Publisher" is the second digital signature.
    If you haven't added "Invincea, Inc." to the list of Signers, DRP will prevent the driver from loading.
    Code:
    Action: Allowed
    Driver: C:\Program Files\Sandboxie\SbieDrv.sys
    Publisher: Sandboxie Holdings, LLC
    Signer: Invincea, Inc.
    
    To find out which signers should be added, NoVirusThanks Signer Extractor can be used.
    https://www.wilderssecurity.com/threads/novirusthanks-signer-extractor.403695/
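As an added illustration (not DRP's own code), the following Python models the behaviour described in this thread: the four modes, the three whitelists, and the first-signer-only check observed above. Driver paths, file contents and the "Constructed AV Vendor" signer are constructed sample data; the mode names and field layout are assumptions modelled on the posts.

```python
import fnmatch
import hashlib

# Constructed sample driver records modelled on DRP's log entries (hypothetical
# contents; the signer order matters because only the first signer is checked).
SAMPLE_DRIVERS = {
    r"C:\Program Files\Sandboxie\SbieDrv.sys": {
        "content": b"constructed SbieDrv.sys bytes",
        "signers": ["Invincea, Inc.", "Microsoft Windows Hardware Compatibility Publisher"],
    },
    # Randomly named driver under a temp folder, like the CureIt case in post 1.
    r"C:\Users\exampleuser\AppData\Local\Temp\cureit\x7q2k.sys": {
        "content": b"constructed randomly named scanner driver",
        "signers": ["Constructed AV Vendor"],
    },
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_whitelisted(path, driver, hashes, wildcards, signers):
    """True if the hash, wildcard-path or signer whitelist matches.
    Signer matching deliberately uses only the FIRST signer, as observed in the thread."""
    if sha256_hex(driver["content"]) in hashes:
        return True
    if any(fnmatch.fnmatchcase(path.lower(), w.lower()) for w in wildcards):
        return True
    first = driver["signers"][0] if driver["signers"] else None
    return first in signers

def decide(mode, path, driver, hashes, wildcards, signers):
    """Return (action, notify) for one driver load under the given DRP mode.
    Learning mode adds the hash and first signer to the whitelists in place."""
    if mode == "disable":
        return "Allowed", False
    if mode == "trust":
        return "Allowed", True
    if mode == "learning":
        hashes.add(sha256_hex(driver["content"]))
        if driver["signers"]:
            signers.add(driver["signers"][0])
        return "Allowed", True
    if mode == "lockdown":
        allowed = is_whitelisted(path, driver, hashes, wildcards, signers)
        return ("Allowed" if allowed else "Blocked"), not allowed
    raise ValueError(f"unknown mode: {mode}")

if __name__ == "__main__":
    sbie = r"C:\Program Files\Sandboxie\SbieDrv.sys"
    signers = {"Microsoft Windows Hardware Compatibility Publisher"}
    print(decide("lockdown", sbie, SAMPLE_DRIVERS[sbie], set(), [], signers))  # Blocked
    signers.add("Invincea, Inc.")
    print(decide("lockdown", sbie, SAMPLE_DRIVERS[sbie], set(), [], signers))  # Allowed
```

The second run shows why the Microsoft co-signer alone is not enough, and the wildcard path case shows how a renaming driver can be covered without a per-file hash.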
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Makes sense to me since I don't see how DRP could monitor boot loaded device and OS drivers. Also even if you had clean installed Win 10 1607+ and had Secure Boot option enabled, you still would have got nailed in this recent malware incident: https://www.wilderssecurity.com/thr...avoc-among-windows-10-users-in-the-us.405052/ . Because, the hacked driver was validly signed with a stolen device driver certificate.

    Reference in regards to Win 10 1607+ driver signing requirements:
    https://blogs.msdn.microsoft.com/wi...r-signing-changes-in-windows-10-version-1607/
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    That case is the exception to the rule, because more often than not, malware isn't signed.
    If the user's OS doesn't enforce MS driver signing requirements, DRP should still help protect against bad drivers loaded during the current session.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
On this regard, it is almost impossible to install a new kernel mode app driver on Win 10. This is because the driver has to be signed with either an MS-issued EV driver code signing cert. Those certs. cost $$$$$ and the vetting process to acquire one is extensive to say the least. Or alternatively, the driver has to be submitted to MS for analysis and verification and if deemed OK, will be signed by MS with a driver code signing cert.
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Just trying to understand your post, I think I know why you underlined "new", it is because the really old drivers are not banned from Windows 10 (example: driver of NVT ERP v. 3).

    But why did you underline "install"? I am guessing that you mean an unsigned driver could be loaded in the current session, but not installed in a way that it will gain persistence after reboot?

    Maybe that is the answer to my original question, about what DRP does for you. It protects against loading of rogue drivers. Just throwing that out as a possibility.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
What I was referring to is that for a driver to be loaded, it first has to be installed. Assuming your current Win 10 ver. is clean, the odds of malware installing a kernel mode app driver are about nil. Of course, there are also user mode drivers that could be installed but their damage potential is far less than a kernel mode driver.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
This app is POWERFUL and formidable: good immediate details on who is trying to load, and if it's one of those persistent repeaters, Radar Pro easily outlasts however many attempts something makes to load while rapidly changing driver file names.

    Excellent!! Found nothing yet that can bypass it.
     
  25. guest

    guest Guest

    @EASTER if you don't use SUA you should go with SOB.
     