New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Is a default vulnerable processes list included / embedded in ERP 4 in the latest builds, or does this have to be added / imported?

And is Andreas' list minimal, or does it go quite a way towards e.g. Excubits' blacklist?
     
  2. guest

    guest Guest

    It is included and with "Re-Create Vulnerable Process Rules" the Vulnerable Processes List will "appear".
     
  3. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello @novirusthanks,

    I would like to suggest a small tweak to the "Rules" tab > "Expression" column in NVTERP. It seems a lot of times if you view/edit a rule and save it, the order of the information in the "Expression" column changes. This makes it harder to compare rules in the "Rules" tab, especially "Exclude" rules that you edit for wildcards. It would be nice and more user friendly if the order of the different fields in the "Expression" column could follow some preset order. I realize that not all fields are necessarily in each rule which may make it harder to do. If there is any way that this can be done, it would be greatly appreciated.
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v4.0 (pre-release) test19:
    https://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test19.exe

*** Please do not share the download link, we will delete it when we release the official v4 ***

    So far this is what's new compared to the previous pre-release:

    + Added "Install Mode" (on the "Alert Dialog") -> It will allow the execution and all child processes will be auto-allowed until the main PID is active
    + Edit Rule from Event now automatically populates the expression builder fields with the appropriate fields from the event
    + Improved "Allow Known Safe Process Behaviors"
    + Improved "Learning Mode" auto-created rules
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    * Before installing this new version, you should delete these files:

    C:\Users\<User>\AppData\Roaming\NoVirusThanks\RadarPro.conf
    C:\ProgramData\NoVirusThanks\EXE Radar Pro\*

    * This will be done automatically on next build from the installer file.

    @bellgamin

    I understand your point about ERPv4. With the new ERPv4's Expression Builder it allows you to fully control processes executed in the system and create much better/powerful rules but it is not as easy as ERPv3. It is for more advanced users and that's why we have created OSA. After all bugs have been fixed on ERPv4, we'll work on usability trying to make it more usable.

    Additionally, we'll develop a few more anti-exe-like simple programs that will be suited also for beginner users, here is one:

    A simple and smart process alerter that will show a prompt only for unsigned (or signed by unknown vendors) processes executed in user space.

    It will support alerting for vuln apps on system folders (to block exploit payloads and such), auto-allow trusted vendors, etc but will be extremely simple.

    @puff-m-d

We'll discuss that.
     
    Last edited: Jul 13, 2018
  5. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
Doesn't deleting the ProgramData folder delete all rules as well? That's no bueno :D
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,803
    Location:
    .
    Seconding @mekelek question:

Inside the Databases folder, there are Rules.db and Rules.db-journal files.
Isn't deleting them a bit too much?
I assume my rules would be erased, wouldn't they?

Or how about exporting them and then importing them prior to installing this new version?
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Great to see the INSTALL mode addition. I really didn't want to make a sniff over missing that enough to make a suggestion, but it looks like it came back around anyway.

    Thank You @novirusthanks
     
  8. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello @novirusthanks,

    Thanks :thumb: !

    Did this...
    Fix this?
    Thanks as always ;) ...
     
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
@ NVT -- thank you for the kind words. I suppose I could learn to become reasonably proficient in using v4. It would be easier, I suppose, than teaching differential & integral, or writing linear programming apps in Forth, all of which I did back in the good old days.

    As someone who images very often, I no longer find that learning to tweak a complex IDPS (Intrusion Detection & Prevention System) is where I want to put my limited time. With imaging, all one truly needs is IDS -- detection more so than prevention.

    Several years ago, I did take the time to become reasonably proficient with some relatively complex IDPS. I was able to make System Safety Monitor jump through hoops. Same for Prevx. Same for Malware Defender. I paid for all of these. All of them were very very popular here at Wilders. And all of them have been abandoned by their programmers, not because they fell behind technology but because they did not generate a viable income stream.

    Thank you for OSA. On those rare occasions when OSA has looned loudly at me, I have never yet chosen to override it. It's a bit like cross-breeding a lion with a parrot. I don't know what to call its child but I do know this -- when it talks, you better listen. So also with OSA. :p
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    I didn't even know that Install Mode was not implemented yet, good to see. What I don't understand about the new ERP v4 is: where are the Command Lines, Parent Process and File locations tabs?

    Well, you should be able to simply select a parent process and see exactly which child processes they are allowed or disallowed to run. Current Expression Builder seems to be too complex.

    ERP v4 is definitely on the right track, but it's not as good as ERP v3 yet when it comes to certain things. But I agree that v3 is a finished project, and we need to concentrate on making v4 better.
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I just want to reconfirm: if I run ERP 4.19 in learning mode, and some command lines get whitelisted, the vulnerable processes will still alert for new command lines, correct?

    Question: if I get a prompt and I click on "custom rule" and I whitelist a command line and click on "save", the next time it runs, I get prompted again. And if I try to whitelist it again, it says that the rule already exists.

    But if I set the same parameters straight from the prompt, and tick "remember the action", I don't get prompted again. Why is this?
    EDIT: I think I found the reason. When I clicked on "custom rule", I failed to make it an "exclude" rule. So it was in contradiction to the "alert" rule for that vulnerable process.
    But when I do it straight from the prompt, it automatically is made into an "exclude" rule.
     
    Last edited: Jul 16, 2018
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Thank You @shmu26 for your explanation on this.

    Never used learning mode before (always manually made rules on the fly) but I intend to allow v4 to run in that scan/record session for a day or two when I transition from the last v3 that's installed on my WIN 8.1 system.

    Since you ran into that learning curve and subsequent action-solution, that's useful-helpful detail to keep an eye out for. Appreciate the share on this.
     
  13. guest

    guest Guest

    @novirusthanks
    1) (Alert Mode)
    If there is a Prompt for an Ask Rule (Category = Vulnerable Processes) and if it is allowed and "Remember Action" is ticked, ERP is correctly creating an Exclude Rule.
    But if the Ask Rule is not in the Vulnerable Processes Group, ERP is creating an Allow Rule which is not sufficient (lower priority).

    2) If a process is learned, an Expression not related to the process is shown in Events.
The expression is one of my rules but I don't know why ERP is displaying it while a process is learned.
    Code:
    Action:  Allow/Learning Mode
    Process Path: C:\test\Homedale.exe
    Command Line: "C:\test\Homedale.exe"
    Parent: C:\Program Files\totalcmd\TOTALCMD64.EXE
    Parent Signer: Ghisler Software GmbH
    Expression: [Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] [Proc.CmdLine = /c w32tm.exe /stripchart /computer:* /dataonly /samples:1] [Parent.Name = C:\Windows\System32\WaaSMedic.exe] [Action = Allow]
    Category: Learning Mode
    
    3)
    I think to mitigate the following, it might help if ERP is selecting "Exclude" (instead of "Allow") in advance if an alert for a vulnerable Process is displayed and if the user tries to create a Custom Rule for it.
    4) If a Vulnerable Process is launched:
    Lockdown Mode: After a click on "Block" in the Alert dialog the Notification window does appear.
    Lockdown Mode (Auto-Block "Ask" Actions...) : the Notification window doesn't appear.
    Alert Mode: After a click on "Block" in the Alert dialog the Notification window doesn't appear.
    = Shouldn't the Notification Window appear in all three scenarios?
     
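The Exclude-versus-Allow behaviour that shmu26 and the post above describe, modelled in Python as an added example (not ERP's own code): the bracket syntax is the one from the event log above, while the priority order Exclude > Ask > Allow, the Ask rule for cmd.exe and the event values are assumptions drawn from the thread.

```python
import fnmatch
import re

# Added example (not NoVirusThanks' code): a simplified model of ERP v4 expression
# rules, using the bracket syntax shown in the thread's event log. The priority
# order Exclude > Ask > Allow is an assumption drawn from the posts above.
FIELD_RE = re.compile(r"\[(\w+(?:\.\w+)*)\s*=\s*([^\]]*)\]")
PRIORITY = {"Exclude": 0, "Ask": 1, "Allow": 2}

def parse_rule(expr):
    """Split an expression string into its match fields and its Action."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(expr)}
    action = fields.pop("Action", None)
    if action not in PRIORITY:
        raise ValueError(f"missing or unknown Action in: {expr}")
    return {"match": fields, "action": action}

def matches(rule, event):
    """Every field of the rule must match the event (case-insensitive, * wildcard)."""
    for key, pattern in rule["match"].items():
        value = event.get(key)
        if value is None or not fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return False
    return True

def decide(rules, event, default="Allow"):
    """Return the action of the highest-priority matching rule (or the default)."""
    hits = [r["action"] for r in rules if matches(r, event)]
    return min(hits, key=PRIORITY.__getitem__) if hits else default

# Constructed vulnerable-process rule: cmd.exe prompts unless something excludes it.
VULN_ASK = "[Proc.Name = cmd.exe] [Action = Ask]"

# Constructed event; the values are the ones from the thread's log excerpt.
EVENT = {
    "Proc.Name": "cmd.exe",
    "Proc.Path": r"C:\Windows\System32",
    "Proc.CmdLine": "/c w32tm.exe /stripchart /computer:time.example.com /dataonly /samples:1",
    "Parent.Name": r"C:\Windows\System32\WaaSMedic.exe",
}

def custom_rule_outcome(action):
    """The thread's scenario: whitelist one command line as Allow vs. Exclude."""
    custom = ("[Proc.Name = cmd.exe] [Proc.Path = C:\\Windows\\System32] "
              "[Proc.CmdLine = /c w32tm.exe /stripchart /computer:* /dataonly /samples:1] "
              f"[Parent.Name = C:\\Windows\\System32\\WaaSMedic.exe] [Action = {action}]")
    return decide([parse_rule(VULN_ASK), parse_rule(custom)], EVENT)
```

With an Allow custom rule the Ask rule still wins and the prompt reappears; only an Exclude rule for the same command line silences it.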
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Cool McCool @mood.

    I will wait for Andreas to have his code team sew up those finds before finally replacing my last holdout with their great v3 ERP.

    This security application is outstanding for the Power Users!! too.

    NVT did say after some fine tuning thru these runs that they intend to shrink or otherwise modify the way rules are set into a more streamlined pattern. Looking forward to all of this.
     
    Last edited: Jul 16, 2018
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    After trying out build 19, at first I was puzzled by the lack of prompts from rundll32.
    Then I remembered that Andreas said he improved the internal rules.
    Maybe he made an internal rule that allows whitelisted software, installed in program files folder, to load a dll by means of rundll32, without a prompt?
     
  16. guest

    guest Guest

rundll32 shouldn't be blacklisted anyway, you need it. Maybe he blocked it being called from user-space.
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    It used to be set to "ask", and it still is set to "ask", but it seems that it doesn't ask when the parent is in program files folder. What is your opinion of an internal rule like that, @guest?

    I am still plagued by delay in program launching, when ERP is installed. Kind of frustrating. For some strange reason, Foxit Reader is the most severely affected. It launches 5 X slower than without ERP. Can't figure it out.
     
  18. guest

    guest Guest

    Did you tick the "Allow System File" or " Allow All Software from Program Files folder"?

I use the portable version, so I can't tell.
     
  19. guest

    guest Guest

    It is probably "caused" by this: Allow Known Safe Process Behaviors
    Even if there is an Ask rule for rundll32.exe, specific things will be allowed.
    "Action: Allow/Known Safe Process" will be shown in the log-file/in Events for these allowed processes.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @mood

Haven't especially investigated yet, but can't those internal coded Allow Known Safe Process Behaviors be modified/changed to adapt to a user's more preferred preference? I assume not but interested if it's been tried with any success or not. I assume as Hard-Coded it and other built-in such rules by design are untouchable-prohibited from user change.
     
  21. guest

    guest Guest

As these are internal rules I don't think they will be made editable for the user (or even viewable).
If a user wants more control, it might be better to untick such options. But more alerts can be expected, as not only safe process behaviors are affected but also command-line strings from ERPv3 which have been incorporated into the option.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Good enough for me @mood. Thanks.

    If Andreas determines some slight modification can be implemented to better suit and adapt with SAFETY he surely is open to looking those over and seeing how well it agrees with users findings.

    You are a Gold Mine of info @mood. Very much engaged seriously. Thanks so much for diving deep into it.
     
  23. guest

    guest Guest

    You're welcome :)
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Watch now. Andreas seriously reviews guards post on this product in-particular.

    Wouldn't be a bit surprised he springs another new release anytime now :D
     
  25. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Yes, both of them.
     