New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
    Yes, I have the same thing; it just doesn't follow any rules, like mood says.
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    Phew!
    Good thing I didn't update yesterday due to the lack of time...
     
  3. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    I thought it was just a problem with pre-existing rules.db yesterday, but no, it doesn't follow your alert-rules at all. :(

    Other bug: Sometimes the alert sound does not play before the alert opens. I assume it gets blocked by ERP's block-everything-when-an-alert-is-open. It plays after I close the alert.
    This was also the case for 18, but I forgot to tell.
     
    Last edited: Jul 21, 2018
  4. guest

    guest Guest

     
  5. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Oh, thanks for posting this already and with actual information instead. :thumb::argh:
    Can't you play the sound (let audiodb.exe start) before you block processes, or would that be insecure?
    NVTERP could play "Never Gonna Give You Up" from Rick Astley infinitely with very low volume to stop audiodb from closing. :argh::argh: (omg this would be the funniest thing ever... imagine the headlines! "Security software rick-rolls you in order to fix bug")
     
    Last edited: Jul 21, 2018
  6. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @__Nikopol @puff-m-d

    Confirmed, will fix that issue later or tomorrow.

    You can downgrade to test 19 for now.
     
  7. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
  8. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    -1 :cautious:
     
  9. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Bug/Issue: With version 19 I get spammed with alerts when using OPSWAT MetaDefender:
    Code:
    Date/Time: 2018-07-22 17:19:11.298
    Action:  Allow/Protection Disabled
    PID: 8304
    Process Path: C:\Windows\System32\cmd.exe
    SHA1: 3CE71813199ABAE99348F61F0CAA34E2574F831C
    Signer:
    Command Line: C:\WINDOWS\system32\cmd.exe /S /C ""C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"  --version > "C:\Users\###\AppData\Local\Temp\OPS9819.tmp" 2> "C:\Users\###\AppData\Local\Temp\OPS981A.tmp""
    Parent: C:\Users\###\AppData\Roaming\MetaDefenderApp\x64\mdproxy.exe
    Parent SHA1: DF3C99D5CEB1E810353A9E56BCFED461A5A9E79F
    Parent Signer: OPSWAT, Inc.
    Expression: -
    Category: -
    User/Domain: Distelzombie/CHAOSLAPTOP
    Integrity Level: High
    System File: True
    
    This is because
    A: cmd is a vulnerable process and can't be excluded or allowed in any rule afaik, and
    B: The files in "C:\Users\###\AppData\Local\Temp\*.tmp" get created with different names many times per minute. (Appear to be either a problem because of timeout due to getting blocked by ERP or because MetaDefender has a bug.)
    Those files are created because MetaDefender reads the version of VBox.
     
  10. guest

    guest Guest

    The filename is changing each time, this means you should use a wildcard in your exception-rule else these alerts will never stop.
    Code:
    Before:
    Command Line: C:\WINDOWS\system32\cmd.exe /S /C ""C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"  --version > "C:\Users\*\AppData\Local\Temp\OPS9819.tmp" 2> "C:\Users\*\AppData\Local\Temp\OPS981A.tmp""
    After:
    Command Line: C:\WINDOWS\system32\cmd.exe /S /C ""C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"  --version > "C:\Users\*\AppData\Local\Temp\*.tmp" 2> "C:\Users\*\AppData\Local\Temp\*.tmp""
    
     
  11. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Good to know :) Yet there is still issue A
     
    Last edited: Jul 22, 2018
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    This is very common with files in several locations under the %Appdata% directory, and other Windows userspace directories where the filename is constantly changing, so highly granular Path rules are simply not possible. All you can do is forego some security in the Path rule to the point where you're not going to get inundated with alerts. A few I had when I ran Windows 7, using the Process Attack filter on the now unsupported and outdated Jetico firewall:

    Code:
    "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-*.exe"
    "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\{*}\MPSigStub.exe"
    "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\{*}\*.exe"
    "C:\Users\*\AppData\Local\Google\Chrome Beta\User Data\SwReporter\*\software_reporter_tool.exe"
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    New release with fixes is no doubt being cooked up and coded already. Can't wait, too. This WAS the version to replace the final v3 holdout and am looking forward to tweaking the pieces out of many interactions that also improve performance as well as security. NVT went really big on this and OSA, something many of us are pretty darn grateful for.
     
  14. guest

    guest Guest

    With appropriate exclusion rules, issue A is solved too. Exclusion rules allow launching vulnerable processes without any alert.
    But only specific events should be excluded, not the whole command (not recommended: [Proc.Name = cmd.exe] [Action = Exclude]).
    Cmd.exe is not without reason a vulnerable process; it can be used for malicious purposes.
     
  15. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    It's never really working right. Maybe I just suck at making rules. xD
    To be clear: I did make a universal rule for all CMD.exe processes with MetaDefender as parent. Yet they still showed up.
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v4.0 (pre-release) test21:
    https://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test21.exe

    *** Please do not share the download link, we will delete it when we release the official v4 ***

    So far this is what's new compared to the previous pre-release:

    + Removed the option "Distinct to" on Expression Builder
    + Fixed adding a rule via "Alert Dialog" -> "Remember the action"
    + Fixed: some rules that have no "\" at the end of the Path field were ignored
    + Fixed support for old rules that have no "\" at the end of the Path field
    + Change tray icon based on Protection Modes
    + All blocked processes (via Lockdown Mode, Auto-Block Ask Actions, manual blocking via Alert Dialog, etc.) now display the Blocked Process dialog (if the user has this enabled)
    + Learning Mode now uses a - (hyphen) or blank character for all expressions when a rule is auto-created for the first time
    + Remember THE Action checkbox in Alert dialog is re-captioned to now say Remember THIS Action since it's better/proper English
    + If the rule action is Allow and a user chooses Remember This Action via the Alert dialog the rule is created as an Exclusion now. Before it was Allow but this is 2nd most priority, not 1st
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @__Nikopol

    Rules for vulnerable processes or any other rule that has Action = Ask should have Action = Exclude (so it precedes the Action = Ask and will be allowed to run).

    Here is an example:

    - Rule for cmd.exe with Action = Ask

    Code:
    <category>Vulnerable Processes</><action>Ask</><expression>[Proc.Name = cmd.exe] [Action = Ask]</><enabled>1</>
    
    - Rule for cmd.exe to allow a specific command-line string:

    Code:
    <category>Alert Dialog</><action>Exclude</><expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] [Proc.CmdLine = "C:\Windows\system32\cmd.exe"] [Action = Exclude]</><enabled>1</>
    
    See the [Action = Exclude]

    The correct rule for your case, based on the log you posted, should be:

    Code:
    <category>UnCategorized</><action>Exclude</><expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32\] [Proc.CmdLine LIKE C:\WINDOWS\system32\cmd.exe /S /C *C:\Program Files\Oracle\VirtualBox\*] [Parent.Signer = OPSWAT, Inc.] [Action = Exclude]</><enabled>1</>
    
    Untested, but should work fine.

    Hope it helps =)
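    The rule semantics discussed in posts 10, 14 and 16 (Exclude precedes Ask, `*` as the LIKE wildcard for changing temp-file names, and why a bare [Proc.Name = cmd.exe] [Action = Exclude] is too broad), modelled as an added example; this is not ERP's own code. Field names and the `=`/`LIKE`/`*` syntax come from the rules quoted above; the Exclude > Allow > Ask order is the developer's statement, while case-insensitive matching and an optional trailing backslash on Proc.Path are assumptions.

    ```python
    import re

    # Illustrative model of the rule syntax quoted in this thread, "[Field = value]
    # [Field LIKE pattern] ... [Action = X]". Exclude > Allow > Ask is the developer's
    # stated precedence; case-insensitive compare and optional trailing "\" are assumed.
    PRIORITY = {"Exclude": 0, "Allow": 1, "Ask": 2}
    _CLAUSE = re.compile(r"\[([\w.]+) (=|LIKE) ([^\]]*)\]")

    def parse_rule(expression):
        """Split an expression into (field, op, value) conditions and its Action."""
        conds, action = [], None
        for field, op, value in _CLAUSE.findall(expression):
            if field == "Action":
                action = value
            else:
                conds.append((field, op, value.strip('"')))
        return conds, action

    def matches(conds, event):
        """True if every condition holds; '*' is the only wildcard in LIKE patterns."""
        for field, op, value in conds:
            actual = event.get(field, "")
            if op == "=" and actual.lower().rstrip("\\") != value.lower().rstrip("\\"):
                return False
            if op == "LIKE" and not re.fullmatch(
                    ".*".join(map(re.escape, value.split("*"))), actual, re.IGNORECASE):
                return False
        return True

    def decide(rules, event):
        """Highest-priority action among the rules that match, or None."""
        hits = [a for c, a in map(parse_rule, rules) if a and matches(c, event)]
        return min(hits, key=lambda a: PRIORITY.get(a, 99)) if hits else None

    # Rules quoted in the thread: the vulnerable-process Ask rule, the developer's
    # narrow Exclude rule, and the over-broad form the guest advised against.
    ASK_CMD = "[Proc.Name = cmd.exe] [Action = Ask]"
    EXCLUDE_METADEFENDER = (
        "[Proc.Name = cmd.exe] [Proc.Path = C:\\Windows\\System32\\] "
        "[Proc.CmdLine LIKE C:\\WINDOWS\\system32\\cmd.exe /S /C *C:\\Program Files\\Oracle\\VirtualBox\\*] "
        "[Parent.Signer = OPSWAT, Inc.] [Action = Exclude]")
    TOO_BROAD = "[Proc.Name = cmd.exe] [Action = Exclude]"

    # Event rebuilt from the posted log ("###" kept), the same event with the next
    # temp-file name, and a constructed unrelated cmd.exe launch from an unsigned parent.
    METADEFENDER_EVENT = {
        "Proc.Name": "cmd.exe", "Proc.Path": "C:\\Windows\\System32\\", "Parent.Signer": "OPSWAT, Inc.",
        "Proc.CmdLine": r'C:\WINDOWS\system32\cmd.exe /S /C ""C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"  --version > "C:\Users\###\AppData\Local\Temp\OPS9819.tmp" 2> "C:\Users\###\AppData\Local\Temp\OPS981A.tmp""'}
    NEXT_TMP_EVENT = {**METADEFENDER_EVENT, "Proc.CmdLine": METADEFENDER_EVENT["Proc.CmdLine"].replace("OPS98", "OPS9C")}
    OTHER_CMD_EVENT = {"Proc.Name": "cmd.exe", "Proc.Path": "C:\\Windows\\System32", "Proc.CmdLine": r"C:\Windows\System32\cmd.exe /c dir", "Parent.Signer": ""}
    ```

    With both quoted rules loaded, the MetaDefender launches (whatever the temp-file name) resolve to Exclude while any other cmd.exe launch still falls through to Ask; the over-broad rule excludes every cmd.exe.
    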
     
  17. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Thank you very much for your great work :)
    The rule I had created was an [Action = Exclude] rule. That's why I was saying it doesn't work for vulnerable processes. But I will test that again with the new version and make sure that it does not work, if it does. :)
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @novirusthanks- Unremarkable mention, but is it doable or of interest to insert a setting where the audio alerts can be splittable as before in v3, where the user can configure separate audio alerts independently for ALERT vs BLOCK in place of one sound WAV for both as it is currently?
     
  19. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Ah good that you mention audio. I was about to ask for a simple option to set the wav: Right now I always copy "Windows Balloon.wav" in the folder and rename it to "loon.wav" :D
     
  20. guest

    guest Guest

    @novirusthanks
    This also happens in Alert Mode. After launching an unknown file and allowing it (+remember), a wrong expression is shown in Events.
    To be more exact, ERP is adding the "last created rule" into the expression field.
    (Edit: A few hours later I can see that ERP is picking some other rule and is placing it into the field)
    For example:
    a) For testing I have created this rule and it is the last created one: [Proc.CmdLine = test*test*test] [Action = Allow]
    b) And this rule appears now after allowing and creating a rule for an unknown process:
    Code:
    Action:  Ask/Allow
    Process Path: C:\files\dnsdataview\DNSDataView.exe
    Parent: C:\Program Files\totalcmd\TOTALCMD64.EXE
    Parent Signer: Ghisler Software GmbH
    Expression: [Proc.CmdLine = test*test*test] [Action = Allow]
    Category: Alert Dialog
    
     
    Last edited by a moderator: Jul 23, 2018
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @novirusthanks- When using an application such as Process Hacker to RESTART EXPLORER the RadarPro.exe shows up in Task Manager again but the Tray Icon doesn't immediately return to the Task Bar Icons. Experienced on 8.1 after closing EXPLORER + RESTART.

    A couple more Process Hacker RESTARTS of RadarPro finally brings it back. There is an old app named RunMe which is a launcher which to my surprise is very well coded for an abandoned project. Even a hard Explorer crash and it stays up and active. Don't know if there is some coding that can keep RadarPro's Tray Icon on-top and active after an Explorer Full Live Restart or not but not that it's critical or anything. Simply a curiosity that raised itself on this Test-Build 21 today.

    ///EDIT-Disregard any mention again of RadarPro icon missing after Explorer restart. Must have been a heavy load on the memory at the time. On subsequent repeats and restarts of Explorer the RadarPro Tray Icon flies right back in place as expected. Finicky glitch of some sort on this end, heavy memory load pressing resources at the time. All is OK.

    @mood- Am attempting to recreate that find. Could you offer a few more details on what you're experiencing there? Regards
     
    Last edited: Jul 23, 2018
  22. guest

    guest Guest

    Just try to launch an unknown process, tick "Remember this action" + Allow and then have a look into the expression field in Events (Ask/Allow line)
    This has already been fixed for Learning Mode and I guess a similar fix has to be done for Alert Mode too.
     
  23. guest

    guest Guest

    a) test21 - Learning Mode isn't retained after a reboot.
    After switching to Learning Mode, rebooting and logging in, the protection is showing "Protection disabled".

    b) A maximum number of 100 Events are displayed in the "Events" tab.
    Is it possible to show a higher number of entries? Using a multi-process browser is enough to have only browser-related entries in Events, and all other entries disappear very fast ;)

    c) The window of the Expression Builder is resizable, but the size is not remembered.
    It would be nice if ERP remembered the size (at least the width) so it doesn't have to be resized each time.
     
    Last edited by a moderator: Jul 23, 2018
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Pick it apart @mood. NVT appreciates it and you are amazing with ambition to help find issues that can be fixed and make ERP flawless for all!
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    +100 :thumb:
     