New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    @novirusthanks It would be cool if you could make it so that, when a UAC prompt appears on the secure desktop at the same time as an NVT ERP prompt appears, we don't get stuck on the secure desktop without being able to do anything. The ERP prompt blocks process execution until it is resolved, so after we've pressed Yes or No for the UAC prompt we're stuck on the secure desktop, with the only way to exit being ctrl+alt+del. This happens quite frequently to me actually.
     
  2. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    @novirusthanks
    I really wish you would hold off on any new feature requests and release a new, stable version 4.
     
  3. guest

    guest Guest

    NVT betas are usually as good as stable builds. Just pick one build that works well enough for you and stick with it for a while.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Good thing my OCD does not mess with my ability to install betas yet. :p
     
  5. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v4.0 (pre-release) test32:
    https://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test32.exe

    *** Please do not share the download link, we will delete it when we'll release the official v4 ***

    Build 32

    + Fixed: The display of the notification dialog when a process is blocked on users that have the sidebar on top, left or right
    + Fixed: After enabling of "Password Protect Power Options" and entering of a wrong password, the "enter password"-dialog should re-appear so the user can enter the password again
    + Fixed: Support for the ESC-key in the "Enter Password"-dialog (= "ESC" dismisses the password-dialog... the same as a click on "Cancel" or "Alt+F4")
    + Fixed: The password-dialog doesn't need to be displayed if the protection mode "isn't actually changed"
    + Fixed: When Right Clicking on the Icon (in the Taskbar) and then selecting Exit, in the Confirm Exit Dialog, the active button is default set to "YES", maybe change it to "NO", so you don't accidentally exit the program
    + Fixed: Add a "Reset Password"-button (hold down CTRL + ALT + SHIFT when you right-click the ERP tray menu to pull up the menu)
    + Added new signers to default list of Trusted Vendors List
    + Minor fixes and improvements

    * About the new signers added to Trusted Vendors List:
    * Many users have sent us lists of signers extracted from their PCs, so we added most of them to the list, excluding Nir Sofer, TeamViewer, Ask Toolbar, MS-signatures, etc.
    * If you find some signers that you think should not be listed there, just let me know.
    * All these signers (1000+) should help in reducing alerts.

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    Let me know if you find any issue or FPs with this new beta build.
     
  6. guest

    guest Guest

    Unfortunately I'm still having a small delay (+/- 1 sec) when I launch some portable applications (ex. ccleaner).
     
  7. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    But you don't have a delay when launching "non-portable" exes? That really doesn't make much sense.
     
  8. guest

    guest Guest

    Software located under Program Files and Program Files (x86) has no delay for me. But when I launch a portable located elsewhere (ex: desktop), some of them are affected by a delay.
    I tried in a real machine but also in a VM, same result. Others have also reported the same problem earlier.

    (BTW a reboot is necessary after the installation of NVT ERP in order to face the issue)
     
  9. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Did you reboot after you uninstalled the old version of ERP and only then install the new one?
     
  10. guest

    guest Guest

    Yes of course. Even deleted all the remnant files.

    The issue is related to ERPSvc.exe, because when I kill it the delay is gone.
     
  11. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Well this is interesting. If it also happens in a clean VM, it could be related to specific hardware or OS version or something like that. The dev is really the only one that can fix it and understand what is happening and why; it would help if you could provide more information.
     
  12. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Thanks for the new version.

    But why add the signature of Ask Toolbar? o_O That does AFAIK browser hijacking or ... ?
     
  13. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Thx @SHvFl

    :thumb:

    Another question please: is your copy of test32 signed??

    Edit: Downloaded another copy and that was signed
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    All these trusted vendor certs added might give a way to bypass ERP. I delete all of them except for just a few certs related to my other security software. I think adding that many is a bad idea.
     
  15. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Good idea !!
     
  16. guest

    guest Guest

    "Excluding Ask Toolbar etc..."
     
  17. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    hahahahahahaah

    :eek::-*

    I'm sorry. I will immediately follow (not start ;)) a course in comprehensive reading :blink:

    Edit: Good Catch @mood
     
    Last edited: Jan 13, 2019
  18. guest

    guest Guest

    @novirusthanks
    test31 and earlier: The list of Trusted Vendors was fine. The most important ones were included (AVs, antimalware software, Intel, ... and the like).
    After a click on "Add Default Vendors" some people might disable some or a lot of them, but in general the list is good.

    But now, after seeing the huge amount of Trusted Vendors in test32, I propose a button like "Add Additional Vendors" if someone really wants so many Trusted Vendors (>1000) added to the list.
    "Important" Trusted Vendors can still be maintained in the regular Trusted Vendors List ("Add Default Vendors") by the developers.
    = Now, after a click on "Add Default Vendors", the list doesn't get filled up with tons of entries.
     
  19. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    The way I see it, there are 3 types of users:

    Big Daddy: He knows everything, he can scan the code of programs just by looking at them and immediately detects evil presence, there's no hiding from him, malware is completely hopeless when facing this user

    Office Slave Employee: The IT admin is normally the one who configures everything manually in an enterprise environment (at least for bigger ones), to him trusted vendors don't matter because the office employee will only be allowed to run software which is already present on the system and required for work, he won't be downloading and running new software (exes)

    Average Home User: And this is where the trusted vendors list matters. This is the user who'll want to download and run new exes, and he doesn't always know what's good or bad (otherwise he'd be Big Daddy). We allow software from safe locations (assuming NVT ERP is installed on a clean system) such as program files and system files, we allow popular (doesn't have to be google chrome-popular) software by using the trusted vendors list, etc. Our goal is to make the average user have as few prompts as possible (or blockages, which could lead to false-negatives). How? By adding as many trusted rules as possible (of course, we make sure the signers and rules are actually legit), because for the average user, prompts = bad. There's no one there to tell him "this exe is good, this is bad". So when presented with a choice, he might make a bad decision, especially if he knows there's a false-negative (legit software that is not trusted by some of the many rules such as trusted vendors); he'll be even more inclined to think "nah, this is just a false-negative again" and allow the prompt. That is why I think having more trusted vendors is a good thing, because the people that will be using them are the ones who must not face prompts at any cost. If you think you're knowledgeable enough to edit the trusted vendors list yourself, chances are (highly likely) that you don't need them.
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Highly likely I don't need them. I uncheck that case "Allow Processes Signed by Trusted Vendors", always.
     
  21. guest

    guest Guest

    I tried again in a new VM running W10 1809 (the previous VM was still under 1803). The only setting I disabled was the UAC. Without ERP, CCleaner portable ran without any delay. With ERP installed I got a delay (+/- 3 sec).
    This time I also installed CCleaner (under Program Files). Without ERP I got no delay, but with ERP installed I got a delay (+/- 2 sec).

    It seems that the location of the software isn't the culprit after all, and it doesn't matter if it's portable or not as I first thought.

    Anyway, the problem seems to be much worse, because some software is suffering from this issue and other software is not. And for now there is no way to understand why.
     
  22. guest

    guest Guest

    Probably the command-line parser having more to analyze when portable.
    If I'm not wrong, exes in program files are allowed by default..
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Used to be early on it was brushed off because of the name (novirusthanks), but it turns out it's a Conqueror after all.

    Since this ERP and OSArmor went viral and progress moved forward, there hasn't even been an inkling of any intrusions on my Windows systems. That's quite some statement of effectiveness, since no AV whatsoever has been on these systems since first install at the start of releases.

    As far as the name RADAR goes, by golly, it's a radar alright too. On certain occasions ERP lights up an alert which interrupts whatever process is triggering it, phantom or live attempt. This thing is SOLID!
     
  24. BananaMoe

    BananaMoe Registered Member

    Joined:
    Sep 8, 2018
    Posts:
    6
    Location:
    Universe
    @novirusthanks: is there actually something like a public issue tracker for ERP? I feel like I'm losing track of features that have already been proposed and thus ain't sure if I should propose them...

    @ all developers here:
    how do you handle python or js development? I don't want to allow python.exe or node.exe in general, but with all the subprocesses opened by VS Code and Atom the development becomes really annoying with a new popup (with a different command-line) every few minutes. If we had an option to allow all ancestors and not just the direct parent (which was already proposed multiple times I think), I could just allow python for that ancestor and be happy. How do you guys handle it currently?

    Thanks
     
  25. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    You said you don't want to allow python and node.exe in general. So, you'll have to check every prompt. You're asking "how do I not allow node.exe, but also not have to resolve a prompt for every instance/cmdline of node.exe?" Well, you can't do both at the same time; pick one. You can use wildcards or whitelist general cmdlines, or just whitelist the exe (without specifying a cmdline in the rule, so it works for all cmdlines). Of course, the most annoying thing is that with each update the hashes will be different and you'll have to re-create the rules (or swap the hashes manually in the rules, or not use hashes for the rules, which is a bit less secure but still more than enough).

    However, you also said you'd be happy if you just allowed all child processes of an ancestor, so that makes me think that you don't actually want to monitor every instance by hand, since you already know what's going on when you launch them. So you probably meant you don't want a general python.exe rule, so that it doesn't randomly start, or idk what you meant. Well, you can use parent process rules for that. For example, in my rules code.exe can do whatever it wants (no cmdline), but it can only be started by itself (after it has already been started) and by explorer.exe, which happens when I open the shortcut on the desktop for VS Code.
     
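The two posts above (BananaMoe's question about allowing a whole ancestor chain rather than only the direct parent, and Floyd 57's reply about cmdline wildcards, hash-pinned rules that break on every update, and parent-process rules) describe rule kinds that are easier to reason about with a small model. The following is an added example written for this thread; it is not NoVirusThanks ERP code, its matching semantics are an assumption, and every path, file hash, process chain and signer name in it is constructed. It shows why a direct-parent rule does not fire when VS Code launches python.exe through an intermediate shell, why a hash-pinned rule stops matching after an update while a path rule survives, and (Cutting_Edgetech's point) how a broad trusted-signer list allows a signed download with no explicit rule at all.

```python
"""Toy allow-list evaluator modelling the rule kinds discussed in the thread.
Added example: this is NOT NoVirusThanks ERP code and its matching semantics
are an assumption. All paths, hashes and signer names below are constructed."""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Iterator, Optional


@dataclass
class Process:
    path: str
    cmdline: str
    image: bytes                       # stands in for the executable's bytes on disk
    signer: Optional[str] = None       # Authenticode signer subject, if signed
    parent: Optional["Process"] = None

    def sha256(self) -> str:
        return hashlib.sha256(self.image).hexdigest()

    def ancestors(self) -> Iterator["Process"]:
        p = self.parent
        while p is not None:
            yield p
            p = p.parent


def _glob(value: str, pattern: str) -> bool:
    # case-insensitive glob; '*' also crosses path separators
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


@dataclass
class Rule:
    path: str                      # glob on the executable path
    cmdline: str = "*"             # glob on the full command line ("*" = any cmdline)
    sha256: Optional[str] = None   # pin to one exact build, or None for any build
    parent: Optional[str] = None   # glob on the launching process's path
    any_ancestor: bool = False     # True: 'parent' may match any ancestor, not only the direct parent

    def matches(self, proc: Process) -> bool:
        if not _glob(proc.path, self.path) or not _glob(proc.cmdline, self.cmdline):
            return False
        if self.sha256 is not None and proc.sha256() != self.sha256:
            return False   # the binary was updated, so a pinned rule no longer matches
        if self.parent is not None:
            chain = list(proc.ancestors()) if self.any_ancestor else [proc.parent]
            if not any(c is not None and _glob(c.path, self.parent) for c in chain):
                return False
        return True


def decide(proc: Process, rules, trusted_signers=frozenset()) -> str:
    """'allow' if the signer is trusted or any rule matches, else 'prompt'."""
    if proc.signer is not None and proc.signer in trusted_signers:
        return "allow"
    return "allow" if any(r.matches(proc) for r in rules) else "prompt"


def build_scenario():
    # Constructed chain: explorer -> Code.exe -> extension host -> cmd.exe -> python.exe
    explorer = Process(r"C:\Windows\explorer.exe", "explorer.exe", b"explorer")
    code = Process(r"C:\Tools\VSCode\Code.exe", "Code.exe", b"code", parent=explorer)
    ext_host = Process(code.path, "Code.exe --type=extensionHost", b"code", parent=code)
    shell = Process(r"C:\Windows\System32\cmd.exe", "cmd.exe /c python app.py", b"cmd", parent=ext_host)
    py_old = Process(r"C:\Python39\python.exe", "python.exe app.py", b"python-build-1", parent=shell)
    # The same interpreter after an update: same path and cmdline, different file contents
    py_new = Process(py_old.path, py_old.cmdline, b"python-build-2", parent=shell)
    # A signed download run from the Desktop (signer name is constructed)
    download = Process(r"C:\Users\u\Desktop\tool.exe", "tool.exe", b"tool",
                       signer="Example Vendor Ltd", parent=explorer)
    return py_old, py_new, download


def evaluate() -> dict:
    py_old, py_new, download = build_scenario()
    direct = [Rule(path=r"*\python.exe", parent=r"*\Code.exe")]
    ancestor = [Rule(path=r"*\python.exe", parent=r"*\Code.exe", any_ancestor=True)]
    pinned = [Rule(path=r"*\python.exe", sha256=py_old.sha256())]
    narrow = frozenset({"My AV Company"})                        # constructed short vendor list
    broad = narrow | {"Example Vendor Ltd", "Another Signer"}    # constructed long vendor list
    return {
        "direct_parent_rule": decide(py_old, direct),          # prompt: direct parent is cmd.exe
        "ancestor_rule": decide(py_old, ancestor),             # allow: Code.exe is an ancestor
        "pinned_hash_before_update": decide(py_old, pinned),   # allow
        "pinned_hash_after_update": decide(py_new, pinned),    # prompt: the hash changed
        "narrow_vendor_list": decide(download, [], narrow),    # prompt: signer not on the list
        "broad_vendor_list": decide(download, [], broad),      # allow with no rule at all
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:28s} {verdict}")
```

Running the block prints one verdict per case. The last two lines are the trade-off the thread is arguing about: every signer added to the trusted list is an execution path that needs no per-program rule, which is exactly what cuts prompts for a home user and exactly what a more careful user may want to keep short.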