New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes correct, I did use the ERP + OSA combo on my Win 8.1 desktop. But to be fair, I'm still testing OSA on Win 10, I think the problem with weird CPU spikes from the System process might be caused by AppCheck. Or perhaps by a combination of OSA running together with AppCheck. And perhaps Sandboxie also plays a role.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Exactly. Looks like those layered apps, one of them is enough to present some issue. You could always go the old-fashioned route and eliminate one by one, disable or temporarily remove, then review again if anything improves or not. Conflicts are always a possibility.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I have done some testing on my Win 10 system and so far, every time I install OSA, I will eventually see the problem, but I believe I also had it with AppCheck. So for now I have removed them on both my laptop and desktop. So I don't think it's caused by Sandboxie and I also don't have any problems with EXE Radar on Win 8.1, on Win 10 it doesn't work correctly though.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I dunno about you @Rasheed187 but it sure would be a relief to see the NVT team back at the efforts of programming ERP once again. For an organization/company that has rolled out tons of Windows programs already, some of which I find really useful (Driver Radar Pro for one), it just from our standpoint doesn't seem to be so much of a task with the knowledge and skill they've proven to date.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    ERP 4 appears to have a bug that renders the user's System completely unusable. I tried looking at some System Process Properties by right clicking in the Event Viewer (as shown in the 3rd image from the left below), and ERP's GUI turned black and lost most of its functionality. From that point on ERP was unable to prompt me for anything that would normally cause ERP to give the user a prompt. If the user is in Alert Mode and something on the user's machine executes that would normally trigger a prompt, then the system will become unusable because ERP will intercept the attempted execution without giving the user a prompt. Since ERP does not support multi-threading it will not allow anything else to execute on the system because the system is tied up with that single thread attempting to execute in the background. The user will not be able to launch any additional apps or shut down their computer. I made the mistake of trying to launch "cmd" which is on the vulnerable process list, so I had to do a hard shutdown.

    I'm using Windows 10 x64 Pro 20H2.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Another reason it's expected that NVT would get around to updating this once fantastic program.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I wonder if NVT will continue to support ERP 4. I reported a bug in this thread about a year ago, and never heard anything back. I also made a few recommendations and never heard back from them. They have a bad track record of developing software, and then dropping development after a short period. If they decide not to continue development for ERP 4, then I will have to find something else to use that monitors user defined command lines and also uses Whitelisting. I would use SecureA+, but it's a little too heavy on the system to use with other security apps. I already have 1 too many Security Apps installed. I normally use 3 real-time security apps, but I'm presently using 4. I would like to go back to using 3 again. I don't count Shadow Defender because I use it on-demand and it virtually has no impact on performance.

    Edited: 10-8-21 @ 7:35 (edited part in red).
     
    Last edited: Oct 8, 2021
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    All we can do as users of ERP 4 is try to hold out in waiting just to see if it gets some attention too. As beneficial as OSA has been with its development it almost seemed like ERP 4 was going to be next up from their assembly line but nothing yet.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    OSA will never catch as many threats as ERP considering the list of vulnerable command lines I monitor, and the Whitelisting used by ERP.
     
  10. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    SecureA+ is VERY light on my system. The only real-time security I use, besides SecureA+, is a firewall & MalwareBytes Anti-exploit. I haven't been stung in the past several years but, IF I ever do get infected, I always have several weeks of prior clean images available. Regular imaging to an external hard drive is THE best security of all.

    Back on topic --- I was very much a fan of ERP until NVT kept bloating it, & increasing its complexity, because he listened to several bored, over-teched users -- several of whom are no longer members here anymore. Before version 4, ERP was simple enough for my maiden Aunt Puffy to use. As such, it was very sellable as a great mass-market security app for the general public. Starting with version 4, however, NVT listened to the bored techs & began turning ERP into something for computer science majors, geeks, security hobbyists, & ITs. In its present version 4 state, it is no longer mass-marketable AT ALL. Thus it would be totally unsound financially to update it.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Interesting position. Sort of the same one our beloved @Peter2150 also took issue with in our open and closed conversations/discussions. He felt Ver.3 was quite sufficient at the time and was quite reluctant to move over to ERP 4, at all if he ever did. Perhaps it was the complexity of 4 compared to version 3. It was also pointed out that the same complexity of sorts in ERP 4 was attractive to those other sects of NVT-ERP users.

    ERP 4 still sports on only a couple of my eight systems but their unheralded DriverRadarPro has been a driving force on this end and that one is a MUST on any of my systems including Windows 10 that keeps a watchful eye on drivers/sys services that load or attempt to load.

    Extremely invaluable piece of work. I had on one system a quirk where the USB ports were seeming to malfunction. DriverRadarPro was instrumental in troubleshooting. There are a pair of system drivers that absolutely are needed to load for efficiency of USB Ports.
     
    Last edited: Oct 9, 2021
  12. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I very much miss Peter2150's wise & friendly presence here at Wilders.

    As for ERP, if NVT would revert to version 3 and tweak it (merely tweak it) to bring it up to date for latest threat vectors and for full compatibility with WIN10 & WIN11, I would buy it in a heartbeat.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    ERP v3 was indeed less complex to use. I have stopped using ERP v4 because I was getting tired to keep having to whitelist stuff and keep having to disable protection when installing apps. However, whitelisting is still useful to protect noobs who only need to use a handful of apps.

    I'm not sure about this. OSArmor will easily block advanced malware that's trying to use clever tricks like using so called LOLBins. What it won't do is blocking newly downloaded apps from running, but it's the AV's job to make sure those apps are clean.
     
  14. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,872
    What exactly is wrong with version 3? This isn't an AV.
     
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    That's a very good question. EXE Radar Pro is in the "anti-executable" family. As such, it doesn't need signatures (& signature updates) as does an AV.

    Ver 3 is not fully compatible with WIN10. For that matter, neither is version 4. If you are running Win 8 or Win7, Ver 3 should work fine. The same is true for Ver 4.

    The heart of Exe Radar Pro (ERP) is a whitelist. If an executable tries to run, ERP checks to see if it is on the whitelist. If it isn't, ERP blocks it & notifies you. You must then decide whether to let the executable run or not. To make that decision, you can:
    1- Do an on-demand scan of the executable with whatever AV you are using. (If the executable turns out to be a nasty, SHAME on your AV for ever letting that executable get onto your system in the first place!)
    2- Do an on-demand scan using VirusTotal.
    3- Run the executable in a sandbox or using Shadow Defender
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    By the way, you can also set ERP to notify you whenever certain "safe" executables try to run. This is VERY handy for monitoring an essential app such as rundll. Rundll is quite "safe" when it runs when it's supposed to run. However, it can cause trouble when run by the *wrong* app for the *wrong* reason at the *wrong* time.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Scripting or PowerShell is typically used to initiate these attacks, and OSArmor alone is excellent at stopping them if the additional protections are enabled to guard against them. Of course if you also use something like Hard_Configurator or DefenderUI with built-in Windows Defender, then SRP rules can be enabled to even further enhance security with a simple but effective anti-executable configuration for a home setup.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes exactly, OSArmor + Win Defender (controlled by DefenderUI) should block advanced malware. But if you still prefer to use whitelisting, you have no choice but to use ERP, sadly enough it was quite buggy on Win 10.
     
  18. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    No choice but ERP? How about SecureA+ or VoodooShield?
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Good point, but I meant when it comes to choosing between OSA and ERP. And currently I don't really like VS, but it will soon get a new GUI, so I might give it another look.
     
  20. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Uhhh .... how about giving SecureA+ another look? I would very much value your thoughts about it.
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Unless OSArmor also uses whitelisting then there is no way it will intercept as many attacks as ERP. ERP will prompt the user for every single new executable that attempts to run unless it has been explicitly whitelisted. OSArmor only prompts the user if an executable attempts to run that matches one of its rules. That would be considered a blacklisting method of mitigation instead of whitelisting like ERP uses. Only allowing what you know is safe is a much more restrictive policy than trying to block threats by matching known attack patterns. When I tried OSArmor it appeared to me that the goal was to have a security tool based on the same technology used by ERP, but not as intrusive on the user. Unless something has changed, OSArmor tries to make most of the decisions for the user and allows some executables to run without prompting the user. Is this still the design model being used by OSArmor?
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    No sorry, I was never interested in SecureA+, mostly because I'm not really into AV's. But I do know that you seem to be quite content with it, and from what I read about it, it seems to be pretty good protection wise.

    I know what you mean, and you're right. OSArmor is simply trying to tackle attack methods used by real life malware. For example, let's say you somehow get tricked into running malware and your AV won't block it. Then OSArmor will step in if this malware is using certain system processes also known as LOLbins. It will also block browsers from running child processes in case of an exploit attack. But whitelisting should in theory block ALL new executables depending on the configuration, which makes it more secure and also more annoying. So it's a case of balancing convenience with security.
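The whitelist-versus-rules distinction drawn in bellgamin's ERP description (block anything not whitelisted, alert on "safe" images like rundll) and in the OSArmor discussion above, as an added example that is not part of the thread and not code from either product: two toy policies run over constructed process-creation events. Paths, parent names and the two rules are hypothetical simplifications chosen for illustration.

```python
from dataclasses import dataclass

# Constructed process-creation events; the paths are hypothetical sample values.
@dataclass(frozen=True)
class ProcEvent:
    image: str     # full path of the executable being launched
    parent: str    # image name of the parent process

# ERP-style policy: default deny. An image not on the whitelist is blocked and the
# user is prompted; a whitelisted image on the "notify" list runs but raises an alert.
class WhitelistPolicy:
    def __init__(self, allowed, notify=()):
        self.allowed = {a.lower() for a in allowed}
        self.notify = {n.lower() for n in notify}

    def decide(self, ev):
        img = ev.image.lower()
        if img not in self.allowed:
            return "PROMPT"        # unknown executable: ask the user
        return "ALLOW+ALERT" if img in self.notify else "ALLOW"

# OSArmor-style policy: default allow. Executables run unless a rule matches; the two
# rules are simplified stand-ins for "browser child process" and "LOLBin abuse".
LOLBINS = {"powershell.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

class RulePolicy:
    def decide(self, ev):
        name = ev.image.lower().rsplit("\\", 1)[-1]
        parent = ev.parent.lower()
        if parent in BROWSERS:
            return "BLOCK"         # rule: browser spawning a child process
        if name in LOLBINS and parent != "explorer.exe":
            return "BLOCK"         # rule: LOLBin started by a non-shell parent
        return "ALLOW"             # no rule matched: runs without a prompt

def compare(events, wl, rules):
    """Return (image, whitelist verdict, rule verdict) for each event."""
    return [(ev.image, wl.decide(ev), rules.decide(ev)) for ev in events]

def demo():
    wl = WhitelistPolicy(
        allowed=[r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\rundll32.exe"],
        notify=[r"C:\Windows\System32\rundll32.exe"])
    events = [
        ProcEvent(r"C:\Users\u\Downloads\setup.exe", "explorer.exe"),   # new download
        ProcEvent(r"C:\Windows\System32\rundll32.exe", "winword.exe"),  # LOLBin abuse
        ProcEvent(r"C:\Windows\System32\cmd.exe", "chrome.exe"),        # browser child
        ProcEvent(r"C:\Windows\System32\notepad.exe", "explorer.exe"),  # normal use
    ]
    return compare(events, wl, RulePolicy())
```

The first event is the case Cutting_Edgetech raises: the freshly downloaded executable matches no rule, so only the whitelist policy stops it; the second shows the reverse, where a whitelisted rundll32 runs with an alert under the whitelist but is blocked outright by the parent-process rule.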
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Executables don't magically launch on their own. Scripting or PowerShell methods, for example, are typically involved and that's where OSArmor comes into play. Also, SRP will prevent executables from launching from user space. SRP can be used in even home versions of Windows when H_C or DefenderUI is used.
     
  24. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    SRP? Salt River Project? Scottish Revolutionary Police? Small Round Pickles? :rolleyes:
     
  25. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,872
    SRP = Software Restriction Policies. Andy Ful's Simple Windows Hardening is a simple toggle-on portable application for novices. Techies can install Hard_Configurator to set up more restrictive policies.

    Given ERP's shortcomings on Windows 10 and Windows 11, this helps to beef it up.

    Although the joke about the acronym is much appreciated!
     