New Antiexecutable: NoVirusThanks EXE Radar Pro

@Quassar

Rules, logs, etc are stored here:
C:\ProgramData\NoVirusThanks\EXE Radar Pro

Settings are stored here:
HKEY_CURRENT_USER\Software\NoVirusThanks\EXERadarPro
HKEY_LOCAL_MACHINE\Software\NoVirusThanks\EXERadarPro

 

Do you guys get an alert whenever you print something?
I just bought a printer and I seem to be getting 2 alerts per print

example:
C:\Windows\system32\Rundll32.exe Prnntfy.dll,AsyncUILoaderEntry Local\{1D6C2BE7-E069-427A-9AE7-3A9F16E9724C}_ASYNCUI

RunDLL32.exe C:\Windows\system32\spool\DRIVERS\W32X86\3\hpinkstsC611.dll,RunDLLEntry FRIENDLYNAME=HP Officejet 4630 series;JOBID=13;SERIALNUMBER=CN51K592MM05Y0DOCNAME=frozen_olaf_flower_color_page.jpg (740×562);MONITORNAME=Dynamic Print Monitor;CALLSTATE=PRIMARY;

 

@Overkill

You can add this to the WhiteList->Command-Line:

And:

 

Thanks Andreas

 

Thanks for the help, but that's not what I meant. I often test apps with the help of Sandboxie, so I don't actually want to make permanent rules, I just want a way to quickly get rid of the "vulnerable apps" alerts. I had the same problem with TCP Optimizer 4.00, it keeps wanting to run powershell.exe.

So perhaps "install mode" can play a role in this, if you put ERP in this mode, it should ignore "vulnerable apps" alerts. If you close the process, then ERP should disable "install mode". Of course, it shouldn't matter if the app is actually installed or not.

http://www.speedguide.net/downloads.php

 

Couple of suggestions:

1) If a command-line rule exists (normal path or with wildcards) and the process hash has changed, the current alert only shows "Application changed". It would be more informative/useful if it included that the original rule was a command-line rule (eg. "Application changed - Command-line rule"), so that I know to whitelist the command-line instead of the process.

2) Further to (1), if the original rule included wildcards, I want an option on the alert dialog to just update the hash for the matching command-line wildcard rule (eg. "Update existing rule") - at the moment I have to create a new non-wildcard rule and then manually edit it.

 

Another suggestion - Allow command-lines to be black-listed. Without this, there may be certain command-lines I wish to always block, but my only optins are either block the process completely, or be prompted every time.

 

ERP keeps crashing at startup on my new x64 laptop

Problem signature:
Problem Event Name: APPCRASH
Application Name: EXERadar.exe
Application Version: 3.1.0.0
Application Timestamp: 553820d4
Fault Module Name: EXERadar.exe
Fault Module Version: 3.1.0.0
Fault Module Timestamp: 553820d4
Exception Code: c0000005
Exception Offset: 000000000018ea94
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033
Additional Information 1: f041
Additional Information 2: f04181b72a0abc8e5d00468ec286e2de
Additional Information 3: 2727
Additional Information 4: 2727324a8f7768ce79db608c7cac8425

 

@novirusthanks

I just realize that I had a huge security hole in my ERP configuration. I noticed that MSI files can run without any alert in "lock-down mode". Shouldn't it be a standard vulnerable process?

 

It was suggested before but also rejected.

 

@Overkill

Please try this new beta build:
http://downloads.novirusthanks.org/files/EXERadar_Pro_x86_x64_v3.1_12052015_BUILD1.exe

+ Added more safe command-line strings
+ Minor fixes and optimizations

To update:

1) Close ERP from trayicon->exit
2) Uninstall ERP completely
3) Reboot the PC (very important)
4) Install ERP

@Dzp5t

What other security software do you have installed ?

It is started fine on my Windows 8.1 64-bit OS.

@Rasheed187

Yes, as siketa said it was rejected time ago. Problem is that msiexec.exe is used by Windows Updates and also by many other AV/General software. So adding msiexec.exe to vulnerable processes would generate a lot of alert dialogs. Personally I have yet to find a malware that exploits msiexec.exe (but I may be wrong of course), you may need to add it to "Vulnerable Processes" manually if you want to be alerted everytime it is executed.

 

Thanks Andreas, i'll try it out soon

 

@novirusthanks thank you!

 

v3.1_12052015_BUILD1

 

Yep, working great here as well. CPU usage 1.89% only

 

Still crashing at startup

 

@Overkill @Mister X

You can delete the bugreport image/text (it contains sensitive info about your PC and ERP) from your posts.

Just send me by email the bugreport.txt so I can look at it

Already other 3 users have sent me the bugreport.txt, in the next hours these crashes should be fixed.

Thanks for reporting them

 

OK, I see. I also don't know if exploits are using this process, but I still think it's a hole, because executables should never be able to run without user permission. I have added it to "Vulnerable Processes", and I don't use any software that triggers alerts about msiexec.exe anyway.

 

@Overkill @Mister X

Please try this new beta build:
http://downloads.novirusthanks.org/files/EXERadar_Pro_x86_x64_v3.1_13052015_BUILD1.exe

+ Fixed the two ERP crashes

To update:

1) Close ERP from trayicon->exit
2) Uninstall ERP completely
3) Reboot the PC (very important)
4) Install ERP

Please let me know if ERP works fine now.

 

Still crashing, bugreport sent

 

May I ask, are we nearing final release yet. I have been running the stable release and reading about the upcoming improvements Im excited. This beta release program seems to be going on for ever.

@novirusthanks Any remaining features that are yet to be incorporated in final release?

regards.

 

Tried the new beta, compliments to ERP, nice program with lot's of options. I noticed the donation option, does this mean that you are planning to make it freeware/donation-ware?

Would it als be possible to add the (allready installed) publishers currently in UAC protected folders?

Thx Kees

 

bug report sent for v3.1_12052015_BUILD1

Installed v3.1_13052015_BUILD1

Thank you