New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
Yeah...you could leave it empty and recommend in the text description what files a user could put there (cmd.exe, msiexec.exe, regsvr32.exe, rundll32.exe, wscript.exe, etc.).
    :)
     
    Last edited: Feb 8, 2013
  2. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
Or possibly list all of the sensitive processes that could be exploited (I'm sure you know better than us ;) ) but leave them unchecked by default so it won't throw up warnings that will confuse the average user. Then an experienced user could check and enable those processes he/she wanted... I'm not sure how hard adding 'check boxes' is, but it's just my thought.

    Keep up the great work, it's fun to watch the evolution. :thumb:
     
  3. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Excellent idea too. :thumb:
It is more user-friendly (it does not require the user to browse for files).
    List all files as in http://postimage.org/image/5w9dcibpb/ and put checkboxes in front of each line.

    Well....let's leave nvt to decide about it...he is the man behind code...:cool:
     
  4. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Can you guys provide official guide for NVT ERP? It seems like there is so much information in this thread, some is outdated some is useful. It would be really helpful for those that are trying it for the first time.
    Now, I am giving this anti-executable my 4th try (after I resolve activation issues). Hopefully this time things will work out better.
     
  5. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
There is a help file inside the application but it is not updated.
It is listed in the Todo list for one of the next versions though...
     
    Last edited: Feb 11, 2013
  6. mendes

    mendes Registered Member

    Joined:
    Mar 9, 2012
    Posts:
    3
In these videos ERP protection was broken, but how?

    youtube.com/watch?v=5KXbnIhhODc
    youtube.com/watch?v=8_frYKeTllA
     
    Last edited: Feb 12, 2013
  7. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
Doesn't really show how it infects. It just shows that some sort of exploit starts a command prompt. Not really sure if anything is "infected". It would be nice if the creator gave some additional info.
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    exactly
     
  9. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
The tested version was ERP Free, not ERP Pro (and it is old now). ;)
It lacks some important features (like alerts for exploit processes run by rundll32.exe, regsvr32.exe, msiexec.exe, etc.).
The tester didn't show all ERP settings nor the Events tab, so we could not see what parent process was allowed. :doubt:
In the near future, ERP will probably stick only to the Pro version.

    I'm sure the developer can and will explain what happened...
     
    Last edited: Feb 12, 2013
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @jo3black1

After v2.7.3 is released, I will make sure to write a well-detailed help file that covers all the new features added in ERP, the basic usage, the recommended settings, etc.

    @mendes

I watched those videos but I am unable to understand what happens; the guy who made the video did not explain anything, so I can only think that it was caused by regsvr32.exe or rundll32.exe (legitimate Microsoft system files used to load DLLs) loading the payload installed by an exploit for IE6. I also contacted the guy asking for a PoC or a code sample; he never replied.
     
  11. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
Ditto. I left a comment on his video but he hasn't contacted me yet.
     
  12. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Anyway, the fix for such exploits has been introduced in v2.7.2 and is further enhanced/improved in v2.7.3.
    :) :thumb:
     
  13. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753

And don't forget to check the option to block executables from USB! :D If you had it running, you wouldn't have caught the hospital's malware.
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  15. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    429
    Location:
    Australia
    - siketa


I had almost decided to try the free version to see how it behaved on my system. Maybe now there is no point? Does the Pro version have a trial period? Or have I misread the posts and the free version is now just as secure?

    -cheers,
    feandur
     
  16. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Yes I would! It was my USB flash drive that got infected. There is no way to install NVT ERP on USB. Note that I store all of my personal data on USB flash drive and not my main Windows SSD.
    Besides I am still waiting for email response from NVT regarding my activation issues.
     
  17. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    You can compare editions at http://www.novirusthanks.org/product/exe-radar-pro/.
nvt said that they will probably drop the Free version and introduce a trial of the Pro version.
     
  18. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    NVT ERP has to be installed on clean system. ;)
    Its job is not to detect and clean but to prevent.
     
  19. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Okay, first of all big thank you to the developer in taking interest in my activation issues. It turned out to be a simple solution.

    Now I did few tests and I got questions:
1. I have added Program Files and Program Files (x86) to the whitelist. I set ERP to lockdown. Then I downloaded HitmanPro and tried to execute it from the Downloads folder. Of course, I was glad to see that the unknown executable was blocked. However, when I place HitmanPro in Program Files it executes without any problem. Now isn't this a security risk? Could malware possibly download itself into the Program Files folder and execute without any intervention from ERP?

2. I have ERP starting with Windows. However, I noticed that it takes several seconds for it to start. ERP loads after 5-10 seconds, and I have noticed that during this time my system is completely unprotected: HitmanPro.exe (unknown to ERP) was able to execute from the desktop. Again, isn't this a security risk? What if we already downloaded malware/a virus and then on the next reboot it simply installs itself while ERP is still starting?

3. Okay, last question, similar to number 2. Assuming I run ERP in lockdown and the computer downloads malware, what happens when I disable ERP to install trusted software? Wouldn't this be another security risk? Now with ERP disabled, whatever malware it prevented from executing will have an open door.
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
It was allowed even in lockdown mode because HitmanPro has a digital signature :) But if you untick "allow signed programs" in the program settings, or even the option that says "from Program Files" (the folder), then when it is unticked it will for sure be blocked :)
     
  21. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
1) I don't think malware can download itself into the Program Files folder.
    2) Was it GUI or service that was started with delay? BTW, I don't have this kind of issue.
    3) Why would malware launch itself in that moment (unless you trigger the process)? In theory, it is vulnerability but in real life....
     
  22. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    The box that trusts signed programs is unchecked. HitmanPro.exe still gets blocked when in downloads folder. So that's not the issue.
     
  23. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
I don't know which one started sooner or later. Still, during the initial 10 seconds on boot ERP was not keeping the computer in lockdown. I was able to execute HitmanPro.exe from the Downloads folder. After ~10s I am unable to do so.
     
  24. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
My 2 cents.

You don't need to manually whitelist anything; Program Files is auto-allowed.

Theoretically, IF an exploit bypasses ERP, it can drop anywhere it likes. Red October drops its payload in the Program Files/Windows NT folder. Unless it also has a way to bypass UAC though (not impossible), it will trigger UAC. What are the chances that an exploit is written to bypass both ERP and UAC? Not many. ERP isn't exactly your "mainstream" security application that every malware coder has in mind in his "applications I must be able to bypass" list. You can disable the auto-allow of Program Files, but it's too much of a pain. And usually malware prefers the Windows folder. Remember: ERP isn't a full-blown HIPS. It's an anti-executable. Usually you have one chance to stop something, and it tries to be user-friendly. You can't expect it to have the same depth of defence as a full-blown HIPS like Comodo, OA, Outpost etc. The user-friendliness and lightness, though, are also its advantages.

If malware runs at startup, it means it has already infected the system and autoruns because it has installed a driver/registry entry after having somehow bypassed ERP. So it doesn't matter if ERP runs faster or not; you're already infected. HitmanPro executed either because you had it installed before the reboot or because you manually executed it before ERP loaded. It didn't execute by miracle.

Malware needs a trigger event to start infecting. You need to visit an infected webpage, click a malicious exe, open a folder with an exploit taking advantage of a Windows hole (like the WMF exploit years ago, taking advantage of preview). It's not like it wakes up from nothing and thinks "he disabled ERP, let's go for it!". Of course, if you visit an exploited web page while ERP is down, or if you download and execute a malicious exe, you'll be infected.

Why disable ERP? I don't put it in Lockdown mode; I simply click "OK" in "allow once" and the program I want to install installs fine. It's not too annoying and you don't have to disable anything.

Just my thoughts; the dev will be able to give you the "expert" answers.
     
    Last edited: Feb 13, 2013
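The launch decision the last several posts argue over (Program Files auto-allowed, the signed-binary switch, Lockdown mode, and the "vulnerable processes" list with parent-process checks from posts 1-3 and 9-12), written out as an added toy model. This is not NoVirusThanks code and does not describe how ERP is actually implemented; the folder list, the process names, the `Policy` switches and every sample event are assumptions constructed for the illustration.

```python
"""Toy allow/block/alert model of an anti-executable's launch decision.

Added illustration, not NoVirusThanks code and not a description of ERP's
real internals.  It models the behaviours debated in the thread:
  * a path whitelist (Program Files and Windows auto-allowed),
  * an optional "trust digitally signed executables" switch,
  * Lockdown mode (anything not trusted is blocked without asking), and
  * a "vulnerable processes" list (cmd.exe, rundll32.exe, regsvr32.exe, ...)
    that raises an alert when such a process is started by a non-shell
    parent or is told to load something from a user-writable location.
Every path, event and policy below is constructed sample data.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

WHITELIST_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")
USER_WRITABLE = (r"C:\Users", r"C:\ProgramData", r"C:\Temp")
VULNERABLE = {"cmd.exe", "msiexec.exe", "regsvr32.exe", "rundll32.exe",
              "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SHELL_PARENTS = {"explorer.exe", "services.exe", "svchost.exe"}


@dataclass
class Event:
    image: str            # full path of the process being started
    parent: str           # full path of the parent process
    cmdline: str = ""     # arguments; quoted paths with spaces are fine
    signed: bool = False  # pretend Authenticode result (no real check here)


@dataclass
class Policy:
    lockdown: bool = False
    trust_signed: bool = False
    alert_vulnerable: bool = True
    auto_allow_system_dirs: bool = True


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _under(path: str, roots) -> bool:
    p = path.strip('"').lower()
    return any(p.startswith(r.lower() + "\\") for r in roots)


def _paths_in(cmdline: str):
    """Tokens of the command line, keeping "quoted paths with spaces" whole."""
    return [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', cmdline)]


def decide(ev: Event, pol: Policy):
    name, parent = _basename(ev.image), _basename(ev.parent)
    # 1. Vulnerable-process rule runs first: living in C:\Windows is exactly
    #    why rundll32/regsvr32 would otherwise sail through a path whitelist.
    if pol.alert_vulnerable and name in VULNERABLE:
        odd_parent = parent not in SHELL_PARENTS
        user_arg = next((t for t in _paths_in(ev.cmdline) if _under(t, USER_WRITABLE)), None)
        if odd_parent or user_arg:
            why = f"{name} started by {parent}" + (f", loads {user_arg}" if user_arg else "")
            return "ALERT", why
    # 2. Location trust: whatever sits in a whitelisted folder runs, signed or not.
    if pol.auto_allow_system_dirs and _under(ev.image, WHITELIST_DIRS):
        return "ALLOW", "whitelisted folder"
    # 3. Signature trust is a separate switch.
    if pol.trust_signed and ev.signed:
        return "ALLOW", "digitally signed"
    # 4. Lockdown blocks silently; otherwise the user gets a prompt.
    return ("BLOCK", "lockdown") if pol.lockdown else ("ASK", "unknown executable")


def run_samples():
    """The scenarios from the thread, as constructed events."""
    explorer = r"C:\Windows\explorer.exe"
    lock = Policy(lockdown=True)
    return {
        "hitman_downloads": decide(
            Event(r"C:\Users\jo\Downloads\HitmanPro.exe", explorer, signed=True), lock),
        "hitman_program_files": decide(
            Event(r"C:\Program Files\HitmanPro\HitmanPro.exe", explorer, signed=True), lock),
        "hitman_downloads_trust_signed": decide(
            Event(r"C:\Users\jo\Downloads\HitmanPro.exe", explorer, signed=True),
            Policy(lockdown=True, trust_signed=True)),
        "regsvr32_from_browser": decide(
            Event(r"C:\Windows\System32\regsvr32.exe",
                  r"C:\Program Files\Internet Explorer\iexplore.exe",
                  r"/s C:\Users\jo\AppData\Local\Temp\payload.dll"), lock),
        "rundll32_control_panel": decide(
            Event(r"C:\Windows\System32\rundll32.exe", explorer, "shell32.dll,Control_RunDLL"), lock),
    }


if __name__ == "__main__":
    for label, (verdict, why) in run_samples().items():
        print(f"{label:32} {verdict:6} {why}")
```

The `hitman_program_files` line is jo3blac1's first question in one row: a path whitelist trusts the folder, not the file, so anything that can write into that folder (an elevated process, an exploited app already running as admin) inherits the trust. The `regsvr32_from_browser` line is the other failure mode: the binary itself is whitelisted by location, so only a rule on the parent and the argument path catches it, which is what the "vulnerable processes" feature is for.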
  25. chris1341

    chris1341 Guest

1) If an app running as admin is exploited, it could be used to drop a file there.
2) This is not a GUI issue; even blacklisted apps can be launched during the delay, but NVT say it is fixed in the next version.
3) An exploited (but whitelisted) app, say Java or your PDF reader, could drop a file and create a start-up entry to launch it before ERP protection is enabled.

Not saying either scenario is likely, but surely possible given that ERP does not restrict whitelisted apps?
     
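A check for chris1341's third point and jo3blac1's second question (a file dropped by an exploited whitelisted app that autoruns before ERP's protection is up), added here as an example and not part of the thread or of ERP: triage Run-key entries and flag the ones that launch through a DLL/script host or from a user-writable tree. The registry dump is constructed; the entry names, paths, marker list and the heuristics themselves are assumptions.

```python
"""Triage of Windows Run-key autoruns for entries that could start a dropped
payload before an anti-executable's protection is active.

Added example; not NoVirusThanks code.  Input is a constructed dump in the
layout that `reg query` prints.  On a live system feed it the output of
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
An entry is flagged when
  * its launcher is a DLL/script host (rundll32.exe, regsvr32.exe,
    wscript.exe, ...), i.e. one of the "vulnerable processes" named in the
    thread, or
  * anything on its command line lives in a user-writable tree, which is
    the only place a non-elevated exploited app can actually write.
Entry names, paths, the marker list and the heuristics are assumptions.
"""
import re

HOST_LAUNCHERS = {"rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "msiexec.exe", "cmd.exe", "powershell.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                         "\\downloads\\", "\\public\\",
                         "%appdata%", "%localappdata%", "%temp%")

# Constructed sample: a per-user installer, a vendor tray app, a dropped DLL
# started through rundll32, and a fake "svchost" under %APPDATA%.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive      REG_SZ    "C:\Users\jo\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    VendorTray    REG_SZ    "C:\Program Files (x86)\Vendor\Tray\tray.exe" /minimized
    WinUpdater    REG_SZ    rundll32.exe C:\Users\jo\AppData\Roaming\upd\helper.dll,Start
    Helper        REG_EXPAND_SZ    "%APPDATA%\svc\svchost.exe" -q
"""

ENTRY_RE = re.compile(r"^\s+(\S+)\s+(REG_(?:EXPAND_)?SZ)\s+(.+?)\s*$")


def parse_reg_query(text):
    """Yield (key, value_name, command) for each string value under each key line."""
    key = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            key = line.strip()          # un-indented line = registry key path
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(3)


def split_cmd(cmd):
    """Tokenise a command line, keeping "quoted paths with spaces" intact."""
    return [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', cmd)]


def triage(cmd):
    """Reasons an autorun command deserves a look; empty list means nothing matched."""
    tokens = split_cmd(cmd)
    if not tokens:
        return []
    reasons = []
    launcher = tokens[0].rsplit("\\", 1)[-1].lower()
    if launcher in HOST_LAUNCHERS:
        reasons.append(f"launched via {launcher}")
    for tok in tokens:
        low = tok.lower()
        if any(mk in low for mk in USER_WRITABLE_MARKERS):
            reasons.append(f"user-writable path: {tok}")
            break
    return reasons


def audit(text):
    """Flagged entries as (key, value_name, command, reasons)."""
    return [(k, n, c, r) for k, n, c in parse_reg_query(text) if (r := triage(c))]


if __name__ == "__main__":
    for key, name, cmd, reasons in audit(SAMPLE_REG_QUERY):
        print(f"{name:12} {cmd}\n{'':12}  -> {'; '.join(reasons)}")
```

OneDrive is flagged too, because per-user installers legitimately live under AppData; the output is a shortlist for a person to look at, not a verdict. That is the same trade-off as the Program Files auto-allow discussed above, seen from the other side: location is cheap to check and says little on its own about what the file is.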