New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Huh, very interesting, thank you

    What are your settings set to?
     
  2. First I did not understand what you were saying with "I trust most of what's on my system" and at the same time you lock applications in a LUA-jail (AppGuard) and put them in handcuffs (Exe Radar Anti-Executable). When this is what trust looks like, how would . . .

    Then the meaning of "so I let those things do what I want" dripped through my brain and everything became clear with a big grin. :D
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    On the General Tab, the first and last box
    on the advanced tab nothing ticked
    Settings Tab Disable idle prompt 5 minutes and block once
    Policies Nothing checked
    Pop ups Both boxes checked, 10 seconds
    Passwords Nothing
    Protection Restore Realtime after 5 minutes
    Nothing on Stealth and Paths
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I can see where this might seem confusing. Let me take a shot at it.

    When you install something like Outpost Firewall, it goes through and makes different rules for the software it finds. Also there can be different settings for the firewall. Its Antileak section puts different rules on different process interactions.

    So since I trust software I've put on the system, I go through those Outpost settings, and make the network access allow everything, and I go through all the Antileak settings and allow all actions.

    Now that other piece of software, common sense, kicks in. There is software that can be exploited. Adobe Reader comes to mind. While in some respects I trust it, it can be exploited. So common sense says protect the system. I run Adobe as a guarded app in AppGuard. That way it can do what it needs, but is blocked from the system areas which it should never need to go.

    Java is a better example. It unfortunately is not trusted, so I run it guarded in AppGuard, so it can't tamper with the system, and I've removed it from ExeRadarPro's whitelist. This way I know whenever it wants to run, and have the option to let it run or not.

    Does this make sense?

    Pete
     
  5. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Pete, you don't get a lot of pop ups from a setting like this?
    Also are you in lock down or just under protection?
     
  6. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Thanks Peter :thumb:
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Not really. I'll get a pop up when Rundll32 does something. If legit I whitelist the command line, and that's it. Also there are a couple of things like RealPlayer which I do use, so I've taken its updater out of the whitelist, and when it first pops up, I block it, and then tick the box to not show that pop up again.

    I am just under protection. I don't use Lock Down, because of my approach of wanting the option to run some things.

    Pete
     
  8. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    808
    Thanks for the reply.

    It seems like NoVirusThanks EXE Radar Pro is not protecting.

    I have tried adding a process to BlackList & I could still run it. There is no prompt or event in the Events Log.

    I did not have this problem prior to this or 1 version earlier.
     
  9. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    808
    The whitelist is not empty.
     
  10. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I think he was talking about Events, not Whitelist...
     
  11. Yep, got a similar line of defense using Windows Pro features (got an Ultimate, but also find AppGuard too much hassle)

    1. Use Protected Mode of IE and Low/Untrusted Integrity of Chromium, to separate everything in process from the rest of the system

    2. Deny execute on shared, download and media folders for Everyone (ACL) and block autorun/deny execute access to USBs (GPO)

    3. Deny execute on everything outside Windows & Program Files on all files for all users except Admins (SRP), so I can still install with right click "run as admin".

    4. Deny elevation of unsigned programs (Chromium, Classic Media Player, Evince-PDF, 7-ZIP) through UAC. Gave Outlook a mandatory Medium Level Integrity with icacls.

    I just found the "trust most versus I let them do what I want" humorous way of describing a tight deny execute (NVT)/deny elevate (AG) policy, considering you have SBIE at hand to use as Sandbox. So IMO your setup is built around the same principles, only your implementation is the Fort Knox version of mine.
     
    Last edited by a moderator: Mar 4, 2013
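    The deny-execute ACL from step 2 of the post above, written out as a PowerShell script around icacls. This is an added example, not code from the thread or from any poster; the folder list and the elevated-shell requirement are assumptions, and the paths are placeholders for your own shared, download and media folders.

```powershell
# Added example (not from the thread): apply a "deny execute for Everyone" ACE
# to a set of folders, show the resulting ACL, and provide a rollback.
# Assumptions: run from an elevated PowerShell; $Folders is a placeholder list.
$Folders = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Videos",
    "$env:PUBLIC\Downloads"
)
# Well-known SID for Everyone; the "*" prefix tells icacls it is a SID, which
# avoids depending on the localized group name.
$EveryoneSid = "*S-1-1-0"

function Set-DenyExecute {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "skipping missing folder $p"; continue }
        # (OI) = files below inherit the ACE, (IO) = the folder object itself is not
        # affected, (X) = the execute/traverse right. A deny ACE is evaluated before
        # allow ACEs, so launching any image file under the folder is refused.
        icacls $p /deny "${EveryoneSid}:(OI)(IO)(X)"
    }
}

function Remove-DenyExecute {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        # /remove:d strips only the deny ACEs for this SID, leaving allow ACEs alone
        if (Test-Path -LiteralPath $p) { icacls $p /remove:d $EveryoneSid }
    }
}

function Show-Acl {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) { icacls $p }
    }
}

Set-DenyExecute -Paths $Folders
# Verify: each folder should now list an Everyone entry carrying (DENY) and (X)
Show-Acl -Paths $Folders
# Remove-DenyExecute -Paths $Folders   # uncomment to roll the change back
```

    One caveat worth keeping in mind: the execute right governs running a file as a process image. A script or document opened by an interpreter only needs read access, so this ACE does not cover that case; that is what the SRP rule in step 3 is for.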
  12. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Unofficial Todo/suggestions list for future ERP versions:

    1. Update of Help File
    2. Automatic uninstall (without waiting for service shutdown)
    3. Alert popup optimization (https://www.wilderssecurity.com/showpost.php?p=2180495&postcount=1376)
    4. Internal updater
    5. Auto refresh of Processes tab (without changing tab view)
    6. Auto alphabetical order of processes in Processes tab
    7. Make "CPU" column in Processes tab (show usage like in Task Manager)
     
  13. therube

    therube Registered Member

    Joined:
    Oct 5, 2012
    Posts:
    63
    Location:
    USA
    > then I whitelisted ... Documents and settings

    Wouldn't that generally be a poor decision?

    D&S is a place open to you.
    Therefore a place where malware could drop something.
    And if something is then dropped into D&S &, as you have allowed anything therein, you have then given malware a foothold on your system.

    I would expect no, & would want no executables within D&S, unless perhaps you save downloaded programs on your desktop or something like that.
     
  14. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    For max security without a real time AV I went a different route. This is how I run on a known clean machine (base system re-image with only OS, updates, drivers, and ERP is the first program installed). This procedure can also be used on a seasoned machine, as long as it is known clean.

    1. After install, select NO to add system protected processes.
    2. Right click tray icon and select add running processes to whitelist.
    3. Uncheck automatically allow system protected processes and auto allow Program Files in settings tab. Uncheck hide the popup, so you have to manually close it. Check play sound (your choice).
    4. Reboot.
    5. I let the machine idle for a period of time and I whitelist any pop ups that I get. Usually 5-6.
    6. Start to "use" the machine and whitelist any popups. Right click desktop, Windows Update, Task Manager, WMP, IE, Control Panel, reboot, sleep, etc., etc... Usually 20-30 popups.
    7. Reboot, let idle again for a short time, use the machine again by doing anything that I can think of (except CMD, I don't whitelist that) and whitelist anything that I forgot to do earlier.
    8. Install all my software, and whitelist once installed. (I install with ERP OFF, as I know all of my programs/installers are clean. Things like CCleaner Portable, Chrome, MBAM, HMP, etc.)
    9. Leave in default mode, NOT lockdown.


    Yes, this setup isn't for everyone, and it does take about 90 minutes, but at the end of the day, nothing else will ever run that I am not alerted to, and since this is my one and only line of defense, it's how it has to be. Do expect 2-3 rogue popups for the next 72 hrs. Leaving your machine running overnight will reveal these.

    This in my opinion is the most secure setup. Also, my machine is only used by me and never anyone else.
     
    Last edited: Mar 4, 2013
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Problem I have is there are a couple of good programs I have, that install in the Docs and Settings area. I don't run that all that often. I don't worry about the vulnerability aspect, as Appguard protects that area.

    But thinking about this, I may just change that and take that whole area off the white list.

    That's the beauty of interacting here on Wilders.

    Thanks therube.

    Pete
     
  16. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    I was under the impression that whitelisting Docs and Settings would only whitelist the executables in that area at the time of the whitelisting, and not just blanket whitelist the entire folder. So wouldn't anything dropped in there and executed later, still get you a popup and blocked? Or am I understanding how it works incorrectly?
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well, I went back and took a look at this. A lot of harmless stuff like installers did get whitelisted, but to clear it out would be time consuming, and in the end not accomplish much. Let me explain.

    First the only way a new program could land there is if it came either by Browser or Outlook Email. Sandboxie wouldn't stop that, but it would stop execution and it would stop entering autostart entries.

    But if it should find its way past Sandboxie, AppGuard wouldn't let it run without deliberately lowering protection....

    But even if it should get by AppGuard, since it is new and not whitelisted it will throw an ERP pop up, where it can be blocked.

    Bottom line.... I am not worried.

    Pete
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    See my response post. You are indeed correct.

    Pete
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    Ok, very good. Thanks Peter. :)
     
  20. arsenaloyal

    arsenaloyal Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    513
  21. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    @NoVirusThanks:

    I've been working on a concept for the EXE Radar Pro popup window, tell me what you think.

    Maybe this will give you some ideas


    Here they are:

    With the Process Execution indicator (Orange Bar):
    ERPPOPUP.jpg

    Without the Process Execution indicator (No Orange Bar):
    ERPPOP.jpg

    Plus, I was thinking...would it be better to place the popup window in the lower right-hand corner of the screen, instead of the center of the screen?

    Anyways, I hope you like it :D :thumb:
     
  22. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Great work! :thumb:
    I prefer the first option because orange means: take it seriously!

    Since you obviously have a talent for art, try this next:
    Make it smaller so it would consist of only the important information.
    Other info should be in an additional or expanded window.
    Make an arrow or a link to open it.
     
    Last edited: Mar 4, 2013
  23. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Thanks, I appreciate that :D
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    On my machines it is in the lower right hand corner of the screen. But there are a few issues with multi monitors, and with my big high resolution screen there is also an issue. NVT is aware and is working on them.

    Pete
     
  25. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Such kind words, thank you for that


    What would you consider important?

    Process, Path, Description, Signed for main?

    Then the rest of the info when a user clicks More details....

    Bitness, Cmdline, MD5 Hash, Parent, Publisher?

    So, kind of like a link text that says More details..., then it expands more info when a user clicks it?

    EXAMPLES:


    Basically, something like this?

    Main popup (Less info):
    ERPPOPUPsmall.jpg

    Expanded popup (When clicking More details...)
    ERPPOPUPLarge.jpg

    These are just concepts, it's up to the developer on how he wants to implement dimensions, info, placement, etc....
     
    Last edited: Mar 4, 2013