New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. chris1341

    chris1341 Guest

    I understand the sentiment but it's overstated in my view.

    The Achilles heel of any AE is social engineering type attacks. If you think a file is safe you'll disable protection, click allow at the pop-up etc. That's understood. It also frustrates me when people go to Mal0de and MWD download a bunch of exes and 'wow, look how good this is'. Imagine that an AE that blocks the execution of a file :rolleyes:

    However, right off the top of my head I can think of many advantages of using AE type software (particularly in lock-down), many of which NVT have noted above, but just 2 prove to me good AE is anything but 'stupid and useless':

    1. Prevention of unwanted/unintended/drive-by style installs
    2. Prevention of other system users installing things you don't want on your computer

    I for one think they are quite clever and useful :D .

    Cheers
     
  2. guest

    guest Guest

    I understand your position, but most of the features don't provide security to a home user, just a sense of control of what is going on, which helps you to be "more" sure that your computer is "clean". Of course an AE is a must have in any other case, when it's a public computer, or it's in a restricted environment.

    Regarding the whitelisting and cloud, you can get it for free just by syncing NVT with Crystal Security. Crystal Security is free so it can use VT as much as it wants. Of course in this case you will need to talk with the developer, I think he will be open to this.
    Also he is working on some kind of local/cloud whitelisting so maybe this could be something where you can collaborate.
    http://www.crystalsecurity.eu/
    http://www.crystalsecurity.eu/#support
    https://www.wilderssecurity.com/showthread.php?t=317258

    On the other hand you can use VT even being a paid application. You can look up any file in VT using the hash and without using the API.
    https://www.virustotal.com/en-gb/file/[SHA256]/analysis/
    This could be done and shown in every popup. And when the file is not found offer a link to the user to upload the file.

    Also you can't use the API but that doesn't mean that you can't use VT services.
    https://www.virustotal.com/es/documentation/public-api/
     
    Last edited by a moderator: Aug 29, 2013
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Hi guest

    You certainly are entitled to your opinion, and I see you don't run ERP, which is again certainly your privilege

    but....

    What got me interested in ERP in the first place, was user RMUS continually demonstrating how an old version of Faronics AE blocked all the new exploits coming down the road.

    While it could be easily argued with my setup, I don't need ERP, nevertheless it has some unique features that I feel are very worthwhile.

    Pete
     
  4. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    I have a question for NVT Experts here. Under the tab "Advance, vulnerable processes" there are about 12 files which are there by default. Are there any other files or processes I should add to increase the protection?
    Thanks in advance for help.:)
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Only other thing I've added there is the 3 main Java apps, since I have Java on my machine. That way, anytime Java wants to run, I know.

    Pete
     
  6. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Thanks Peter, it's appreciated. I don't have Java, so I guess I am all set then.:)
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    To amplify a bit. The easiest setup when installed is to white list everything. But if there is a program you always want to be alerted to when it runs, then add it to the advanced tab. Then it will alert every time.

    Neat thing is once one of the programs alerts, you can whitelist that particular command line string, and that won't bother you again.

    Pete
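
Added example (not part of any post in this thread, and not NoVirusThanks code): a simplified Python model of the setup described in the post above, where whitelisted programs run silently, programs on the vulnerable-processes list alert every time, and approving one exact command-line string silences only that invocation. The evaluation order, the lockdown behaviour and the sample paths are assumptions made for illustration.

```python
import ntpath
from dataclasses import dataclass, field

# Constructed sample paths; the Java location is an assumption for this demo.
RUNAS = r"C:\Windows\System32\runas.exe"
RUNAS_WOW64 = r"C:\Windows\SysWOW64\runas.exe"
JAVA = r"C:\Program Files\Java\jre7\bin\java.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"


def norm_path(path: str) -> str:
    """Windows paths compare case-insensitively, with '/' and '\\' equivalent."""
    return ntpath.normcase(ntpath.normpath(path))


@dataclass
class Policy:
    whitelist: set = field(default_factory=set)   # images allowed silently
    vulnerable: set = field(default_factory=set)  # images that always prompt
    approved: set = field(default_factory=set)    # (image, exact command line)
    lockdown: bool = False                        # assumed: no prompt, just block

    def trust(self, image: str) -> None:
        self.whitelist.add(norm_path(image))

    def watch(self, image: str) -> None:
        self.vulnerable.add(norm_path(image))

    def approve(self, image: str, cmdline: str) -> None:
        self.approved.add((norm_path(image), cmdline.strip()))

    def decide(self, image: str, cmdline: str) -> str:
        img = norm_path(image)
        unresolved = "block" if self.lockdown else "alert"
        # Assumed order: the vulnerable list is checked before the whitelist,
        # so a whitelisted image on that list still prompts.
        if img in self.vulnerable:
            hit = (img, cmdline.strip()) in self.approved
            return "allow" if hit else unresolved
        return "allow" if img in self.whitelist else unresolved


def build_demo_policy() -> Policy:
    policy = Policy()
    for exe in (NOTEPAD, RUNAS, RUNAS_WOW64, JAVA):
        policy.trust(exe)      # "white list everything" at install time
    for exe in (RUNAS, RUNAS_WOW64, JAVA):
        policy.watch(exe)      # entries suggested in the thread
    return policy
```

Matching the approved command line exactly, rather than by prefix or pattern, keeps an approval for one script or JAR from covering a different argument passed to the same interpreter.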
     
  8. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    I'd add runas.exe in both System32 and SysWOW64 (if you're running 64 bit).

    Later...

    Bob
     
  9. syrog

    syrog Registered Member

    Joined:
    Jul 13, 2013
    Posts:
    32
    ERP is in Alert Mode. When I execute a vulnerable process (one that is added to vulnerable processes tab) no alert is shown. No matter which processes I add to vulnerable processes I do not get any alerts upon executing these processes. For example I added CCleaner process as a vulnerable one, but there are no alerts when executing CCleaner. There are many more examples but without success. Your help is really appreciated.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Just tried it here on the latest beta and works fine. Are you adding the actual exe file?

    Pete
     
  11. syrog

    syrog Registered Member

    Joined:
    Jul 13, 2013
    Posts:
    32
    Yes, I am adding the actual executable file. My ERP's version is 2.7.7 build 25
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Don't know. Back when I was running that build, never had an issue. You might open a support ticket.

    Pete
     
  13. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Done! Thank you Trespasser.:)
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ guest

    I must say that I disagree, the only apps that you should trust are security tools, and that's because you haven't got a choice. ;)

    It's just like saying that all HIPS are useless. The whole point of AE and behavior monitoring HIPS is to alert you about strange or unwanted actions by apps.

    AE can also stop exploits (so called "drive by" attacks) from running on your system.

    Plus you can lockdown the system, handy for protecting NOOBS that don't know a thing about computer security. :)
     
  15. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    KUDOS! :thumb:
     
  16. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I was getting tired of the default beep sound of ERP alerts, so I found these below and I like them...it would be cool if Andreas could create some custom sounds for ERP.

    I can't really explain the sounds, but they will get your attention :D

    http://rghost.net/48505829
    http://rghost.net/48505834
     
  17. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Andreas,
    I have a couple of standalone executables (HJSplit v3.0 and Marxio-FCV v1.6.15) that I keep in a folder within Documents (named Apps) along with procexp64 (gets an alert) that do not produce an alert from ERP 2.7.7.

    Is there a reason why they are allowed to execute or is this a bug?

    Regards,

    Bob
     
  18. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Andreas,
    I'd like to withdraw my above report about ERP 2.7.7. I re-imaged my laptop, installed the usual suspects (including ERP 2.7.7), but this time I didn't copy over my NoVirusThanks configuration folder to ProgramData like I normally do (which I'm finding is a bad idea). Afterwards, the two previously mentioned executables (HJSplit 3.0 and Marxio-FCV) produced an alert message from ERP.

    Sorry for the fuss or false alarm. :).

    Later...

    Bob
     
  19. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I hope we'll get a new build soon....:doubt:
     
  20. just_john

    just_john Registered Member

    Joined:
    May 31, 2008
    Posts:
    14
    Delayed protection

    This is my first post to this forum. I am running NVT in Lockdown Mode (extreme) with stealth mode in a standard user account on Windows 7 with Microsoft Security Essentials.

    After a boot it takes a long time for the lockdown to begin. The lockdown does not begin until after MSE finishes its initial check. So there is a period of nearly two minutes when I can start any program on the computer. After the lockdown begins NVT functions as expected. It seems that the lockdown should begin before the user interface allows the opening of a program. Am I doing something wrong? Any help or advice would be appreciated.

    Thank you,

    John
     
    Last edited: Sep 4, 2013
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Bob

    No problem, thanks for the update :)

    @syrog

    That looks strange, see this faq:
    http://novirusthanks.org/help-files/exe-radar-pro/#faq8

    Do you have alerts for other processes (different from CCleaner) ?

    @John

    It has been fixed in the next version, it should be released in 1 week :)
     
  22. syrog

    syrog Registered Member

    Joined:
    Jul 13, 2013
    Posts:
    32
    @novirusthanks

    I tried to add

    C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe
    C:\Program Files\NoVirusThanks\EXE Radar Pro\ERPx64Svc.exe
    C:\Program Files\NoVirusThanks\EXE Radar Pro\ERPx86Svc.exe

    to Comodo Firewall's HIPS allowed rules as you advised. Surprisingly, there was no "ERPx86Svc.exe" in the program files of NoVirusThanks!

    I mentioned CCleaner just as an example. There are no alerts for any processes whatsoever. Actually since the installation of ERP I did not get any alerts and did not feel it is present.

    I have Windows 7 Pro x64 if that helps.
     
  23. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Of course, "ERPx86Svc.exe" runs only on Windows x86.
    ;)

    To avoid further confusion, I suggest Andreas put notes in the help file about x86 and x64 versions.
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @syrog

    Yeah, you have an x86 OS and that means you will have only these files:

    C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe
    C:\Program Files\NoVirusThanks\EXE Radar Pro\ERPx86.dll
    C:\Program Files\NoVirusThanks\EXE Radar Pro\ERPx86Svc.exe

    These are the correct rules that should be applied to Comodo products:
    http://novirusthanks.org/help-files/exe-radar-pro/#comodo-erp

    Let me know if that works.

    @siketa

    Yes, I agree, I will add a note about it.
     
  25. jdsandbe

    jdsandbe Registered Member

    Joined:
    Feb 13, 2011
    Posts:
    13
    I read through ERP help file today and at the very end, under recommendations, point 3 it says “Do not use a proxy or tunnel with EXERadar.exe”. My question is: why is this not advisable? I used ERP with the KISS tunnel quite a few times and everything seemed to work fine. I am working with Windows XP, WSA and AppGuard. Looking forward to an explanation.
    JDS
     