New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. TomAZ

    TomAZ Registered Member

    Andreas. . .

    Any chance of adding the option to a future release to open ERP minimized when started manually (not started with Windows)? Or, maybe it's already there and I just missed it o_O
     
  2. siketa

    siketa Registered Member

    Hey! Me too! :D
     
  3. Q Section

    Q Section Registered Member

    -> Peter2150 - The malware referred to is quite a bit more sophisticated than merely an executable being able to be stopped from executing. So far it is the only malware that was seen to have incorporated four zero-day attacks at one time for starters. They were not mere .exe files. Thank you for trying to answer the question though.


    -> novirusthanks - If your programme has not been tested against stuxnet then that is understandable. If it has been tested against it and has been found to fail (so far) would you not deem it at least an honest admission even at the expense of the reputation of your programme? Every anti-malware programme on the market and those which are not are being constantly developed to be better and more effective in their mission to protect. So far there is no single programme which has been shown to be 100% effective against all malware tested against it.

    Of course we all know here on the Wilders forum that a layered approach is only the start of proper security considerations to protect one's computers.

    Inquiring minds wish to know......

    Best regards and thank you for your efforts at attempting to develop a good and worthwhile programme.
     
    Last edited: Apr 2, 2014
  4. novirusthanks

    novirusthanks Developer

    @everyone

    Thanks for the votes and reviews :D

    @Q Section

    I am out of town till Saturday.

    When I am back at work (Saturday afternoon or at the max on Monday) I will set up a virtual machine with ERP, then I will try a StuxNet sample to see if it is correctly detected by ERP and I'll report the results (I didn't test it some time ago because I forgot to do it).

    @TomAZ

    Yes, it can be added, I added it to the todo list.

    @Defenestration

    I'll check it on Monday and I'll see what can be done.
     
  5. Houley456

    Houley456 Registered Member

    Stuxnet is very different.....still would like a demo of ERP against it.....
     
  6. silver0066

    silver0066 Registered Member

    What does this mean? How can I check what it is trying to do? It pops up several times per day. It does not matter if I allow it or not, it keeps popping up.
     


  7. siketa

    siketa Registered Member

    You can whitelist it using wildcard (check the help file) or remove msiexec.exe from the list of vulnerable processes.
     
  8. Rasheed187

    Rasheed187 Registered Member

    I don't get it, how is it different? o_O

    If it's loaded manually, ERP should stop it. If it's loaded by an exploit, then it should normally also be stopped, depending on how serious the flaw (exploit) is. :)
     
  9. Gullible Jones

    Gullible Jones Registered Member

    Stuxnet used (among other things) a direct kernel exploit that could bypass any driver-based security software. The exploit is patched now, but ERP would not protect against it.

    (The CIA has a lot of money to spend on effective exploits. Hate to say it, but simple binary whitelisting is not going to put the kibosh on their espionage efforts.)
     
  10. Q Section

    Q Section Registered Member

    Thank you very much. It will be appreciated.


    novirusthanks <-- Is a good example of the sort of chap along with his/her excellent responsiveness as a developer we all wished all developers would emulate.
     
  11. Houley456

    Houley456 Registered Member

    From what I can decipher, what makes stuxnet extraordinary is that its version information is identified as a Microsoft driver and it had a valid digital signature issued by legitimate PC component manufacturers...
     
  12. Rasheed187

    Rasheed187 Registered Member

    Btw, I was thinking, is it perhaps possible to make a feature that lets you block browser extensions in for example Mozilla, Opera and Google Chrome? Or even better, an ability to block ANY file extension? :)

    Yes, but that doesn't mean that ERP shouldn't be able to stop it from executing. :cautious:
     
    Last edited: Apr 7, 2014
  13. Houley456

    Houley456 Registered Member

    Let's hope so
     
  14. TomAZ

    TomAZ Registered Member

    Twice now since installing 3.0, I've "lost" my ERP lists. Don't know whether or not I have a conflict somewhere causing this, but has been a little annoying. It hasn't been a real serious issue because I had exported all of my settings and lists and was able to just re-import them again.

    However, just wondering if anyone else has experienced this?
     
  15. Peter2150

    Peter2150 Global Moderator

    nothing like that here on Win 7x64

    Pete
     
  16. DBone

    DBone Registered Member

    Same here, same specs.
     
  17. asaens

    asaens Registered Member

    Might try installing "... as an administrator" if you haven't already
     
  18. siketa

    siketa Registered Member

    Still waiting for the Stux test...
     
  19. novirusthanks

    novirusthanks Developer

    I had time to test ERP against Stuxnet and ERP correctly detected both attempts of Stuxnet .lnk files to load the malicious .DLL file and the .TMP file:

    The loading of the malicious file ~WTR4141.tmp is blocked when the first .lnk file is executed:
    http://postimg.org/image/6ufb5btmr/

    The loading of the malicious file dll.dll is blocked when the second .lnk file is executed:
    http://postimg.org/image/o2xh7ci9t/

    Both .lnk files make use of the system file rundll32.exe to load the malicious payloads.

    @TomAZ

    Another user has reported that issue. It is very strange; anyway, I will try to reproduce it here.

    So far, there are 3 bugs reported by users in the latest version of ERP:

    1) Since I have installed ERP I now have the language indicator visible near the clock. When I close ERP the indicator vanishes and when I reload ERP it appears. I cannot seem to turn it off as every reboot puts it back?
    2) Sometimes when ERP is closed or the PC is restarted the lists are emptied (probably a conflict with another security software, just a guess)
    3) In Windows 8.1 64-bit sometimes the process name is empty (but the PID is displayed correctly) in the alert dialog
     
    Last edited: Apr 8, 2014
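
Added example, not part of the original posts and not ERP's own code or rule syntax: a Python check in the spirit of what posts 7, 19 and 22 describe, where launches of "vulnerable" system processes such as rundll32.exe and msiexec.exe are judged by their full command line against a wildcard allowlist. The `VULNERABLE` set, the `ALLOW` patterns, the drive letters and the entry-point names are assumptions constructed for illustration.

```python
import fnmatch
import ntpath
import re

# Assumption: processes treated as "vulnerable" (they run other code on request).
VULNERABLE = {"rundll32.exe", "msiexec.exe"}

# Hypothetical wildcard allowlist of full command lines (not ERP's rule syntax).
ALLOW = [
    r"*\system32\msiexec.exe /V",
    r"*\system32\rundll32.exe shell32.dll,*",
]

# Module argument of rundll32: quoted path, or bare token up to the first comma.
_MODULE = re.compile(r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', re.I)

def rundll32_module(cmdline):
    m = _MODULE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def evaluate(image, cmdline, allow=ALLOW):
    """Return (verdict, reason) for one process-creation event."""
    name = ntpath.basename(image).lower()
    if name not in VULNERABLE:
        return ("skip", "not a vulnerable process")
    for pattern in allow:
        if fnmatch.fnmatchcase(cmdline.lower(), pattern.lower()):
            return ("allow", "matched " + pattern)
    if name == "rundll32.exe":
        ext = ntpath.splitext(rundll32_module(cmdline) or "")[1].lower()
        if ext not in (".dll", ".cpl"):
            return ("block", "rundll32 module has extension " + repr(ext))
    return ("ask", "unlisted command line for a vulnerable process")

# Constructed events; drive letters and entry-point names are placeholders.
SYS32 = "C:\\Windows\\System32\\"
SAMPLES = [
    ("rundll32.exe", r'"E:\~WTR4141.tmp",EntryPoint'),
    ("rundll32.exe", r"E:\dll.dll,EntryPoint"),
    ("rundll32.exe", "shell32.dll,Control_RunDLL"),
    ("msiexec.exe", "/V"),
    ("notepad.exe", "notes.txt"),
]

def run_samples():
    return [evaluate(SYS32 + exe, SYS32 + exe + " " + args)[0]
            for exe, args in SAMPLES]

if __name__ == "__main__":
    print(run_samples())
```

The second sample passes the extension check because it really is named `.dll`, yet it still ends in "ask": only the command-line allowlist separates it from the legitimate shell32.dll call.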
  20. Q Section

    Q Section Registered Member

    Thank you, sir! Good show!
     
  21. TS4H

    TS4H Registered Member

    When the latest round of MS updates came my way I received these two notifications by ERP.

    ERP2.PNG ERP.PNG

    Note the first screen (left) was copied from member silver0066 on post #3356. This prompt did not freeze my computer but prevented me from opening any software like MS snipping tool, hence the copy of prompt from this member. Once I clicked on allow, the PC returned to normal prompting the second screen. These two prompts occurred during MS patch update installation.

    Is it recommended to put ERP in disabled mode or learning mode before MS updates? I have checked "block processes signed with invalid or revoked certificates" in settings. Should I uncheck this for better compatibility?

    Thanks in advance
    Regards
     
  22. novirusthanks

    novirusthanks Developer

    The process msiexec.exe is used sometimes by Windows Update to install specific updates, you can whitelist both commandlines.

    Before you run the Windows Updates, I would recommend switching to "Disabled Mode" so in case updates require msiexec.exe, there will be no delay.
     
  23. TS4H

    TS4H Registered Member

    Thank you for your response. I'll take that advice :thumb:
    Regards
     
  24. iammike

    iammike Registered Member

    I have noticed something strange but I don't know what is causing this

    Sometimes my NVT Icon will just be gone from the Notification Area, the NVT service however is still running.

    I have to click the NVT shortcut on the Desktop just to get the Icon back.

    In the meantime I also don't get any alerts.

    No idea what's causing this, no messages in the NVT logs or in the Win Eventlogs.

    Running Win 8.1.1 x64 with Appguard and EAM and NVT in Alert Mode
     
  25. siketa

    siketa Registered Member

    Is it there when you click on "Show hidden icons" button in the tray?
     