Driver Radar Pro v1.5 (Freeware)

Discussion in 'other anti-malware software' started by novirusthanks, Apr 28, 2014.

  1. Overkill

    Overkill Registered Member

    Awesome! Thanks for explaining that
     
  2. Cch123

    Cch123 Registered Member

    Hello, just to check, does Driver Radar Pro block all system executables such as .sys, .drv, .cpl, .scr, etc.?
     
  3. siketa

    siketa Registered Member

  4. trott3r

    trott3r Registered Member

  5. Dragon1952

    Dragon1952 Registered Member

    Is this a good security app to use?
     
  6. novirusthanks

    novirusthanks Developer

    Released a new version:
    http://www.novirusthanks.org/products/driver-radar-pro/

    [24-01-2015] - v1.6.0.0

    + Improved protection against malformed driver loads
    + Improved the installer and uninstaller script
    + Added option to save only events of blocked drivers
    + Added option to log only blocked drivers
    + Minor fixes and optimizations

    To update:

    1) Close DRP
    2) Uninstall DRP
    3) Reboot PC (very important)
    4) Install DRP

    @Cch123 @Dragon1952

    DRP blocks loading of unknown kernel-mode drivers and thus it can block rootkits and other nasty malware that loads a kernel-mode driver.
     
  7. siketa

    siketa Registered Member

    Why is logging disabled by default?
     
  8. novirusthanks

    novirusthanks Developer

  9. Rasheed187

    Rasheed187 Registered Member

    Interesting, I will check it out. Normally HIPS don't even white-list drivers, but it's not a bad idea.
     
  10. Rasheed187

    Rasheed187 Registered Member

    On second thought, I wonder if this is indeed a good idea. What if DRP malfunctions and starts to block important drivers? Then your system won't boot up correctly. There is also no alert-mode. I think it's better to alert only about tools that try to load or install new drivers, white-listing is not needed IMO.
     
  11. busy

    busy Registered Member

    @novirusthanks
    System freezes or goes unresponsive for a few seconds while opening MultiMonitorTool with DRP enabled (all modes). No freeze with it disabled.

    Code:
    C:\Windows\System32\RDPREFDD.dll
    C:\Windows\System32\RDPDD.dll
    Code:
    http://www.nirsoft.net/utils/multi_monitor_tool.html
     
  12. Mage

    Mage Registered Member

    @busy
    Andreas (NVT) was kind enough to allow me to beta test some of the latest and greatest projects and your reported issue should now be fixed =) Perhaps the newest beta of DRP will be released soon. Thanks for the bug report.

    @Rasheed187
    I don't see this happening. DRP is likely using a clever and secure way to ensure that all system32 drivers required by the OS can be safely loaded. In the strange event that DRP is somehow unable to respond to a driver load request, it has the ability to detect this and allows the driver to load, because if it was blocked then it would create havoc, as you mentioned. You can simulate this condition by using a tool like "Process Explorer": select "DrvRadarPro.exe", right-click it and choose "Suspend". Now try running software that will load a driver; it will be allowed since DRP is not functioning and .exe <-> driver communication cannot be successfully established. Hope that answers your inquiry.

    @Dragon1952
    I think so too! It's one of my favorite products by NoVirusThanks Company Srl and I find it very useful. Personally, I mainly use it for collecting malware drivers to study their behavior, and I've a friend with a malware research blog who uses it as well for the exact same purpose.

    @Cch123
    Yes, it can block any/all drivers loaded by the kernel. .scr and .cpl are not kernel drivers, they are usermode executables (use EXE Radar Pro to block these). Loadable kernel drivers are .sys (system driver file) and specialized .dll (kernel mode DLL such as RDPDD.dll which is mentioned in this thread).
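
Added example, not part of the post above and not DRP's own code: the file extension does not decide whether an image is a kernel-mode driver, so this sketch reads the Subsystem field of the PE optional header instead, on the assumption that kernel-mode images are linked with the native subsystem (value 1) and usermode executables such as .scr and .cpl are not. The sample images are constructed header-only byte strings and all function names are hypothetical.

```python
import struct

IMAGE_SUBSYSTEM_NATIVE = 1           # drivers and other kernel-mode images


def pe_subsystem(image: bytes) -> int:
    """Return the Subsystem field of a PE image, or raise ValueError."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # skip "PE\0\0" and the 20-byte COFF header
    if len(image) < opt + 70:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+.
    (subsystem,) = struct.unpack_from("<H", image, opt + 68)
    return subsystem


def looks_like_kernel_image(image: bytes) -> bool:
    """True only for a well-formed PE whose subsystem is 'native'."""
    try:
        return pe_subsystem(image) == IMAGE_SUBSYSTEM_NATIVE
    except ValueError:
        return False                 # malformed input is never treated as a driver


def make_sample(subsystem: int, magic: int = 0x20B) -> bytes:
    """Constructed minimal header-only PE for the demo (not a loadable file)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0xF0, 0x2000)
    optional = bytearray(0xF0)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 68, subsystem)
    return dos + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    # Constructed names: the extension is ignored, only the header decides.
    for name, sub in [("sample.sys", 1), ("sample.dll", 1), ("sample.scr", 2)]:
        print(name, looks_like_kernel_image(make_sample(sub)))
```
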
     
  13. busy

    busy Registered Member

    Thank you, Mage.
     
  14. novirusthanks

    novirusthanks Developer

    Thanks for the detailed answers Mage :)

    A new beta-build can be downloaded from here:
    http://downloads.novirusthanks.org/files/DrvRadarPro_Setup2.exe

    + Improved kernel-mode driver
    + Added VirtualBox *.r0 drivers to the WhiteList (Config Wizard)
    + Allow to select any file extension when whitelisting drivers
    + Added a check to make sure the file to whitelist is a valid driver
    + Improved saving of whitelist on Standard User Accounts
    + Minor fixes and optimizations

    To update:

    1) Close DRP
    2) Uninstall DRP
    3) Reboot PC (very important)
    4) Install DRP

    @busy

    Your reported issue should be fixed in the new build, please confirm it when you have time.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Thanks, but I still don't think it's a good idea. It's better to only alert about new drivers.
     
  16. Mage

    Mage Registered Member

    @Rasheed187

    Do you mean you prefer the functional behavior to alert for newly loaded drivers like ERP does for processes and prompt the user to interact with the decision to allow/block them? Or do you mean just a simple alert and nothing else, as in not blocking them at all?
     
  17. busy

    busy Registered Member

    @novirusthanks

    This issue is not fixed for me in DrvRadarPro_Setup2.exe (Version 1.6.5.0 - 3 April 2015).

    Code:
    [Driver: C:\Windows\System32\RDPENCDD.dll] [Image Base: 0xA20000] [Image Size: 0x29000] [Publisher: Microsoft Corporation] [Description: RDP Encoder Mirror Driver] [MD5: FF6148B1C150DA05D35C68D143AD6DEA] 
     
    Last edited: Apr 4, 2015
  18. novirusthanks

    novirusthanks Developer

  19. Rasheed187

    Rasheed187 Registered Member

    Yes I mean the first one, that makes more sense, you should be able to block new drivers. You shouldn't mess with drivers that are already loaded automatically on system startup. Of course I do believe that DRP will probably work just fine, but in theory there is risk involved with it, that's why most HIPS don't offer an option to white-list drivers.
     
  20. busy

    busy Registered Member

  21. bjm_

    bjm_ Registered Member

    Hello,
    Been running 1.6 and must have forgot to watch thread. So, I missed #139
    Anyway, just noticed when I un-plug / plug my usb wired mouse. DRP blocks and my machine has to close/restart. WER wants to be sent to our M$ friends.
    Scenario: I wanted to check my touch pad. So, I un-plug wired mouse which allows touch pad. Quick check. Then plug in wired mouse. DRP blocks driver and shutting down / restart.

    Why does DRP not recognize wired mouse that 15 seconds before was in use?
    TIA
     
  22. Rasheed187

    Rasheed187 Registered Member

    This is the stuff that I was afraid of.
     
  23. bjm_

    bjm_ Registered Member

    Oh...?
    v1.6.5
    I've become shy. This morning before plug in my thumb drive. I put DRP to 'Learning'. Noticed more 'Learning' than expected....
    Maybe, I need to 'Learn' my wired mouse...?
     
  24. bellgamin

    bellgamin Registered Member

    Too bad the title of this thread shows version 1.5. I hadn't realized we had advanced to 1.6.5. I shall update forthwith.

    I am staying tuned to this thread more regularly in the future -- bjm's posts are antenna raisers.
     
  25. bjm_

    bjm_ Registered Member

    Yeah, I was hoping Rasheed187 would clarify "stuff" #147
     