New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,347
    Location:
    Location Unknown
    Thanks for that information. It was helpful!
     
  2. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Maybe this is the problem: ERP identifies these processes by hash value. So when you get a major Windows update, and those processes change, you need to refresh your Vulnerable processes list.
    Just reset it to default, and it will take care of itself, and then you add your extras, like regedit or whatever.
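
Added example, not part of the post above and not ERP's own code: a small audit for any list that pins executables by hash, showing how an entry goes stale when an update replaces the file at the same path. The file names, the status labels and the `{path: digest}` list format are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="sha256", chunk=1 << 16):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit_hash_list(pinned, algo="sha256"):
    """Compare a {path: hex digest} list against the files now on disk.

    Status per path: 'ok', 'stale' (file exists but its hash changed,
    for example after an update replaced it) or 'missing'.
    """
    report = {}
    for path, expected in pinned.items():
        if not os.path.isfile(path):
            report[path] = "missing"
        elif file_digest(path, algo) == expected.lower():
            report[path] = "ok"
        else:
            report[path] = "stale"
    return report

def demo():
    """Constructed stand-ins for listed binaries; one is 'updated' after pinning."""
    with tempfile.TemporaryDirectory() as d:
        names = ["regedit.exe", "sample_tool.exe", "removed_tool.exe"]
        paths = {n: os.path.join(d, n) for n in names}
        for n, p in paths.items():
            with open(p, "wb") as f:
                f.write(b"build-1 of " + n.encode())
        pinned = {p: file_digest(p) for p in paths.values()}
        # Simulate a major update: one file replaced in place, one removed.
        with open(paths["sample_tool.exe"], "wb") as f:
            f.write(b"build-2 of sample_tool.exe")
        os.remove(paths["removed_tool.exe"])
        report = audit_hash_list(pinned)
        return {os.path.basename(p): s for p, s in report.items()}

if __name__ == "__main__":
    print(demo())
```

Any entry reported as stale no longer identifies the binary at that path, so the list has to be regenerated from the current files.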
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    One should be able to overcome this in the next version - when it comes!

    I have many vulnerable processes based on this list: https://excubits.com/content/files/blacklist.txt so I am looking forward to it.
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    I should upload the new beta version later; some new previews here:

    erp1.png
    erp2.png
    erp3.png
    erp4.png
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
  7. guest

    guest Guest

    @novirusthanks
    The PID is shown as a hexadecimal ID. Can it be changed to a decimal ID in the settings?
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Oh, goodie.
     
  9. guest

    guest Guest

    The Command Line parser seems pretty good, detailed and tweakable. ERP seems ready to take back its throne as King of Anti-Exe.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Yippee!

    Almost candy time :p
     
  11. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,347
    Location:
    Location Unknown
    ETA?? (/me is getting excited!)

    Does anyone here use Image for Windows? I screwed up my VNTERP config and databases from an earlier image. I think the rules are stored in c:\ProgramData, but the corresponding directory in the image was zero bytes. I think IFW has a problem backing up these rules. Can anyone confirm?
     
    Last edited: Oct 23, 2017
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    I have sent a PM to some users with a link to download ERP v4.0 Beta 64-bit (First Release).

    Beta testing for this first release is private to a limited number of users (PM me in case), it will be public for the second release.

    This beta version should be tested only on virtual machines, and it does not yet have all features included (e.g. Vulnerable Processes).

    @paulderdash

    Correct. The structure of the rules is totally different.

    @mood

    It will be fixed on the second beta release.
     
    Last edited: Oct 23, 2017
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    Thank you @novirusthanks
     
  14. guest

    guest Guest

    Ok, thanks :)
     
  15. guest

    guest Guest

    Hi Andreas,

    So, first feedback after 10 min:

    Win10 Home x64, real testing system (No VM here), ran on SUA alongside other solutions (no conflicts so far) and set on Alert or Lockdown Mode.

    1- install went smoothly, it was not complicated ^^
    2- Resource usage very low as expected.
    3- no issue on SUA

    questions:

    1- Why SHA1 as default and not SHA256? SHA1 isn't worthy these days from what I heard.

    Overall it is quite stable, alerts are displayed properly, good job :thumb:, I will keep posting.
     
    Last edited by a moderator: Oct 23, 2017
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Excellent 1st impression. Ran the tests you asked for and they were successful. Tonight ran in a Win 7 VM. Tomorrow I will restore my Desktop Win 10 x64 FCU and test on that.
     
  17. guest

    guest Guest

    @novirusthanks

    1- I see that ProcPermitDialog on the taskbar can't be closed, is that supposed to be so or not? @Peter2150 @Mister X @mood, do you have this behavior too?

    2- Windows' default Metro Apps like Calculator, Mail, etc. aren't whitelisted by default, which could be a no-go for some people.
     
    Last edited by a moderator: Oct 23, 2017
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    On no.1 yes I am seeing it also.
     
  19. guest

    guest Guest

  20. guest

    guest Guest

    Issues:
    1) The alert dialog is not the topmost window and it is "hidden" behind other windows
    2) Moving the scrollbar in "Events" is smooth, but it is the opposite in the file dialog "Expression Builder / Read Data from file". There it is jerky, and sometimes the scrollbar doesn't move after a click on the small arrow buttons of the horizontal or vertical scrollbar.
    3) "Rule Editor - Categories": The category "Alert Dialog" is a category which cannot be edited or deleted. I guess this was the intention of the developers. In this case the "Edit" and "Delete" button should be greyed out.
    4) After a right-click on the tray-icon and "Exit", a memory leak has occurred. Details:
    An unexpected memory leak has occured. The unexpected small block leaks are:
    29 - 36 bytes: TChangeLink x 25, UnicodeString x 10
    37 - 44 bytes: UnicodeString x 10
    45 - 52 bytes: UnicodeString x 2
    61 - 68 bytes: TBitmap x 15
    117 - 124 bytes: TBitmapImage x 15
    133 - 140 bytes: UnicodeString x 3
    189 - 204 bytes: TMenuItem x 25
    ProcPermitDialog.exe has exited with an Exit Status of 0x0, but after that I can see 3 Process Creations and 3 Process Terminations in a row:
    Rightclick on the tray-icon & Exit:
    [Process Termination]
    Process: C:\ProcPermit\ProcPermitDialog.exe
    Exit Status: 0x0
    3x:
    [Process Creation]
    Process: C:\ProcPermit\ProcPermitDialog.exe
    Parent: C:\ProcPermit\ProcPermitSvc.exe
    3x:
    [Process Termination]
    Process: C:\ProcPermit\ProcPermitDialog.exe
    Exit Status: 0x0

    Confirmed
     
  21. guest

    guest Guest

    Issue:
    (Events) If a column is too small to show the whole content, a tooltip is displayed. That's fine, but the same tooltip is shown for all other events.
    a) "Microsoft Windows Pu..." can be seen on the screenshot, but it is "Microsoft Windows Publisher". If I hover over this name with the cursor, a tooltip can be seen.
    b) Now I move my cursor over to a different name (Nir Sofer), and now I see the same tooltip :cautious: (Expected Result: no tooltip)
    ERP_tooltip.png
    It seems it is showing the tooltip of the selected event for all other events too.
    The only column which is showing correct tooltips is "Date/Time"
     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks Andreas. Will do some tests later today on second Win 10 Pro x64 v1709 16299.19 machine, though I doubt I will pick up anything more than the illustrious @guest, @mood, and @Peter2150 (no particular order) ;).
     
  23. guest

    guest Guest

    Confirmed

    Not on my side

    confirmed, several clicks on the arrow are sometimes needed.

    you have to go to > Edit Expression > Read Data from File > select a file, then the rule is created and editable.


    not happened (yet) on my side.

    1- A right-click context menu for the selected rule in the Rules tab would be appreciated.
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Thanks for testing guys =)

    I could reproduce all reported issues, including the memory leak.

    @mood

    Do you mean these scrollbars (when selecting an exe file via "Read Data from file"):

    open-file-scrollbars.png

    @guest

    Yeah, we may pre-add a rule like this to allow all MS Windows Apps:

    Code:
    Process -> Path -> Like to -> C:\Program Files\WindowsApps\Microsoft.*
    Parent Process -> Signer -> Equal to -> Microsoft Windows Publisher
    (OPTIONAL) Parent Process -> Name -> Equal to -> C:\Windows\System32\svchost.exe
    
    rule-windows-apps.png

    We can switch to SHA256 on the next builds.

    That is a bug, will be fixed on second release.
     
    Last edited: Oct 24, 2017
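
Added example, not part of the post above and not ERP's rule engine: a minimal evaluator for a rule shaped like the three conditions in that post, showing that the path wildcard only allows a process when the parent conditions also hold. The field names, the AND semantics, the wildcard meaning of "Like to" and the sample events are assumptions made for illustration.

```python
import fnmatch
import ntpath

# The three conditions from the post, as (field, operator, value) tuples.
RULE = [
    ("process_path", "like", r"C:\Program Files\WindowsApps\Microsoft.*"),
    ("parent_signer", "equal", "Microsoft Windows Publisher"),
    ("parent_name", "equal", r"C:\Windows\System32\svchost.exe"),
]
PATH_FIELDS = {"process_path", "parent_name"}

def _norm(path):
    """Collapse '..' segments and fold case before any path comparison."""
    return ntpath.normpath(path).lower()

def condition_holds(event, field, op, value):
    actual = event.get(field, "")
    if field in PATH_FIELDS:
        actual, value = _norm(actual), value.lower()
    if op == "like":
        return fnmatch.fnmatchcase(actual, value)  # '*' spans backslashes
    if op == "equal":
        return actual == value
    raise ValueError(f"unknown operator: {op}")

def rule_matches(event, rule=RULE):
    """Assumed semantics: every condition must hold for the rule to apply."""
    return all(condition_holds(event, f, op, v) for f, op, v in rule)

# Constructed process-creation events.
SVCHOST = r"C:\Windows\System32\svchost.exe"
CALC = {
    "process_path": r"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_1.0\Calculator.exe",
    "parent_signer": "Microsoft Windows Publisher",
    "parent_name": SVCHOST,
}
# Same process path, but started by a parent with a different signer.
OTHER_PARENT = dict(CALC, parent_signer="Example Corp",
                    parent_name=r"C:\Users\test\launcher.exe")
# Path that only looks like it is under WindowsApps until it is normalised.
DOTDOT = dict(CALC, process_path=r"C:\Program Files\WindowsApps\Microsoft.X\..\..\Temp\tool.exe")

if __name__ == "__main__":
    for name, ev in [("calc", CALC), ("other parent", OTHER_PARENT), ("dotdot", DOTDOT)]:
        print(name, rule_matches(ev))
```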
  25. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Thanks Andreas for sharing :thumb:
     