New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Are the vulnerable processes already there? I can't find them.
     
  2. guest

    guest Guest

    :thumb:
    Will be fun to test it (after the long break)
     
  3. guest

    guest Guest

    Finally :)
     
  4. guest

    guest Guest

    No, you have to import them from the CSV file linked in Andreas' post.
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Okay guys, share your enhanced VPL lists in csv format...
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hmmm
     
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    If I understood right, wildcards are fully supported.
    So why doesn't the default VPL list have something like this:
    *powershell*

    Instead of, or in addition to, specifying the two standard paths of powershell.exe.
    Wouldn't it cover more attack scenarios, to wildcard the VPL?
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    1. The csv file does not include wscript and cscript. I think they should be on any default VPL list.
    2. How to whitelist a command line from the prompt? I clicked on allow, and it made a global allow rule for the vulnerable process itself.
    It is overly awkward to go into settings/rules and create a new rule for every command line that pops up.
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Hate to be a chronic kvetch, but:
    1. Learning mode creates a global allow rule for vulns, instead of whitelisting the command line.
    2. Switching between user accounts sometimes causes the tray icon to disappear; not sure if this affects protection or not (I was in learning mode).
     
  10. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Thanks for sharing...no way not to test it :)
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    In making command lines, please explain:
    - equal to
    - distinct to
    - like to
     
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @JoWazzoo

    Yes

    No, all is new.

    No, all is new.

    It installs to C:\Program Files\NoVirusThanks\EXERadarPro

    @WildByDesign

    Stable v4 may be paid, but may also be freeware; we'll decide prior to releasing it officially.

    @Peter2150

    Vulnerable Processes are not yet built-in, you need to download the .csv file I posted and import it in ERPv4.

    @shmu26

    I made the Vulnerable Processes list very quickly, and yes, wildcards can be used if preferred.

    I have updated VulnerableProcesses_Rules.csv file, it can be re-downloaded and imported:

    http://downloads.novirusthanks.org/files/VulnerableProcesses_Rules.csv

    - equal to = is equal to ---> i.e. C:\Windows\Explorer.exe
    - distinct to = is different to (may be removed since it may not be useful; we added it only for testing some things)
    - like to = is similar to (wildcard supported) ---> i.e. *notepad*

    Can't be done in this build, but I was thinking this:

    a) What do you think about these possible improvements for the Alert Dialog:

    Option 1: We put "checks" on process fields that will be used when "Remember the action" is checked:

    [attachment: option1.png]

    Option 2: We open "Rule Editor" when "Remember the action" is checked:

    [attachment: option2.png]

    b) What do you think about joining "Rule Editor" and "Expression Builder":

    [attachment: new-rule-editor.png]
     


    Last edited: Mar 7, 2018
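
Added example, not code from this thread or from NoVirusThanks: a small Python rule matcher that models the three operators the developer describes above (equal to, distinct to, like to) and shows, on constructed sample events, why a wildcard VPL entry such as `*\powershell.exe` and an allow rule scoped to the command line (what shmu26 asked the alert dialog to create) are tighter than two fixed paths plus a global allow for the process. The CSV column layout, rule names, paths, command lines and the `*`-only wildcard semantics are assumptions made for this example, not EXE Radar Pro's actual file format or engine.

```python
"""
Toy rule matcher for an anti-executable's Vulnerable Process List (VPL).
Everything here is constructed for illustration; the CSV layouts, rule
names and paths are assumptions, not the product's real format.
"""
import csv
import io
import re
from dataclasses import dataclass

# Assumed operator semantics (from the developer's description):
#   "equal to"    exact match, case-insensitive (Windows paths)
#   "distinct to" anything other than the value
#   "like to"     wildcard match; '*' stands for any run of characters
# An empty operator means "no condition on this field".


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a '*'-only wildcard into a regex; all other chars are literal."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")),
                      re.IGNORECASE | re.DOTALL)


def condition_matches(operator: str, value: str, subject: str) -> bool:
    if operator == "":
        return True
    if operator == "equal to":
        return subject.casefold() == value.casefold()
    if operator == "distinct to":
        return subject.casefold() != value.casefold()
    if operator == "like to":
        return wildcard_to_regex(value).fullmatch(subject) is not None
    raise ValueError(f"unknown operator: {operator!r}")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "block"
    process_op: str
    process_value: str
    cmdline_op: str
    cmdline_value: str

    def matches(self, process: str, cmdline: str) -> bool:
        # Both conditions must hold (logical AND).
        return (condition_matches(self.process_op, self.process_value, process)
                and condition_matches(self.cmdline_op, self.cmdline_value, cmdline))


def load_rules(text: str) -> list:
    return [Rule(**row) for row in csv.DictReader(io.StringIO(text))]


def load_vpl(text: str) -> list:
    return [(row["operator"], row["value"]) for row in csv.DictReader(io.StringIO(text))]


def is_vulnerable(vpl: list, process: str) -> bool:
    return any(condition_matches(op, val, process) for op, val in vpl)


def decide(vpl: list, rules: list, process: str, cmdline: str) -> tuple:
    """Return (action, reason). First matching rule wins; a VPL process with
    no matching rule raises an alert (the dialog the posters describe)."""
    if not is_vulnerable(vpl, process):
        return ("allow", "not in VPL")
    for rule in rules:
        if rule.matches(process, cmdline):
            return (rule.action, rule.name)
    return ("alert", "VPL process with no matching rule")


# --- constructed sample data (assumed CSV layout) -------------------------
# One wildcard entry covers both standard PowerShell paths and a copy
# elsewhere, which is the point raised about "*powershell*".
VPL_CSV = r"""operator,value
like to,*\powershell.exe
equal to,C:\Windows\System32\wscript.exe
equal to,C:\Windows\System32\cscript.exe
"""
# Allow rule scoped to the exact command line ...
SCOPED_RULES_CSV = r"""name,action,process_op,process_value,cmdline_op,cmdline_value
backup-script,allow,equal to,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,like to,* -File C:\Scripts\backup.ps1
"""
# ... versus a "global allow" for the process (no command-line condition).
GLOBAL_RULES_CSV = r"""name,action,process_op,process_value,cmdline_op,cmdline_value
global-powershell,allow,equal to,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,,
"""


def demo() -> dict:
    """Decide each constructed event under the scoped and the global rule set."""
    vpl, scoped, glob = load_vpl(VPL_CSV), load_rules(SCOPED_RULES_CSV), load_rules(GLOBAL_RULES_CSV)
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    stray = r"C:\Users\Public\tools\PowerShell.exe"      # copy outside the standard paths
    events = {
        "backup":     (ps, f'"{ps}" -File C:\\Scripts\\backup.ps1'),
        "other-ps":   (ps, f'"{ps}" -Command Get-Process'),
        "stray-copy": (stray, f'"{stray}" -Command Get-Process'),
        "notepad":    (r"C:\Windows\System32\notepad.exe", r'"C:\Windows\System32\notepad.exe" C:\notes.txt'),
        "wscript":    (r"C:\Windows\System32\wscript.exe", r'"C:\Windows\System32\wscript.exe" C:\Windows\Temp\x.vbs'),
    }
    return {name: (decide(vpl, scoped, p, c)[0], decide(vpl, glob, p, c)[0])
            for name, (p, c) in events.items()}


if __name__ == "__main__":
    for name, (scoped_action, global_action) in demo().items():
        print(f"{name:11} scoped={scoped_action:5} global={global_action}")
```

Running it shows the difference the posters are after: the global allow passes every PowerShell command line from the standard path, while the scoped rule only passes the backup script and still alerts on anything else; the wildcard VPL entry also catches the copy of powershell.exe outside the two standard directories, which an "equal to" list of two paths would not.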
  13. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    440
    Yes, please.

    I also think that "distinct to" and "like to" aren't needed, "equal to" should support wildcards, too.
     
  14. guest

    guest Guest

    What do people here think about:

    "Option 1 is the default, then put an "advanced option" button in the alert dialog leading to option 2"?

    option 1 as default can be handled easily by basic users, while a button opening option 2 (with merged editor and builder) will satisfy advanced users.
     
  15. guest

    guest Guest

    After opening a rule you always have to click on "Edit Expression" to edit it. Combining the Rule Editor and the Expression Builder would be a good enhancement.
     
  16. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    +1:thumb:
     
  17. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    +1
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Remember the elegance of v3 is simplicity. Rule builders to me are fine, but we still need the simplicity. Also don't forget the complex rule already needed for Sandboxie, and that one got built into v3.
     
  19. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    What does "Manage excluded processes" mean? What processes should we consider? For me it would be more comfortable to open a "system explorer" in which we can point to the needed app, or to open something like our own process manager to point to the needed one. Next thing: is it possible to add a feature to exclude whole folders with their content?
     
  20. guest

    guest Guest

    Maybe it can be implemented with a setting like "[X] Enable combined Rules Editor" (disabled by default) or something similar.
    After enabling it, the "combined editor" is always shown.
    (...else it will end in a "click-orgy" if a lot of rules have to be edited in a row)
     
  21. guest

    guest Guest

    @mood just merging them by default is the simplest way.
     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @mood @Peter2150

    Just merging "Rule Editor" with "Expression Builder" should make things much easier and faster.

    To make things easier, we're thinking about "splitting" OSArmor into modules (DLLs) and integrating its "internal whitelisting rules" into ERPv4.

    So it will auto-allow all safe process behaviors (i.e Sandboxie Start.exe that uses cmd.exe to clean the Sandbox folder, rundll32.exe safe command-line strings, processes related to Windows updates, and so on). This way you will need to write less rules for vulnerable processes and you would get less alerts.

    @ichito

    "Manage Excluded Processes" allows you to exclude notification dialogs (like "Process Blocked" dialog) of specific processes.

    Useful if you block, say, "C:\test.exe" and you don't want to be notified every time it is blocked with the notification dialog.
     
  23. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    @novirusthanks

    Thanks for making the beta available to us mere mortals :thumb:

    A couple of questions if I may...

    When I get ERP to create rules automatically from dialog alerts, it doesn't include any parent process information. Is that expected? It seems counterproductive to have to amend the rule manually afterwards by copying and pasting the parent info from the ERP log file.

    Would it be possible to enable the functionality where you could create a rule directly from an individual event entry in the Events tab? For example, it would be really efficient to be able to right-click on an event, select "add rule" from a popup menu, and then have ERP bring up its rule builder populated with all the relevant process info from the event. IMHO this would make creating rules retrospectively a lot easier and quicker.
     
  24. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    I had an alert of a blocked process, but didn't have time to read it. Please give the option to have alerts viewable until I manually close each one.

    Also, why separate the rules into pages (1 of 3, 2 of 3, 3 of 3)? It doesn't seem to group rules, and I can just as easily scroll through one page as I can three different pages.
     
    Last edited: Mar 1, 2018
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Sounds good.
     