New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    Allowing all software in the program files folder allows Windows apps to run because the WindowsApp folder is located in the Program Files folder. Having the Windows apps setting unchecked still allows the apps to run. It should be allow all software in the program files folder with the exception of the WindowsApps folder, shouldn't it?
     
    Last edited: Apr 2, 2018
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v4.0 (pre-release) test5:
    http://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test5.exe

*** Please do not share the download link, we will delete it when we release the official v4 ***

    So far this is what's new compared to the previous pre-release:

    + Fixed option "Allow All Software from Program Files folder"
+ Rules are now checked for existing conflicts by action (Allow, Deny, Ask)
    + Expression Builder Parent Process "Name" field renamed to "Full Path Name" for clarity
    + Expression Builder Parent Process "Hash" (SHA1) field is now moved above "Signer" field
    + Removed the option (checkbox) "Block Suspicious Process Behaviors" from "Settings" tab
    + Pre-filled the "Hash (SHA1)" field for Parent Process when from "Custom Rule"->"Edit Expression" is clicked on Alert Dialog
    + Improved fix for "black screen" or "desktop is not loaded" issue
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

We'll add a new action "Exclude" that will be used to exclude (allow) an event (something like "Safe Command-lines" on ERPv3); it will override the other actions.

    What do you think guys?

    @Charyb

We'll discuss it.

    @mood

    Will check that delay and CPU usage behavior.
     
    Last edited: Apr 3, 2018
  3. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    @novirusthanks
This is fixed

This is not.
Thanks for the updates.
     
  4. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
One more thing: when I hover the mouse over ERP it shows "protection disabled" or other modes (depending on what I selected before exiting the GUI),
but the real mode still remains Alert Mode.
     
  5. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    @novirusthanks
    When I edit certain rules in my list of rules, all of the fields in the expression builder are shown as empty.
I think it may be something to do with the length of the command line, as it appears to only affect rules with very long command lines.

    I have reverted back to earlier test builds (3 and 4) and they have the same problem.

    Here is an example rule (Chrome Lastpass plugin) that does not display correctly:
    Code:
    <category>Lastpass</> <action>Allow</> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] [Proc.Hash = 7C3D7281E1151FE4127923F4B4C3CD36438E1A12] [Proc.CmdLine = C:\Windows\system32\cmd.exe /d /c "C:\Program Files (x86)\LastPass\nplastpass.exe" chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.8854e0a3fd73a9cd > \\.\pipe\chrome.nativeMessaging.out.8854e0a3fd73a9cd] [Parent.Name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe] [Parent.Signer = Google Inc] [Action = Allow]</> <enabled>1</> <comment></>
     
  6. guest

    guest Guest

Yes. I did a "command-line test" and after adding a rule with 257 (or more) chars, it appears empty.
256 chars or less seems to work.

Note #1: Switching the status of rules from Enabled->Disabled or the other way around seems to have no effect, and other editing features don't work either (all rules are affected)
     
    Last edited by a moderator: Apr 4, 2018
  7. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Thanks @mood for validating my report :thumb:
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v4.0 (pre-release) test6:
    http://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test6.exe

*** Please do not share the download link, we will delete it when we release the official v4 ***

    So far this is what's new compared to the previous pre-release:

    + Fixed variable-length string for process name, command-line, etc
    * Note: Old Rules.DB file in \ProgramData\NoVirusThanks\EXE Radar Pro\Databases MUST be deleted before running the new build
    * Or you can export any current rules you have and import after the new rules.db is created

    + Fixed Edit Rule dialog for saving fields such as Disable/Enabled status, Category, Action etc.
    + Fixed "the protection mode is always reset to Alert Mode"
    + Fixed Show the actual (active) protection mode when I hover with the mouse over the tray icon
    + New Action = "Exclude" to globally exclude (allow) specific events
    * It will override the other actions and will be checked as first
    + Improved order to check actions and auto-allow options
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    You can use the new Action = Exclude to exclude events from Action = Ask rules.
     
  9. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
  10. guest

    guest Guest

    Not exactly.
By enabling the checkbox "Allow Trusted Vendors", ERP is "enabling" a pre-defined list of Trusted Vendors, but the user doesn't know which Trusted Vendors are actually on the list.
But I know for sure that at least "Google Inc.", "Invincea, Inc.", "NVIDIA Corporation" are on the list (and of course "NoVirusThanks Company Srl" ;)).
    The action "Allow/Trusted Vendor" in the logfile can give a clue:
    Code:
    Action         : Allow/Trusted Vendor
    Expression     : -
    Category       : -
    SHA1           : E5F54A2F3A004AF4C3CD24883B4F1CE38EE583D8
    Signer         : Google Inc
    
    Action         : Allow/Trusted Vendor
    Expression     : -
    Category       : -
    Signer         : NoVirusThanks Company Srl
    
     
  11. guest

    guest Guest

@novirusthanks Is it possible to get back the editable trusted vendor list tab? I don't need hundreds of vendors, only those I currently use.
     
    Last edited by a moderator: Apr 5, 2018
  12. TheErzengel

    TheErzengel Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    38
    Location:
    WWW
    :(
     

  13. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    @novirusthanks
    Thanks for the latest update.

    A couple of feature suggestions if I may:

Would it be possible to add an extra column to the Rules panel that shows the date and time a rule was last used? I am trying to determine if I have rules that have either never been used or not used recently. I have a feeling a number of my rules are redundant or not defined properly, but can't easily tell which ones they are.

Would it also be possible to add a filter to the Events panel so only certain events are shown, e.g. filter on "Action" to only view "Allow" events, or filter on "Category" to only view "Learning Mode" events? Perhaps you could also add a Search function similar to what's available in the Rules panel.
    Update: Potential Bug found!

Not sure if this only affects my PC, but when my laptop is in a locked state (Win + L) no events are captured or recorded by NVT ERP4. As I'm not in front of my PC when it's locked, the events being missed are mainly regularly occurring scheduled tasks. What is interesting is NVT OSA is picking up on these events and recording them in its log files.

    NB. This is on a Windows 8.1 x64 Laptop. I've not tested this on my Win 10 x64 PC.
     
    Last edited: Apr 5, 2018
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v4.0 (pre-release) test7:
    http://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test7.exe

*** Please do not share the download link, we will delete it when we release the official v4 ***

    So far this is what's new compared to the previous pre-release:

    + Right-click option "Enable Selected Rule(s)" on Rules tab
    + Right-click option "Disable Selected Rule(s)" on Rules tab
    + Improved "Allow Known Safe Process Behaviors"
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @shmu26 @Charyb

Yeah, as @mood said, ERP uses a pre-defined list of trusted vendors (signers).

    @guest

    Sure, we will add the possibility to allow users to view and edit the list on the next builds.

    @TheErzengel

    Can you test this new build 7?

    What's your OS? Is it 32 or 64-bit?

    @askmark

    I saved your suggestions, thank you.

    About the possible bug, I will take a look at it.
     
  15. TheErzengel

    TheErzengel Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    38
    Location:
    WWW
    The last build (test 6). My OS is W10 64bit v1709

    :)
     
  16. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

Test 7 has been running with no issues here. However, there is one minor annoyance. I have the option under "Settings" > "Sound Effects" > "Play the system beep sound when the Alert Dialog is displayed" enabled. There seems to be a sort of delayed action when the alert dialog is displayed. The system beep sound does not happen when the alert dialog is displayed but is delayed until you make a selection with the alert dialog. You end up not hearing the system beep sound until after the fact. I believe that the system beep sound should happen simultaneously with the alert dialog being displayed.
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Trying to get back into ERP, I am obviously doing something wrong.
    I have a few vulnerable processes, which are set to "ask", and when I make allow rules for the relevant command lines, the vulns keep on asking me again and again. They are ignoring my allow rules.
    What am I doing wrong?
    exe_radar_pro_4_setup_test7
     
    Last edited: Apr 10, 2018
  18. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    You need to change those Allow rules to be Exclude rules. They will then take priority over the Ask rule.
     
  19. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Thanks. That was it. The prompts are slowly dying out.
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
There is an "exclude" rule that doesn't work. Log says:
    Date/Time : 2018-04-10 22:14:45.906
    Action : Allow/Excluded
    Expression : [Proc.Name = rundll32.exe] [Proc.Path = C:\Windows\System32] [Proc.CmdLine = C:\WINDOWS\system32\rundll32.exe "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonOffice64PI.dll",AdminAction64 3 0] [Action = Exclude]
    Category : UnCategorized
    PID : 8356
    Process : C:\Windows\System32\rundll32.exe
    Integrity Level: Medium
    User/Domain : ME/DESKTOP-######
    System File : True
    SHA1 : 1C99C20757B039D88F59B02B7753A730A90BF2AD
    Signer :
    Command : C:\WINDOWS\system32\rundll32.exe "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonOffice64PI.dll",AdminAction64 3 0
    Parent : C:\Windows\SysWOW64\rundll32.exe
    Parent SHA1 : 620C1913EB3BAC6D0261EBB081BBBF3D71858C06
    Parent Signer :

    I needed to shorten the command line to get it to work:
    C:\WINDOWS\system32\rundll32.exe "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\*

    Is the command line too long?
     
  21. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    It seems as if some vulnerable processes are not being blocked. See screenshot.
    I tried a few of them, and I got mixed results. Mshta is blocked, but wscript and others are not.
    Maybe this is similar to the bug that @Peter2150 reported earlier?
    Or is there something special about executing from Search Everything?

    EDIT: Both with ERP and with OSA, results are erratic when blocked processes are executed from Search Everything.

    Date/Time: 2018-04-11 08:49:05.676
    Action: Allow/System File
    PID: 9236
    Process Path: C:\Windows\System32\wscript.exe
    SHA1: 88B5CF3DBAEE54C8BA8CE1273EBE833264C266DA
    Signer:
    Command Line: "C:\Windows\System32\wscript.exe"
    Parent: C:\Program Files\Everything\Everything.exe
    Parent SHA1: 669B619C8560A6A21DF424D774AD9C94B6BC0701
    Parent Signer: David Carpenter
    Expression: -
    Category: -
    User/Domain: shmue/DESKTOP-QFDS7K2
    Integrity Level: Medium
    System File: True

     
    Last edited: Apr 11, 2018
  22. guest

    guest Guest

    Look closely at the output - "Action: Allow/System File"
    You have selected: "Allow System Files" in the Settings.
    In this case the setting seems to have a higher priority than the deny-rule (to verify: untick the setting and for example wscript.exe will now be blocked)
     
  23. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    That's an interesting point. But I get different results if I execute the files from Explorer. If "Allow System Files" overrides block rules, then the results should be consistent. Also, I should not see the same behavior in OSA, where such a setting does not exist.
     
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Okay, to test it, I disabled "Allow System Files".
    True, I now get a prompt for system processes that I set to "ask". But I also get a prompt for system processes that I did not set to "ask".
If you disable "Allow System Files", you don't really need much of a VPL, because all the unsigned Windows processes will prompt.
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @shmu26

Yeah, looks like System Files are checked before "Deny" rules, and from the XML file I uploaded I set wscript.exe to "Deny", but if you run it, it will be allowed because it is a System File. If you set it to "Ask" then it works as expected. I will update the order, moving "Deny" before System Files. Will upload the new build next week.
     
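Added example (not NoVirusThanks code): a small Python model of the v4 pre-release check order as the posts above describe it. Exclude is checked first and overrides everything; in test7 the "Allow System Files" setting is evaluated before Deny rules, and the announced fix moves Deny ahead of it; Ask rules win over plain Allow rules, which is why the Allow rules in the earlier exchange had to become Exclude rules. The Event and Rule types, the set of supported expression fields and the default Ask fallback are assumptions, not ERP's implementation.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    name: str           # Proc.Name
    path: str           # Proc.Path
    cmdline: str        # Proc.CmdLine
    system_file: bool   # the "System File : True" field seen in the ERP log

@dataclass
class Rule:
    action: str         # Exclude, Allow, Deny or Ask
    expr: str           # ERP-style "[Field = value]" terms; a trailing * is a wildcard

# Fields this toy evaluator understands; other terms (Parent.*, Action) are skipped.
FIELDS = {"Proc.Name": "name", "Proc.Path": "path", "Proc.CmdLine": "cmdline"}

def matches(rule: Rule, ev: Event) -> bool:
    """True when every supported [Field = value] term of the rule matches the event."""
    for field, value in re.findall(r"\[([\w.]+) = ([^\]]*)\]", rule.expr):
        if field not in FIELDS:
            continue
        pattern = re.escape(value).replace(r"\*", ".*")   # * becomes a wildcard
        if not re.fullmatch(pattern, getattr(ev, FIELDS[field]), re.IGNORECASE):
            return False
    return True

def decide(ev: Event, rules: list, allow_system_files: bool = True,
           deny_before_system_files: bool = False) -> tuple:
    """Return (action, reason) using the check order described in the thread."""
    # 1. Exclude is checked first and overrides every other action (test6 notes).
    for r in rules:
        if r.action == "Exclude" and matches(r, ev):
            return ("Allow", "Excluded")
    # 2. test7 order: the "Allow System Files" setting before Deny rules (the bug
    #    shmu26 hit); the announced fix moves Deny ahead of it. Ask beats Allow.
    order = ["System File", "Deny", "Ask", "Allow"]
    if deny_before_system_files:
        order = ["Deny", "System File", "Ask", "Allow"]
    for step in order:
        if step == "System File":
            if allow_system_files and ev.system_file:
                return ("Allow", "System File")
            continue
        for r in rules:
            if r.action == step and matches(r, ev):
                return (step, "Rule")
    # Assumption: with no matching rule, Alert Mode asks the user.
    return ("Ask", "No rule")
```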