New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    Does anyone have the link to the most recent v3.1 build? I thought it was around page 188, but I haven't been able to find it. I like v4, but 3 seems easier to use and has more options ATM.
     
  2. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think you can actually do more as far as mitigation goes with Version 4, it's just not as user friendly. This makes it more difficult to beta test also because there is no documentation available yet.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Nope. Respectively take and side with ERP4 for its exceptional capability to raise notice as needed and the sensitivity it affords a user to visually and immediately identify and give you the option to set aside the found process into an acceptable category for you to settle your mind it is safely locked into a rule of containment.

    In my experience and opinion of course.
     
  5. guest

    guest Guest

    The true power of ERP was and still is its command line parser, a feature OSA will never have since it was originally designed to be a silent app for Average Joes.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    But what I'm trying to figure out is if these certificates are already present on the system, or are they imported by ERP? And where are they stored, is it some internal ERP file? I've always wondered about how security tools implement this.

    Seems like the first is fixed, but column-size in Events are not saved. I don't want to see most columns, but after restart of ERP, I have to resize/hide them again.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    ERP 4 has parent child control though, which ERP 3 did not have. You can take a vulnerable application like a web browser, pdf reader, Office apps, media player, etc., and define exactly what child processes are allowed to be spawned by that vulnerable application. If a vulnerable application is exploited then it will have a very difficult time spreading beyond the exploited app to become persistent. The combination of command line checking and parent child control will make it much more difficult for exploits to bypass if used correctly.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    :thumb:

    Truer words just can't be spoken or typed. ERP has raised the bar with PC Security and you can add the performance hit, well there is none.

    That in and of itself is a testament to some very finely detailed and no doubt painstaking code setting, line by line, with very rigorous internal effort to their software refining process. Whatever that secret might be. :rolleyes:

    ERP 4 for me is akin to hi-rise aluminum manifold w/Holley 4 barrel double-pumper with a dual point distributor, 80,000 Volt Coil plus slingshot 6:14 ring n pinion for those who know what all that means.
     
    Last edited: May 19, 2018
  9. guest

    guest Guest

    Yes, ERP stays a real anti-exe, no more, no less. No bloat features.
     
  10. guest

    guest Guest

  11. guest

    guest Guest

    FYI:
    With ERP v4 it is possible to block applications from opening other executables (with the help of Parent Process rules)
    (For example: a browser is only allowed to launch specific executables, all other executables [even if they are whitelisted] are automatically blocked)

    Two steps are needed:
    a) Deny-Rule: First the application must be blocked from opening all other executables
    b) Exclude-Rule: In the case of for example Google Chrome, chrome.exe needs to be able to execute chrome.exe, so it must be excluded.
    Code:
    Chrome
    [Parent.Name LIKE *\chrome.exe] [Action = Deny]
    [Proc.Signer = Google Inc] [Parent.Name LIKE *\chrome.exe] [Action = Exclude]
    
    Firefox
    [Parent.Name LIKE *\firefox.exe] [Action = Deny]
    [Proc.Signer = Mozilla Corporation] [Parent.Name LIKE *\firefox.exe] [Action = Exclude]
    or
    [Parent.Name LIKE *\firefox.exe] [Action = Deny]
    [Proc.Signer = Mozilla Corporation] [Proc.Path LIKE c:\Program Files\Mozilla Firefox] [Parent.Name LIKE *\firefox.exe] [Action = Exclude]
    
    Sumatra PDF
    [Parent.Name LIKE *\SumatraPDF.exe] [Action = Deny]
    
    Code:
    <category>Browser</> <action>Exclude</> <expression>[Proc.Signer = Google Inc] [Parent.Name LIKE *\chrome.exe] [Action = Exclude]</> <enabled>1</> <comment>Google Chrome</>
    <category>Browser</> <action>Deny</><expression>[Parent.Name LIKE *\chrome.exe] [Action = Deny]</> <enabled>1</> <comment>Google Chrome</>
    
    <category>Browser</> <action>Exclude</> <expression>[Proc.Signer = Mozilla Corporation] [Proc.Path LIKE c:\Program Files\Mozilla Firefox] [Parent.Name LIKE *\firefox.exe] [Action = Exclude]</> <enabled>1</> <comment>Mozilla Firefox</>
    <category>Browser</> <action>Deny</> <expression>[Parent.Name LIKE *\firefox.exe] [Action = Deny]</> <enabled>1</> <comment>Mozilla Firefox</>
    
    <category>PDF</> <action>Deny</> <expression>[Parent.Name LIKE *\SumatraPDF.exe] [Action = Deny]</> <enabled>1</> <comment>Sumatra PDF</>
    
    
    Step (b) isn't needed if the application doesn't need to execute other processes.
    And of course there are a lot of other variants of how the Deny-/Exclude-rules might look.

    The above rules might introduce some blockings. If this is the case the blocked process should be excluded ("Events" + "Create Rule from Event"; important is to include the Parent Process in the rule [it is not selected by default if a rule is about to be created])
     
  12. guest

    guest Guest

    @novirusthanks
    Importing of Rules:
    If for example a file with 100 rules is imported and one of these rules already exists, an error dialog is shown: "Rule importing failed!"
    At first the user has the impression that not a single rule has been imported but this is not the case.
    99 rules have actually been imported, only one rule hasn't been imported.
    Is it possible to show a different dialog (and perhaps more information)? For example: "99 rules have been imported, 1 rule was ignored" / "Some rules couldn't be imported" or something similar (instead of showing an error dialog)?
    So the user now knows that importing was (partly) successful.
     
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Just a quick update:

    Here is a new v4.0 (pre-release) test15:
    http://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test15.exe

    *** Please do not share the download link, we will delete it when we release the official v4 ***

    So far this is what's new compared to the previous pre-release:

    + On "Expression Builder" form, renamed "Process" to "Child Process"
    + User is able to highlight/select "more than one" Trusted Vendor and after clicking on "Delete Vendor" all highlighted/selected Vendors are deleted

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @Cutting_Edgetech

    Done, renamed Process on top to Child Process.

    "Child Process" (the old "Process") section handles details about the child process.

    "Parent Process" section handles details about parent process.

    Some examples:

    If you set Parent.Name = C:\WINDOWS\explorer.exe and Proc.Name = test.exe and action = Allow:

    C:\WINDOWS\explorer.exe will be allowed to execute any process named "test.exe"

    If you set Parent.Name = C:\WINDOWS\explorer.exe and Proc.Name = test.exe and Proc.Path = C:\MyFolder and action = Allow:

    C:\WINDOWS\explorer.exe will be allowed to execute the process named "test.exe" and located in C:\MyFolder

    @mood example is perfect to control child processes of vulnerable applications:

    https://www.wilderssecurity.com/thr...ks-exe-radar-pro.300552/page-273#post-2758024

    In short, you can block any child process executed from vulnerable applications (using Deny-action) and then, if the application needs to run child processes, you can allow only known and safe child processes (using Exclude-action).

    @mood

    Yes, will be added on next build.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Interesting dialog describing the process chain set internally and rules selections.

    Also proactive measures available to configure per desired preference or result if you will.

    Appreciate that.

    Thanks @mood @Cutting_Edgetech others and as always great work @novirusthanks
     
    Last edited: May 20, 2018
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think the big thing right now is trying to make it as user friendly as possible without giving up functionality, and Security.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thanks!
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    For informational purposes: I have had PresentationHost.exe on my Blacklist for at least 3 years, and it has not been blocked a single time. I thought you might like to know that.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have been using Test 15 on Windows 10 x64 Educational Edition 1703 in my VM since yesterday. I have not identified any bugs yet.
     
  19. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    I have installed the latest build on my Win 10 x64 Pro and it looks OK. But one question please

    Goto Main Window - Settings - View Edit Vendors - Add Vendor, you have to type in there the full name of the Vendor for example I added "Ghisler Software GmbH" ( The Maker of Total Commander). Why not add the possibility to read the info from the FileName in the "Add Vendor" dialog ?

    OK, you can copy the vendor name from one of the Rules, but I think this way is easier.

    Edit: 15:12

    I just found out that when in "Trusted Vendors" list and you right click on a vendor you have the option "Extract Signer From File", strange place for that IMHO
     
    Last edited: May 22, 2018
  20. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Noticed something cosmetic

    In the Rules list, both Added and Updated also have Ms (Milliseconds) so they have the following format HH:mm:ss:fff.

    HH:mm:ss, would suffice I think
     
  21. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Found something else (Minor indeed :thumb:)

    Steps to reproduce :
    - Add a new rule
    - Select Read data from File
    - Browse to any file
    - Save Rule

    Now click Export Rules
    - Click the ... next to file in the "Export Rules" dialog
    - Save as Dialog is pointing to the same directory as "Read Data From file" was pointing to and NOT the last directory "Rules.xml" was saved to.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Does Allow Mode give an Audit of what would be blocked in the Event Log if Protection was enabled?
     
  23. guest

    guest Guest

    "Action=Deny" Blocked processes will still be blocked if Allow Mode is being used.
    "Action=Ask" Processes will be allowed in Allow Mode.
    Unknown Processes will be allowed.
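To make the parent/child rule semantics described in posts 11 and 13 and the Allow Mode behaviour from post 23 concrete, here is an added Python example (not ERP's code, and not anything the developer posted). The bracketed rule grammar is a small re-implementation of the expressions quoted above; the precedence it uses (Exclude checked before everything else, a matching Deny enforced even in Allow Mode, Ask rules and unknown processes let through in Allow Mode, unknown processes prompted for in Alert mode and blocked in Lockdown mode) is assumed from the posts, not taken from ERP documentation. The `audit` function sketches the "what would have been blocked" report requested in the following post. All process events are constructed.

```python
"""Toy evaluator for ERP-v4-style parent/child rules (added example, not ERP code).

Assumed evaluation order, taken from the thread: Exclude rules are checked
first, a matching Deny is enforced even in Allow Mode, Ask rules and unknown
processes run in Allow Mode, and an unknown process is prompted for in Alert
mode and blocked in Lockdown mode.
"""
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One process-creation event as the driver would report it (constructed)."""
    parent_name: str  # full path of the parent process
    proc_name: str    # file name of the child process
    proc_path: str    # directory the child image is loaded from
    proc_signer: str  # Authenticode signer name, "" when unsigned


# Fields a rule may test, mapped onto the event attribute they read.
FIELDS = {
    "Parent.Name": lambda e: e.parent_name,
    "Proc.Name": lambda e: e.proc_name,
    "Proc.Path": lambda e: e.proc_path,
    "Proc.Signer": lambda e: e.proc_signer,
}
CLAUSE = re.compile(
    r"\[(Parent\.Name|Proc\.Name|Proc\.Path|Proc\.Signer|Action)\s*(=|LIKE)\s*([^\]]+)\]")


def parse_rule(text):
    """Split '[Parent.Name LIKE *\\chrome.exe] [Action = Deny]' into
    ([(field, op, value), ...], action)."""
    conds, action = [], None
    for field, op, value in CLAUSE.findall(text):
        if field == "Action":
            action = value.strip()
        else:
            conds.append((field, op, value.strip()))
    return conds, action


def matches(conds, event):
    """Every clause must hold. '=' is a case-insensitive exact compare; LIKE is a
    wildcard match, or a substring match when the value carries no '*' (assumed
    semantics for '[Proc.Path LIKE c:\\Program Files\\Mozilla Firefox]')."""
    for field, op, value in conds:
        actual, want = FIELDS[field](event).lower(), value.lower()
        if op == "=":
            ok = actual == want
        elif "*" in want:
            ok = fnmatch.fnmatchcase(actual, want)
        else:
            ok = want in actual
        if not ok:
            return False
    return True


def decide(rules, event, mode="Alert"):
    """Return (verdict, reason) for one event under a protection mode."""
    parsed = [(parse_rule(r), r) for r in rules]
    for (conds, action), text in parsed:      # Exclude wins over any Deny
        if action == "Exclude" and matches(conds, event):
            return "Allow", "excluded by " + text
    for (conds, action), text in parsed:      # first remaining match decides
        if matches(conds, event):
            if action == "Ask" and mode == "Allow":
                return "Allow", "Allow Mode runs Ask-rule processes: " + text
            return action, "matched " + text
    unknown = {"Alert": "Ask", "Lockdown": "Deny", "Allow": "Allow"}
    return unknown[mode], "no rule matched (unknown process)"


def audit(rules, events):
    """Audit-style report: the verdict each event would get in Alert and
    Lockdown mode, computed without enforcing anything."""
    return {name: {m: decide(rules, ev, m)[0] for m in ("Alert", "Lockdown")}
            for name, ev in events.items()}


# The rules posted above, plus the explorer.exe/test.exe example from post 13.
RULES = [
    r"[Proc.Signer = Google Inc] [Parent.Name LIKE *\chrome.exe] [Action = Exclude]",
    r"[Parent.Name LIKE *\chrome.exe] [Action = Deny]",
    r"[Proc.Signer = Mozilla Corporation] [Proc.Path LIKE c:\Program Files\Mozilla Firefox] "
    r"[Parent.Name LIKE *\firefox.exe] [Action = Exclude]",
    r"[Parent.Name LIKE *\firefox.exe] [Action = Deny]",
    r"[Parent.Name LIKE *\SumatraPDF.exe] [Action = Deny]",
    r"[Parent.Name = C:\WINDOWS\explorer.exe] [Proc.Name = test.exe] [Proc.Path = C:\MyFolder] [Action = Allow]",
]

# Constructed process-creation events; paths and signers are illustrative.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = {
    "chrome renderer": Event(CHROME, "chrome.exe", r"C:\Program Files\Google\Chrome\Application", "Google Inc"),
    "chrome spawns powershell": Event(CHROME, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0", "Microsoft Windows"),
    "firefox child from Temp": Event(r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe", r"C:\Users\u\AppData\Local\Temp", "Mozilla Corporation"),
    "sumatra opens cmd": Event(r"C:\Program Files\SumatraPDF\SumatraPDF.exe", "cmd.exe", r"C:\Windows\System32", "Microsoft Windows"),
    "explorer runs test.exe": Event(r"C:\WINDOWS\explorer.exe", "test.exe", r"C:\MyFolder", ""),
    "explorer runs unknown": Event(r"C:\WINDOWS\explorer.exe", "tool.exe", r"C:\Users\u\Downloads", ""),
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        for mode in ("Alert", "Lockdown", "Allow"):
            verdict, why = decide(RULES, ev, mode)
            print(f"{name:26} {mode:9} {verdict:6} {why}")
    print(audit(RULES, EVENTS))
```

Running it shows the two points the posts make: a signed chrome.exe child of chrome.exe is excluded while a powershell.exe child of the same parent is denied in every mode, and a firefox.exe copy launched from Temp fails the stricter Proc.Path variant even though its signer is right. The `audit` output is the kind of "would have been blocked" table that Allow Mode alone does not give you.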
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I would recommend adding an Audit Mode that informs the user what would have been blocked/allowed if they were operating in Alert, or Lockdown Mode. This will be a very helpful tool for Admins, and it's a feature I would use at home also. It would help identify problems before they occur. It would also be a very helpful tool NVT could use. They could write experimental rules, and see what would be blocked on the system without causing any damage to the system.

    Edited 5/23/18 @ 7:23
     
    Last edited: May 23, 2018
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Can you confirm the bug that I reported?

     