New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. guest

    guest Guest

    Yep, sometimes it is hard to "catch" events if the list is scrolling down because new processes are launched.
    Adding of a checkbox "Auto-scroll Events" or something similar could be indeed useful:
    [attachment: ERP_Idea_Auto-scroll_Events.png]
    ...and a search box:
    [attachment: ERP_Events_Suggestion_Search Box.png]
     
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v4.0 (pre-release) test25:
    https://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test25.exe

    *** Please do not share the download link, we will delete it when we release the official v4 ***

    So far this is what's new compared to the previous pre-release:

    + Updated "Home" tab
    + Fixed "Show Last N Events in Viewer"
    + On "Expression Builder" changed the name of "Like to" to "Like to (Wildcard)"
    + "Distinct To" re-added to Expression Builder to support already existing rules (via Editing). "Distinct To" is only dynamically removed from New rule creations (Add button on Rule Manager and Create Rule from Event in Events Tab). This allows for backwards compatibility for previously existing rules that used Distinct To and restricts the future use of it in New rules
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @mood

    About this:

    https://www.wilderssecurity.com/thr...ks-exe-radar-pro.300552/page-283#post-2773595

    I think it was caused because you had a rule with Action = Distinct to

    Can you try the new build 25?

    @iammike

    Thanks a lot for all the testings!

    Personally here I am not seeing the delay you noticed.

    You may see a very small delay with new processes on first execution; after that we use a smart caching system to avoid it.

    Also keep in mind that it may need a few milliseconds to validate a Signer in some cases.

    @Rasheed187

    Please share them here so I can add them to safe behaviors.

    That's strange, works fine for me here, but will double check it.

    Does it happen always or randomly?

    @EASTER @Mr.X

    Already in the todo list ;)

    We'll need to discuss it later and see how to implement it now that there are many process fields to match.

    Maybe we can do that only for rules that have proc.Name + Proc.Path + Proc.Hash (added via Learning Mode, for example).

    Now that you can match many processes fields, you can drastically reduce needed rules.

    In most cases instead of checking file hash (that changes frequently), you can just check the process path + signer (for example).

    @askmark

    Wrote in the todo list =)
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks @novirusthanks as always. Looking sharp (+ Updated "Home" tab) :thumb:
    [attachment: e.jpg]
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Thanks @novirusthanks

    Request: could you add an option to disable protection until reboot?
     
  5. guest

    guest Guest

    I can assure you that I have no rule with "Distinct to" and I have never created such rules (only rules with "Like to" and "Equal to").
    I tested it again with a clean database (test24), created a single rule and used "Copy/Duplicate Selected Rule".
    [attachments: RadarPro_test24_2) Editing of rule_error dialog.png, RadarPro_test24_3) Editing of rule.png]
    "Edit selected Rule" always works correctly, but not "Copy/Duplicate Selected Rule" if "Like to" is in a rule.

    But ok, it works now (test25) and no error dialog appears anymore :)
     
  6. guest

    guest Guest

    I can offer two of them:

    WaaSMedic.exe (System File) is launching cmd.exe (Vulnerable Process) each day:
    Code:
    Process        : C:\Windows\System32\cmd.exe
    Integrity Level: System
    System File    : True
    Signer         :
    Command        : /c w32tm.exe /stripchart /computer:time.windows.com /dataonly /samples:1
    Parent         : C:\Windows\System32\WaaSMedic.exe
    Parent Signer  :
    
    rundll32.exe (Vulnerable Process) is launched after a right-click on the taskbar volume control icon and clicking on "Playback devices":
    Code:
    Process Path: C:\Windows\System32\rundll32.exe
    Signer: 
    Command Line: "C:\WINDOWS\system32\rundll32.exe" shell32.dll,Control_RunDLL mmsys.cpl,,playback
    Parent: C:\Windows\explorer.exe
    Parent Signer: Microsoft Windows
    Integrity Level: Medium
    System File: True
    
     
  7. guest

    guest Guest

    Hi guys,

    I'm also having a delay when I open some apps. But it only occurs when I open apps not located under "Program Files". I have a folder full of portable apps and most of them suffer from it.
    The delay starts after rebooting the computer after the installation of EXE Radar Pro.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It always happens. I personally like to completely hide certain columns, but they keep coming back after ERP restart. I think the only good solution is to give an ability to choose which columns should be visible like in Process Explorer and almost every Nirsoft tool. BTW, the bug that I reported with the Event Viewer is fixed, it now correctly shows the last 2500 entries, and I like what you have done with the Home tab.

    Now some other comments, can you make columns sortable in Events? Can you perhaps tell me how to allow certain parent processes to execute a blacklisted process? With that I mean only certain processes should be able to run explorer.exe, svchost.exe and firefox.exe for example.

    And one thing I didn't understand is why a certain system service is allowed to run in Lockdown mode but as soon as you kill it and switch to alert mode, you will be alerted about it upon launch. Is this normal behavior? I do use the "Allow System Files" setting, but this system service is not related to Windows.
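As an added example (not part of any post and not NoVirusThanks code), the toy matcher below takes the two events @guest posted earlier (WaaSMedic.exe launching cmd.exe for w32tm, and explorer.exe launching rundll32.exe for the Sound control panel) plus two constructed events, and shows how multi-field rules answer the question above about letting only certain parent processes run a blacklisted process, and @novirusthanks's point that path + signer + command line can stand in for a hash that changes with every update. The rule names, the operator names "Equal to" and "Like to (Wildcard)", the first-match-wins order and the sample events are assumptions made for the example; real ERP rule semantics may differ.

```python
"""Toy multi-field rule matcher in the style of ERP's Rule Manager.

Added example (not NoVirusThanks code). Rule names, the operator
names "Equal to" / "Like to (Wildcard)", and all sample events are
assumptions; the first two events are transcribed from the thread,
the last two are constructed for contrast.
"""
from dataclasses import dataclass, replace
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """A process-creation event with the fields ERP shows in Events."""
    process: str
    command: str
    parent: str
    signer: str = ""
    parent_signer: str = ""
    integrity: str = "Medium"
    system_file: bool = False
    sha256: str = ""          # deliberately unused by the rules below


def _equal(value: str, pattern: str) -> bool:
    return value.lower() == pattern.lower()


def _like(value: str, pattern: str) -> bool:
    # Shell-style * and ? wildcards; backslashes are literal in fnmatch,
    # so Windows paths can be written as-is. Case-insensitive like NTFS.
    return fnmatchcase(value.lower(), pattern.lower())


OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Equal to": _equal,
    "Like to (Wildcard)": _like,
}

Condition = Tuple[str, str, str]   # (field, operator, pattern)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "Allow" or "Block"
    conditions: Tuple[Condition, ...]

    def matches(self, ev: Event) -> bool:
        # All conditions must hold: AND across fields, as in the Rule Editor.
        return all(OPERATORS[op](str(getattr(ev, fld)), pat)
                   for fld, op, pat in self.conditions)


def decide(rules: List[Rule], ev: Event, default: str = "Alert") -> Tuple[str, str]:
    """First matching rule wins, in list order; with no match, fall back to
    `default` (prompt in Alert mode; a Lockdown-mode caller would pass "Block")."""
    for rule in rules:
        if rule.matches(ev):
            return rule.action, rule.name
    return default, "(no rule)"


# Narrow Allow rules go first, each pinning the parent and command line,
# then blanket Block rules for the vulnerable processes. No hash anywhere,
# so a Windows update that changes cmd.exe does not invalidate the rules.
RULES: List[Rule] = [
    Rule("WaaSMedic time sync", "Allow", (
        ("process", "Equal to", r"C:\Windows\System32\cmd.exe"),
        ("parent", "Equal to", r"C:\Windows\System32\WaaSMedic.exe"),
        ("command", "Like to (Wildcard)", "/c w32tm.exe /stripchart /computer:time.windows.com*"),
    )),
    Rule("Sound control panel", "Allow", (
        ("process", "Equal to", r"C:\Windows\System32\rundll32.exe"),
        ("parent", "Equal to", r"C:\Windows\explorer.exe"),
        ("parent_signer", "Equal to", "Microsoft Windows"),
        ("command", "Like to (Wildcard)", "*shell32.dll,Control_RunDLL mmsys.cpl*"),
    )),
    Rule("Block cmd.exe", "Block", (("process", "Like to (Wildcard)", r"*\cmd.exe"),)),
    Rule("Block rundll32.exe", "Block", (("process", "Like to (Wildcard)", r"*\rundll32.exe"),)),
]

# Events 1 and 2 are the ones posted in the thread; 3 and 4 are constructed.
EV_WAASMEDIC = Event(
    process=r"C:\Windows\System32\cmd.exe",
    command="/c w32tm.exe /stripchart /computer:time.windows.com /dataonly /samples:1",
    parent=r"C:\Windows\System32\WaaSMedic.exe", integrity="System", system_file=True)
EV_MMSYS = Event(
    process=r"C:\Windows\System32\rundll32.exe",
    command=r'"C:\WINDOWS\system32\rundll32.exe" shell32.dll,Control_RunDLL mmsys.cpl,,playback',
    parent=r"C:\Windows\explorer.exe", parent_signer="Microsoft Windows", system_file=True)
EV_UNKNOWN_PARENT = Event(              # constructed: same binary, untrusted parent
    process=r"C:\Windows\System32\cmd.exe", command="/c whoami",
    parent=r"C:\Users\xxx\Downloads\setup.exe", system_file=True)
EV_OTHER_CPL = Event(                   # constructed: same parent, different applet
    process=r"C:\Windows\System32\rundll32.exe",
    command=r'"C:\WINDOWS\system32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl',
    parent=r"C:\Windows\explorer.exe", parent_signer="Microsoft Windows", system_file=True)


def rehash(ev: Event, sha256: str) -> Event:
    """Simulate the binary being updated: only the hash changes."""
    return replace(ev, sha256=sha256)


if __name__ == "__main__":
    for ev in (EV_WAASMEDIC, EV_MMSYS, EV_UNKNOWN_PARENT, EV_OTHER_CPL):
        action, why = decide(RULES, ev)
        print(f"{action:5s} {ev.process} <- {ev.parent}  [{why}]")
```

The command-line condition is what keeps each Allow rule narrow: cmd.exe is only let through for the exact w32tm invocation, and rundll32.exe only for the mmsys.cpl applet, so the same parent launching a different applet still falls through to the Block rule. Because no condition reads `sha256`, `rehash()` shows that an updated binary keeps matching, which is the hash-churn problem @novirusthanks describes.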
     
  9. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    novirusthanks, are we ever going to get native windows skinning like version 3? That allowed ERP to use the windows theme. This god-awful whiteness burns my retinas. Seriously, I'd almost rather look at John Goodman in a thong than the ERP 4 eye-burning-monstrosity of a white GUI, and that ain't pretty.
     
    Last edited: Aug 20, 2018
  10. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    I would also like to see this extra information re-added because it can be used to see if a process has already been ruled upon.

    Also, if the hash has changed for an Excluded process, an option to just update the hash of the existing rule without prompting would be useful for me - if it's been blocked once, there's usually a reason and I'm not interested in being prompted for it again.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Kind of the way I was looking at this.

    Plus I like your suggestion of a hash change of an Excluded process, once prompted on, as an option to update the existing rule, which in reality is what you would be doing anyway once you excluded it again, of course after confirming it was indeed safe and not tampered with externally. I've practiced using ResHacker to make small changes to menu lists, change font types, or even resources in some of my SAFE files, and ERP v3 alerts to this change AS CHANGED with an amber ribbon, whereas so far v4 simply identifies its alert with "UNKNOWN PROCESS DETECTED", which serves a purpose but would seem better suited if it could identify it similarly to v3 on this particular type.
     
  12. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Agreed. I also prefer native windows look.

    Also, for "Block processes when running from USB", can you add options to a) Ask user (with Allow/Block) and b) Whitelist certain USB devices (I assume each USB device has some unique ID which could be used as signature).
     
  13. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Few comments:

    - Rule list position reset to top after rule modified. It would be better if list position was not changed IMO
    - If Custom rule created from Alert, the alert is not closed after Custom rule is saved.
    - What happened to Protection disabled until reboot from tray icon menu ?
    - When a rule is created, don't discard any of the information, so it can be re-used later. E.g. suppose a rule is created without the Parent Process being enabled. The parent process info should be kept, but the field just unchecked/disabled. This would allow you to easily use it at a later date by just enabling the checkbox, without the need to determine the parent process again.
     
    Last edited: Aug 24, 2018
  14. guest

    guest Guest

    @novirusthanks
    One more useful addition would be if the Alert Dialog displayed the "Product Name" or "File Description" of executables.

    The good thing is that this specific information, which is saved inside the executable, stays the same even if the file itself has been renamed.
    And it might help to have an additional piece of information about the file, for example:
    Code:
    Name: setup.exe
    Path: C:\Users\xxx\AppData\Local\Temp\7zS8CEDSAD1
    Description: Firefox Installer
    
    Or:
    
    Name: procexp64.exe
    Path: C:\Users\xxx\AppData\Local\Temp
    Description: Sysinternals Process Explorer
    
    Name: hmpalert3.exe
    Path: C:\files
    Description: HitmanPro.Alert
    
    After hmpalert.exe has been renamed to xYx.exe:
    Name: xYx.exe
    Path: C:\files
    Description: HitmanPro.Alert
    
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Keep those suggestions and/or needs-for-fix flowing everyone.

    It's absolutely amazing to me how improved and more convenient ERP v4 is progressing along each and every release.
     
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    I feel like a kiddo with brand new toy! /:argh:
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Persistent issue-exclusive to Win 8.1 platform only? Untested with Win 10.

    During extreme heavy memory loads that force an Explorer crash (not from Process Hunter, but Windows' own "the application is not responding" > End Process), the Radar Pro tray icon doesn't reseat back into the tray. A simple restart of Radar Pro from an alternate source sets it back in place again. Not mission critical since the Radar Pro process continues uninhibited. More like a control form issue? Or other.
     
    Last edited: Aug 26, 2018
  18. guest

    guest Guest

    Perhaps ERP is not listening for the message "TaskbarCreated" and therefore isn't re-initializing the taskbar notification icon after a crash.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Yep, entirely likely and sort of an ages-old issue with Windows platforms and frameworks. Remember that antique app Run Me launcher? The whole desktop can go down and turn pale blue but that little Windows XP app won't budge for anything. It stays locked in place. Of course it's not resting on the taskbar either. It's a tab that protrudes from the top or either side of your user screen. Just saying though. Microsoft has never, in any Windows version, seen to it to improve the taskbar area, and in 10 it's actually more annoying than ever to me. LoL

    As long as Explorer is tethered to the taskbar notification area (and it's really drilled in on Win 10), when it crashes, boom, out go the icons, and the connections to some software menus too.
     
    Last edited: Aug 26, 2018
  20. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    https://winaero.com/blog/how-to-start-file-explorer-in-a-separate-process-in-windows-10 there's that
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
  22. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    @novirusthanks

    Super Ugly Bug: Edit Selected Rule > Rule Editor > ... > Categories > Add

    If you add a category with more than 31 characters including spaces, corruption of ERP's files appears:

    a)
    All categories vanish:
    [attachment: cat.png]

    b) Right-click > Close Exe Radar Pro main gui

    c) Run Exe Radar Pro gui again then this dialog shows up:
    [attachment: bounds -1.png]

    d) Now ALL rules are gone!!! :oops:
    [attachment: gone.png]


    Alright, I can understand and accept the limitation but at least I expect the program not to crash and blow up my rules.
     
    Last edited: Aug 28, 2018
  23. guest

    guest Guest

    I wonder what name you gave to that category LOL ;):argh:
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    I knew you were gonna reply, I knew it!!! :argh:
    Code:
    Command Line WhiteList Wildcard
    I'm refining my rules for that stupid interpreter called CMD line, well, its GUI, and wanted to create a new category /doh

    Just saw my old rules database back from ERP v3.x and found that name and copy paste... BOOM!!!
     
    Last edited: Aug 28, 2018
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    One thing is certain. There's no such thing as a dull moment in here :eek::argh:
     