New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    ProgramData is specifically meant as the place to put global/system-wide settings/data (ie. for all users), while <User>\AppData is meant for user-specific settings/data. You could have a checkbox setting to allow the user to specify they either want global settings for all users, or to have independent settings per user, but that brings in extra complications (eg. what to do if it's set to user specific settings, and it's changed to global settings - whose settings to use?)

    EDIT: You can always use a junction point on NTFS partitions to re-direct them to a user specific folder (on a different partition/drive).
     
  2. guest

    guest Guest

    No, in case of multi-user systems, locating the config file in each user profile is logical.
    The way it is right now is perfectly fine, I don't see the point of even discussing it.
     
  3. guest

    guest Guest

    Yes, it is fine as it is now :thumb:
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    Not for me. I started the discussion because of this:
    And all above arguments are valid, I agree, so I also believe it's better to leave the paths in their current state, except that one above which by the way is empty. If it has any use, Andreas could move it into C:\Users\MrX\AppData\Roaming\NoVirusThanks\*

    That's all I want.

    You guessed right. :)
     
  5. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    - If Custom Rule button selected on Unknown Application Detected Alert dialog, the checkboxes on the subsequent Expression Builder dialog do not match the alert dialog (eg. if I check "Command Line", "Parent Process" and "Parent Signer" on alert dialog, these are left unchecked on Expression Builder dialog)

    - Can you append beta number to end of main window title (ie. "NoVirusThanks EXE Radar Pro v4.0 Beta 29")

    - Can you append full version number string to tray icon tooltip (ie. "NoVirusThanks EXE Radar Pro v4.0 Beta 29")
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks @Mr.X- A little delayed in increasing my own VP list and this share is a wonderful help.

    ERP 4 absorbed it right into the pack.
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    You're welcome, note that my list is set to "Ask" when a vuln proc is called but you can change the "action" as well according to your own liking.
     
  8. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    1. Not sure what everyone else thinks about this, but can you merge the Rule Editor dialog and Expression Builder dialog (ie. put all the Expression Builder fields on the Rule Editor window) ?

    I don't like to have to click again to actually edit the rule. Is there a reason for splitting them out into two separate dialogs ?

    2. If the Expression is long the text in the "Expression" column on the main window is truncated, even though the column is wide enough. If you double click the rule and then Save on the Rule Editor window (without changing anything), all the text in the Expression column is no longer truncated.
     
  9. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    3. Can you make the Alert dialog resizable and remember the size/position for future alerts.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Unless this has been fixed already (saw this in version 27) the user cannot check to see if Windows is updating if ERP prompts the user. I was online doing school work when I suddenly began receiving several prompts for various vulnerable processes. The only ones I remember for sure were XCopy.exe, and cmd.exe (there were more). The first thing that came to mind was that Windows might be updating. I tried to check, but Windows Start Menu got stuck on the screen each time due to receiving additional prompts from ERP. Each time it would take about 30 seconds for the Start Screen to close before I could make another attempt to check to see if Windows was updating. I was never able to get past the Windows Start Screen. I tried accessing Windows Update through the notification center also which would be faster, but was unable due to more ERP prompts.

    If this is expected behavior then I feel something really needs to be done about this. ERP kind of forces the user to make a decision without any way of getting more information about what is trying to execute. ERP does not allow the user to launch their web browser also to get information on unknown executables attempting to launch, and with millions or maybe even billions of possible executables that could run on a user's machine it is impossible to know them all.

    I'm using Windows 10 x64 Pro Version 1709.
     

    Last edited: Sep 21, 2018
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    When I was over at Malwarebytes making a post a few days ago I had ERP test 29 block schtasks.exe, but I could not get the prompt to close. It got stuck on the screen for quite some time before it finally allowed me to close it.

    I was operating in Alert Mode. I'm using Windows 10 x64 Pro version 1709.
     

  12. guest

    guest Guest

    Did you select the auto-close option in settings?
     
  13. guest

    guest Guest

    This is intended behaviour. As long as the prompt is not answered, no other process will be started.
     
  14. polly77

    polly77 Registered Member

    Joined:
    Jan 13, 2014
    Posts:
    70
    How is this compared to ReHIPS?
     
  15. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Given this example, surely either program1.exe or cmd.exe would run program2.exe, and so unless program1.exe started cmd.exe asynchronously (which is unlikely if it has to complete before program2.exe is run), then program2.exe would not be started until cmd.exe had finished. However, if another unrelated process (eg. firefox.exe or notepad.exe) was started, then ERP could either prompt/allow immediately, without it affecting program1.exe/cmd.exe/program2.exe.

    Maybe I'm missing something else, but given the example, it certainly seems possible to alert asynchronously.
     
  16. guest

    guest Guest

    Totally different.

    ReHIPS = sandbox + Application Control (kind of anti-exe)
    ERP = Pure and very solid anti-exe, but nothing else.

    ReHIPS offers more protection than ERP because of its sandbox; ERP's granular control of processes is higher than ReHIPS's.
    It all depends on what you are looking for.
    Note that both are for "advanced" users, people who have good skills with Windows processes and can handle complex software.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yes, but I clicked on close multiple times to close it, and it did not close.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I figured it was intended behavior by design, but it blocks the user from being able to check to see if Windows Update is running. They need to provide some way of being able to see if Windows Update is running.
     
  19. guest

    guest Guest

    Use a bandwidth monitor, if you have a full speed download, then you know.
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The ERP prompt would block you from accessing the Bandwidth monitor, wouldn't it?
     
  21. guest

    guest Guest

    Depends on how you set ERP and where the monitor is installed.
    In my case, I installed Rainmeter in Program Files (and enabled the network monitor, a kind of widget always on the desktop); ERP is set to allow execution from Program Files, so no issues.
    And even if you use another location, you can still create an allow/exclude rule.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think you may have misunderstood me. I'm saying you probably wouldn't be able to access the bandwidth meter due to ERP blocking something else that is not part of the meter utility. When ERP blocks something it will not allow anything else to be accessed by the user until the user answers yes or no to the prompt, including the Bandwidth Meter in Program Files. Unless the Bandwidth GUI happens to be already open, and visible it would not be of any use.
     
  23. guest

    guest Guest

    It is loaded at boot on the desktop; if not, I won't have any use for it.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    IMO it's not a practical method to make sure that it's Windows update running unless it gives an alert that Windows is updating at the time one begins receiving ERP prompts. Does it inform you that Windows is updating, or are you relying on the amount of bandwidth being used to assume that it's Windows update?

    Regardless, I just downloaded Rainmeter, and I'm reading about it. I may be interested in using it if it does not use much resources.
     
  25. guest

    guest Guest

    Unless you download movies at that time, I don't see many files that will use your full bandwidth for more than 1 min. The only case was my Metro Apps being updated.
    Maybe not the best way to know, sure, but it works for me.

    Installed version: 0.5% CPU, around 30 MB WS
     