New Antiexecutable: NoVirusThanks EXE Radar Pro

A bit off-topic, but what does MBAE do that HMP.Alert doesn't do?

 

Thanks

 

Yeah, but HitmanPro.Alert is eventually going to operate just like EMET (From what Erik tells me), wouldn't adding both be considered overlap?

 

Come on, Andreas....
http://www.youtube.com/watch?v=VZ2HcRl4wSk

 

We have released NoVirusThanks EXE Radar Pro v2.7.7, read more details and screenshots here:
http://www.novirusthanks.org/news/article/released-novirusthanks-exe-radar-pro-v2-7-7/

Changelog:

[18-07-2013] v2.7.7.0
+ Added buttons Allow and Block with drop-down menu in the alert dialog
+ Optimized list of whitelisted commandline strings for x64 and x86 OS
+ Changed file description of services to "NoVirusThanks EXE Radar Pro x64/x86 Service"
+ Added option "Notify me when a new version is available"
+ After Menu-Restore Default Settings action: "Close the balloon hints after" is set to 5 secs
+ Fixed issue when exporting an empty list, when the settings are imported, the list is cleared correctly
+ Added option "Check for Updates" in Help menu
+ Created an auto-updater application used to automatically update to the latest version
+ If user do not want to update to the new version, remind of the new version available everytime ERP is started
+ When the main window is maximized and then closed, the window state is saved correctly
+ Added option "Allow Microsoft Windows 8 Start Screen processes" to reduce popups in Windows 8 OS
+ Optimized Settings window (removed icons, added Signed Files tab, optimized text, etc)
+ Added new custom mode: "Lockdown Mode (Basic)" that is same as "Lockdown Mode" but it ignores the "Vulnerable Processes"
+ Added new custom mode: "Lockdown Mode (Advanced)" that is same as the old "Lockdown Mode" but it will show an alert dialog for "Vulnerable Processes"
+ Added new custom mode: "Lockdown Mode (Extreme)" that is same as "Lockdown Mode" but it will block "Vulnerable Processes"
+ Added new custom mode: "Alert Mode" that is the default mode (alert when an unknown process is executed)
+ Updated the tray icon popup menu with the new custom modes
+ Removed the tab "Custom Modes" from the Settings window
+ Renamed option "Custom Modes" to "Protection Modes" in tray icon
+ Optimized the tab "Balloon Hints" in the Settings window
+ Protection mode can be changed only from the tray icon
+ Optimized saving of whitelists
+ Added options to reset lists to default, export lists and import lists
+ Added option "Search Hash on VirusTotal" on Quarantine, Blacklist and Whitelist RMB
+ Fixed saving of whitelists items from the alert dialog
+ Optimized auto-generated whitelist of system processes for Microsoft Windows 8.1 OS
+ Optimized the configuration wizard
+ Minor fixes and optimizations

Thanks to all beta testers and all users that helped with suggestions, support and ideas

To update to the new version:

1) Close NoVirusThanks EXE Radar Pro from the tray icon -> RMB -> Exit
2) Uninstall the old version
3) Download the new version from http://www.novirusthanks.org/product/exe-radar-pro/
4) Install the new version

Brief explaination of the new "Protection Modes":

Alert Mode: it is the default protection mode enabled, it shows the alert dialog everytime an unknown process (not whitelisted) tries to run in the system.
Lockdown Mode (Basic): it blocks every unknown process (not whitelisted) and it ignores processes listed in "Vulnerable Processes".
Lockdown Mode (Advanced): this is the old "Lockdown Mode", it blocks every unknown process (not whitelisted) and it shows the alert dialog when a "Vulnerable Process" is executed (if the commandline string is not whitelisted).
Lockdown Mode (Extreme): it blocks every unknown process (not whitelisted) and it blocks also processes listed in "Vulnerable Process" (if the commandline string is not whitelisted).
Trust Mode: it allows any process except blacklisted processes.
Disabled Mode: the real-time protection is disabled, all processes are executed and logged in the Events tab

 

Congratulations to NVT team and all beta testers/users!

 

Nice update, thanks

 

Looks like there are 2 clicks needed to allow something (compared to 1 click in previous versions)?

 

No, it was 1 click only for "Allow Once".
In old popup you had to select an option (2 clicks: on dropdown arrow and on option) and then click on OK button.
Remember?
It was 3 clicks....now there are only 2.....


It is more logical and convenient to separate options, like in other applications.....
The list with mixed options could easily confuse users...

 

Andreas, any news about public beta?

 

I need few more days and it should be released

 

You are right, I remember, but I also remember that I have used "Allow Once" all the time and other options rarely (other "allow options" only in the beginning, and "block options" sometimes - usually when some installer tries to launch my web browser).

In other apps when you click the arrow you get more options and when you click the button you get default action. But I understand that some users would never click on that arrow, so ... But than again how do you get the noob to use this kind of app in the first place.

 

Well, I guess Andreas can not make ALL users happy.
You will have to get used to the new layout....

 

@Pliskin

Personally I was using almost always the "Allow Once" option of the previous alert dialog, but using the two buttons it is more usable for most users, since if an user want to allow a process, he just clicks the button "Allow" and then he can select the preferred option, same for "Block" button. The option to have the "Allow" button that will auto-allow-once the process and the arrow that will drop-down the other options is an idea too. I will check this.

 

Excellent job, Thanks for all your hard work.

I love this new version, running so smooth

 

Working flawless here!

 

Same here, thanks for the nice job NVT.

 

Send you a PM, since this is a ERP thread

 

Hello,

I am having an issue with version 2.7.7. Version 2.7.6 ran fine with no problems. The issue I am having is there are several applications that will run without an alert from ERP. It is just some applications that do not trigger an alert, not all. No alerts are happening with files in the x86 program file folder but all other folders seems fine so far. I have the allow files in the program folder unchecked. I am on Windows 8 Pro x64. Nothing on my system changed, just uninstalled 2.7.6 and installed 2.7.7 with a reboot in between. Any ideas or anyone else seeing this? I have ERP uninstalled at the moment but I do remember two applications that always triggered no alerts, xnview and geekuninstaller (with this one a 32 bit process is launched which does not trigger an alert, and the 32 bit process launches a 64 bit one which does trigger an alert). It is just strange as nothing but ERP changed on my system.

 

Hello again,

This may be an obvious statement but I thought I would add it. Of course for the items that are being alerted to, the ERP DLL is being injected into those processes. For the ones that do not alert, the ERP DLL is not being injected into those processes. The only other security application I am running is Eset Smart Security and 2.7.6 worked fine with it. I have totally disabled all of ESS but that has no effect. I cannot determine why on some applications (32 bit) that the ERP DLL is not being injected and the process will start with no alert.

 

puff-m-d, good find if it holds up to be true.

Also, I have a small complaint. If I disable ERP, to install an application for instance, I naturally have to enter my password to confirm it, but since 2.7.7 I now have to reenter my password to reactivate it. In 2.7.6 I didn't have to do that.

I like receiving notifications when ERP reactivates itself when I disable it for whatever reason, but since 2.7.7 I receive notifications at bootup that ERP is in Alert Mode. These notifications are tied to the balloon hints notifications option. There doesn't appear to be any way to stop them without losing my ERP reactivation pop-up.

I'll give 2.7.7 a little bit longer to see if I grow to like it better but I'm thinking of going back to 2.7.6.

Later...

Bob

 

@puff-m-d

When ERP doesn't detect new processes, in most cases, it means the AV or HIPS installed in the system is blocking ERP to do some things, for example, with ESET AV 6 you need to allow ERP to do file, registry and other modifications in the ESET HIPS module.

Please open the advanced settings in ESET and follow these steps:

1)

Setup -> Enter advanced setup... -> Computer -> Antivirus and antispyware -> Exclusions

Click on "Add" and select the folder where is installed EXE Radar Pro, example:

C:\Program Files\NoVirusThanks\EXE Radar Pro\

And click on "OK" button.

Screenshot: http://postimg.org/image/9xlliockd/

2)

Setup -> Enter advanced setup... -> Computer -> HIPS

Click on "Configure rules..."

Click on "New"

In the "Name" editbox type: EXE RADAR PRO

In the "Action" select "Allow"

In the "Select applications" click on "Add..." and select all .EXE and .DLL files present in the EXE Radar Pro installation folder, example:
C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe
C:\Program Files\NoVirusThanks\EXE Radar Pro\ERPx64.dll
C:\Program Files\NoVirusThanks\EXE Radar Pro\ERPx86.dll
C:\Program Files\NoVirusThanks\EXE Radar Pro\ERPx64Svc.exe

Now move to the next tab "Target files" and put a check in "Use for all operations"
Now move to the next tab "Target applications" and put a check in "Use for all operations"
Now move to the next tab "Target registry" and put a check in "Use for all operations"

Click on "OK" to save the settings.

You should now have something like this: http://postimg.org/image/9x2fjmgkz/

Reboot the PC.

Let me know if now ERP works fine.

@Trespasser

Yes, since now the "Protection Modes" can be changed from the tray icon, I added the option "Password protect chaning of Protection Modes" because this way other users of the PC cannot change (enable) Protection Modes.

What can be done here, is to probably add an option to password protect only the "Disabled Mode", so when you switch from "Disabled Mode" to "Alert Mode" you will not need to type the password, but when you switch to "Disabled Mode" you will be required to type the password, what do you think ?

I will fix this

 

I was considering purchasing but have a quick question.

I am using Outpost Firewall Pro with proactive protection and was wondering if ERP would be useful for me or would there be conflicts?

Thanks

 

Hello Andreas,

Thanks so much for the detailed, very easy to follow instructions. ERP is now working as it should.

There must be some bug in disabling all of the protection modules within Eset. I had previously disabled HIPS (which takes a reboot), disabled all of the protection modules, and disabled the personal firewall. The Eset GUI reflected the fact that all modules were disabled (supposedly). I still had issues after doing all of that but in error then ruled out Eset as the conflict.

Thanks again as both your knowledge and excellent customer service always amazes me .....

 

@puff-m-d

You're welcome, I am glad ERP is now working fine

@Charyb

Some users already run Output Firewall Pro togheter with EXE Radar Pro and so far they have reported no issues. With ERP you have full control on what application can run and what not, you can allow only specific commandline strings of a process and block the main process executions, manage events of allowed/blocked processes, use lockdown mode to allow only already whitelisted applications, and so on. I believe it can be useful