New Antiexecutable: NoVirusThanks EXE Radar Pro

Thanks for the status, much appreciated, excellent job as always

 

What is the purpose of the kernel-mode driver? against which kind of attacks it will offer protection?

 

It detects code executed by using thread local storage (TLS) callbacks.

 

I understand that is just an anti executable, and I used it years ago, I just wanted to understand what was the kernel mode exactly
http://msdn.microsoft.com/en-us/library/windows/hardware/ff554836(v=vs.85).aspx
But I'm not sure if I have a clear view on why ERP will be better in kernel mode.

 

Trying to understand the order in which ERP checks the various white/black lists, and so which take precedence. When an exe is run, does it check the lists in the following order:

Blacklist - if found block it, else
Whitelist Trusted Vendors - if found allow, else
Whitelist Path Comparison - if found allow, else
Whitelist Trusted Folders - if found allow, else
Whitelist CommandLine Wildcard - if found allow, else
Whitelist CommandLine - if found allow, else
Whitelist Processes - if found allow, else BLOCK

If not, how does it work ?

 

So far, the last beta version seems to work fine, I am making it downloadable by other users as well, this should help us to detect possible errors in other OSs or in combination with other software. This is the download link for the last BETA version:
http://downloads.novirusthanks.org/files/EXERadar_Pro_x86_x64_v3.0_09092013_BUILD2_V6.exe

Some notes:

1) You should allow ERPx64/x86Svc.exe in your HIPS/AV/FW to install/uninstall kernel-mode drivers
2) ERP should show a popup window "A new version is available for download...", just ignore it or disable the option "Notify me when a new version is available"
3) When you report a bug/problem, include the OS (specify if it is 32-bit or 64-bit) and other security software installed

If you have suggestions or if you want to report a bug, post it here so we can analyze it.

@Defenestration

Initially we check if the process is blacklisted, then we do the other checks to see if the process is whitelisted, and then the various lockdown modes are checked.

 

May I ask what changes are in v6?

 

This is the full changelog:

In V6 I've just fixed the Help -> Online Help File link.

 

Andreas,
what is the estimated release date for 3.0 final?

 

Just installed v6 on my main computer, thanks

On my XP machine I still get the driver handle error in v5 so i'm assuming it could still happen in v6?

Also, is it possible to add "remove nonexistent" in the commandline tabs like it is in process's tab?

 

@Overkill

In V6 I updated also the function to retrieve the driver handle, try that and let me know.

I have few questions:

1) Is ERPx64Svc.exe and EXERadar.exe allowed in ESET HIPS rules ?
2) How often do you get that error message about the driver handle ?
3) When you get that error message, if you re-run ERP, does the error come up again ?

@siketa

After the driver handle issue has been fixed for all users, I will need to check some other things and if ERP works fine, we can release it. Theorically, in 10 days it should be released.

 

1- Yes
2- very seldom but it does happen, usually when the pc starts
3- usually no, but once or twice it happened again

 

Hello everyone.
I've been beta testing the ERP 3 builds for a while now and am in general happy with them. In my opinion they are a better product than the ERP 2.7.x versions because they are catching executables that the fore mentioned let execute with no alert.

First of all, I'm running Win 8.1 Pro RTM 64 bit and I've been having a bit of a problem with one installer executable, Avast Free 9.0.200x, and the latest ERP 3.0 builds. If ERP is set on Alert Mode, then you click on the Avast installer executable you should then get a UAC prompt (if you have UAC set on maximum). Afterwards, for me, the Avast executable starts executing with no alert from ERP.

What I'd like is for some of you who are running the ERP 3.0 builds to try this test as well. Don't worry, you can stop the Avast install once it starts displaying options. Andreas has been getting a alert from ERP after the UAC prompt. Once even I got an alert from ERP, but overall Avast executes with no alert from ERP. I've went as far as to totally reinstall Win 8.1 64 bit from the install disc thinking maybe some application I had installed prior to my installing ERP was interfering with ERP but I ended up with the same result...Avast executed with no alert.

Can some of you try this test as well?

Thank you.

Later...

Bob

 

Thanks, Pete, for the reply.

I'm presently running Ubuntu on my laptop after an Avast Free 9.0.2005 install messed up how Sandboxie functions opening Firefox. It's easier to re-image back to Ubuntu via CloneZilla than to go the Macrium Reflect Rescue CD route to return to Win 8.1.

In answer to your suggestions, I always uncheck Trusted Vendors but I don't for signed processes. I will try your suggestions here shortly.

Again, thanks for the reply.

Later...

Bob

 

@novirusthanks
Sorry for the late reply I had no chance due to work load. following your instructions I get this message "Runtime error 216 at 000000000040BE55". However, when I change the rulset for ERPx64Svc.exe, EXERadar.exe, and ERPx64.dll in Comodo's HIPS rules window from "Allowed Application" to "Windows System Application" the message disappears, but still ERP does not function properly and I can not see (through Process Explorer) any ERPx64.dll module loaded into any process. For now I uninstalled ERP waiting for the next stable version. Please any help?

 

I do not see much benefit of running ERP with CIS.

 

I am using the firewall component of CIS only. I see what you mean, comodo's HIPS is really powerful, but I think ERP is not meant to be an HIPS. Furthermore, ERP's "vulnerable processes" feature makes me in more control of the processes I want to be alerted about upon execution.

 

I was testing them both in the same VM and everything unknown was sandboxed by CIS before ERP got any chance to react.

 

Pete,
I've re-imaged Win 8.1 back on to my laptop. During the initial ERP 3.0 install I always uncheck Trusted Vendors which also places a "No" in Menu>Settings>Signed Processes that I double checked when the Gui opened. So, nothing has really changed from what I normally do.

Edit:
Even in Lockdown Mode (Extreme) Avast Free's installer executable launches after the UAC prompt with no alert from ERP 3.0 Build 2 V6.

Later...

Bob

 

Bob, thanks for posting your issue here.

I tested the Avast installed and ERP v3.0 in Windows XP and Windows 7 and in my case its execution, after the UAC prompt, was always detected. I quickly tested this scenario also in Windows 8 64-bit and it worked. I will test it more on Windows 8.1 64-bit to see if I can reproduce the issue.

@syrog

I sent you a PM.

 

Andreas,
I will re-image to Win 8 Pro 64 bit here shortly and see how it goes. Actually, I should have done that before now. I hadn't thought of it. .

Later Andreas,

Bob

 

I re-imaged to Win 8 Pro 64 bit that only contained Windows Updates up thru August 14th 2013 and StartIsBack and nothing else. I installed CCleaner 4.06, Firefox 24 32 bit, Flash Player 11.9.900.117, and ERP 3.0 Build2 V6. ERP is set on Alert Mode. Trusted Vendors was unchecked during install. I rebooted, then copied Avast Free 9.0.2005.141 over from a usb drive. I clicked on it, I received a UAC prompt, then Avast Free started executing just like in Win 8.1.

This is perplexing.

SRP, when activated, stops Avast's execution cold, and I don't receive a UAC prompt. Shouldn't consent.exe only be allowed for executables in Program Files (including (x86)) and Windows, not in user space (just a thought)?

Later...

Bob