New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,838
    Thanks for the status, much appreciated, excellent job as always :thumb:
     
    Last edited: Oct 1, 2013
  2. guest

    guest Guest

    What is the purpose of the kernel-mode driver? Against which kind of attacks will it offer protection?
     
  3. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    It detects code executed by using thread local storage (TLS) callbacks.
     
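    As an added illustration of what "code executed by using TLS callbacks" means (this is example code written for this thread, not part of ERP or anything from NoVirusThanks): a PE file can declare a TLS directory whose AddressOfCallBacks points at a NULL-terminated array of function addresses, and the Windows loader calls those functions before the program's entry point runs. A triage tool can flag such files by walking the headers. The parser below reads the TLS data directory, resolves the RVA through the section table, and returns the callback RVAs; build_sample_pe constructs a minimal, invented PE32+ image purely so the parser has something to run on offline (the image base, section layout and callback addresses are all made-up values).

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9          # index of the TLS entry in the data directory
SAMPLE_IMAGE_BASE = 0x140000000        # constructed ImageBase used by build_sample_pe


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def find_tls_callbacks(data):
    """Return the RVAs of the TLS callbacks a PE file declares (empty list if none)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # start of the optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                    # PE32+ (64-bit image)
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        num_dirs = struct.unpack_from("<I", data, opt + 108)[0]
        dirs = opt + 112
        ptr_fmt, tls_fmt = "<Q", "<QQQQII"                # IMAGE_TLS_DIRECTORY64
    elif magic == 0x10B:                                  # PE32 (32-bit image)
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
        dirs = opt + 96
        ptr_fmt, tls_fmt = "<I", "<IIIIII"                # IMAGE_TLS_DIRECTORY32
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(num_sections):
        hdr = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        # (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
        sections.append((hdr[2], hdr[1], hdr[4], hdr[3]))
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return []
    tls_rva, _tls_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0:
        return []                                         # no TLS directory at all
    tls = struct.unpack_from(tls_fmt, data, rva_to_offset(tls_rva, sections))
    callbacks_va = tls[3]                                 # AddressOfCallBacks is a VA, not an RVA
    if callbacks_va == 0:
        return []
    off = rva_to_offset(callbacks_va - image_base, sections)
    found = []
    while True:
        va = struct.unpack_from(ptr_fmt, data, off)[0]
        if va == 0:                                       # the callback array is NULL-terminated
            break
        found.append(va - image_base)
        off += struct.calcsize(ptr_fmt)
    return found


def build_sample_pe(callback_rvas, with_tls=True):
    """Build a constructed, minimal PE32+ image whose TLS directory lists the given callbacks."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<Q", opt, 24, SAMPLE_IMAGE_BASE)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 108, 16)                # NumberOfRvaAndSizes
    if with_tls:                                        # TLS directory lives at RVA 0x1000
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x1000, 40)
    section = struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section).ljust(0x200, b"\0")
    body = bytearray(0x200)                             # the single section, mapped at RVA 0x1000
    # IMAGE_TLS_DIRECTORY64 at RVA 0x1000; its callback array is placed at RVA 0x1040
    struct.pack_into("<QQQQII", body, 0, 0, 0,
                     SAMPLE_IMAGE_BASE + 0x1030, SAMPLE_IMAGE_BASE + 0x1040, 0, 0)
    for i, rva in enumerate(callback_rvas):
        struct.pack_into("<Q", body, 0x40 + 8 * i, SAMPLE_IMAGE_BASE + rva)
    return headers + bytes(body)                        # the zero-filled tail terminates the array


if __name__ == "__main__":
    sample = build_sample_pe([0x2000, 0x2010])
    print("TLS callbacks:", [hex(r) for r in find_tls_callbacks(sample)])
```

    The check is cheap enough to run over every executable before it launches; a non-empty result does not by itself mean the file is malicious (some compilers emit TLS callbacks for legitimate initialisation), but it does mean code runs before the entry point, which is exactly the case an anti-executable wants to notice rather than miss.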
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    1. Have you even trialed ERP? You keep asking questions, but no indication you have even tried the program. I ask because if you've looked at ERP you would realize ERP doesn't protect against "attacks". It is simply an excellent anti-executable.

    2. No extra protection against different kinds of attacks. Both user mode and Kernel mode protect against the same kinds of attacks, but kernel mode is more secure against being attacked.

    Pete
     
  5. guest

    guest Guest

    I understand that it is just an anti-executable, and I used it years ago; I just wanted to understand what kernel mode was exactly:
    http://msdn.microsoft.com/en-us/library/windows/hardware/ff554836(v=vs.85).aspx
    But I'm not sure if I have a clear view on why ERP will be better in kernel mode.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    All security software is better in Kernel Mode. Keeping it very simple, kernel mode is at a lower level in the operating system. If a program is running in user mode another program running in kernel mode can get underneath it and shut it down or alter it. If it is running in kernel mode that becomes much more difficult.

    Pete
     
  7. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    Trying to understand the order in which ERP checks the various white/black lists, and so which take precedence. When an exe is run, does it check the lists in the following order:

    Blacklist - if found block it, else
    Whitelist Trusted Vendors - if found allow, else
    Whitelist Path Comparison - if found allow, else
    Whitelist Trusted Folders - if found allow, else
    Whitelist CommandLine Wildcard - if found allow, else
    Whitelist CommandLine - if found allow, else
    Whitelist Processes - if found allow, else BLOCK

    If not, how does it work?
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,148
    Location:
    Italy
    So far, the last beta version seems to work fine, I am making it downloadable by other users as well, this should help us to detect possible errors in other OSs or in combination with other software. This is the download link for the last BETA version:
    http://downloads.novirusthanks.org/files/EXERadar_Pro_x86_x64_v3.0_09092013_BUILD2_V6.exe

    Some notes:

    1) You should allow ERPx64/x86Svc.exe in your HIPS/AV/FW to install/uninstall kernel-mode drivers
    2) ERP should show a popup window "A new version is available for download...", just ignore it or disable the option "Notify me when a new version is available"
    3) When you report a bug/problem, include the OS (specify if it is 32-bit or 64-bit) and other security software installed

    If you have suggestions or if you want to report a bug, post it here so we can analyze it.

    @Defenestration

    Initially we check if the process is blacklisted, then we do the other checks to see if the process is whitelisted, and then the various lockdown modes are checked.
     
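    To make the precedence question concrete, here is a small rule evaluator written for this thread (example code, not ERP's own logic and not from NoVirusThanks). The only order the developer confirms above is blacklist first, then the whitelist checks, then the lockdown mode; the order of the individual whitelist checks inside step 2 follows Defenestration's proposed list and is an assumption, as are the field names, the "alert" versus "lockdown" mode semantics and the sample rule set.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional
import ntpath


@dataclass
class ExecEvent:
    """A process-creation event as an anti-executable would see it (constructed shape)."""
    path: str                      # full path of the image being launched
    cmdline: str                   # full command line
    signer: Optional[str] = None   # Authenticode signer name, None when unsigned (assumed field)


@dataclass
class Policy:
    """Rule lists in the order the thread discusses them (an assumed model of ERP's lists)."""
    mode: str = "alert"            # "alert" asks the user; "lockdown" blocks (assumed semantics)
    blacklist: set = field(default_factory=set)
    trusted_vendors: set = field(default_factory=set)
    whitelist_paths: set = field(default_factory=set)
    trusted_folders: set = field(default_factory=set)
    cmdline_wildcards: list = field(default_factory=list)
    cmdline_exact: set = field(default_factory=set)
    processes: set = field(default_factory=set)   # image file names such as "notepad.exe"


def _norm(p):
    """Windows paths compare case-insensitively; ntpath.normcase works on any host OS."""
    return ntpath.normcase(p)


def decide(ev, pol):
    """Return (verdict, matched_rule): blacklist first, then whitelists, then the mode."""
    path = _norm(ev.path)
    # 1. Blacklist wins over everything else (the part the developer confirms).
    if path in {_norm(p) for p in pol.blacklist}:
        return "BLOCK", "blacklist"
    # 2. Whitelist checks in Defenestration's proposed order (assumed, not confirmed).
    if ev.signer is not None and ev.signer in pol.trusted_vendors:
        return "ALLOW", "trusted vendor"
    if path in {_norm(p) for p in pol.whitelist_paths}:
        return "ALLOW", "whitelist path"
    for folder in pol.trusted_folders:
        if path.startswith(_norm(folder).rstrip("\\") + "\\"):
            return "ALLOW", "trusted folder"
    for pattern in pol.cmdline_wildcards:
        if fnmatchcase(ev.cmdline.lower(), pattern.lower()):
            return "ALLOW", "commandline wildcard"
    if ev.cmdline.lower() in {c.lower() for c in pol.cmdline_exact}:
        return "ALLOW", "commandline"
    if ntpath.basename(path) in {n.lower() for n in pol.processes}:
        return "ALLOW", "process name"
    # 3. Nothing matched: the active mode decides what happens to an unknown executable.
    if pol.mode == "lockdown":
        return "BLOCK", "lockdown mode"
    return "ALERT", "alert mode"


def sample_policy(mode="alert"):
    """Constructed rule set for the demonstration; every path and name is invented."""
    return Policy(
        mode=mode,
        blacklist={r"C:\Users\bob\Downloads\dropper.exe"},
        trusted_vendors={"Example Vendor Ltd"},
        whitelist_paths={r"C:\Tools\putty.exe"},
        trusted_folders={r"C:\Windows", r"C:\Program Files"},
        cmdline_wildcards=[r'"C:\Program Files (x86)\*\updater.exe" /silent'],
        cmdline_exact={r"C:\Tools\backup.exe --nightly"},
        processes={"notepad.exe"},
    )


if __name__ == "__main__":
    pol = sample_policy()
    events = [
        ExecEvent(r"C:\Users\bob\Downloads\dropper.exe", "dropper.exe", "Example Vendor Ltd"),
        ExecEvent(r"C:\Users\bob\Downloads\setup.exe", "setup.exe", "Example Vendor Ltd"),
        ExecEvent(r"C:\Users\bob\Downloads\unknown.exe", "unknown.exe"),
    ]
    for ev in events:
        print(ev.path, "->", decide(ev, pol))
```

    The first sample event shows why the order matters: a blacklisted file stays blocked even when it carries a trusted signature, because the blacklist is consulted before any whitelist. The second shows the opposite side of the same coin, and it is the check Pete's advice later in the thread switches off (signed process set to No, Trusted Vendors cleared) when an installer is unexpectedly allowed: once a vendor or signature rule matches, none of the later lists or the lockdown mode are ever consulted.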
  9. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    May I ask what changes are in v6?
     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,148
    Location:
    Italy
    This is the full changelog:

    In V6 I've just fixed the Help -> Online Help File link.
     
  11. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Andreas,
    what is the estimated release date for 3.0 final?
     
  12. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Just installed v6 on my main computer, thanks

    On my XP machine I still get the driver handle error in v5 so I'm assuming it could still happen in v6?

    Also, is it possible to add "remove nonexistent" in the commandline tabs like it is in the Processes tab?
     
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,148
    Location:
    Italy
    @Overkill

    In V6 I updated also the function to retrieve the driver handle, try that and let me know.

    I have few questions:

    1) Are ERPx64Svc.exe and EXERadar.exe allowed in ESET HIPS rules?
    2) How often do you get that error message about the driver handle?
    3) When you get that error message, if you re-run ERP, does the error come up again?

    @siketa

    After the driver handle issue has been fixed for all users, I will need to check some other things and if ERP works fine, we can release it. Theoretically, in 10 days it should be released.
     
  14. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    1- Yes
    2- very seldom but it does happen, usually when the pc starts
    3- usually no, but once or twice it happened again
     
  15. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Hello everyone.
    I've been beta testing the ERP 3 builds for a while now and am in general happy with them. In my opinion they are a better product than the ERP 2.7.x versions because they are catching executables that the aforementioned let execute with no alert.

    First of all, I'm running Win 8.1 Pro RTM 64 bit and I've been having a bit of a problem with one installer executable, Avast Free 9.0.200x, and the latest ERP 3.0 builds. If ERP is set on Alert Mode, then you click on the Avast installer executable you should then get a UAC prompt (if you have UAC set on maximum). Afterwards, for me, the Avast executable starts executing with no alert from ERP.

    What I'd like is for some of you who are running the ERP 3.0 builds to try this test as well. Don't worry, you can stop the Avast install once it starts displaying options. Andreas has been getting an alert from ERP after the UAC prompt. Once even I got an alert from ERP, but overall Avast executes with no alert from ERP. I've gone as far as to totally reinstall Win 8.1 64 bit from the install disc thinking maybe some application I had installed prior to my installing ERP was interfering with ERP, but I ended up with the same result... Avast executed with no alert.

    Can some of you try this test as well?

    Thank you.

    Later...

    Bob
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Bob

    Try it again yourself, but this time do 2 things.

    1. Go into Menu>Settings>signed process and select No
    2. Go into whitelist>trusted Vendors and clear that list.

    See if that makes a difference.

    Pete
     
  17. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Thanks, Pete, for the reply.

    I'm presently running Ubuntu on my laptop after an Avast Free 9.0.2005 install messed up how Sandboxie functions opening Firefox. It's easier to re-image back to Ubuntu via CloneZilla than to go the Macrium Reflect Rescue CD route to return to Win 8.1.

    In answer to your suggestions, I always uncheck Trusted Vendors but I don't for signed processes. I will try your suggestions here shortly.

    Again, thanks for the reply.

    Later...

    Bob
     
  18. syrog

    syrog Registered Member

    Joined:
    Jul 13, 2013
    Posts:
    32
    @novirusthanks
    Sorry for the late reply, I had no chance due to work load. Following your instructions I get this message "Runtime error 216 at 000000000040BE55". However, when I change the ruleset for ERPx64Svc.exe, EXERadar.exe, and ERPx64.dll in Comodo's HIPS rules window from "Allowed Application" to "Windows System Application" the message disappears, but still ERP does not function properly and I cannot see (through Process Explorer) any ERPx64.dll module loaded into any process. For now I uninstalled ERP waiting for the next stable version. Please, any help?
     
  19. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I do not see much benefit of running ERP with CIS.
     
  20. syrog

    syrog Registered Member

    Joined:
    Jul 13, 2013
    Posts:
    32
    I am using the firewall component of CIS only. I see what you mean, Comodo's HIPS is really powerful, but I think ERP is not meant to be a HIPS. Furthermore, ERP's "vulnerable processes" feature gives me more control over the processes I want to be alerted about upon execution.
     
  21. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I was testing them both in the same VM and everything unknown was sandboxed by CIS before ERP got any chance to react.
     
  22. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Pete,
    I've re-imaged Win 8.1 back on to my laptop. During the initial ERP 3.0 install I always uncheck Trusted Vendors, which also places a "No" in Menu>Settings>Signed Processes that I double checked when the GUI opened. So, nothing has really changed from what I normally do.

    Edit:
    Even in Lockdown Mode (Extreme) Avast Free's installer executable launches after the UAC prompt with no alert from ERP 3.0 Build 2 V6.

    Later...

    Bob
     
    Last edited: Oct 9, 2013
  23. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,148
    Location:
    Italy
    Bob, thanks for posting your issue here.

    I tested the Avast installer and ERP v3.0 in Windows XP and Windows 7 and in my case its execution, after the UAC prompt, was always detected. I quickly tested this scenario also in Windows 8 64-bit and it worked. I will test it more on Windows 8.1 64-bit to see if I can reproduce the issue.

    @syrog

    I sent you a PM.
     
  24. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Andreas,
    I will re-image to Win 8 Pro 64 bit here shortly and see how it goes. Actually, I should have done that before now. I hadn't thought of it. :).

    Later Andreas,

    Bob
     
  25. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    I re-imaged to Win 8 Pro 64 bit that only contained Windows Updates up through August 14th 2013 and StartIsBack and nothing else. I installed CCleaner 4.06, Firefox 24 32 bit, Flash Player 11.9.900.117, and ERP 3.0 Build2 V6. ERP is set on Alert Mode. Trusted Vendors was unchecked during install. I rebooted, then copied Avast Free 9.0.2005.141 over from a USB drive. I clicked on it, I received a UAC prompt, then Avast Free started executing just like in Win 8.1.

    This is perplexing.

    SRP, when activated, stops Avast's execution cold, and I don't receive a UAC prompt. Shouldn't consent.exe only be allowed for executables in Program Files (including (x86)) and Windows, not in user space (just a thought)?

    Later...

    Bob
     