New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. francisw19

    francisw19 Registered Member

    Joined:
    Jan 29, 2007
    Posts:
    21
    Location:
    Canada
    NVT,

    I've got an issue with some .exe's running undetected by EXE Radar Pro. I run ERP in "Alert Mode". I've also got a folder of some handy system utilities that's in a folder on my D: drive (I can list these if you need them specifically). They're all just stand-alone .exe files and not installed to the OS.

    On some of these .exe files, when I run them, there is no prompt from ERP and nothing comes up under the Events tab to show why it was allowed. So from what I can see, it looks like the .exe was just missed. Or perhaps I'm just missing something. Either way, I'd appreciate it if you could dig into this a bit. I'm certainly willing to help, just let me know what you need on my end. :)
     
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @sg09

    I could reproduce your issue, it'll be fixed.

    @siketa

    I had to change a few things in the Win 8.1 fix, so I'm still testing it on a few boxes. I'll see how the tests go and I'll keep you updated ;)

    @mattdocs12345

    So basically you need to configure ERP so that no unknown process is executed on the PC, correct?

    An example to do this, as Pete said, is this:

    1) Enable the options:
    - Allow Microsoft Windows system protected processes
    - Allow processes signed by Trusted Vendors
    - Allow all software from Program Files folder
    2) Try to open all the programs that you would open regularly and whitelist all processes and all possible commandline strings
    3) Restart the PC and try to re-open the programs you regularly use, just to see that everything is whitelisted correctly
    4) Change the protection mode to "Lockdown Mode (Extreme)" so only whitelisted processes/commandline strings are allowed to be executed

    @TomAZ

    I'll look at that in a few hours.

    @francisw19

    The current ERP version does not fully support Windows 8.1 64-bit, I am working on it :)
     
  3. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Thanks Andreas.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Don't know. Mine stopped at 1/1/2014. Just checked a 2nd machine. The same.

    Pete
     
  5. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Maybe ERP thinks it was a Doomsday.....:D
     
  6. francisw19

    francisw19 Registered Member

    Joined:
    Jan 29, 2007
    Posts:
    21
    Location:
    Canada
    Doh! :ouch: You're right, no worries then. I shall wait for Win 8.1 support. :)
     
  7. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    Not here, for me latest log is 11-01-2014.
     
    Last edited: Jan 13, 2014
  8. controler

    controler Guest

    Mine was Jan 12th 2014 but I did not have puter on today.

    I am still not sure what restore default lists does..:doubt:
     
  9. Antimalware18

    Antimalware18 Registered Member

    Joined:
    Dec 12, 2008
    Posts:
    417
    I have just one idea for this program that will make it even better than it already is: when it is in lockdown mode (any level), you can right-click an executable/program and add it to the whitelist from there instead of having to open the interface. Just an idea.
     
  10. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Oh wow, I like this idea, a lot.

    +1 :thumb:
     
  11. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,121
    Location:
    South Texas, USA
    Been testing out ERP for a few days and now I think I am ready to use Lockdown Mode. Do I have to do anything special to set it up? Oh, I am running it alongside AppGuard, if it matters. Thanks

    dja2k
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    You are good to go :thumb:
     
  13. DX2

    DX2 Guest

    Does NVT EXE protect against MBR tampering?
     
  14. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    NVT ERP became a really solid product.
     
  15. guest

    guest Guest

    I'd love to know about this too. Also, does EXE Radar protect against DLL injections and system driver (.SYS) loads? Thank you.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Guys,

    You are asking about protecting the MBR and against DLL injections, etc. Ask yourselves this: how can these happen if the exe's that cause them can't run?
     
  17. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Bingo! We have a winner. You can't inject or corrupt a MBR without something executing first.
     
  18. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Any word about 3.0 and the fix it provides for Windows 8.1?

    Is it close to being final yet?
     
  19. guest

    guest Guest

    By making the whitelisted process load DLLs? If EXE Radar also blocks DLL and SYS loads, then at least they wouldn't be able to execute either.
     
    Correct, but... there is code executed in regular programs which process rich content, like your browser and its plug-ins. Also, a lot of files we think only contain data also contain (sometimes tiny bits of) code defining the structure or metadata, or describing the way it is formatted (remember the PNG and PostScript exploits).
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You are absolutely correct, which is why I also run SBIE, AppGuard, and EMET.

    Pete
     
  22. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    True, but the majority of exploits will try to dispense an exe payload. Yes, I know that there are exploits that change metadata and other data streams. I'm not saying that AEs are the end-all, but merely a piece of the big security puzzle. I should be a little clearer when blurting out my opinions. ;)
     
  23. @Pete & KJ

    I am the last one who will say you are not sufficiently protected with AppGuard, SBIE, NVT, EMET or Comodo, WSA, SBIE, MBAE :D just putting things into perspective :thumb:
     
  24. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Thanks Kees. I know you're just looking out for me. Appreciate it. :D
     
  25. just_john

    just_john Registered Member

    Joined:
    May 31, 2008
    Posts:
    14
    Running EXERadar_Pro_x86_x64_v3.0_09092013_BUILD2_V12.exe with Windows 8.1. (Is there an easy way to check if I have the latest beta?) I have AutoHotkey.exe listed as a vulnerable process. If I whitelist the commandline, the commandline is allowed to run. But if I use a wildcard in the string it triggers an alert. I have other commandlines with wildcards that work.

    This is allowed to run: "C:\Program Files\AutoHotkey\AutoHotkey.exe" "E:\info\autohotkey\zztimers.ahk"

    This triggers an alert: "C:\Program Files\AutoHotkey\AutoHotkey.exe" "E:\info\autohotkey\zztimer?.ahk"
     