New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I booted my PC today and the driver handle error happened again, and once more after rebooting. I have the latest version installed: EXERadar_Pro_x86_x64_v3.0_09092013_BUILD2_V15-05032014

    09/03/2014 16:52:34 ZwLoadDriver (LoadDriver) failed to load nvterp (\registry\machine\system\CurrentControlSet\Services\nvterp) with error C000010E The operation completed successfully
     
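A quick way to read the quoted log line: the value after "with error" is an NTSTATUS, whose top two bits carry the severity, so it can be checked against the message text printed next to it. The following is an added example in Python, not ERP's own code. It parses a copy of the line constructed from the post, decodes the NTSTATUS bit fields, and reports that a severity-3 (error) status has been paired with a success message, which means the text did not come from that status code. 0xC000010E is STATUS_IMAGE_ALREADY_LOADED in ntstatus.h; that is the only entry in the lookup table below, and nothing here says why the driver failed to load on that particular machine.

```python
import re

# Copy of the log line quoted in the post (constructed from it; field values unchanged).
LOG_LINE = (r"09/03/2014 16:52:34 ZwLoadDriver (LoadDriver) failed to load nvterp "
            r"(\registry\machine\system\CurrentControlSet\Services\nvterp) "
            r"with error C000010E The operation completed successfully")

# NTSTATUS layout: bits 31-30 severity, bit 29 customer-defined, bits 28-16 facility,
# bits 15-0 code.  Only the one value that appears on the page is given a name.
SEVERITY = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}
KNOWN_NTSTATUS = {0xC000010E: "STATUS_IMAGE_ALREADY_LOADED"}

LINE_RE = re.compile(
    r"failed to load (\S+) \((\\[^)]+)\) with error ([0-9A-Fa-f]{8}) (.*)$")


def parse_driver_error(line: str) -> dict:
    """Pull service name, registry path, status code and message text out of the line."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a ZwLoadDriver failure line")
    return {
        "service": m.group(1),
        "regpath": m.group(2),
        "status": int(m.group(3), 16),
        "message": m.group(4).strip(),
    }


def decode_ntstatus(status: int) -> dict:
    """Split an NTSTATUS into its bit fields; name it only if it is in the table."""
    return {
        "severity": SEVERITY[(status >> 30) & 0x3],
        "customer": bool((status >> 29) & 0x1),
        "facility": (status >> 16) & 0xFFF,
        "code": status & 0xFFFF,
        "name": KNOWN_NTSTATUS.get(status),
    }


def message_is_consistent(status: int, message: str) -> bool:
    """False when an error-severity status is accompanied by success-sounding text.

    That combination indicates the message was formatted from some other value
    (for example a Win32 last-error of 0), not from the NTSTATUS shown."""
    sounds_ok = "completed successfully" in message.lower()
    is_error = ((status >> 30) & 0x3) == 3
    return not (sounds_ok and is_error)


def analyse(line: str = LOG_LINE) -> dict:
    rec = parse_driver_error(line)
    rec["decoded"] = decode_ntstatus(rec["status"])
    rec["message_consistent"] = message_is_consistent(rec["status"], rec["message"])
    return rec


if __name__ == "__main__":
    for k, v in analyse().items():
        print(f"{k:>19}: {v}")
```

The consistency check is the practical takeaway: when a tool logs a hex NTSTATUS, look the number up rather than trusting the prose beside it.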
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm trying ERP with Appguard. I added Blue Ridge Networks to ERP's trusted Vendors list. Is there any need to make any exceptions for AG within ERP? I have already configured AG to allow everything from ERP.
     
  3. Enternal

    Enternal Registered Member

    Joined:
    Apr 21, 2009
    Posts:
    47
    So lately I have been having a bunch of these random folders that look like 32-character hashes being blocked by ERP. Something like:
    J:\45fdd2d1762d14d08fec44889104\MpMiniSigStub.exe
    J:\63fd2d1762d254d08fec44889104\MpMiniSigStub.exe

    Parent Process:
    C:\Windows\SoftwareDistribution\Download\Install\mpas-d_bd_1.167.838.0.exe

    Command Line:
    J:\45fdd2d1762d14d08fec44889104\MpMiniSigStub.exe WD /q

    Did some research and found out that they're just Microsoft's signature updater. So should I add it under Path Comparison as:
    Code:
    *:\????????????????????????????????\MpMiniSigStub.exe
    or
    Code:
    *:\*\MpMiniSigStub.exe
    It seems safer to add the first example, since the folder it's in must be 32 characters (at least from my understanding, the ? represents one character of any letter or number)?
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Overkill

    That's strange, have you added any new security software recently?

    One possibility is that other software blocked the loading of the ERP driver.

    Let me know if the problem reappears.

    @Enternal

    I would prefer the first one:

    Code:
    J:\????????????????????????????????\MpMiniSigStub.exe
    
    @Cutting_Edgetech

    Adding Blue Ridge Networks to ERP's Trusted Vendors List should be enough.

    @Rasheed187

    The problem with SBIE is that ERP cannot catch the parent process of SBIE when you execute a .exe file inside the sandbox. I will see what can be done in this case.

    About the behavioural blocker, I would prefer to keep ERP a pure and easy-to-use anti-executable; adding an advanced BB would need a lot of development and testing time, and it may also create incompatibility issues with other security software. Allowing only trusted applications is a good additional layer of protection to prevent unknown programs from running on the system.

    Surely ERP has become a solid program now. What it lacks, and what should be added in the next version, is the ability to use settings/lists per user or globally for all users, the option to send events to a remote website, the option to use whitelists located on a remote website, usability and service optimizations, improvements to the activation system, the suggestions in the to-do list, etc.

    @everyone

    This is the RC for ERP v3.0:

    http://downloads.novirusthanks.org/...x64_v3.0_09092013_BUILD2_V15-05032014_RC6.exe

    What's new ?

    - Wider dialog for Add new command line string
    - Wider dialog for Add new path comparison
    - Added "Remove selected item(s)" on WhiteList->CommandLine
    - Added "Remove selected item(s)" on WhiteList->Parent Processes
    - Added "Remove selected item(s)" on WhiteList->Path Comparison
    - Added "Remove selected item(s)" on Advanced->Vulnerable Processes
    - Added "Remove selected item(s)" on Advanced->Temporary Allowed Processes
    - Optimized the population of the safe command-line strings
    - Minor fixes and optimizations

    I have reset the trial settings, so if you used the ERP 30-day trial in the past, you can test this new version for another 30 days.

    Also, in a few days I should start a giveaway only for Wilders users.
     
    Last edited: Mar 11, 2014
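The two Path Comparison patterns discussed in the posts above, run through a small glob matcher. This is an added example in Python, not ERP's code; ERP's exact wildcard semantics are not documented on this page, so the matcher assumes that `*` matches any run of characters including backslashes, that `?` matches exactly one character, and that comparison is case-insensitive as Windows paths are. The first two sample paths are copied from the quoted events; the others are constructed. One check worth running before relying on the narrow pattern: the folder names as quoted in the post are 28 characters long, and a run of 32 `?` matches only 32-character names.

```python
import re

# The two candidate rules from the post, built so the '?' count is exactly 32.
NARROW = "*:\\" + "?" * 32 + "\\MpMiniSigStub.exe"
BROAD = "*:\\*\\MpMiniSigStub.exe"

# First two paths copied from the quoted events; the rest are constructed.
SAMPLE_PATHS = [
    r"J:\45fdd2d1762d14d08fec44889104\MpMiniSigStub.exe",
    r"J:\63fd2d1762d254d08fec44889104\MpMiniSigStub.exe",
    # constructed: a 32-character hex folder, the length the post expects
    r"J:\0123456789abcdef0123456789abcdef\MpMiniSigStub.exe",
    # constructed: same file name dropped somewhere a signature updater never lives
    r"J:\Users\Public\Downloads\evil\MpMiniSigStub.exe",
    # constructed: a different executable inside a hash-named folder
    r"J:\0123456789abcdef0123456789abcdef\setup.exe",
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a glob-style rule into an anchored, case-insensitive regex.

    Assumed semantics: '*' matches any run of characters (path separators
    included), '?' matches exactly one character, everything else is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def path_matches(pattern: str, path: str) -> bool:
    return wildcard_to_regex(pattern).match(path) is not None


def folder_name_length(path: str) -> int:
    """Length of the directory component directly under the drive root."""
    return len(path.split("\\")[1])


def evaluate(pattern: str, paths=SAMPLE_PATHS) -> dict:
    """Map each sample path to whether the rule would whitelist it."""
    return {p: path_matches(pattern, p) for p in paths}


if __name__ == "__main__":
    for label, pat in (("narrow", NARROW), ("broad", BROAD)):
        print(f"{label}: {pat}")
        for path, ok in evaluate(pat).items():
            verdict = "whitelisted" if ok else "not matched"
            print(f"  {verdict:12} folder len {folder_name_length(path):2}  {path}")
```

Under these assumptions the broad rule whitelists any file called MpMiniSigStub.exe anywhere on any drive, including the constructed Downloads path, which is exactly the kind of name-only match an attacker can satisfy by renaming a file. The narrow rule pins the drive-root folder to 32 characters, which is why it rejects the 28-character names as quoted; if the real folders are 28 characters, the rule needs 28 question marks, and if they vary, a length-pinned rule will keep producing blocks.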
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ novirusthanks

    Yes, that's a problem; for example Comodo Firewall (with HIPS) also gives alerts about this stuff, so I have to disable both CF and ERP, which is a bit annoying, so I hope there might be a workaround in the future. :)

    Yes, it was just an idea, but I can understand your point of view and I respect your decision. ;)
    Yes, I can understand these things are important at the moment. I do hope that you will change the context menu options a bit (tray-icon), for faster switching between Alert mode and Lock-down mode. :thumb:
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Just installed it and it looks very nice and clean :thumb:
     
  7. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    It happens every so often, randomly. My setup hasn't changed for quite some time. I have ESET configured as you have it in your tutorial on your site.
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
  9. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
  11. guest

    guest Guest

    Andreas, ERP is a dilemma for me!!!!

    It is so well designed that I don't know on which machine to use it :D
     
  12. Jryder54

    Jryder54 Registered Member

    Joined:
    Sep 3, 2013
    Posts:
    212
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andreas

    I would occasionally see the driver handle error, if I didn't give it enough time at the password pause. This build fixed that. So far so good.

    Pete
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You know, I've been thinking about the request to add "BB" and other stuff to ERP. It dawned on me the reason I got interested in the first place. Wilders user RMUS (listed as an exploit analyst) has demonstrated how literally every new exploit is blocked by the AE he uses, which is Faronics Anti-Executable Version 2. That is all he uses. And that is ancient by the standard of NVT ERP.

    If you want anything else run Appguard, but ERP should be kept clean.

    Pete
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Use it on both. :D
     
  16. Enternal

    Enternal Registered Member

    Joined:
    Apr 21, 2009
    Posts:
    47
    Andreas, remember when I said that once in a while, when I forgot to disable ERP while installing programs, it would completely crash? Well, I don't know what happened, but ever since then, with your new builds, I have not had a single crash. Amazing! Anyway, it's now very stable and I'm very happy. It's an amazing program! Thanks!
     
  17. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
  18. guest

    guest Guest

    Indeed, that is a good point, but I like diversity :D
     
  19. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Q1: why is this option present in Custom Configuration?
     

    Attached file: 1.jpg (35.9 KB)
  20. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Q2: What is the difference between Trust and Learning modes?
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Thanks for the feedback, guys :D

    @Pete @Enternal @OverKill

    Great, keep me updated if you get that driver handle error again.

    @siketa

    Processes related to Adobe Flash Player are executed frequently, such as when you watch a YouTube video, etc. So with "recommended options" enabled, the Flash Player processes are added to the whitelist, reducing the popup windows in specific circumstances. In the Custom Configuration you can disable that option if needed.

    Trust Mode is used to automatically allow any new process except blacklisted processes.

    Learning Mode, when enabled, auto-whitelists all executed processes, so it is easy to create the initial whitelist. You can set ERP to Learning Mode after it has been installed, then use the PC normally for a few hours, and then switch back to Alert Mode or Lockdown Mode, so the whitelist is automatically created with all the processes executed while Learning Mode was enabled.
     
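The four protection modes described in the reply above, modelled as a small decision function. This is an added example in Python, not ERP's code, and it encodes only what the post states: Trust allows any new process except blacklisted ones, Learning allows and whitelists everything it sees, Lockdown blocks what is not whitelisted, and Alert prompts for it. Two details are assumptions because the page does not say: that the blacklist takes precedence in every mode, and that paths compare case-insensitively. The sample executions are constructed, and they are chosen to show the edge case a practitioner cares about: anything that runs during the learning window, including an installer helper from a temp folder, is trusted from then on.

```python
from dataclasses import dataclass, field

ALERT, LOCKDOWN, TRUST, LEARNING = "Alert", "Lockdown", "Trust", "Learning"


@dataclass
class Policy:
    mode: str
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)

    def decide(self, path: str) -> str:
        p = path.lower()                 # assumption: Windows paths compare case-insensitively
        if p in self.blacklist:
            return "BLOCK"               # assumption: the blacklist wins in every mode
        if p in self.whitelist:
            return "ALLOW"
        if self.mode == LEARNING:
            self.whitelist.add(p)        # learning: allow, and remember for later modes
            return "ALLOW+WHITELIST"
        if self.mode == TRUST:
            return "ALLOW"               # trust: allow anything not blacklisted, learn nothing
        if self.mode == LOCKDOWN:
            return "BLOCK"               # lockdown: unknown processes are blocked
        return "PROMPT"                  # alert: unknown processes are shown to the user


def run(events, policy: Policy):
    """Apply the policy to a sequence of executed paths, returning (path, verdict) pairs."""
    return [(path, policy.decide(path)) for path in events]


# Constructed sample executions.  The temp-folder helper ran during the learning
# window, which is enough for it to be trusted afterwards.
LEARN_PHASE = [
    r"C:\Windows\explorer.exe",
    r"C:\Program Files\Browser\browser.exe",
    r"C:\Users\me\AppData\Local\Temp\installer_helper.exe",
]
LATER = [
    r"C:\Program Files\Browser\browser.exe",
    r"C:\Users\me\AppData\Local\Temp\installer_helper.exe",
    r"C:\Users\me\Downloads\new_tool.exe",
]


def learning_then_lockdown(learn_events=LEARN_PHASE, later_events=LATER):
    """The workflow from the post: learn for a while, then switch to Lockdown."""
    pol = Policy(LEARNING)
    learned = run(learn_events, pol)
    pol.mode = LOCKDOWN
    return learned, run(later_events, pol), sorted(pol.whitelist)


def trust_mode_with_blacklist(events, blacklist):
    """Trust mode: everything passes except what is explicitly blacklisted."""
    pol = Policy(TRUST, blacklist={b.lower() for b in blacklist})
    return run(events, pol)


if __name__ == "__main__":
    learned, later, whitelist = learning_then_lockdown()
    print("learning phase:")
    for path, verdict in learned:
        print(f"  {verdict:16} {path}")
    print("lockdown phase:")
    for path, verdict in later:
        print(f"  {verdict:16} {path}")
    print("whitelist after learning:", whitelist)
```

The point of the constructed run is the second Lockdown verdict: the temp-folder helper is allowed because it happened to execute while Learning Mode was on, so the learning window should be short, on a machine believed clean, and the resulting whitelist reviewed before relying on Lockdown.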
  22. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Thanks, Andreas....no bug(s) to report so far....
    :)
     
  23. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Same here, no issues so far
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    NoVirusThanks EXE Radar Pro v3.0 has been released:

    [17-03-2014] v3.0.0.0
    + Improved detection of new processes using a kernel-mode driver
    + Detects code executed by using thread local storage (TLS) callbacks (thanks to Fabian Wosar and Liviu Itoafa for their PoC)
    + Do not show balloon hints when the PC is booted and the protection is enabled
    + Added option "Password protect disabling of real-time protection"
    + Remember the last enabled Protection Mode when ERP is closed
    + Optimized the loading of blacklist and whitelists when the PC is booted
    + Updated the menu Help -> Online Help File
    + Added option "View commandline string" in the popupmenu of Events/CommandLine tab
    + Removed completely whitelist commandline that used MD5 hash
    + Optimized the graphical user interface, settings window and prompt dialog
    + Simplified the configuration wizard
    + Merged the "Trusted Folders" tab with "Path Comparison" tab
    + Minor fixes and optimizations

    Download link:
    http://www.novirusthanks.org/products/exe-radar-pro/

    If you are a v2.7.7 user, you should find this tool useful:

    This is a small tool useful to merge the command-line strings that used the MD5 hash with the wildcard-enabled strings:
    http://downloads.novirusthanks.org/files/ERPCmdLineMerger.exe

    Usage is pretty simple:

    1) Close ERP
    2) Run ERPCmdLineMerger.exe
    3) Click the button
    4) Close ERPCmdLineMerger.exe
    5) Open ERP

    Update from v2.7.7 to v3.0.0:

    The auto-updater should work fine; make sure to disable the other security software (or handle their alerts correctly) for a clean installation of the new version. You can export the settings/lists before running the updater (recommended), though I think there will be no need to import them, as v3.0 handles the old settings/lists.

    Alternatively you can:

    1) Uninstall ERP v2.7.7
    2) Reboot the PC
    3) Install ERP v3.0

    Then if you want to merge the command-line rules:

    1) Close ERP
    2) Run ERPCmdLineMerger (to merge command-line rules)
    3) Run ERP

    Really, MANY THANKS to every user who has helped with testing, suggestions and support :)
     
    Last edited: Mar 18, 2014
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Congratulations! I'm going to give it a try now.
     