New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. puff-m-d

    puff-m-d Registered Member

    Hello Andreas,

    First off, I really like the look and feel of the new layout... Very nice :thumb: ...

    I may have stumbled across a couple minor bugs though:
    • Clicking on the "License..." button on the main GUI does nothing
    • When I have a blocked event in the "Events" tab of the main GUI and right click "Add to whitelist", all proceeds as expected but upon examining the whitelist I find the process has not been added to it
    For reference, I am on a fully patched/updated Windows 8.1.1 Pro 64 bit system...
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I just tried switching from Alert Mode to Lock Down Mode (extreme), and ERP whitelisted all my running processes instead which I did not want to do. I could have sworn I had my mouse cursor directly over enable permanently. The dialog box apparently went away at the last moment which led to me clicking on whitelist running processes. If you want to keep WhiteList Running Processes where it is then I would recommend giving a confirmation prompt stating something like, "Are you sure you want to WhiteList All Running Processes?"
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I'm seeing some inconsistent behavior from ERP with blocking executions that I do not understand. I have AppGuard installed as well. If I try executing a bunch of .exe files (installers in this case) sometimes AppGuard blocks them first so ERP does not have a chance to block their execution, and other times ERP intercepts them before AG does. Why would this be? All the files were .exe so I was expecting ERP to block them all either before AG, or not be able to block them at all due to AG blocking them first. I don't know what method ERP uses to block executions so I'm just a little puzzled. If I use Online Armor with AppGuard then OA always blocks executions before AG if it's a .exe run directly from one's disk so that's what I mean by consistent behavior. If it was an exploit coming from a web app then AG might block it first, but that's off topic from my point.
     
    Last edited: May 31, 2014
  4. WSFfan

    WSFfan Registered Member

    Here also AppGuard blocks all the EXE files first unless AG is in Install mode or OFF mode :rolleyes:
     
  5. J_Whacka

    J_Whacka Registered Member

    I am using latest version 8.0.4.70, I'm using the Webroot SecureAnywhere Anti-Virus. I could not see it listed anywhere. Currently in the middle of setting up the PC so I can't check at the moment as I have nothing installed. I could be wrong but I think this was with the installer on the nvt site and not the latest build posted here but will check once I have everything installed.
     
  6. siketa

    siketa Registered Member

    Read the last PS line in post #3480. ;)
     
  7. puff-m-d

    puff-m-d Registered Member

    Hello siketa,

    Thanks, it is amazing to me that sometimes no matter how many times I look through a thread, I still miss something. I wonder if this is what they mean by "getting old" ;) ...
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    The behavior I'm seeing is that ERP sometimes blocks them first, and sometimes AG blocks them first. If I'm using Online Armor with AG then OA always blocks .exe files before AG has a chance if I'm running them directly from my disk. If a .exe file was attempting to download by an exploit from a web app then AG might block the .exe from ever being downloaded, but that's off topic from my point above.
     
  9. siketa

    siketa Registered Member

    Hey, puff.....we all have our moments of fame! :)
     
  10. novirusthanks

    novirusthanks Developer

    @puff-m-d

    I have now fixed the "Add to whitelist" on the RMB on Events Tab :)

    "Add to blacklist" had the same issue, fixed.

    @Cutting_Edgetech

    Good idea, I added the confirmation dialog "Are you sure you want to WhiteList All Running Processes?".

    About your question regarding AG and ERP, I have not yet fully tested AG so I cannot say much about it.
    ERP uses a kernel-mode driver to catch new processes; if another program uses almost the same technique, there may be some alternation in which one detects the process first.
    I should test that scenario in the next week.

    @J_Whacka

    Sure, keep me updated here.
     
  11. Peter2150

    Peter2150 Global Moderator

    Hi Andreas

    I just noticed there is nothing listed on the whitelist tab, although everything seems to be working. Is this correct?

    Pete
     
  12. bellgamin

    bellgamin Registered Member

    I would think that the main concern is that a *NASTY* gets blocked before it executes.
     
  13. dja2k

    dja2k Registered Member

    If you're talking about the Applications tab, I do show entries there and also in Command-Lines tab.

    dja2k
     
  14. Peter2150

    Peter2150 Global Moderator

    My applications tab is blank. Even when I add something it is blank.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Thank you for adding that! It will help me out with my butter fingers at least.

    Thank you! I was just trying to understand what would cause ERP to sometimes block an execution before AG, and other times AG would block the execution before ERP with the same type of file. Maybe I should look into the chain of events which leads up to the execution to find an answer. There must be something different happening with some .exe files to cause the difference in behavior. I'm familiar with a few different coding methods used in HIPS, and AE's. Now that I know ERP uses a kernel mode driver that may help me pinpoint some possible causes. Thank you for the info!
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Yes, that's definitely true. I just like to understand as much as possible. I hate when I can't make sense of something. My curiosity makes me learn a little more each day.
     
  17. Tyrizian

    Tyrizian Registered Member

    @novirusthanks

    Any plans for the following, or is it possible?

    1. Memory protection (Memory Shield)

    2. Make ERP a full on running service, instead of a startup item (To optimize startup time)
     
    Last edited: Jun 1, 2014
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    What do you mean make ERP a full on running service? I thought ERP already was. It's listed as a service under services.
     

  19. Tyrizian

    Tyrizian Registered Member

    Take Comodo for instance (example), it doesn't place itself as a shared startup and service item, it runs strictly as a running service & scheduled tasks, nothing else (Doesn't show itself as running on startup). A way to know that it doesn't list itself as a startup item, is going into CCleaner and checking the startup items (Comodo won't be listed), because it's a full on service item.

    From what I have heard, doing this can make a program load almost instantaneously.

    This is what I meant by full on running service.

    I remember talking this over with Andreas quite a while ago, and he said that he would think about implementing such a feature.

    This is the best way I can describe this; if it's a bit confusing, I am sure Andreas could shed some light on what I mean. Hopefully he remembers our conversation from a while ago.
     
    Last edited: Jun 1, 2014
  20. puff-m-d

    puff-m-d Registered Member

    Hello Andreas,

    Thanks for the quick reply.
    I have also noticed that from the "WhiteList > Command-Lines" tab, the right click "Add new...", then clicking on "Add" after inputting the new command line seems to be broken also...
     
  21. Peter2150

    Peter2150 Global Moderator

    Hi Andreas

    I found my missing stuff on the Whitelist tab. It was way way down at the bottom. I simply did a reset and re-whitelisted the 3 main folders and now it's normal.

    Pete
     
  22. Rasheed187

    Rasheed187 Registered Member

    1 I wonder if it would make any sense to add memory protection, wouldn't it become sort of like a HIPS? :)

    2 I read your explanation, and I forgot about this method. Can you find Comodo's startup entry with a tool like AutoRuns?
     
  23. Tyrizian

    Tyrizian Registered Member

    For #1: I think it would be a nice feature to implement, so that users don't have to rely on other software to achieve memory protection (EMET, HitmanPro.Alert, AppGuard, etc.). If implemented into ERP, all you need is ERP and nothing else, as far as memory protection goes.

    For #2: I really couldn't tell you, I'm not running Comodo at this time, nor autoruns, plus my time is somewhat limited to test it.
     
  24. Peter2150

    Peter2150 Global Moderator

    I don't know about number 2 but I would say no to memory protection. That just muddles up what the product is. It is an AntiExecutable. No doubt the best, but why turn it into a Swiss Army knife?
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    If he does decide to add memory protection he should make it optional to enable because many users here use AppGuard, and ERP together. AppGuard already has memory protection so it may cause a conflict between the two products.
     