New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes. For example any time Cmd.exe runs you will get an alert, unless that particular cmd string is whitelisted. For example the CMD string that deletes sandboxie sandboxes is whitelisted so it won't bother you, but if you just run cmd.exe you will indeed get an alert.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ Peter2150

On the other hand, "strict" parent-child control can sometimes also be handy, for example if some app tries to launch the browser, like act8192 said. But would it make any difference when it comes to blocking exploits? That's the question. :)
     
  3. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
The answer in post #3739 and Peter2150's reply above mention command-line strings. I understand that.
Since I don't run ERP, and was told someplace here that SSM is from the age of dinosaurs :) I may well be misunderstanding ERP, so apologies in advance for what follows.

    There are applications which use no command line at all, just what can run what and what can be run from what process.
    For instance (I'm reading some SSM parent-child checks on XP):
    - Outlook can be started only by explorer and can start only notepad and my printer driver. No parameters.
    - SeaMonkey and Opera can be started only by explorer and can start its own updater and plugin container (for flash on youtube)
    - Opera can be started only by explorer and can start its own updater.
    - Foxit reader can be started by explorer, and can start my printer driver.
    - mmc.exe can be started only by explorer and, a can of worms - rundll32.
    - CCleaner can be started by explorer and can start msiexec and few uninstallers which I used.
    - msiexec can be started by services and CCleaner.
    - ProcessExplorer can be started by winlogon and explorer and it can run explorer.
    - Winlogon can run logonui, explorer, userinit, procexp (Process explorer).

    Anything else wanting to run those programs, or if any of them want to start another process, SSM will block or alert - depending on its GUI setting.
    So will "Lockdown Mode (advanced)" take care of parent-child stuff when there is no commandline at all? From the help webpage:
    If Lockdown does work similar to what I listed, then the help web page might need some editing since it states:
     
    Last edited: Aug 2, 2014
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
I think this is over-complicating. If an app is trusted, so what if it launches the browser? It may need it. But if ERP prevents the app from even running, then so what if the app could launch the browser. Rasheed, I think you are over-complicating it. To me it's simple. At this moment in time, I trust everything on my computer. I run ERP in lockdown, so to me it's end of story. Frankly SSM was so complicated that it was a failure to me, as who could figure out all the rules?
     
  5. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    That's my question as well.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
A couple of additional thoughts. First, SSM is dead. The follow-up, Malware Defender, was similar, improved, and also is sort of dead as there is no x64 support. Frankly all this parent/child stuff to me is irrelevant. Although I have not seen him in a bit, Wilders user RMUS used to post whenever a new exploit was found, and he showed that even the then-ancient Faronics AE v2 used to block them all. ERP is so far superior to that in so many ways that if Faronics AE v2 could block them, then no doubt ERP can also. So as I said, to me all this parent/child/SSM stuff is just not pertinent at all. Heck, I would take ERP or AppGuard over SSM/Malware Defender, and using the two together is way more powerful.

    Pete
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes I agree, perhaps it would over-complicate things, and you can always add certain apps to the "vulnerable processes" list. ;)
     
  8. Enternal

    Enternal Registered Member

    Joined:
    Apr 21, 2009
    Posts:
    47
    @novirusthanks
    Thank you! The new version solved the issue with the garbled text in the Parent column for Chrome.
     
  9. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    Running XP, beta 9 ran ok, installed 10 following your instructions re reboot etc, seemed to run ok but only for awhile, then it semi froze, in an odd way hard to describe (& keep this short). Saw that some other folks here were seeing some issues too, so I uninstalled 10.
    You also mentioned

    >>*Note that in this new build there are two new .dll files used by ERP:
    C:\Program Files\NoVirusThanks\EXE Radar Pro\erpmodule.dll
    C:\Program Files\NoVirusThanks\EXE Radar Pro\erpmodule32.dll<<

but I only have erpmodule32.dll on the HDD; erpmodule.dll is not found anywhere. Where could it have gone, unless on some systems you're only supposed to get one of those two??
     
  10. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    424
    I think only 1 dll comes for 32 bit systems.
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @act8192

    As @Peter2150 said, I think what you want to do is a bit over-complicated.

    I believe there is no need to fully control parent processes when you can fully control process execution (globally).

    I mean, with ERP you can create your personal whitelist of safe applications and command-lines allowed to execute in the system and block all the rest automatically (with the Lockdown Mode).

So let's take your examples:

    With ERP, you just need to whitelist outlook.exe and notepad.exe, that's all.

    Other unknown (not whitelisted) processes are just blocked.

    With ERP you just need to whitelist seamonkey.exe, opera.exe, and plugin-container.exe.

    If for example, opera.exe is exploited and it tries to execute a payload (malware), it will be blocked since it is not present in the whitelist.

Keep in mind that even if opera.exe tries to execute cmd.exe, regsvr32.exe or rundll32.exe (vulnerable processes commonly abused by malware/exploit-kit payloads), they will be blocked too (or you will get an alert, depending on how you have configured the Lockdown Mode) if the command-line string is not present in the whitelist.

    Feel free to post here any other question you have so we can discuss it.

    @simmersK00L

    Yes, as @busy said, the DLL in 32-bit OSs is only one.

    @Overkill

    I emptied the application form title so it is hidden in Task Manager 's Applications tab (a small "trick" to protect ERP from a specific process termination technique).

    @busy @TyRidian

    I could fully reproduce the issue reported with CIS and the "HIPS enabled" option.

    *I would recommend anyone to switch back to build v9 or to rename the DLLs erpmodule.dll and erpmodule32.dll to something else, so they will not be injected into new and running processes*

The problem is that CIS hooks the same user-mode APIs (Nt/ZwTerminateProcess) that ERP hooks for self-defense, and this makes the two programs incompatible with each other.

    Here are some possibilities to maintain ERP compatible with almost all other security software while having a self-defense feature:

1) Support self-defense only on Vista+ OSs in ring0 (without hooking any API) and not support self-defense on XP

Pros: Maintains good compatibility with other security software
Cons: On XP, ERP does not have a self-defense option

2) Support self-defense only on Vista+ OSs in ring0 (without hooking any API) and hook Nt/ZwTerminateProcess on XP

Pros: Self-defense is supported on both Vista+ and XP
Cons: ERP will not be compatible with some other security software on XP
There will be more work to support XP only
We need to hook some APIs in order to support self-defense on XP (which may lead to instability in some specific circumstances, e.g. when another program hooks the same APIs)

Unfortunately, on XP we have to hook some APIs (either from user mode, or from kernel mode with SSDT hooks) to support self-defense.

My main focus is to keep ERP stable and compatible with most security software and to avoid code hooking.

What do you guys think about this?
     
    Last edited: Aug 5, 2014
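To make the two models in this exchange concrete (act8192's SSM-style parent/child rules earlier in the thread, and the ERP-style global whitelist of images plus command lines described just above), here is a small policy simulator. It is an added illustration, not code from NoVirusThanks or SSM: the rule formats, process names, the sandbox-cleanup command line and every event are constructed for the example, and the real products' configuration looks different.

```python
"""Toy model of the two execution-control styles compared in the thread:
ERP-style global whitelisting (image + command line, parent ignored) and
SSM-style parent/child rules (who may start whom, command line ignored).

Added illustration, not NoVirusThanks or SSM code; the rule formats, the
process names and every event below are constructed for the example.
"""
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class ExecEvent:
    parent: str    # image name of the process requesting the launch
    image: str     # image name of the process being started
    cmdline: str   # full command line of the new process


@dataclass
class ErpPolicy:
    whitelist: set           # images allowed to run without a command-line check
    vulnerable: set          # images that always need a matching command-line entry
    cmdline_whitelist: list  # fnmatch patterns over the full (lower-cased) command line
    lockdown: bool = True    # True: block unknowns silently; False: alert instead


def erp_decision(ev: ExecEvent, pol: ErpPolicy) -> str:
    """Global model: only the started image and its command line matter."""
    unknown = "block" if pol.lockdown else "alert"
    image = ev.image.lower()
    if image in pol.vulnerable:
        # cmd.exe / rundll32.exe style hosts: only pre-approved strings run silently
        cmd = ev.cmdline.lower()
        if any(fnmatch.fnmatchcase(cmd, p.lower()) for p in pol.cmdline_whitelist):
            return "allow"
        return unknown
    return "allow" if image in pol.whitelist else unknown


@dataclass
class ParentChildPolicy:
    parents: dict   # image -> set of images allowed to start it
    children: dict  # image -> set of images it is allowed to start


def parent_child_decision(ev: ExecEvent, pol: ParentChildPolicy) -> str:
    """Relationship model: the command line is never consulted."""
    parent, image = ev.parent.lower(), ev.image.lower()
    allowed_parents = pol.parents.get(image)
    if allowed_parents is not None and parent not in allowed_parents:
        return "block"
    allowed_children = pol.children.get(parent)
    if allowed_children is not None and image not in allowed_children:
        return "block"
    return "allow"  # neither side has a rule: nothing to enforce


# Constructed policies that mirror the thread's examples.
ERP = ErpPolicy(
    whitelist={"explorer.exe", "outlook.exe", "notepad.exe", "opera.exe", "opera_autoupdate.exe"},
    vulnerable={"cmd.exe", "rundll32.exe", "regsvr32.exe"},
    # Placeholder for the kind of fixed string a sandbox cleanup would use (constructed).
    cmdline_whitelist=[r"cmd.exe /c rd /s /q c:\sandbox\*"],
)
SSM = ParentChildPolicy(
    parents={"outlook.exe": {"explorer.exe"}, "opera.exe": {"explorer.exe"},
             "notepad.exe": {"outlook.exe", "explorer.exe"}},
    children={"outlook.exe": {"notepad.exe"}, "opera.exe": {"opera_autoupdate.exe"}},
)

EVENTS = {
    # trusted app started from an e-mail link: fine for ERP, blocked by the parent rule
    "outlook_starts_opera": ExecEvent("outlook.exe", "opera.exe", "opera.exe http://example.invalid/"),
    # exploited browser dropping into a shell: unknown command line, blocked or alerted
    "opera_starts_cmd": ExecEvent("opera.exe", "cmd.exe", "cmd.exe /c whoami"),
    # pre-approved host command line runs without an alert
    "sandbox_cleanup": ExecEvent("sbiesvc.exe", "cmd.exe", r"cmd.exe /c rd /s /q C:\Sandbox\DefaultBox"),
    # payload dropped next to a trusted app: not whitelisted, so blocked by ERP;
    # the parent/child policy has no rule for either side and lets it through
    "explorer_starts_payload": ExecEvent("explorer.exe", "payload.exe", "payload.exe"),
}


def run_examples():
    """Return {event name: (ERP lockdown, ERP alert mode, parent/child)} for the sample events."""
    alert_mode = ErpPolicy(ERP.whitelist, ERP.vulnerable, ERP.cmdline_whitelist, lockdown=False)
    return {name: (erp_decision(ev, ERP), erp_decision(ev, alert_mode), parent_child_decision(ev, SSM))
            for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, verdicts in run_examples().items():
        print(f"{name:24s} lockdown={verdicts[0]:5s} alert-mode={verdicts[1]:5s} parent/child={verdicts[2]}")
```

The last event is the point of the comparison: a parent/child policy only covers the relationships it lists, so an unlisted binary started by a listed parent passes unless a rule names it, whereas the global whitelist blocks anything it has not seen regardless of who started it. The `vulnerable` set is what makes command-line whitelisting necessary, since cmd.exe is trusted as a file but not for arbitrary arguments.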
  12. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
IMHO, self-defense is a must for any security software.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
There will be mixed votes on this. I always turn off self-protection as it can cause me problems, but others will want it. The best option to me is a switch to turn it on and off.

    My reason for not worrying about self defense, is how can something attack a security program if it isn't allowed to run? And isn't that the purpose of ERP?
     
  14. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
I see. I would move the ERP build info maybe to the right and have the "block unknown applications from running" back to where it was.
     
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Thank you for continuing to support XP! I presently have no stability issues whatsoever (. . .as pertains to my computer, that is. As to my personal stability -- it comes & goes.)
     
  16. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    I'm grateful for XP support as well even though I still haven't decided if it makes sense for me to uninstall SSM and try ERP.
Still trying to understand a few things just based on the help web page and a bunch of excellent answers from novirusthanks and others.

    Edit:
FYI: avastSnx.sys hooks NtTerminateProcess. Whether ERP will conflict, who knows. Does any AV have to exist if ERP is used?
     
    Last edited: Aug 5, 2014
  17. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    I'm warming up to that thought but not yet sure.

    Let me try to rephrase my questions, just once more, bear with me.
    Let's put it this way: I trust=whitelist Opera. I trust Outlook. I trust Foxit or PDF-Xchg viewer or Sumatra. I trust Word or Excel.
    But I don't want Opera to be started from some http link in an Outlook mail or pdf reader or Word or Excel. No command lines involved far as I know. Can I do that sort of restriction in ERP? Based on this thread, I don't think so. Correct?

    I understand that.

    Very grateful for your thorough answers to my questions :)
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ novirusthanks

I'm having problems with the latest ERP version (from the website): it keeps displaying a tab on the Win taskbar, it won't go away, and I can't click on it. I'm back on Win 8.1 again. So for now I downgraded to an older version.
     
  19. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    NOT correct. You could assign opera.exe as a "Vulnerable Process". Thereafter, any attempted run of opera.exe would cause ERP to pop-up an alert asking you if it is okay for opera.exe to run at that specific instance. You allow or disallow - a single click does the job.

    ERP's need for you to click allow or disallow is a minor inconvenience compared with SSM, but ERP is current tech & SSM is not. Further, ERP doesn't use a jillion hooks like SSM. PLUS -- an occasional click exercises your wrist. (Example: my body is an atrophied mess except for my right wrist. So I can still hoist my coffee cup. Thank goodness for ERP's health giving benefits, wot?)
     
  20. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    @bellgamin,
    Thanks for (maybe) clarifying. But that's not quite the drift I got from this thread.
    If putting it in the vulnerable group is a solution, well, then that's ok, I guess.
    And mouse clicking on alerts is my hobby. Never thought of its health benefits :)

    Does ERP have a really clean uninstaller or, if I try it, will I spend the rest of my life cleaning up the registry and system32 and all that?

    Just curious and learning: Why do you consider SSM old tech? User friendliness? Hooks count? Some specific features? Not running on Win7 or 64-bit? As I read this ERP thread, as well as the thread on AppGuard, it seems to me SSM does all of what these two cool applications do. Doesn't it?
     
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    In my experience, ERP has always uninstalled fully & faithfully every time.

    I do not *think so* -- but your question lies beyond my ken. :confused:

    Perhaps Pete or Rasheed or one of the other Wilders doyens will give you an answer to your question.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
On SSM, I don't think so. First, no x64 support, so if you are forced to upgrade, it's bye-bye. Then there may well be bypass exploits that have come up since SSM development was stopped. Who is watching out for that? Finally, for some of the threatening apps, like rundll32 and cmd, writing rules for all the command strings is a monumental task if not impossible. Try and write a rule that covers cmd.exe when Sandboxie exits and deletes the sandbox. It might be possible but could take a long time.

To me, given the cost of these two products, it borders on being a short-sighted decision. My $.20

    Pete
     
  23. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    I have just discovered a conflict between the latest beta of NVTERP and Macrium Reflect. With NVTERP running in alert mode, I cannot start Reflect. I get the "Macrium Reflect has stopped working." message. I have tried the following and these do not help: adding Macrium to trusted publishers list and/or temporarily disabling NVTERP. If NVTERP is uninstalled then Reflect will launch. I have also discovered that if I both disable NVTERP protection and exit (shut down) the NVTERP GUI process (EXERadar.exe), Reflect will start. Here is the information from WER:
    Code:
    Source
    Macrium Reflect Disk Imaging and Backup
    
    Summary
    Stopped working
    
    Date
    8/9/2014 9:44 AM
    
    Status
    Report sent
    
    Description
    Faulting Application Path:    C:\Program Files\Macrium\Reflect\reflect.exe
    
    Problem signature
    Problem Event Name:    BEX64
    Application Name:    Reflect.exe
    Application Version:    5.3.7134.0
    Application Timestamp:    53e3799b
    Fault Module Name:    StackHash_587a
    Fault Module Version:    0.0.0.0
    Fault Module Timestamp:    00000000
    Exception Offset:    PCH_26_FROM_ntdll+0x000000000009CA2B
    Exception Code:    c0000005
    Exception Data:    0000000000000008
    OS Version:    6.3.9600.2.0.0.256.48
    Locale ID:    1033
    Additional Information 1:    587a
    Additional Information 2:    587a0a8e1156a99b2e93b0c6b7eadfe9
    Additional Information 3:    1f77
    Additional Information 4:    1f773c154fc6510ec519f7c5fb97d0c4
    
    Extra information about the problem
    Bucket ID:    a73aebcfdc186a975123a01a4b9c1cfc (81702240822)
    It appears that and so I am assuming this has something to do with the new NVTERP self-protection feature...

    Edited to add: If needed, I am on Windows 8.1.1 Pro 64 bit...
     
    Last edited: Aug 9, 2014
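The WER block in the report above carries more diagnostic information than the "stopped working" dialog shows. The following parser, an added example that is not part of the thread and not NoVirusThanks or Macrium code, pulls the key/value fields out of a WER entry and decodes the ones that matter for a crash like this one. The sample text is a trimmed copy of the posted report; the field names are the ones WER itself prints, and the lookup tables are standard Windows semantics (the exception code is an NTSTATUS value, and for an access violation the first exception-data word is 0 for read, 1 for write and 8 for an execute/DEP fault).

```python
"""Parse the key/value block of a Windows Error Reporting (WER) entry and
summarise what the crash signature says.

Added example, not code from the thread, NoVirusThanks or Macrium. The sample
is trimmed from the report posted above; the interpretation tables are the
documented Windows meanings of the values.
"""
import re

# Trimmed copy of the report posted in the thread (constructed sample input).
WER_SAMPLE = """\
Description
Faulting Application Path:    C:\\Program Files\\Macrium\\Reflect\\reflect.exe

Problem signature
Problem Event Name:    BEX64
Application Name:    Reflect.exe
Application Version:    5.3.7134.0
Fault Module Name:    StackHash_587a
Exception Offset:    PCH_26_FROM_ntdll+0x000000000009CA2B
Exception Code:    c0000005
Exception Data:    0000000000000008
OS Version:    6.3.9600.2.0.0.256.48
"""

# "Key:<whitespace>value"; section headings such as "Problem signature" have no colon.
FIELD_RE = re.compile(r"^\s*([^:]+?):\s+(.*\S)\s*$")

# NTSTATUS codes WER commonly reports as "Exception Code".
NTSTATUS_NAMES = {
    "c0000005": "STATUS_ACCESS_VIOLATION",
    "c000001d": "STATUS_ILLEGAL_INSTRUCTION",
    "c00000fd": "STATUS_STACK_OVERFLOW",
    "c0000409": "STATUS_STACK_BUFFER_OVERRUN",
}

# ExceptionInformation[0] of an access violation: what the faulting access tried to do.
AV_ACCESS = {0: "read", 1: "write", 8: "execute (DEP)"}


def parse_wer(text: str) -> dict:
    """Return the report's key/value lines as a dict; heading-only lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def summarize(fields: dict) -> dict:
    """Decode the fields a responder looks at first: status, module, offset, access type."""
    code = fields.get("Exception Code", "").lower()
    summary = {
        "application": fields.get("Application Name"),
        "event": fields.get("Problem Event Name"),
        "code": code,
        "status": NTSTATUS_NAMES.get(code, "unknown"),
        "module": None,
        "offset": None,
        "access": None,
        # A StackHash_* fault module means WER could not attribute the faulting
        # address to a loaded module, so the offset is all it could record.
        "symbolized": not fields.get("Fault Module Name", "").startswith("StackHash"),
    }
    m = re.search(r"FROM_(\w+)\+0x([0-9A-Fa-f]+)$", fields.get("Exception Offset", ""))
    if m:
        summary["module"] = m.group(1)
        summary["offset"] = int(m.group(2), 16)
    if code == "c0000005":
        try:
            info0 = int(fields.get("Exception Data", ""), 16)
        except ValueError:
            info0 = None
        summary["access"] = AV_ACCESS.get(info0, "unknown")
    return summary


if __name__ == "__main__":
    for key, value in summarize(parse_wer(WER_SAMPLE)).items():
        print(f"{key:12s} {value}")
```

For the posted report this yields an access violation of the execute kind inside ntdll, which is the signature WER files under the BEX64 bucket; that is a useful detail to attach to a bug report about an injected module, because it narrows the question to what was executing from a non-executable page rather than a generic "stopped working".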
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Kent

    I have in no way disabled self protection, What I do however is when Macrium offers me an update, I put ERP in learning mode. Do the upgrade, and then restart macrium. Then I shut it down, put ERP back in Lockdown, and take an image. No problems. On win 7 x64 sp1

    Pete
     
  25. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello Pete,

Maybe my explanation was not clear or you might have misunderstood me. I am not trying to update Macrium (or anything else); I am trying to do an image with Macrium. It will not launch and I get the "has stopped working" message. The only way I can launch Macrium is to either uninstall NVTERP or disable NVTERP protection and close/shut down NVTERP. Otherwise, Macrium will not launch on my system. This just started with the latest NVTERP beta, as all previous NVTERP versions have worked fine with Macrium (I was able to launch Macrium and do an image)...
     