New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well, let's see what our magician Andreas has to say. Who knows.
     
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    I personally agree with @Peter2150 as you can switch to "Allow Mode" (or "Disable Protection") when you need to install software.

    The "Allow Mode" automatically allows (without adding to the whitelist) any new process, except for blacklisted processes, which are blocked.

    Personally I always switch to "Allow Mode" when I have to install (trusted) software.

    I always switch to "Alert Mode" when I have to install software that is bundled with adware (to block the payload, just in case it is executed).

    An "Install Mode" could work like this: auto-allow all processes started by the "setup.exe" (or "setup.tmp") parent process, but this could generate some alerts, as some DLLs or other files may be loaded by using a system process (such as cmd.exe or rundll32.exe) with a different parent process. Alternatively, ERP could enable "Allow Mode" until "setup.exe" or "setup.tmp" has terminated, but if you run "sample.exe" while the software is being installed it will be executed, so it would not be good.

    @Paul R

    Click on "WhiteList" -> "Command-Lines" -> Right-click with the mouse and select "Add new..." to add the command-line to safe command-line strings:

    It is a safe command-line string used by the OS for "Customer Experience Improvement Program" (CEIP):
    http://msdn.microsoft.com/en-us/library/dn449424(v=winembedded.82).aspx
     
  3. Paul R

    Paul R Registered Member

    Joined:
    Aug 5, 2014
    Posts:
    59
    Location:
    Bury, Lancashire
    Thanks NVT,

    Although on checking, I have already opted out, so why it wants to run is strange.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Currently I'm not using ERP, but I did install it on a new Win 8 machine, and the thing that bothered me the most was having to switch from one "mode" to another. With System Safety Monitor (HIPS + anti-exe) I run either in "alert mode" or in "lockdown mode". So whenever I want to install or run some app that is not whitelisted, I go into "alert mode", and then I can choose to either trust the installer with "install mode", or I can monitor the installation. After that I can switch back again to "lockdown mode", it's that simple. So I really think that this function is needed. :)
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am not quite sure what you are asking for, as I do what you describe all the time. BTW, can you use SSM on your new machine?
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ Peter2150

    The thing is that the "install mode" option needs to be in the "alert window". This way you won't have to go into "allow mode". And SSM doesn't work on Win 7/8. :)
     

  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That's fine, but this isn't SSM. And I think it is a terrible idea with the newer installers that slip stuff in like OpenCandy. If you go into install mode you get that, like it or not. To avoid it you need to click through. Problem is SSM was then and ERP is now.
     
  8. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    254
    Location:
    Poland
    Does somebody have a key for EXE Radar Pro to give away? I would be glad to use this software :O on my system.

    Magic word: "Please"
     
    Last edited: Aug 27, 2014
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not sure what you are asking, but license exchanges, etc. are a TOS violation.

    Pete
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks for stating the obvious, yes I know that SSM isn't ERP. But that's not the point, is it? The point is that I'm trying to come up with ideas that will make the product easier and more handy to use. And in case you haven't managed to figure it out yet, you don't have to click on "Install Mode" if you don't completely trust the app. :)
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Let's see what Andreas thinks.
     
  12. Cch123

    Cch123 Registered Member

    Joined:
    Oct 27, 2013
    Posts:
    15
    Hi guys, I would just like to find out if EXE Radar Pro has any advantage over Kaspersky Trusted Applications mode. Is it worth running them together?
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Depends on what "trust" means in Kaspersky. For example, how does Kaspersky handle apps like rundll32.exe, cmd.exe, wscript.exe, and all the other system apps that can be misused? Answer that and we can give you a good answer.

    Pete
     
  14. Cch123

    Cch123 Registered Member

    Joined:
    Oct 27, 2013
    Posts:
    15
    It doesn't really control those apps like EXE Radar does. It extends whitelisting to scripts like VB, JS etc., so if they are not on the whitelist, they can't run. In the end, they do the same thing, that is to prevent malicious scripts from running.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I think you've answered your question. ERP provides granular control over apps like rundll32 and cmd, etc, where what you are saying is Kaspersky doesn't.

    Pete
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ novirusthanks

    I was reading an article about the CryptoWall Ransomware, and I wonder how ERP could protect against this. Should "vssadmin.exe" be added to "Vulnerable Processes" or will that cause any problems? :)

    This is from the article:

    "When CryptoWall is first executed, it unpacks itself in memory and injects malicious code into new processes that it creates. It creates an "explorer.exe" process using the legitimate system binary in a suspended state and maps and executes malicious code into the process's address space. This malicious instance of explorer.exe then executes the following process: vssadmin.exe Delete Shadows /All /Quiet"

    http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Rasheed

    I'll take a stab at this for you.

    1. I wouldn't add vssadmin.exe to the vulnerable processes list or do anything else to impede it. It is for the MS Volume Shadow Service and is crucial for imaging and backup apps. Having it stopped by a pop-up could be troublesome.

    2. The key in terms of ERP is the "When CryptoWall is first executed". That is where ERP should stop it, as from a read of the article, it is probably going to come as some form of user-initiated download. Remember ERP is strictly an Anti-Executable, so after that it's bye bye.

    3. How I run ERP to help protect me. First, knowing my system is clean, I whitelist everything in Windows, Program Files, and Program Files (x86). I turn off trusted vendors and checking certificates. Then I run in Lockdown Mode. The only way anything is going to get by is if I screw up.

    4. How do I protect myself in terms of my total security setup?

    a) I run SBIE, so right there any unexpected downloads are stopped. I run SBIE with only certain processes allowed to start and/or access the internet.
    b) If I download something I am not 100% sure of, I run it from my desktop, and I run it with AppGuard guarding it. This should contain any memory games.
    c) I also run EIS/EAM from Emsisoft. This will prevent the download if a threat is detected (tested) and also challenge any code injection.
    d) The biggie. Don't click on links in dumb emails. We all get them and they aren't too hard to recognize.
    5. I run Raxco's Instant Recovery so if I do screw up by accident, I can easily undo whatever happened. I also image frequently.
    6. If and when I do get curious about what's up with a strange email, I will look at it in a virtual machine. My virtual machine has the same security software as the host, plus I have all the VM applications guarded for memory isolation.

    This is my approach.

    Pete
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks, but to clarify, I'm talking about a theoretical scenario where you download some malicious app that turns out to be CryptoWall. Let's say it comes up clean (AV cannot spot it), and it can even notice that it's being executed in the sandbox, so it will stay quiet. So now the only way to disrupt it is with HIPS.

    But anyway I was going a bit off topic, what I was thinking is: apps should not be able to run vssadmin.exe freely. How to solve this problem without causing any problems? One solution is "strict parent-child process control", and this will complicate things, I suppose. :)
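As an added example (not NoVirusThanks' code and not how ERP is actually implemented), here is a small Python model of the policy points raised in post 2 (Allow Mode, a blacklist that still wins, safe command-line strings, auto-allowing an installer's child processes, and the caveat that a grandchild launched through cmd.exe has a different parent) and in posts 16 and 18 (vssadmin.exe treated as a vulnerable process, parent-child control). All paths, process names, the `sample_bad.exe` blacklist entry and the sample events are constructed, and the rule ordering is my assumption, not ERP's.

```python
"""Toy anti-executable policy engine (added example; not NVT's or ERP's code).

Models: Alert / Allow / Lockdown modes, whitelisted directories, a blacklist
that still blocks in Allow Mode, exact safe command lines, a "vulnerable
processes" list, and a parent rule that auto-allows an installer's direct
children ("Install Mode") while vssadmin.exe from an unexpected parent is
still stopped. Every path, name and event below is constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
import ntpath


class Mode(Enum):
    ALERT = "alert"        # unknown processes prompt the user
    ALLOW = "allow"        # unknown processes run; the blacklist still blocks
    LOCKDOWN = "lockdown"  # unknown processes are blocked without a prompt


@dataclass
class ProcessEvent:
    image: str         # full path of the new process
    cmdline: str       # its full command line
    parent_image: str  # full path of the parent process


@dataclass
class Policy:
    mode: Mode = Mode.ALERT
    whitelist_dirs: tuple = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
    blacklist_names: frozenset = frozenset({"sample_bad.exe"})  # constructed name
    safe_cmdlines: frozenset = frozenset()                       # exact-match strings
    vulnerable_names: frozenset = frozenset(
        {"cmd.exe", "rundll32.exe", "wscript.exe", "vssadmin.exe"})
    install_parents: set = field(default_factory=set)  # installers granted Install Mode


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _under(path: str, root: str) -> bool:
    return ntpath.normcase(path).startswith(ntpath.normcase(root) + "\\")


def decide(policy: Policy, ev: ProcessEvent) -> str:
    """Return 'allow', 'block' or 'alert' for one process-creation event."""
    name = _name(ev.image)
    parent_is_installer = _name(ev.parent_image) in policy.install_parents
    # 1. The blacklist wins in every mode, Allow Mode included.
    if name in policy.blacklist_names:
        return "block"
    # 2. Vulnerable system binaries are never trusted by their whitelisted path;
    #    they run only on an exact safe command line or directly under an installer.
    if name in policy.vulnerable_names:
        if ev.cmdline in policy.safe_cmdlines or parent_is_installer:
            return "allow"
        return "block" if policy.mode is Mode.LOCKDOWN else "alert"
    # 3. Direct children of an Install Mode parent are auto-allowed, not whitelisted.
    if parent_is_installer:
        return "allow"
    # 4. Anything inside a whitelisted directory runs.
    if any(_under(ev.image, d) for d in policy.whitelist_dirs):
        return "allow"
    # 5. Everything else is decided by the current mode.
    return {Mode.ALLOW: "allow", Mode.LOCKDOWN: "block", Mode.ALERT: "alert"}[policy.mode]


def run_demo(mode: Mode = Mode.ALERT) -> dict:
    """Evaluate constructed sample events under one mode; returns label -> verdict."""
    sys32 = r"C:\Windows\System32"
    dl = r"C:\Users\alice\Downloads"
    policy = Policy(
        mode=mode,
        safe_cmdlines=frozenset({f'"{sys32}\\vssadmin.exe" List Shadows'}),
        install_parents={"setup.exe"},  # the user chose "Install Mode" for setup.exe
    )
    events = {
        # installer spawns cmd.exe directly: auto-allowed by the parent rule
        "installer_child": ProcessEvent(f"{sys32}\\cmd.exe", "cmd.exe /c copy a b", f"{dl}\\setup.exe"),
        # the caveat from post 2: the grandchild's parent is cmd.exe, not the installer
        "installer_grandchild": ProcessEvent(f"{sys32}\\rundll32.exe",
                                             "rundll32.exe setupapi.dll,InstallHinfSection", f"{sys32}\\cmd.exe"),
        # the chain quoted in post 16: explorer.exe deleting shadow copies
        "shadow_delete": ProcessEvent(f"{sys32}\\vssadmin.exe",
                                      "vssadmin.exe Delete Shadows /All /Quiet", r"C:\Windows\explorer.exe"),
        # a backup tool's read-only query, whitelisted by exact command line
        "shadow_list": ProcessEvent(f"{sys32}\\vssadmin.exe", f'"{sys32}\\vssadmin.exe" List Shadows', f"{sys32}\\cmd.exe"),
        "blacklisted": ProcessEvent(f"{dl}\\sample_bad.exe", "sample_bad.exe", r"C:\Windows\explorer.exe"),
        "unknown_download": ProcessEvent(f"{dl}\\sample.exe", "sample.exe", r"C:\Windows\explorer.exe"),
        "trusted_dir": ProcessEvent(r"C:\Program Files\Editor\editor.exe", "editor.exe", r"C:\Windows\explorer.exe"),
    }
    return {label: decide(policy, ev) for label, ev in events.items()}


if __name__ == "__main__":
    for m in Mode:
        print(m.value, run_demo(m))
```

Running it shows the trade-off the thread is circling: with the installer in Install Mode its direct cmd.exe child is allowed, but the rundll32.exe it launches still alerts because its parent is cmd.exe; the shadow-copy deletion from explorer.exe alerts (or is blocked in Lockdown) even though vssadmin.exe lives in a whitelisted directory, while the exact "List Shadows" command line a backup tool uses passes.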
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Now I have to ask why I bothered answering you. Frankly I could care less about theoretical scenarios you've dreamed up to justify your "HIPS" which I presume means SSM. So try not running Vssadmin.exe freely with your child parent rules, and see what happens, but this thread is about ERP not HIPS, or ERP vs HIPS. So try it but try it with the /quiet switch.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ Peter2150

    I was thinking the same, you seem to have completely missed the point, so I won't bother trying to explain. ;)
     
  21. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    I agree with @Rasheed187 that an install-mode option on the alert window would be useful. The problem with manually switching to Allow mode is that your system is vulnerable to other threats while the install is taking place until the mode is switched back to Alert mode.

    SpyShelter has a similar option on the alert dialog, which works in the same way @novirusthanks suggested, and it's very useful.

    If you trust the installer, you can just click Installer mode on the alert window, and if you want to monitor it then just click the normal Allow button.
     
  22. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    I agree... an "install mode" option in the pop-up alert is useful even in a non-HIPS like ERP. I'm using both mentioned apps, SS and ERP, and I see the difference during the installation process of a trusted app.
     
    Last edited: Sep 11, 2014
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Good point, didn't even think of that. :thumb:
     
  24. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    I saw this quote by one of the developers, ZeroVulnLabs, of Malwarebytes Anti-Exploit:

    and was wondering if ERP will also prevent the Duqu payload from executing?
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ Defenestration

    Well that is the thing, to me it's still not clear if specialized anti-exploit tools like MBAE are better at stopping standard exploits/payloads compared to AE tools like EXE Radar and AppGuard. Yes I know, AppGuard offers more than a standard AE, but that is not the point. In the last test that was sponsored by Malwarebytes, a lot of tools performed badly (including Kaspersky), but the exploits were quite advanced, so I'm not sure how EXE Radar would have performed. :)
     