New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. powerpack

    powerpack Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    42
    Location:
    Now-here or NO-WHERE
    Hello All!
    I have installed ERP Free with Software Restriction Policy and played really nice! :thumb:
    By the way, just wonder, version 2.7.0.0 is the latest free version or am I missing something?
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,656
    Location:
    USA
    If they use the most commonly encountered exploits in the Wild in their test then I would not be surprised if a good solid AE like ERP scored even higher than applications that only specialize in exploits. The fact is that the overwhelming majority of exploits do use some sort of payload. If the majority of the exploits they use in their test use more advanced exploit methods that do not use a payload then MBAE, HMPA, and EMET should score much higher than an AE alone. The best option would be to use them both if they do not cause an application conflict. You just have to be careful not to keep adding security applications to your machine until you end up being the virus lol. I like staying at 3 real-time myself. Also, always keep all your applications and OS up to date with the latest patches.
     
  3. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,905
    Yes, piling up security software with overlapping functions is a very bad idea. I only have 2 real-time monitors: Kaspersky IS and EMET, with AppLocker enforced. I tried MBAE and HMPA, however I don't feel like I'll keep either one of them since I am very satisfied with the free EMET.
    You made a very good point - yes it's very important to keep the OS and all programs up to date, which many ppl here fail to do.

     
  4. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    @Cutting_Edgetech

    Payloads can be executable files but don't have to be. There are different payload types, some of them execute in memory only. These are payloads as well.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,656
    Location:
    USA
    I was referring to payloads that actually write to the disk, but you bring up a good point.
     
  6. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Well, I wonder if ERP does block that? I'm sure AppGuard does and SBIE4 as well, but I'm not sure about ERP.
    As far as I know you would still need to execute malware to do the dirty job in order to actually attack your memory security and have your memory security compromised; before that, nope.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,656
    Location:
    USA
    Will you add this to the default list of safe command line strings? C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate -nolegacy It was blocked by ERP, and it caused my VPN service to disconnect. As soon as I allowed it the VPN reconnected. I will be good for now since I whitelisted it, but if I ever roll my machine back to an image before installing ERP then it will be a problem again. Sometimes it takes a few hours before it runs. The problem with that is I'm not always at my machine, and it will cause my VPN to disconnect again. I could just add it myself, but I don't exactly trust that I will remember to add it if I roll my machine back a few months from now. I'm using Windows 7 x64 Ultimate.
     

    Last edited: Sep 19, 2014
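    As an added illustration (not ERP's or NoVirusThanks' code) of why a "safe command line" entry such as the rundll32 line in this post is keyed on the full command line rather than on the image path alone; every string below except that rundll32 line is constructed for the example, and the normalization rules are the example's own assumptions:

```python
"""Command-line whitelist matching, modelled on the kind of rule discussed
in the thread. Not ERP's own code; normalization choices are assumptions."""


def normalize_cmdline(cmdline: str) -> tuple[str, str]:
    """Split a Windows command line into (image_path, args).

    The image path is lower-cased because NTFS paths are case-insensitive.
    Arguments keep their case (a DLL export name such as AePduRunUpdate is
    resolved case-sensitively) but have their whitespace collapsed.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):  # quoted image path, e.g. "C:\Program Files\..."
        end = cmdline.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in image path")
        image, rest = cmdline[1:end], cmdline[end + 1:]
    else:
        parts = cmdline.split(None, 1)
        image, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    return image.lower(), " ".join(rest.split())


# The one entry this post asked to have added to ERP's default safe list.
SAFE_COMMAND_LINES = [
    r"C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate -nolegacy",
]


def build_rules(entries):
    """Normalize every whitelist entry once so lookups are exact set membership."""
    return {normalize_cmdline(e) for e in entries}


RULES = build_rules(SAFE_COMMAND_LINES)


def is_whitelisted(cmdline: str, rules=RULES) -> bool:
    """Full-command-line rule: image path AND arguments must both match."""
    return normalize_cmdline(cmdline) in rules


def is_image_whitelisted(cmdline: str, rules=RULES) -> bool:
    """Weaker path-only rule, shown only to contrast: it would also pass any
    other DLL export launched through the same rundll32.exe host."""
    image, _ = normalize_cmdline(cmdline)
    return image in {img for img, _ in rules}
```

The path-only variant is the over-broad rule a practitioner should avoid for host processes like rundll32.exe; the full-command-line rule stays narrow while still tolerating case and spacing differences in how the OS launches the task.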
  8. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    OK... a month has passed since the last beta build.
    Andreas, when can we expect the final release?
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    Yes, I agree, I would not be surprised if "anti-executable" apps perform just as well as specialized "anti-exploit" tools. Would be cool if someone could test EXE Radar, AG, MBAE and HMPA against the most used exploit kits. :)
     
  10. natZONE

    natZONE Registered Member

    Joined:
    Oct 8, 2012
    Posts:
    31
    Location:
    Germany
    The GUI of ERP has no real password protection. It's easy to kill EXERadar.exe with Process Explorer as an unprivileged standard user and restart it again without a password. The password you entered before is not requested. Also, stealth mode cannot be activated via function keys. I tried it with F12 and <SHIFT> F12.
     
    Last edited: Sep 21, 2014
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Did you have self protection turned on?
     
  12. natZONE

    natZONE Registered Member

    Joined:
    Oct 8, 2012
    Posts:
    31
    Location:
    Germany
    Self-protection is on, and a password is set. I can still kill ERP via Process Explorer v16.04.
     

  13. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,052
    Location:
    Canada
    I have a question for Andreas or anyone else who would know the answer...

    I bought a new Laptop and I would like to know if I can transfer my actual licence on it? Or do I have to buy a new one?

    Thanks for the help
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I think if you uninstall off the old machine, you should be able to install on the new one.

    Pete
     
  15. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,052
    Location:
    Canada
    Thanks Pete:)
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,170
    Location:
    Italy
    @Cutting_Edgetech

    Sure, that command-line string will be added in next build.

    @siketa

    So far I received only two emails about potential errors on ERP (that have to be verified), so the last beta build seems pretty stable.

    I implemented now "Install Mode" in ERP, will run some more tests tomorrow and then will upload here the new beta build.

    Wanted to add "Install Mode" to ERP before releasing the final build :)

    @Antarctica

    Replied to your PM.

    @natZONE

    "Self-protection" was meant to protect mainly from Task Manager (since it is a system process that may be needed by sys admins), as you can auto-block all new processes (and so Process Explorer would not be able to run).

    However, Process Explorer was not able to kill ERP the last time I tested it (as I remember), I will give it another test.

    "Password protect on exit" means that if you click on File -> Exit or from the tray icon -> Exit you will be asked to enter the pass.

    It has no effect when a process tries to kill/terminate ERP.

    @powerpack

    Yes, the last free (old) version is v2.7.0, but it is no longer supported.
     
  17. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    Export/Import Settings file open/save dialog doesn't remember previous folder (it always defaults to Desktop). For example, if I export the Application Settings to D:\MySettings\settings.erp, then export/import again, I expect ERP to set the file save/open dialog to D:\MySettings rather than Desktop.
     
  18. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    @novirusthanks With the new Install mode, are you making it so that it doesn't create new rules for the auto-allowed child processes? This is my preference (i.e. I just don't want to be bothered by alerts during install, but I want to get an alert if any of the child processes are executed again).

    EDIT (to avoid more posts :) ):
    Also, I think I suggested this before, but can you make it so that a double-click on a white-listed command line will open the View/edit window.

    You could also do the above for other lists (eg. open file properties for Applications and Whitelist entries, and Edit item for the File Location entries etc.)
     
    Last edited: Sep 23, 2014
  19. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    I run Shadow Defender and ERP blocked the main window from running (i.e. Defender.exe) due to an expired/revoked certificate when double-clicking the SD tray icon. ERP was correct in that the certificate is expired, but there doesn't appear to be any way to allow it without disabling certificate checking altogether. Even though it is expired, I still expected the normal Allow/Deny alert dialog to be displayed, but with the Certificate section highlighting the fact that it is expired.

    Another related feature I've requested before is the ability to disable signature/certificate checking, but still have the alert dialog show the certificate expiry date (even if it can't be checked for revocation)
     
  20. natZONE

    natZONE Registered Member

    Joined:
    Oct 8, 2012
    Posts:
    31
    Location:
    Germany
    Try the actual version of Process Explorer; you will see that you are able to terminate the GUI of ERP. Furthermore, if you restart ERP after it was just killed via Process Explorer, it does not ask you for the password you set before. This is definitely a vulnerability. You didn't defer to this argument I wrote in my review. Moreover, the password is not case sensitive.
     
  21. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    @novirusthanks

    1. With latest beta, if you select "BlackList Process" from alert dialog, it doesn't get added to the Blacklist, so opening the same process again results in an alert.
    2. On Quarantine list, can you add two new context menu items:
    • "Open original folder" which will open Explorer at location where quarantined process came from
    • "Show file properties" to show properties dialog
    3. After a fresh installation of ERP without reboot, I noticed two .dmp files in the temp folder (e.g. 78398737.dmp was 32KB or 64KB and ~78398737.dmp was 0 bytes). Before rebooting, I tried to delete them and it said one of the ERP processes had a lock on them. After reboot I was able to delete them, but after every boot (with ERP auto-starting) a new 12345678.dmp 0 byte file re-appears (which can be deleted immediately, i.e. no lock).
     
  22. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    @novirusthanks

    I was having a look back at some of my posts and noticed that a few more of the usability suggestions haven't made it into ERP yet (e.g. Date/Time column on all rule lists). Are these on your TODO list or were they just overlooked?
     
  23. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    @novirusthanks
    The same is happening with WhiteList Process - it doesn't get added to the list. WhiteList Command Line works fine though.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    Cool, this will make EXE Radar a lot easier to use, thanks a lot. :thumb:

    I think I also had this problem the last time I checked on Win 8.
     
  25. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    Glad I'm not the only one :) I'm on Win 8.1.1 x64. The Last Modified timestamp for WhiteList.db under ProgramData does get updated when the button is clicked, but the size does not change.
     