New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    A few more minor usability suggestions:

    - Ctrl+A in View/Edit Command Line window edit box (and any other edit boxes where it doesn't already work) to select all text
    - Export/Save Selected events to file. Allow multiple selection in events list and export only selected events. It would be handy if you could add a mini toolbar to the top-left of the list with buttons for "Export All", "Export Selected", "Clear All", and "Clear Selected"
     
  2. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    676
    I have a continued problem with ERP preventing me from reaching my desktop. I have the screensaver set to come on after 8 minutes and power management turn off the display after 15 minutes. When I leave the computer and come back I see the screen as shown in my image. The mouse cursor still moves and Ctrl-Alt-Delete does nothing. I have to hard reset to get back in. Without ERP installed, this never happens.

    Windows 8.1 x64
     


  3. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    @Charyb I've had similar things and it's usually caused by an unanswered ERP alert when the system is activating the screensaver or going to sleep. Under Settings > General, have you unchecked any of the three "Allow..." checkbox options? If so, try enabling all of them to see if that solves the hang problem.

    You could try enabling logging and saving to a file, and then looking through the log after a hard reset to see what ERP events occurred before. A better option may be to watch the screen for just over 8 minutes until the screensaver kicks in, then move the mouse to see if an alert is visible. If not, leave it for just over 15 minutes until it goes to sleep and then move the mouse to wake up, to see if you can see any alert, or whether you just get the result.

    @novirusthanks

    For this sort of issue, it would be useful if there was an extended logging option to include alert events in the log, since this would allow you to see if there was an alert before any system "hangs". I prefer to disable the auto-allow options (eg. for signed processes, MS processes etc.), and this would help with debugging to see what alert was waiting to be answered.
     
  4. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    @novirusthanks

    - When adding a new command line via context menu Add new..., it should activate the editbox automatically so you can just start typing/pasting
    -- Can you make the Enter key add the new cmdline and close the Add new... dialog
    - Can you add a new context menu item, "Add Command Line to WhiteList", to the Events list
    - Enable Copy to clipboard when multiple items are selected (eg. whitelist command lines)
     
    Last edited: Sep 25, 2014
  5. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    676
    @Defenestration
    I tried what you suggested and still couldn't view any alerts. I then tried manually adding C:\WINDOWS\system32\Mystify.scr to the process white list which I could not do. Then, I ran ERP in learning mode which automatically added Mystify.scr to the white list. Why was I not able to manually add it? It seems you can only manually add .exe files. After doing so, I have not been locked out of my desktop. Needs more testing and I will post back whether or not this fixed my problem.
     
  6. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    @Charyb Glad you got it sorted.

    Learning mode was the other thing I was going to suggest and should've been the first thing I suggested TBH. :D

    The file dialog needs to be changed to allow all files to be viewed instead of just .exe, along with any other logic that might dis-allow non .exe files from being added to the list.

    You can actually add non .exe paths by using the Command-Line list, although you will need to add a * to allow all command lines (which is the equivalent of a whitelisted process)
     
  7. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    @novirusthanks

    There appears to be a bug with whitelist command-line processing with wildcards, as I continue to get alerted even though a wildcard command-line matches it.

    For example, I have the following wildcard command-line

    Code:
    "openvpn\bin\openssl" rsautl -verify -certin -in ssl\*.sig
    and I am still getting alerted when the following command-line is executed:

    Code:
    "openvpn\bin\openssl" rsautl -verify -certin -in ssl\1a2b3c456788ef3d.sig
    The bug might be related to the quotes in the first part of the command-line, as I have noticed this with other command-lines (all quote the opening part of the command).
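
Added example, not code from EXE Radar Pro or from the posts above: a quote-aware wildcard matcher for command lines, written to show how the whitelist entry from this post and the bare `*` entry mentioned a few posts earlier are expected to behave. Both sides are split into arguments first (double-quoted runs kept as one argument, quotes dropped), then compared argument by argument with fnmatch-style `*`/`?` wildcards, case-insensitively. The tokeniser is a simplification of Windows argv rules (no escaped quotes), and the names `split_cmdline` and `cmdline_matches` are my own.

```python
"""Quote-aware wildcard matching of process command lines (added example)."""
import fnmatch
import re

# One argument per match: either a double-quoted run (quotes stripped) or a
# bare run of non-whitespace. Simplified Windows argv rules: no escaped quotes.
_ARG = re.compile(r'"([^"]*)"|(\S+)')

# The whitelist entry and the alerted command line from the forum post.
WHITELIST_PATTERN = r'"openvpn\bin\openssl" rsautl -verify -certin -in ssl\*.sig'
OBSERVED_CMDLINE = r'"openvpn\bin\openssl" rsautl -verify -certin -in ssl\1a2b3c456788ef3d.sig'


def split_cmdline(cmdline):
    """Split a command line into arguments, dropping the surrounding quotes."""
    return [quoted if quoted else bare for quoted, bare in _ARG.findall(cmdline)]


def cmdline_matches(pattern, cmdline):
    """True when cmdline matches the whitelist pattern argument by argument.

    Both sides are tokenised first, so whether the executable is written as
    "openvpn\\bin\\openssl" or openvpn\\bin\\openssl makes no difference. Each
    pattern argument may use * and ? (fnmatch rules, compared case-insensitively
    because Windows paths are case-insensitive). A final bare * swallows any
    number of remaining arguments, so the pattern "*" alone allows every
    command line for that process.
    """
    pat = [p.lower() for p in split_cmdline(pattern)]
    args = [a.lower() for a in split_cmdline(cmdline)]
    if pat and pat[-1] == '*':
        pat = pat[:-1]
        if len(args) < len(pat):
            return False
        args = args[:len(pat)]
    elif len(pat) != len(args):
        return False
    return all(fnmatch.fnmatchcase(a, p) for a, p in zip(args, pat))


if __name__ == '__main__':
    print(split_cmdline(WHITELIST_PATTERN))
    print(cmdline_matches(WHITELIST_PATTERN, OBSERVED_CMDLINE))   # True
    print(cmdline_matches('*', 'anything at all'))                # True
```

Note that a trailing `*` only absorbs whole arguments, so `"C:\Program Files\app\app.exe" *` matches the quoted launch of that program with any switches, but not an unquoted `C:\Program Files\app\app.exe`, which tokenises to two different arguments.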
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
  9. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    @novirusthanks While looking through the events, I noticed some oddities whereby the parent process was shown as what looked like Asian unicode text. I have included the surrounding events for each occurrence, but there were a load of similar events. They were all related to .NET.

    Could it be that there is a bug whereby the unicode parent path is somehow corrupted, resulting in it being shown as Asian text rather than English?

    ERP_Parent_Process_Bug.png
    Code:
    [Date/Time: 01/10/2014 14:52:47] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [13412]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent eac -InterruptEvent 0 -NGENProcess 45c -Pipe 480 -Comment "NGen Worker Process"]
    [Date/Time: 01/10/2014 14:52:47] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [13332]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]???????????????????????????] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 0 -NGENProcess 394 -Pipe 510 -Comment "NGen Worker Process"]
    [Date/Time: 01/10/2014 14:52:47] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [13308]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent f6c -InterruptEvent 0 -NGENProcess 628 -Pipe ea4 -Comment "NGen Worker Process"]
    
    [Date/Time: 01/10/2014 14:52:37] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [12920]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent efc -InterruptEvent 0 -NGENProcess 428 -Pipe f14 -Comment "NGen Worker Process"]
    [Date/Time: 01/10/2014 14:52:37] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [12304]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]???????????????????????????] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 4a8 -InterruptEvent 0 -NGENProcess f94 -Pipe 41c -Comment "NGen Worker Process"]
    [Date/Time: 01/10/2014 14:52:37] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [12360]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 428 -InterruptEvent 0 -NGENProcess f14 -Pipe f18 -Comment "NGen Worker Process"]
    
    [Date/Time: 01/10/2014 14:52:35] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [13212]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent fa4 -InterruptEvent 0 -NGENProcess ffc -Pipe 794 -Comment "NGen Worker Process"]
    [Date/Time: 01/10/2014 14:52:35] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [13160]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]{325B9] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent f4c -InterruptEvent 0 -NGENProcess fbc -Pipe ff0 -Comment "NGen Worker Process"]
    [Date/Time: 01/10/2014 14:52:35] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [13068]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent f8c -InterruptEvent 0 -NGENProcess f9c -Pipe f58 -Comment "NGen Worker Process"]
    
    [Date/Time: 01/10/2014 14:52:26] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [11508]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent c84 -InterruptEvent 0 -NGENProcess c78 -Pipe c24 -Comment "NGen Worker Process"]
    [Date/Time: 01/10/2014 14:52:26] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [11484]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]???'??????W(??????W)??????W*???????+??????W,??????W-???R] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent c90 -InterruptEvent 0 -NGENProcess c78 -Pipe cd8 -Comment "NGen Worker Process"]
    [Date/Time: 01/10/2014 14:52:26] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [11312]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent c18 -InterruptEvent 0 -NGENProcess c78 -Pipe cbc -Comment "NGen Worker Process"]
    
    [Date/Time: 01/10/2014 14:52:22] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [11740]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 0 -NGENProcess bb8 -Pipe 500 -Comment "NGen Worker Process"]
    [Date/Time: 01/10/2014 14:52:22] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [11752]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]??ç] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 0 -NGENProcess b94 -Pipe 584 -Comment "NGen Worker Process"]
    [Date/Time: 01/10/2014 14:52:22] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [11708]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 0 -NGENProcess 240 -Pipe 19c -Comment "NGen Worker Process"]
    
    [Date/Time: 01/10/2014 14:52:19] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [11704]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 0 -NGENProcess 240 -Pipe 144 -Comment "NGen Worker Process"]
    [Date/Time: 01/10/2014 14:52:19] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [11692]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]???f] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 144 -InterruptEvent 0 -NGENProcess 22c -Pipe 374 -Comment "NGen Worker Process"]
    [Date/Time: 01/10/2014 14:52:19] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [11664]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 0 -NGENProcess 22c -Pipe 1ac -Comment "NGen Worker Process"]
    
    [Date/Time: 01/10/2014 14:50:28] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [10044]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 83c -InterruptEvent 0 -NGENProcess 874 -Pipe 880 -Comment "NGen Worker Process"]
    [Date/Time: 01/10/2014 14:50:28] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [9600]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]{325B9] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 888 -Pipe 414 -Comment "NGen Worker Process"]
    [Date/Time: 01/10/2014 14:50:27] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [9080]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 880 -InterruptEvent 0 -NGENProcess 888 -Pipe 864 -Comment "NGen Worker Process"]
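
Added example, not part of the post or of EXE Radar Pro: a small parser for the ERP log line format shown above, plus a check that flags events whose Parent field is not a well-formed absolute Windows path and reports what other events recorded for the same parent PID. The four sample lines are constructed to mimic the posted format (two carry a corrupted Parent value); the field names and the functions `parse_events`, `find_corrupt_parents` and `corrupt_parent_pids` are my own.

```python
"""Spot ERP log events whose Parent field is not a usable path (added example)."""
import re

# One ERP event per line; the Process and Parent fields carry "[pid]path".
_EVENT = re.compile(
    r'^\[Date/Time: (?P<ts>[^\]]*)\] '
    r'\[PC User: (?P<user>[^\]]*)\] '
    r'\[Action: (?P<action>.*?)\] '
    r'\[Bitness: (?P<bits>\d+)\] '
    r'\[Process: \[(?P<pid>\d+)\](?P<process>.*?)\] '
    r'\[MD5 Hash: (?P<md5>[0-9A-Fa-f]*)\] '
    r'\[Publisher: (?P<publisher>.*?)\] '
    r'\[Parent: \[(?P<ppid>\d+)\](?P<parent>.*?)\] '
    r'\[Command-Line: (?P<cmdline>.*)\]$'
)

# Absolute Windows path: drive letter, then components free of reserved characters.
_WIN_PATH = re.compile(r'^[A-Za-z]:\\(?:[^\\/:*?"<>|]+\\)*[^\\/:*?"<>|]+$')

# Constructed sample lines in the posted format; lines 2 and 4 have a bad Parent.
SAMPLE_LOG = r"""
[Date/Time: 01/10/2014 14:52:47] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [13412]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent eac -InterruptEvent 0 -NGENProcess 45c -Pipe 480 -Comment "NGen Worker Process"]
[Date/Time: 01/10/2014 14:52:47] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [13332]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]{325B9] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 45c -InterruptEvent 0 -NGENProcess 394 -Pipe 510 -Comment "NGen Worker Process"]
[Date/Time: 01/10/2014 14:52:35] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [13212]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent fa4 -InterruptEvent 0 -NGENProcess ffc -Pipe 794 -Comment "NGen Worker Process"]
[Date/Time: 01/10/2014 14:52:35] [PC User: ] [Action: Allowed [Whitelist]] [Bitness: 32] [Process: [13160]C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe] [MD5 Hash: 2F59E01571184098075B7AFA4B88D86E] [Publisher: Microsoft Corporation] [Parent: [8636]漢字テキスト] [Command-Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent f4c -InterruptEvent 0 -NGENProcess fbc -Pipe ff0 -Comment "NGen Worker Process"]
"""


def parse_events(lines):
    """Parse ERP log lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in lines:
        m = _EVENT.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_corrupt_parents(events):
    """Return (event, known_paths) for every event whose Parent is not a
    well-formed absolute path; known_paths is the set of well-formed parent
    paths that other events recorded for the same parent PID (empty if none)."""
    known = {}
    for ev in events:
        if _WIN_PATH.match(ev['parent']):
            known.setdefault(ev['ppid'], set()).add(ev['parent'])
    return [(ev, known.get(ev['ppid'], set()))
            for ev in events if not _WIN_PATH.match(ev['parent'])]


def corrupt_parent_pids(lines):
    """Convenience: PIDs of the events in `lines` whose Parent field is unusable."""
    return [ev['pid'] for ev, _ in find_corrupt_parents(parse_events(lines))]


if __name__ == '__main__':
    for ev, expected in find_corrupt_parents(parse_events(SAMPLE_LOG.splitlines())):
        print(f"{ev['ts']} pid {ev['pid']}: parent [{ev['ppid']}] shown as {ev['parent']!r}, "
              f"other events say {sorted(expected) or 'unknown'}")
```

The check relies on the parent PID being stable across a batch of events, which holds here because the same ngen.exe instance (PID 8636) spawns every worker; if a PID were reused by a different process in between, the "known paths" set would contain more than one entry and should be reported rather than trusted.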
     
  10. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    @novirusthanks - Another suggestion - allow columns to be re-ordered and remember the order and width of each.
     
  11. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    @novirusthanks - If a whitelist rule already exists and an app is updated, can you make it clear on the alert dialog that the hash has changed, instead of showing the same "Unknown application detected" alert for both new and updated apps. Ideally the red background should be a different colour to indicate the different type of alert.
     
    Last edited: Oct 2, 2014
  12. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,113
    Location:
    South Texas, USA
    Was NVT ERP 3.1.0.0 Build1 v13 Beta the last build listed?

    dja2k
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I believe it was.
     
  14. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Is he on vacation or creating the perfect AE?
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    Maybe he's taking a well deserved break.
     
  16. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    But shouldn't he take it AFTER the release of a final version?
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That would be true if indeed it is the reason
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    That is right! The last build he released was a beta. It worked perfectly on my machines so I totally forgot he did not release the stable build yet. Did you have any problems with the last beta build? The only problems I remember users reporting were with password protecting applications with ERP. I don't have time to go back through the thread right now, but I do remember the problem reported with password protecting applications with ERP.
     
  19. Antimalware18

    Antimalware18 Registered Member

    Joined:
    Dec 12, 2008
    Posts:
    417
    I have been using this program for a while and I love it. The only question I have is: does this program protect against .vbs and .scr files or just .exe files?
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    Good question, I forgot to check this. It would be cool if EXE Radar could also control these types of files, just like Software Restriction Policies.
     
  21. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    Yes and Yes. For .vbs it will alert on WScript.exe, and for .scr it will alert the .scr file itself.

    @novirusthanks - A Game mode option for the alerts would be useful, so that alerts won't be displayed when an app is in full-screen (eg. gaming or watching a movie).
     
  22. Antimalware18

    Antimalware18 Registered Member

    Joined:
    Dec 12, 2008
    Posts:
    417
    what if Exe radar pro is set to lockdown mode basic?
     
  23. Askanag

    Askanag Registered Member

    Joined:
    Oct 17, 2014
    Posts:
    2
    Hi.
    I started to use the program in 2012. Until recently, no problems arose. The problem came when I bought a new computer with Windows 8.1 x64 installed. My old computer had version EXERadar_Pro_x86_x64_v2.7.5_19042013_BUILD29. After removing the program from the old computer, I installed version EXERadar_Pro_x86_x64_v3.0_09092013_BUILD2_V14 on the new computer. The problem described in one of the posts in this thread, New Antiexecutable: NoVirusThanks EXE Radar Pro, appeared.
    I reinstalled the program and put on the latest version, EXERadar_Pro_x86_x64_v3.1_20042014_BUILD1_11082014_v13.
    The problem remained. I left the NoVirusThanks EXE Radar Pro settings at their defaults.
    Best regards.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,193
    Location:
    The Netherlands
    @Askanag

    You are now the third person (including me) that has reported this bug. Perhaps it's related to versions running on Windows 8.1? I'm sure this will be fixed, the developer is probably on vacation or busy with other things. :)
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Guys, be patient. I've had contact with NVT, and he said he had to work on something else for a period, but he will be back.
     