New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    Resolved by changing SBoxie and VS to Automatic (no delay). Must have observed partial loading. Thanks as always. :)

    1) ERP Alert Mode ~ Whitelist Process or Whitelist Command Line. Whitelist Process is listed first in the drop-down. Does that imply it is the best option? When might I want to select one over the other?

    2) Block processes signed with an invalid or revoked certificate. Default is not checked. Why would I want to allow processes signed with an invalid or revoked certificate?

    3) Signed Processes has three options: No | Allow with valid certificate | Allow only by trusted vendor. Trusted vendor is the default. Why?
    Wouldn't a valid certificate be safer, or does that option have to presume the certificate is not forged/stolen?
    Is it safer to globally trust a vendor over a valid certificate?
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi bjm

    Glad that got fixed.

    1. On alert mode. When the alert pops up, look at what it is. If it is simply xyz123.exe that wants to run, then just whitelist the process. But if it has a long command string that easily could change, then whitelist the command line. A good example of this, as well as of another powerful feature, the wildcard feature, is the string when Sandboxie exits and deletes the sandbox.

    C:\Windows\system32\cmd.exe /c rmdir /s /q "?:\*\__Delete_*"

    It is hardly recognizable, because when it runs it can be from any drive, hence the ?; from any folder, hence the \*\; and more significantly, every time it is invoked it has a unique 16-digit number which always changes, hence the __Delete_*. Without the wildcards or command-line whitelist you would go nuts.

    2. Since it is now happening that bad guys forge certificates and put a good certificate on malware, I don't even have it check signatures.

    3. Here, for the same reason, I set that to No.

    The way I operate is: since I use AppGuard, I can safely assume nothing is in any system area that I didn't specifically allow to be there, so I whitelist everything in those areas. That way, when I get an alert that I didn't do anything to generate, I look at it very carefully.

    Pete
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    WOW! Great reply. So, signatures and certificates may not be worth the paper. I've read about forged/stolen certs + malware with a good cert. Just figured it was still worth checking. But I do see truth in your setup. I think I'll go back to Default > Whitelist Running Processes and proceed from there with new knowledge re Process v Command Line. I want to familiarize myself before I go Lockdown.

    Haven't found an explanation of the Stealth feature/function?

    Thanks so much ~ As always
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I don't use it. I think what it does is hide itself so people won't know it's there.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Andrew, how is progress going with the latest build? Do you have an estimate of when the next build of ERP might be released?
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    BTW, on one of my machines I found something weird. It seems like ERP is blocking a nameless executable; I also cannot blacklist it. And the parent is, strangely enough, "svchost.exe" (the legitimate one). But it's not detected as a virus; when I search for the hash on VT, I get this:

    ~ Removed VirusTotal Results as per Policy ~
     
    Last edited by a moderator: Jan 5, 2015
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    Hello Wilders friends,

    Does ERP protect against malware exploiting a whitelisted program's process memory?

    Does ERP protect the whitelisted program's process (in memory) while the program is running?

    For example > if Adobe Reader opens a PDF file containing malware, this malware will poison the memory of Adobe Reader (not the file on the hard drive) and then attack other components of the system.

    What say ye' ERP
     
    Last edited: Jan 6, 2015
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    So, upon further experience with your added help, I see simple exe's, but I also see exe's with simple and complex command lines that run off the window.
    What happens if I Allow a process when I really should have Allowed the command? Will I be prompted at some point again and have to remember how I handled the first prompt?
    TIA as always :)
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes. If you just allow the process and it is one of the protected processes, it will alert again; then just allow the command line and you will be good to go.

    Pete
     
  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    Well, "good to go" may be premature as I'm often in Shadow Mode :argh:
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    ROFL. Yep, that has a way of undoing what you've done. Assuming what you are doing is safe, you might go through it once unshadowed and that will get everything set up.
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    Yeah, .. but, .. um....where's the challenge :D:argh:
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    For the mod who removed the link:

    To clarify, none of the AVs detected anything, so no one could start a discussion about some AV being crappy. I posted it because I wanted to know if anyone has ever seen this highly weird stuff. I'm not sure if it's really a virus infection, or perhaps it's just spyware from Windows 8 itself? Let me know if I can repost the link.
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @Cutting_Edgetech

    We are finishing a few fixes in the startup section; I'll update this thread very soon :)

    @bjm_

    No, ERP is anti-executable / application whitelisting software; after you allow a process, ERP does not monitor its memory.

    You can use EMET 5.1 to protect vulnerable processes (IE, PDF readers, Email readers, Word/Excel, media players, etc) from memory-exploits.
    http://www.microsoft.com/en-us/download/details.aspx?id=43714

    If the malware is dropped to disk and then executed, ERP will block/detect it.

    You can combine ERP with a process-memory-protector like EMET 5.1 and/or AppGuard (other users use this combination), or with MBAE or HMP, etc.

    Best is to use different layers of protection :)

    @Rasheed187

    Are you using the latest beta or the v3.0 from our website?

    @bjm_

    Personally, I have enabled the option "No", as I do not trust certificates; however, this is for paranoid users.

    It has happened only a very few times that malware was able to steal (for example) an Adobe certificate to sign the malware files.

    Even in the (rare) case it did happen, within a few hours the certificate would be revoked/blacklisted and so blocked by almost any security software.

    Beginner users should enable the option "Allow only processes signed by Trusted Vendors" to reduce the prompt dialogs.

    @pablozi

    Sure, ERP is still alive, just a little slower in the development recently due to some other works.

    @Frank the Perv

    If you add to the whitelist all the processes that your wife would run daily, and if you also whitelist all command lines that require wildcards, and if you leave checked the option "Signed processes" -> "Allow only processes signed by Trusted Vendors", then I would say yes, she would receive almost no prompt dialogs at all. Only in case a program auto-updates and requires cmd.exe (a vulnerable process) to run some unknown command-line string might you need to take an action, but it should not be frequent.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    No, I'm using an older version because of the bug on Win 8.1, but I'm glad to see you back! When will you release the new version with hopefully the "install mode" and fix for the "whitelisting" bug? Also, I will send you a PM about the strange nameless executable (launched by svchost.exe) that EXE Radar blocked.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andreas

    Good to see you buddy. This gem just keeps trucking along.

    Pete
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @Rasheed187

    I could not reproduce the issue in Windows 8.1 about not saving the whitelists; however, I have improved the saving of lists, which may fix that issue.

    I'll wait for your PM about the info on the strange nameless executable blocked by ERP.

    @Peter2150

    Thank you :)
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Ok, thank you for the update.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    OK, in that case I will install the latest version.
     
  20. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    215
    Location:
    nowhere
  21. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,348
    Location:
    USA
    Good to see you, Andreas. I hope your holidays were good. I can't wait for a new version of ERP!
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Just a minor update. I have ERP running in a win 10 VM. It's running very well.
     
  23. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    Would this string work as well > C:\Windows\System32\cmd.exe /c rmdir /s /q "C:\Sandbox\bjms\__Delete_DefaultBox_*"
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I think so, but why bother. The other string is there since you installed. I was just showing you an example.

    Pete
     
  25. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    Aha! I didn't realize that was an example. So, just the * for the numbers will satisfy. I added the string to VS because I was going nuts, as you say. #4002
     
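The wildcard command-line rule from Pete's post #2 and bjm_'s narrower variant from post #23, run through a small matcher so the difference between "Whitelist Process" and "Whitelist Command Line" is visible. This is an added example, not ERP's own code or an export of its rules. It assumes the semantics the thread describes for the wildcards (`?` matches exactly one character, `*` matches any run of characters, including backslashes, and comparison is case-insensitive); the developer does not confirm those details here. The command lines fed to it are constructed, and the 16-digit suffix follows Pete's description of the Sandboxie delete folder.

```python
import re
from typing import Dict, List, Optional

# Rules quoted from the thread (post #2 and post #23).
PETE_RULE = r'C:\Windows\system32\cmd.exe /c rmdir /s /q "?:\*\__Delete_*"'
BJM_RULE = r'C:\Windows\System32\cmd.exe /c rmdir /s /q "C:\Sandbox\bjms\__Delete_DefaultBox_*"'
# Tighter variant built for this example: pins the suffix to exactly 16 characters
# (Pete says the number is always 16 digits), so nothing else can follow it.
TIGHT_RULE = r'C:\Windows\System32\cmd.exe /c rmdir /s /q "C:\Sandbox\bjms\__Delete_DefaultBox_????????????????"'

# Constructed command lines, not captured from a real machine.
SAMPLE_C = r'C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Sandbox\bjms\__Delete_DefaultBox_1234567890123456"'
SAMPLE_D = r'C:\Windows\System32\cmd.exe /c rmdir /s /q "D:\Sandboxes\work\__Delete_Browser_6543210987654321"'
# Same prefix as bjm_'s rule, but with a second directory argument appended.
SAMPLE_WIDE = r'C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Sandbox\bjms\__Delete_DefaultBox_x" "C:\Users\bjm\Documents"'
# An rmdir that has nothing to do with Sandboxie.
SAMPLE_OTHER = r'C:\Windows\system32\cmd.exe /c rmdir /s /q "C:\Users\bjm\Documents"'

CMD_EXE = r"C:\Windows\system32\cmd.exe"


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a wildcard pattern into a case-insensitive regex.

    Every character other than ? and * is escaped, so backslashes, quotes
    and switches are matched literally. `*` becomes `.*`, which is why it
    also spans path separators and quote characters.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def matches(pattern: str, cmdline: str) -> bool:
    """'Whitelist Command Line' semantics: the whole command line must fit the pattern."""
    return glob_to_regex(pattern).fullmatch(cmdline) is not None


def image_path(cmdline: str) -> str:
    """Crude split of the image path off a command line (fine for the
    constructed samples above, whose image paths contain no spaces)."""
    return cmdline.split(" ", 1)[0]


def process_rule_covers(cmdline: str, allowed_images: List[str]) -> bool:
    """'Whitelist Process' semantics: only the image path is compared, so once
    cmd.exe is allowed, every argument string it is launched with is accepted."""
    return any(img.lower() == image_path(cmdline).lower() for img in allowed_images)


def classify(cmdline: str, rules: List[str]) -> Optional[str]:
    """Return the first command-line rule covering cmdline, or None (the user is prompted)."""
    for rule in rules:
        if matches(rule, cmdline):
            return rule
    return None


def demo() -> Dict[str, Optional[str]]:
    """Run the constructed samples through the rules, most specific rule first."""
    rules = [TIGHT_RULE, BJM_RULE, PETE_RULE]
    samples = {
        "sandboxie_c": SAMPLE_C,
        "sandboxie_d": SAMPLE_D,
        "extra_argument": SAMPLE_WIDE,
        "unrelated_rmdir": SAMPLE_OTHER,
    }
    return {name: classify(line, rules) for name, line in samples.items()}


if __name__ == "__main__":
    for name, rule in demo().items():
        print(f"{name:16} -> {('allowed by rule: ' + rule) if rule else 'PROMPT'}")
    print("cmd.exe process rule accepts the unrelated rmdir:",
          process_rule_covers(SAMPLE_OTHER, [CMD_EXE]))
```

Three things fall out of running it. Pete's rule covers the delete string from any drive and any sandbox folder, which is exactly why it is the one shipped; bjm_'s rule covers only the bjms sandbox on C:, so a second sandbox or a different drive would prompt again. Because `*` translates to "anything", both rules also accept a line that has a second directory appended after the `__Delete_` folder, whereas the sixteen-`?` variant does not; whether ERP's own matcher treats `*` the same way is not stated anywhere in this thread, so check it before relying on that. And a plain process rule for cmd.exe accepts every command line, including the unrelated rmdir, which is the reason the developer calls cmd.exe a vulnerable process and why command-line rules are the right tool for it.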