New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andreas

    On the filtering for DLLs and SYS files. I think users may find this very disappointing. Faronics Anti-Executable has this feature, and if you turn it on your system runs at the speed of frozen molasses. Not worth it.

    Pete
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    If I remember correctly, Software Restriction Policies can potentially slow your system down as well if the user enables .dll and .sys filtering. The only one that I know of that doesn't slow your system down with .dll and .sys filtering at the moment is Bouncer. Although I would assume that NVT ERP would have the potential to do that efficiently as well, my guess is that they don't include it because it would cause much more confusion for the end users, because it would require more of a learning curve and potentially cause significant issues if the user doesn't configure it properly.
     
  3. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello Andreas,

    The last beta build is running with no issues here on a Windows 8.1.1 Pro 64 bit system...
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, my mistake, forgot to use that tool. But why did you choose this method? It's very unusual, most security tools install their drivers. And I also wonder if the drivers are loaded quickly enough. In theory it might be a security risk. Or is your method actually better?
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I don't know exactly how Bouncer and Faronics handle this, but instead of whitelisting DLL and SYS files, you could add an option to monitor for code injection and driver loading, which are two of the most used techniques by malware. The reason why I bring this up is because you already offer tools that can do this, so why not combine them.

    http://www.novirusthanks.org/products/driver-radar-pro/
    http://www.novirusthanks.org/products/writeprocessmemory-monitor/
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Because they are not anti-executable techniques. Don't think we want to start making ERP into something more than it is.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    That's true, but it could also be made optional, with an on/off switch.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Naw. Still clutters up the code, and has to install drivers to function. KISS
     
  9. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    507
    Running beta 19012015_BUILD1 on Win7 x64 SP1 and no issues so far. :thumb:
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Nope, it should be implemented in only one driver. It would make ERP more advanced and could have generated more sales, but since it's now freeware, I can understand if Andreas doesn't feel like spending time on implementing this.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The problem with more advanced is that it also tends to make it more difficult for a wider range of users.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Not with an on/off switch, and default disabled.
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Loading the drivers with a service would be loading slightly later than it would if it were loading right after kernel init. But it probably wouldn't be too much of a security risk though. My assumption is that loading it with the service gives the ERP executables more control over the ERP drivers that way.
     
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    Only one issue ~ Lockdown Mode -- Ask user. I'm prompted okay ...but, for plugin-container prompt. I had to drop to Alert Mode.

    Firefox was freezing in Lockdown. Didn't understand what was causal. After repeated freeze / unfreeze. I dropped to Alert and was immediately prompted with plugin-container. Upon whitelist > Firefox playing nice.
    v3.1.0.0 BUILD1-17012015
     
    Last edited: Jan 22, 2015
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Is anyone else seeing an issue where this latest version is forgetting settings? I am. What I mean is whitelisting all of the Program Files, Program Files (x86) and Windows folders and getting pop-ups after a reboot.

    Pete
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @siketa @Antarctica @puff-m-d @busy

    Thanks for the info :)

    @WildByDesign @Rasheed187

    We have no intention to monitor for DLLs and SYS files because this would [1] require a lot of work and maintenance [2] create incompatibilities with other software [3] make the tool most probably unusable for most PC users. If you blacklist or block an important DLL or SYS file you may get a BSOD or the program that tried to load the DLL / SYS file may crash and the user may, for example, lose the work he/she was doing, etc. DLL and SYS monitoring is not for general users. Our main focus is to maintain ERP a true anti-executable / application whitelisting program that can be easy to use and understand for all users.

    @Rasheed187

    Absolutely, it is perfectly secure, fast and safe to load the driver from the service. It is better in case there is a BSOD, for example: you just need to stop/disable the service and the driver will not be loaded at boot. If you install the driver, it will be loaded every time the PC is booted, with almost no real control in case of errors/BSODs.

    @bjm_

    Yes, plugin-container.exe has to be whitelisted before switching to Lockdown Mode, else the web browser will freeze when Flash videos are loaded.

    I will write this to the help file very soon, thanks for the reminder.

    @Peter2150

    I have a few questions:

    1) What is the OS where ERP is running?
    2) What is the process path and name displayed in the alert window (that was previously whitelisted)?
    3) Does this happen only when you whitelist folders or also when you manually whitelist one or more files?
    4) After a reboot, can you see the processes you previously whitelisted in the Whitelists->Applications tab?
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andreas

    1. Win 7x64
    2. I think so but not positive
    3. Seems like it was both.
    4. Andreas I didn't look, and it was hard to know, because some of the stuff was stuff that loaded at startup.

    Hang on I want to try something. Going to reboot and comeback.

    I was going to say I'd been running in learning mode all day yesterday and this morning, and I switched to alert mode and all was well. I went and rebooted, and had two system pop-ups before explorer even started. So I went to add new in the whitelist to see what would happen. Here is what was added:

    Program files 145 added
    Program files (x86) 703 added.
    Windows 1688 added

    Rebooted and nothing popped up yet.

    Strange.

    Pete

    If there is something you want me to try let me know.
     
    Last edited: Jan 23, 2015
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    Had my first "Invalid or Revoked" ~ wondering what's the appropriate action. Were there a right-click context menu option "Notify Publisher", I would. Absent that... do I simply "whitelist" or "blacklist" the affected exes? The "Invalid or Revoked" is for Secunia PSI.

    Is NVT ERP just being its usual dutiful efficient defender of the realm, and letting the King decide ay or nay?

    Do publishers care one way or the other regarding ERP prompts ? What say ye friends ?
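    A way to look at why a binary shows as "Invalid or Revoked" before deciding what to do with it, as an added example (not ERP's own code and not from the original post); it uses only built-in PowerShell and .NET, and `$Path` is a placeholder for the flagged executable:

```powershell
# Added example (not part of ERP): inspect a binary's Authenticode status before
# deciding whether to whitelist or blacklist it. Get-AuthenticodeSignature reports
# the signature status; an X509Chain built with online revocation checking
# separates a revoked publisher certificate from a broken chain or a hash mismatch.
# $Path is a placeholder; point it at the flagged executable.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$sig = Get-AuthenticodeSignature -FilePath $Path

$result = [ordered]@{
    File            = $Path
    SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
    StatusMessage   = $sig.StatusMessage
    Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    NotAfter        = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
    ChainStatus     = @()
}

if ($sig.SignerCertificate) {
    # Build the chain with revocation checking turned on (CRL/OCSP over the network),
    # so a revoked certificate is reported as such rather than as a generic failure.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($sig.SignerCertificate)
    $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    if (-not $chainOk -and $result.ChainStatus.Count -eq 0) {
        $result.ChainStatus = @('Build failed with no status detail')
    }
}

[pscustomobject]$result | Format-List

# Reading the result:
#   HashMismatch            -> file contents changed after signing; treat as tampered, do not whitelist.
#   Revoked in ChainStatus  -> the publisher's certificate was revoked (often after key theft);
#                              obtain a current signed build from the vendor instead of trusting this copy.
#   NotTrusted / chain errors -> the certificate or its chain is not trusted on this machine;
#                              confirm the vendor's published thumbprint before allowing the file.
```

Save it as a script (for example `Check-Signature.ps1`) and run it as `.\Check-Signature.ps1 -Path 'C:\path\to\flagged.exe'`. The distinction matters for the question above: a hash mismatch means the file on disk is not what the publisher signed, while a revoked chain means the signing key itself is no longer trusted, and neither case is something a prompt to the publisher would change.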
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I respect that. Adding .dll/.sys filtering would be chaos for casual internet users. It would be more for security enthusiasts and security/malware researchers. And I understand that NVT ERP is designed to be easier to use for users of any level of experience. So that makes sense and I respect your answer.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    To clarify, I was not talking about white-listing SYS and DLL files, this means that ERP wouldn't have to make a database of what's allowed to run or not. That would be complex indeed. I was talking about a HIPS like feature where you can allow or block code injection and driver loading.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Well, it is very unusual; almost all other security tools that run in real time install a driver. If there is a BSOD you can always run Windows in Safe Mode.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I have checked it with the NVT Kernel Mode Drivers Manager tool, and ERP's driver is on number 121, while SpyShelter is on number 51. So this means that if SS was malware (a rootkit) it would have been able to execute apps before ERP starts to monitor. Of course, this is only theory, and I'm not worried that much about it, but it's still interesting to point out.
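    The load-order question raised in this post and in the earlier exchange about loading the driver from a service can be checked without a third-party tool. The following is an added example (not NVT's Kernel Mode Drivers Manager and not from the original thread): it reads each driver's start type, group and tag from the registry and orders them the way the kernel and the service control manager roughly do, so you can see how far down the list a given driver sits. The driver name at the end is a placeholder.

```powershell
# Added example (not NVT's tool): approximate the kernel driver load order that
# the thread discusses, using only registry data and the Win32_SystemDriver class.
# Boot-start (0) drivers load first, then system-start (1) drivers in the order of
# the ServiceGroupOrder\List groups; auto-start (2) and demand-start (3) drivers
# come later, once the service control manager is running. A driver loaded on
# demand by a user-mode service (the approach described above) therefore sorts
# after all boot- and system-start drivers.

$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

# Group order as Windows applies it to boot/system-start drivers.
$groupList = @((Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder').List)
$groupRank = @{}
for ($i = 0; $i -lt $groupList.Count; $i++) { $groupRank[$groupList[$i]] = $i }

$drivers = Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $group = if ($props -and $props.Group) { $props.Group } else { '(none)' }
    $rank  = if ($groupRank.ContainsKey($group)) { $groupRank[$group] } else { $groupList.Count }
    [pscustomobject]@{
        Name      = $_.Name
        Start     = if ($props) { $startNames[[int]$props.Start] } else { $_.StartMode }
        StartCode = if ($props) { [int]$props.Start } else { 9 }
        Group     = $group
        GroupRank = $rank
        Tag       = if ($props -and $null -ne $props.Tag) { [int]$props.Tag } else { 0 }
        Running   = $_.State
        Path      = $_.PathName
    }
}

# Sort by start type, then group order, then tag. This approximates the order the
# kernel and SCM use and is what a "driver number" in a loader list reflects; the
# exact within-group order also depends on GroupOrderList, which is not read here.
$ordered = $drivers | Sort-Object StartCode, GroupRank, Tag, Name
$pos = 0
$ordered = $ordered | ForEach-Object {
    $pos++
    $_ | Add-Member -NotePropertyName Position -NotePropertyValue $pos -PassThru
}
$ordered | Format-Table Position, Name, Start, Group, Running, Path -AutoSize

# To see where one driver sits (placeholder name; replace with the driver you are
# checking), filter the ordered list:
# $ordered | Where-Object Name -eq 'YourDriverName'
```

Run it from an elevated PowerShell session so every service key is readable. The defensive takeaway matches the post: anything that starts before your monitoring driver runs unmonitored, so the lower a security driver's position the smaller that window, and a demand-start driver loaded by a service will always appear after the boot- and system-start entries.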
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I turn off trusted publisher and certificate stuff in all my software. I don't think it's reliable since certificates have been forged.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I think certificates get stolen, more than forged. What do you think? I wonder how hard it is to forge a certificate.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    How it happens isn't as much the issue; the issue is just to no longer trust them. It then doesn't matter how it happens.
     