New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Rasheed187

    Rasheed187 Registered Member

    Thanks a lot for implementing this! I wanted to test it, but I can't uninstall an older version, I get some error message, do you have any idea what this might be, and is there a workaround or fix for this?
     

    Attached Files: NVT.png (14.2 KB)
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I will make a video for you the next time it happens.
     
  3. Defenestration

    Defenestration Registered Member

    Install mode doesn't work with EmEditor 14.9.1 x64 installer. It alerts for emed64_14.9.1.exe but after clicking Install mode it prompts again later for the msiexec.exe process, which is a child of the emed64_14.9.1.exe.

    EDIT: SpyShelter also has this problem and alerts twice with install mode.
     
  4. marzametal

    marzametal Registered Member

    Gotta' hate it when SS interferes in things...
     
  5. Tyrizian

    Tyrizian Registered Member

    @novirusthanks - Thank you for the latest beta build, it's running great so far.

    Keep up the great work
     
  6. puff-m-d

    puff-m-d Registered Member

    Hello,

    I may have a bug. With the new service start of ERP, it is often giving alerts sometimes before I reach my desktop on a boot. I was installing a program that I knew would need a reboot, and since install mode does not work across a reboot, I disabled ERP permanently via the tray icon. I installed the program in question, rebooted my system, and ERP was popping up alerts as I reached my desktop. ERP's tray icon said it was disabled but ERP was still giving alerts. I tried this with a few other reboots of my system and it was reproducible. It seems if you disable ERP protection permanently via the tray icon, reboot your system, the tray icon will show on the reboot that ERP is disabled as it should be, but ERP is actually active and still giving alerts. FYI, on a Windows 8.1.3 Pro 64 bit...
     
  7. novirusthanks

    novirusthanks Developer

    Here is the download link for the new beta build:
    http://downloads.novirusthanks.org/files/EXERadar_Pro_x86_x64_v3.1_09032015_BUILD1.exe

    To update:

    1) Close ERP from trayicon->exit
    2) Uninstall ERP completely
    3) Reboot the PC (very important)
    4) Install ERP

    Please let me know if you find any issues.

    If you browse to Settings->External Devices now you should see these two options:

    1) Block autorun.inf executions of USBs (enabled by default)
    2) Block autorun.inf executions of CD-ROMs

    Here is a screenshot:
    http://postimg.org/image/8m3c2dpxd/

    @Rasheed187 @puff-m-d @Defenestration

    The reported issues should be fixed in this new build.

    @TyRizian

    Thank you :)

    @Cutting_Edgetech

    That would be perfect.
     
  8. puff-m-d

    puff-m-d Registered Member

    Hello Andreas,

    New version installed and seemed to work fine until a reboot. On reboot I got an invalid handle error and my system locked up. I did a forced reboot and received the same error again but no system lock up this time.
     
  9. novirusthanks

    novirusthanks Developer

    @puff-m-d

    I could reproduce your "invalid handle" issue, should be fixed in the next hours.
     
  10. puff-m-d

    puff-m-d Registered Member

    Hello Andreas,

    Thank you for the quick reply :thumb: , as always ;) ...
     
  11. novirusthanks

    novirusthanks Developer

  12. puff-m-d

    puff-m-d Registered Member

    Hello Andreas,

    New beta build working great here, including after reboot. Thanks :) !!!
     
  13. Antarctica

    Antarctica Registered Member

    I can confirm. Also working great on my PC. Thanks Andrea:)
     
  14. siketa

    siketa Registered Member

    Working fine on Win 7 x64.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I was unable to make you a video of the repeated alerts because ERP still does not support allowing the user to launch another application when prompted by ERP. ERP will not allow me to launch my screen recording software, or even take more than 1 screenshot due to receiving multiple prompts in a row. I have recommended in the past that you give this functionality because the user cannot even launch their web browser to investigate an unknown executable attempting to execute.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Andrea, here are a few of the strings invoked by vulnerable process rundll32.exe. I keep getting prompted for these strings over and over again. What wildcard do I need to use to safely allow any more command line strings associated with WSA based on the strings below?
    "C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc 3208
    "C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc 2192
    "C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc 2200

    Edit: The strings I was receiving before had to do with the programdata, and the appdata folders. I don't think these are the same strings that I was prompted about before. I tried capturing them in a video, but was unable to because I could not launch my screen recording software due to the reason described in my previous post.
     
  17. siketa

    siketa Registered Member

    "C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc*

    You can replace the changing part by "*" sign.
     
  18. puff-m-d

    puff-m-d Registered Member

    Hello Cutting_Edgetech,

    Use the following:
    "C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc *
    HTH...
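
The two wildcard rules suggested above differ only by a space before the `*`. The following is an added example (not part of the original posts and not ERP's own code) that compares what each rule would allow. It assumes `*` matches any run of characters and that the rule is compared case-insensitively against the whole command line; ERP's real matcher may behave differently. The last two sample command lines, the over-broad rule and `strict_match` are constructed for illustration.

```python
import re

def wildcard_match(rule: str, command_line: str) -> bool:
    """Assumed semantics: '*' = any run of characters, everything else is
    literal, case-insensitive, and the rule must cover the whole string."""
    regex = ".*".join(re.escape(part) for part in rule.split("*"))
    return re.fullmatch(regex, command_line, re.IGNORECASE | re.DOTALL) is not None

# Fixed part of the command lines quoted in the thread.
PREFIX = r'"C:\Windows\sysnative\rundll32.exe" "C:\Windows\system32\WRusr.dll",SynProc'

RULE_NO_SPACE = PREFIX + "*"       # first suggestion: ...,SynProc*
RULE_WITH_SPACE = PREFIX + " *"    # second suggestion: ...,SynProc *
RULE_TOO_BROAD = "*rundll32.exe*"  # constructed: what NOT to write

SAMPLES = [
    PREFIX + " 3208",       # from the thread
    PREFIX + " 2192",       # from the thread
    PREFIX + "Other 1",     # constructed: different export sharing the prefix
    r'"C:\Windows\sysnative\rundll32.exe" "C:\Users\Public\x.dll",Run',  # constructed: other DLL
]

def audit(rule: str, samples=SAMPLES) -> list:
    """Return, per sample, whether the rule would allow it."""
    return [wildcard_match(rule, s) for s in samples]

def strict_match(command_line: str) -> bool:
    """Tighter than any wildcard: the trailing argument must be one decimal
    number, as in every command line quoted in the thread."""
    pattern = re.escape(PREFIX) + r" \d+"
    return re.fullmatch(pattern, command_line, re.IGNORECASE) is not None

if __name__ == "__main__":
    for name, rule in [("no space", RULE_NO_SPACE),
                       ("with space", RULE_WITH_SPACE),
                       ("too broad", RULE_TOO_BROAD)]:
        print(f"{name:10} -> {audit(rule)}")
    print("strict     ->", [strict_match(s) for s in SAMPLES])
```

Under these assumptions the rule with the space is the narrower of the two, because it does not match other export names that merely begin with `SynProc`; a rule anchored on the full DLL path is what keeps an allow entry for `rundll32.exe` from covering arbitrary DLLs.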
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Ok, thank you guys! That should cut down on some of the strings I'm being prompted for.
     
  20. siketa

    siketa Registered Member

    I think this is described in online manual/help file too.
     
  21. Rasheed187

    Rasheed187 Registered Member

    I could not uninstall ERP because I disabled the WMI service. I'm now running the new version, but have not tested install mode yet.
     
  22. Rasheed187

    Rasheed187 Registered Member

    @ novirusthanks

    Can you please implement these features:

    1 ERP should remember window and column-size, also after reboot.
    2 Give an option to make ERP go into "alert-mode" with double click on the tray-icon.
    3 ERP should have a separate entry (without sub-menu) for the "Lockdown - Enable Permanently" mode.
     
  23. marzametal

    marzametal Registered Member

    #1 for sure... #2 and #3 is gonna turn this app into featureware... which will take it down the same path as Windows Firewall Control... more fixes with each release due to unnecessary tinkering.
    If #2 is provided, how are you going to maximise the app if a double click engages Alert Mode? Aren't you effectively swapping the HOW TO's around? Instead of right clicking to enter or leave Alert Mode, you are right clicking to maximise...
    In relation to #3, there is no need to clog the menus and sub-menus. There are enough things being displayed already...
    (no offence...)
     
  24. Tyrizian

    Tyrizian Registered Member

    #1 - I agree, #2 & #3 - I like it the way it is now, sorry but I have to disagree.
     
  25. puff-m-d

    puff-m-d Registered Member

    Hello,

    I was messing around with the "Vulnerable Processes" tab making a few additions and accidentally deleted a few processes that I did not mean to. So to fix it, I tried to restore that list to default. However the default list was not the same as a new install. I think this also happens with some other "default lists". It seems some processes are missing when you restore to default... Perhaps a bug?
     