New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    Is this program the only one showing this issue?
    No path issue here.
     
  2. hjlbx

    hjlbx Guest

    Only one I can see... appears to be innocuous quirk. :doubt:
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    It would be nice to add an infotip when hovering the mouse pointer:

    infotip.png
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,134
    Location:
    Italy
    @paulderdash

    I will check the date format when sorting the column.

    @hjlbx

    "Vulnerable Processes" are meant to handle only executable files, .dlls are not supported and should not be added.

    Tested on Win 10 64-bit and it works fine, no path issues here.

    Will test tomorrow on Win 8 VM to see if it is the same but should work fine.

    Have you checked that the files are effectively on C:\Program Files\ ?
     
  5. hjlbx

    hjlbx Guest

    @novirusthanks

    Thanks for *.dll infos.

    Yes. Files installed at C:\Program Files (x86) but ERP shows C:\Program Files.

    I figured it out - this is quirk that reflects mistake made by user (me). Let me explain...

    Because prior install was to C:\Program Files; re-install was to C:\Program Files (x86).

    ERP just doesn't update file-path if application installed to different directory from prior install.

    It is quirk... discovered by mistake... LOL.
     
  6. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    I hope one of the features implemented is the settings choices applying per user... so they stick for account with Admin privileges, and they stick for accounts with Standard User privileges...

    Without this, it's almost as useless as running SpyShelter in Standard User mode, since it has the same weakness.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    Good to know, so will you now fix the problem with "Install mode"? It should not alert about vulnerable processes when installing a trusted tool.
     
  8. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    961
    Hi All, can anyone tell me if NVRT is compatible with Windows 10?

    Thanks

    Terry
     
  9. PaleDark

    PaleDark Registered Member

    Joined:
    Nov 30, 2015
    Posts:
    55
    I myself am running NVT on all 5 PCs and laptops on Windows 10. So yeah, it is compatible.
     
  10. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    460
    Hi, running ERP 3.1.00.1.15052015 on Win 7 x64.
    It has always worked flawlessly but now for some reason it is not registering my choice of whitelisting an updated application (Tresorit). I have tried every which way, whitelisting the updated app, the command line, running processes but no go.
    I have a sense it may be connected to a wider problem https://www.wilderssecurity.com/threads/mixed-software-events-maybe-a-hardware-problem.383574/ and I would dearly appreciate any suggestions on how to debug.
    Thanks!
     
  11. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    961
    Hi Everyone

    What is the latest Beta of NoVirusThanks and where can I download it? I notice that the developer makes reference to a recent update but he does not say where to download it.

    Thanks

    Terry
     
  12. hjlbx

    hjlbx Guest

    @novirusthanks

    BSOD

    nvterp.sys

    Forwarded link to MEMORY.dmp via support email address
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    Can you perhaps add a parent-child process execution feature, where only explorer.exe is allowed to launch the browser for example? I'm getting a bit fed up with apps that launch the browser after installation.
     
  14. hjlbx

    hjlbx Guest

    @novirusthanks

    Purported NVT ERP bypass: http://bbs.kafan.cn/thread-1936040-1-1.html

    Towards bottom of long web-page.

    I used Internet Explorer to translate, but NVT ERP images did not load; they load in Cyberfox\Firefox.
     
    Last edited by a moderator: Feb 14, 2016
  15. hjlbx

    hjlbx Guest

    VS - failed to block malware

    NVT ERP - failed to block malware

    AppGuard - blocked malware

    But AppGuard and VS\NVT ERP are two different animals... AppGuard is Software Restriction Policy soft whereas VS\NVT ERP are anti-executables.

    It appears the malware publisher used a technique to bypass white-listing - which is the basis of anti-executable.

    So it is understandable that if this is indeed the case, then it is no surprise it bypasses VS\NVT ERP and not AppGuard.

    Besides, even with one (not yet verified with actual sample), VS and NVT ERP are still good softs.
     
  16. hjlbx

    hjlbx Guest

    I don't think they read Chinese either, but at least they will get some idea from images of Process Hacker... LOL.
     
  17. hjlbx

    hjlbx Guest

    There is link to VT: ~ Removed VirusTotal Results as per Policy - PM Developer ~

    It is located on linked page in bypass report.
     
    Last edited by a moderator: Feb 14, 2016
  18. guest

    guest Guest

    I guess NVT wasn't on lockdown mode?
     
  19. hjlbx

    hjlbx Guest

    Alert mode was used.

    Tester selected Block in the alert(s).

    It appears to be one of the known white-listing bypass techniques using msiexec.exe or PresentationHost.exe. I sent infos to Andreas a while back.

    I am not too sure - I have trouble deciphering Chinese.

    Trying to find sample to forward to him.
     
  20. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    @hjlbx - do you whitelist, or whitelist command line only?
     
  21. hjlbx

    hjlbx Guest

    Both
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The reason for using both: A lot of programs are either run or not, so whitelisting is fine. But for some programs like rundll32.exe it isn't. So you whitelist the command lines the system needs, but if something tries to use it for bad purposes, it is challenged. Very powerful feature.
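
Added example, not part of the thread and not EXE Radar Pro's own code or rule format: a minimal sketch of the two-tier decision described in the post above, where ordinary programs are trusted by image path and a host process such as rundll32.exe is trusted only for specific command lines. The rule tables, the `ExampleApp` path, the sample command lines and the function names are all assumptions constructed for illustration.

```python
import ntpath

# Hypothetical policy, constructed for illustration.
# Programs that are simply "run or not": trusting the image is enough.
TRUSTED_IMAGES = {
    r"C:\Program Files\ExampleApp\app.exe",
}
# Host processes that execute whatever they are pointed at: trust only
# the command lines the system needs, never the image as a whole.
TRUSTED_COMMAND_LINES = {
    r"C:\Windows\System32\rundll32.exe": {
        "rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    },
}

def norm_path(path):
    """Windows paths are case-insensitive; collapse '..' and strip quotes."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))

def norm_cmd(command_line):
    """Collapse runs of whitespace and ignore case before comparing."""
    return " ".join(command_line.split()).casefold()

_IMAGES = {norm_path(p) for p in TRUSTED_IMAGES}
_CMDLINES = {
    norm_path(image): {norm_cmd(c) for c in cmds}
    for image, cmds in TRUSTED_COMMAND_LINES.items()
}

def decide(image, command_line):
    """Return (verdict, reason); 'alert' means the user is challenged."""
    image_n = norm_path(image)
    if image_n in _IMAGES:
        return ("allow", "image whitelisted")
    rules = _CMDLINES.get(image_n)
    if rules is None:
        # Full path is compared, so a same-named file elsewhere is unknown.
        return ("alert", "unknown image")
    if norm_cmd(command_line) in rules:
        return ("allow", "command line whitelisted")
    return ("alert", "command line not whitelisted for this host process")

if __name__ == "__main__":
    samples = [  # constructed process-start events
        (r"C:\Program Files\ExampleApp\app.exe", "app.exe --update"),
        (r"c:\windows\system32\RUNDLL32.EXE",
         "rundll32.exe  shell32.dll,Control_RunDLL desk.cpl"),
        (r"C:\Windows\System32\rundll32.exe",
         r"rundll32.exe C:\Users\Public\x.dll,Start"),
        (r"C:\Users\Public\rundll32.exe",
         "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
    ]
    for image, cmd in samples:
        print(decide(image, cmd), image, "|", cmd)
```
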
     
  23. hjlbx

    hjlbx Guest

    I agree 100 %.

    LOL... I "copied" @Peter2150's security config for the most part.
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    Does this line actually exist?
    HKEY_LOCAL_MACHINE\Software\NoVirusThanks\EXERadarPro

    I can't find it either on Win8.1 x64 or Win7 x86
     
  25. hjlbx

    hjlbx Guest

    @Mister X - it does not. Might on XP, Vista.
     