New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
     
  2. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
Spyshelter, VoodooShield, Comodo, ESET…

In a word, they can block *.exe, but cannot stop DLL injection.
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    I see your point, so Exe Radar Pro could fail too, most likely.

    If you did that test could you please test AppGuard?
     
  4. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
I did not do the test, I'm just sharing the video with you.
The most important thing is that most of them couldn't detect pic 1, just like ESET, and then
C:\Windows\explorer.exe could do something bad just like pic 2 and 3.

Some people think that blocking *.exes is enough, but the fact is that it's useless when facing such site attacks.
     

Attached Files: 1.jpg, 2.jpg, 3.jpg, 4.jpg, 5.jpg
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    Trying to add to Vulnerable Processes:
    Code:
    "C:\Windows\WinSxS\wow64_microsoft-windows-registry-editor_31bf3856ad364e35_6.3.9600.17415_none_ef8e5a9de3f6db8e\regedit.exe"
    and

    Code:
    "C:\Windows\WinSxS\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_6.3.9600.17415_none_e539b04baf961993\regedit.exe"
But ERP says "Warning, the file is already present in the list!"
I guess it is due to the MD5, which is the same for both files even though the paths differ.

    Isn't important for an AE the path as well?
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    Trying to find a filename among a myriad of lines in the lists is a real nightmare :isay:

    Isn't a search feature handy or needed? :)
     
  7. guest

    guest Guest

If you put a specific file on the blacklist/whitelist, no matter where the file is, it's blacklisted/whitelisted based on the checksum.
Blacklist a file and try to execute it. ERP blocks it, and blocks it too if it's executed from a different path/filename.
It's hash-based, so to speak.
If the path were checked too, then the number of "unknown executable" dialogs from ERP would be very high.
Just a simple renaming of a file would mean you have to whitelist it again (but the file itself hasn't changed).
If you want it path-based, you can add a path to "Whitelist - File Locations" (without checking of hashes).
One solution is to navigate to:
c:\ProgramData\NoVirusThanks\EXE Radar Pro\Data\
and search these files manually with a text editor. Not very comfortable.
Yes, a search feature and maybe a drag&drop feature for adding files to ERP would be nice.
Or adding files via the context menu: right-click a file + "Add to whitelist" or something like that.
But this is unlikely to happen.
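The difference between a hash-based list and a path-based "File Locations" entry, and the "already present in the list" warning from post 5, can be shown with a small model. This is an added example written for this thread, not ERP's own code: it builds two directories holding byte-identical copies of a constructed sample file, lists one copy by content hash (SHA-256 here; the thread says ERP uses MD5, the behaviour is the same), and compares that with a directory-based allow rule. Directory names, file contents and the class names are all made up for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample content standing in for an executable (not a real PE file).
SAMPLE_BYTES = b"MZ constructed sample regedit-like content"
OTHER_BYTES = b"MZ constructed sample of a different program"


def file_hash(path):
    """Hash the file contents; SHA-256 here, ERP reportedly uses MD5 (same idea)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class HashList:
    """Hash-based list: the decision depends only on the file's contents, never its path."""

    def __init__(self):
        self.entries = {}  # digest -> path it was first added from

    def add(self, path):
        digest = file_hash(path)
        if digest in self.entries:
            return False  # same bytes already listed: the "already present" warning
        self.entries[digest] = str(path)
        return True

    def contains(self, path):
        return file_hash(path) in self.entries


class LocationList:
    """Path-based list: anything under a listed directory matches, no hashing at all."""

    def __init__(self, directories):
        self.directories = [Path(d).resolve() for d in directories]

    def contains(self, path):
        target = Path(path).resolve()
        # Path.is_relative_to needs Python 3.9 or newer.
        return any(target.is_relative_to(d) for d in self.directories)


def run_demo():
    """Create identical copies in two directories and query both list types."""
    with tempfile.TemporaryDirectory() as tmp:
        dir_a = Path(tmp) / "WinSxS_wow64"   # constructed stand-ins for the two WinSxS dirs
        dir_b = Path(tmp) / "WinSxS_amd64"
        dir_a.mkdir()
        dir_b.mkdir()
        first = dir_a / "regedit.exe"
        second = dir_b / "regedit.exe"
        renamed = dir_b / "renamed_copy.exe"
        other = dir_a / "other.exe"
        for p in (first, second, renamed):
            p.write_bytes(SAMPLE_BYTES)
        other.write_bytes(OTHER_BYTES)

        by_hash = HashList()
        by_location = LocationList([dir_a])
        return {
            "add_first": by_hash.add(first),               # accepted
            "add_duplicate": by_hash.add(second),          # rejected: same hash, other path
            "hash_matches_renamed_copy": by_hash.contains(renamed),  # renamed copy still matches
            "hash_matches_other": by_hash.contains(other),           # different bytes do not
            "location_allows_other_in_a": by_location.contains(other),   # any file in dir_a
            "location_allows_copy_in_b": by_location.contains(renamed),  # dir_b is not listed
        }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

The second `add` returns False even though the path differs, which is exactly the warning Mr.X saw: from the list's point of view the two regedit.exe files are one entry. The location list behaves the other way round, matching a directory and nothing about the bytes, so it accepts a file as soon as it sits in the listed folder.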
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    @mood
    Thanks for replying. I started a few hours ago to do it with a text editor. :thumb:
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    On Win8.1 x64:

AlertWhiteList.DB is completely lost/reset on some machine restarts. This happens randomly and it's related to using ERP alongside Shadow Defender. But I strongly believe it is on ERP's side, I mean the way it handles the list databases.

This is a serious bug. I need to check on every reboot or cold start whether some database file has been reset to zero.
     
  10. guest

    guest Guest

ERP failed against DLLs; that is why NVT started SOB.

    Appguard , on the other hand, theoretically won't fail.
     
  11. paulescobar

    paulescobar Registered Member

    Joined:
    Sep 22, 2008
    Posts:
    197
    So as I understand it, there are "vulnerable" system items EXE Radar keeps...I don't know, maybe "tightly monitored" is the word.

    If I were to add all Program Files & Windows folder items to the whitelist (in a clean environment, of course)...would it affect this monitoring of vulnerable system items?
     
  12. guest

    guest Guest

    As soon as a Process is added to the list of Vulnerable Processes, ERP asks before starting it every time: "Vulnerable Application detected" (Allow/Block)
    Even if it's whitelisted.
     
  13. guest

    guest Guest

    that is the word

    no, they are still "vulnerable" and will generate an alert.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Eset has exploit protection. It injects eOPPMonitor.dll into web applications, and vulnerable System processes. I don't have an exact list of processes it injects into. It also uses a System Driver to assist eOPPMonitor.dll. It should be able to stop .dll injection if it is detected as malicious, or potentially malicious. I would be really surprised if it can't.
     
    Last edited: Apr 18, 2016
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Has there been any word about ERP development? I thought Andrea said he was starting development on ERP again a couple months ago. Has anyone emailed him lately?
     
  16. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    Even if a 'vulnerable process' is called in a whitelisted cmd line? I'm trialing Webroot SA along with ERP - Webroot is launching 'rundll32.exe' on every boot which triggers an alert even with whitelisting the cmd line. How do I allow Webroot to launch rundll32.exe automatically?
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Please post the command line so we can recommend how to allow it by using wildcards.
     
  18. hjlbx

    hjlbx Guest

    Webroot synproc XXXX command line. Whitelist command line then edit it. Use * wildcard at end of command line in place of digits. Delete any duplicate command lines.
     
  19. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
@Cutting_Edgetech and @hjlbx - thanks for the replies. The * wildcard did the trick. However, while I was playing around with the cmd-lines I managed to delete them all & had to reset them to default - I was surprised to see that a cmd-line with the * wildcard needed for WSA to launch rundll32.exe was already in the list. So I'm not sure why the cmd-line list I got with the ERP install didn't include it...

    I noticed as an alternative to the whitelisted cmd-line - it also works to add WRSA.exe to the 'safe parent process' list. I assume the cmd-line option is the preferred option.

    Also wouldn't it be a lot safer to link the whitelisted cmd-line strings to a specific parent process or group of parent processes that are allowed to use it?
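Posts 17 to 19 describe whitelisting a command line with a trailing `*` in place of the changing digits, and rm22 asks whether such a rule should be tied to a parent process. The following is an added example, not ERP's code, that models both ideas: a pattern where only `*` is special, matched case-insensitively as Windows would, plus an optional set of parent images that may use it. The module name `example_module.dll` and the `synproc 48213` argument are constructed placeholders, not Webroot's actual command line; `WRSA.exe` and `rundll32.exe` are the names mentioned in the thread.

```python
import re
from dataclasses import dataclass, field


def wildcard_to_regex(pattern):
    """Turn a pattern where only '*' is special into a case-insensitive regex.
    Everything else is escaped literally, so backslashes and dots in paths are safe."""
    escaped = re.escape(pattern).replace(r"\*", ".*")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


@dataclass
class CommandLineRule:
    pattern: str
    # Empty set = any parent may use this command line (plain whitelist behaviour);
    # a non-empty set is the parent restriction suggested in the thread (assumed design).
    allowed_parents: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        self.regex = wildcard_to_regex(self.pattern)
        self.allowed_parents = frozenset(p.lower() for p in self.allowed_parents)

    def matches(self, cmdline, parent_image):
        if not self.regex.match(cmdline):
            return False
        if self.allowed_parents and parent_image.lower() not in self.allowed_parents:
            return False
        return True


def evaluate(cmdline, parent_image, rules):
    """Return ('allow', pattern) for the first matching rule, else ('ask', None)
    to stand for the prompt the user would otherwise get."""
    for rule in rules:
        if rule.matches(cmdline, parent_image):
            return ("allow", rule.pattern)
    return ("ask", None)


# Constructed placeholder rules; 'example_module.dll' is not Webroot's real module name.
RULES = [
    CommandLineRule("rundll32.exe example_module.dll,synproc *", frozenset({"WRSA.exe"})),
    CommandLineRule(r"notepad.exe *"),  # no parent restriction at all
]


def demo_decisions():
    """Run a few constructed command lines through the rules."""
    cmd = "rundll32.exe example_module.dll,synproc 48213"
    return {
        # digits vary per boot, the trailing * covers them; parent is the allowed one
        "webroot_parent": evaluate(cmd, "WRSA.exe", RULES),
        # same command line from another parent: the restriction makes it prompt
        "other_parent": evaluate(cmd, "cmd.exe", RULES),
        # caveat: a trailing * also swallows anything appended after the digits
        "trailing_wildcard_swallows_extra": evaluate(cmd + " extra_argument", "WRSA.exe", RULES),
        # a different module name does not match the pattern
        "different_module": evaluate("rundll32.exe other.dll,Entry", "WRSA.exe", RULES),
        # unrestricted rule: any parent is fine
        "unrestricted_rule": evaluate(r"notepad.exe C:\temp\notes.txt", "explorer.exe", RULES),
    }


if __name__ == "__main__":
    for name, decision in demo_decisions().items():
        print(f"{name}: {decision}")
```

The `trailing_wildcard_swallows_extra` case is the practical caveat behind hjlbx's advice to put the `*` only where the digits are: a wildcard at the end matches any suffix, so the rest of the pattern should be as specific as the command line allows. Tying the rule to `WRSA.exe` as parent, as rm22 proposes, is what turns "anyone may run this line" into "only this product may run this line".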
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    No problem.
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think Andrea may want to consider adding read/write protection to ERP. He could make it to where the user could choose a folder, or an entire drive for that matter.
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
To me, ERP needs improvements and some fixes but... I don't want to repeat myself, I already said it in previous posts.
As a side note, I think his name is Andreas, iirc. :isay:
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
The only problem I have ever had with ERP is the tray icon keeps hiding itself. It runs great. It has the least number of bugs out of all the whitelisting solutions available on my machines. I would definitely welcome any security enhancements that don't break usability. Any additional security features could always be made optional. I don't want to ask for much though because I don't want to look ungrateful, and cause undue stress for Andreas. I hope he understands they're only suggestions. If other users are experiencing bugs then I think bug fixes should be a priority over additional features. I wonder if the bugs are specific to an OS. Do you know what OS they are using?
    (made quick edit to post)
     