New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. rpsgc

    rpsgc Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    311
    Location:
    Portugal
    Product version ≠ build version

     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,692
    Location:
    Mexico
    Is it me, or were the latest v3.1.0.0 BUILD1-24062015 features listed in the changelog (blue) already present in v3.1.0.0 BUILD1-15052015?
    Can't tell for the rest of them as I never checked them out...

     
  3. guest

    guest Guest

    I can tell with 100% accuracy that the changelog of 24062015 is:

    :D
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,692
    Location:
    Mexico
    :argh::eek::cautious:
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,449
    Location:
    .
    Where was 24062015 published...who knew.
    Thanks....clean install with Export / Import was fun.
     
    Last edited: Sep 5, 2016
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,449
    Location:
    .
     
  7. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,887
    Location:
    Poland - Cracow
    I wondered why this new build from 24-06-2015 is published now, more than a year after the last "May" beta...it's great news but a bit confusing.
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,282
    I got the information from the developer himself.
    Why now?
    = Two posts before I mentioned this newer build, I saw: "It's in the dev signature called v3.1_15052015_BUILD1."
    But since I'm running a newer build I decided to mention it.
    The only change should be: "better detection" of files within directories where only the administrator has access (mentioned in my post: #5421)
    I can get into more detail later, but I think you'll notice the change.
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,422
    does ERP protection start with Windows services, or with login to user account?
     
  10. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,887
    Location:
    Poland - Cracow
    OK...thanks for the reply, and if this new build is capable of doing its job better, it's only a big profit for us...users :)
     
  11. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    354
    Location:
    Canada
    Thanks for posts on "new" beta
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,282
    Background story:
    ERP (v3.1_15052015_BUILD1) and DRP shared the same problem, where both applications didn't show correct information about files.

    In the case of DRP it was showing a wrong MD5 of "00000000000000000000000000000000" for:
    C:\Users\Administrator\AppData\Local\Temp\cpuz138\cpuz138_x64.sys
    C:\Users\Administrator\AppData\Local\Temp\GPU-Z.sys
    ...and all other drivers in C:\Users\Administrator or C:\Windows\Temp

    In the case of ERP it was showing a wrong MD5 too and it was showing signed files as unsigned:
    C:\Users\Public\Downloads\autoruns.exe
    = Signed + MD5 A217A4233D83CFA84055CCD285A508D0 (correct Hash)
    C:\Users\Administrator\Downloads\autoruns.exe (it's the same file as above)
    = Execution => Alert-dialog: unsigned + MD5 D41D8CD98F00B204E9800998ECF8427E (wrong Hash)
    C:\Users\Administrator\Downloads\whatishang-x64\WhatIsHang.exe (signed from Nirsoft)
    Alert-dialog = unsigned + MD5 D41D8CD98F00B204E9800998ECF8427E (wrong Hash)
    Do you see it above? ERP is showing the same hash for two different files, and this is not correct.

    Summary:
    All executed files (signed and unsigned) in the administrator directory (or C:\Windows\Temp) = "unknown application detected" + unsigned + the same hash

    Shortly after sending my bug reports for both programs I received this:
    Only 2 days later he fixed it in both ERP and DRP. (Some vendors need months/forever for a bugfix, so I think 2 days is pretty fast)

    Sidenote:
    After he released SOB (July 2015) there were no newer ERP-betas released.
    I think SOB had more priority for him :D
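    The "wrong hash" in the post above is a recognisable value: D41D8CD98F00B204E9800998ECF8427E is the MD5 of zero bytes, so the product hashed nothing after failing to read the file, and the all-zero string is a placeholder rather than any real digest. The following added example (not ERP/DRP code; the file names and contents are constructed) shows how a hashing routine can refuse to report such values as a file's identity, instead of presenting an unreadable file as an unsigned "unknown application".

    ```python
    import hashlib
    import os
    import tempfile
    from typing import Optional, Tuple

    # MD5 of zero bytes: the value ERP/DRP showed for every file they could not read.
    EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
    # The placeholder DRP showed for drivers it could not read; never a real MD5 output.
    ZERO_MD5 = "0" * 32


    def classify_digest(digest: Optional[str], bytes_hashed: int, size_on_disk: int) -> str:
        """Decide whether a digest may be trusted as the file's identity."""
        if digest is None:
            return "unreadable"
        if digest == ZERO_MD5:
            return "placeholder"
        if digest.lower() == EMPTY_MD5 and size_on_disk != 0:
            return "empty-read"      # the hasher saw no bytes of a non-empty file
        if bytes_hashed != size_on_disk:
            return "short-read"      # part of the file never reached the hasher
        return "ok"


    def md5_file(path: str) -> Tuple[Optional[str], int, int]:
        """Return (digest or None on read failure, bytes actually hashed, size on disk)."""
        size = os.path.getsize(path) if os.path.exists(path) else -1
        h = hashlib.md5()
        n = 0
        try:
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
                    n += len(chunk)
        except OSError:              # access denied, missing file, etc.
            return None, n, size
    return h.hexdigest(), n, size


    def demo() -> dict:
        """Constructed inputs: a normal file, a genuinely empty file, and a missing path."""
        out = {}
        with tempfile.TemporaryDirectory() as d:
            normal = os.path.join(d, "sample.exe")       # constructed stand-in, not a real binary
            with open(normal, "wb") as f:
                f.write(b"MZ constructed sample content")
            empty = os.path.join(d, "empty.bin")
            open(empty, "wb").close()
            missing = os.path.join(d, "no-such-file.sys")
            for p in (normal, empty, missing):
                digest, n, size = md5_file(p)
                out[os.path.basename(p)] = (digest, classify_digest(digest, n, size))
        return out
    ```

    Only the genuinely empty file is allowed to carry the empty-input digest; an unreadable or partially read file is reported as such rather than given a hash that would collide with every other unreadable file.
    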
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,692
    Location:
    Mexico
    Okay, thanks for clarification.
    If you like, anyway I'm fine with your current comment.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,692
    Location:
    Mexico
    Amazing info, thanks a lot for these lines... Hope someday Andreas comes back to us.
     
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,449
    Location:
    .
    +1
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,524
    Location:
    U.S.A. (South)
    +2
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,282
    Yes, 1x-2x each month I got this "Open Candy"-alert after installing some specific apps (CCleaner, CrystalDiskInfo, etc.). (But they stopped bundling their installer with OpenCandy several months ago)
    Rundll32.exe is used to execute OCSetupHlp.dll (OpenCandy):
    Another alternative is AppLocker for blocking DLLs, but there's a "small" :D performance loss. But the loss shouldn't be as big as it is with Faronics, I think :cautious:
    Yeah... :(
     
  18. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,422
    An example of a current DLL attack: Cerber ransomware hijacks certain Windows processes and forces them to load a rogue DLL.
    I am guessing that the new dll protection in hitmanpro.alert is meant to counteract that.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yeah, but how did the Cerber ransomware get to run in the first place?
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,422
    I saw a post today from a guy who downloaded Ammyy remote control software from the official site, but the site was hacked, and the download contained Cerber. He got his files encrypted. That's a situation where a lot of users would rely on the download from the official site and allow the installer to run.
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,692
    Location:
    Mexico
    What about digital signatures to check before running any exe installer?
    What about having a driver like FIDES/Pumpernickel to protect your valuable files?
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,422
    There are a lot of legit downloads where the dev doesn't bother with a digital signature. In this case, the legit file is in fact signed, and the infected one was not. But not everyone will know that.
     
    Last edited: Sep 14, 2016
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,692
    Location:
    Mexico
    Agreed. Malware digitally signed, a horror I'd admit...
    But having a mini-driver filtering as I said in my previous post will suffice.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Was he running ERP? Or did he just allow it to run, not knowing?
     
  25. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,422
    I don't think he was running ERP or anything too sophisticated;
    he just let it run, not knowing. He says that he tells his clients to download it all the time, and the company is lucky that he got encrypted, not one of the clients...
     