New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,500
    Location:
    Under a bushel ...
    But I am interested in what issues others here have experienced with ERP since the latest Win 10 Cumulative Update (to Build 14393.693). How widespread is the problem?

    Apart from the one incident, also experienced by @iammike, which I cannot conclusively say was due to ERP, I have not had issues, so I am leaving it on for now.
    If it does bork my machine at some point, I may just need to do an image restore.
     
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    12,005
    Location:
    UK
    Off topic posts removed.
     
  3. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,027
    Location:
    Italy
    @Everyone

    ERP is not dead, we're back at developing a new ERP from scratch, here is why:

    - We will use SQLite to handle rules with search\edit\filter\sort\pagination\etc
    - We will save more info about a rule, such as when it was added and when it was last modified
    - You will be able to enable or disable a rule
    - We are discussing a new way to match processes with rules, a possibility we are evaluating now is like this (we're open to ideas of course):
    Code:
    [proc.parent = “C:\Windows\Explore.exe”] and  [proc.name = “abc.exe”] and [proc.signer = “Microsoft Corporation”] [action = “allow”]
    [proc.name = “explorer.exe”] and [proc.signer <> “Microsoft Corporation”] [action = “deny”]
    
    - We will add support for categorization of rules, i.e "Windows Updates", "Firefox Updates", "Windows Processes", etc
    - We have improved the method to gather information about a process
    - All will be focused in a super easy way to manage rules
    - New UI

    When we'll have the first beta build ready I will update here so anyone can test it.
     
  4. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    +1 !! Welcome Back Andreas.

    Can't wait to test the new and enhanced ERP :thumb:
     
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,707
    Very good. The waiting time is over :thumb:
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,500
    Location:
    Under a bushel ...
    Andreas - so good to have you back! :)
    Two questions/requests in advance:
    1. Would it be at all possible to somehow import settings and black/whitelists from the existing version?
    2. Also would it be possible to make it so that Vulnerable Processes whitelist is not hash dependent, as these system32/sysWOW64 .exe hashes change with each major Windows 10 upgrade, meaning they need to be re-added. Some of us have a lot of these defined, over and above the default.
     
  7. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,717
    Location:
    Zagreb, Croatia
    Great news! Welcome back! :)
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,279
    Hurray!!!! Best news of the New Years.
     
  9. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,838
    Location:
    Poland - Cracow
    Excellent :)
    @Peter2150...+1:thumb:
     
  10. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Finally:thumb::thumb::thumb:
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,500
    Location:
    Under a bushel ...
    Now I am suddenly getting crashes on every reboot, sometimes many NVT ERP alerts before it fails. Had to restore an image.

    WhoCrashed reports as follows:
    On Thu 2017/01/19 3:05:09 PM GMT your computer crashed
    crash dump file: C:\windows\Minidump\011917-6937-01.dmp
    This was probably caused by the following module: ntoskrnl.exe (nt+0x14A6F0)
    Bugcheck code: 0xC2 (0x7, 0x0, 0x0, 0xFFFF9E8FDCE9D978)
    Error: BAD_POOL_CALLER
    file path: C:\windows\system32\ntoskrnl.exe
    product: Microsoft® Windows® Operating System
    company: Microsoft Corporation
    description: NT Kernel & System
    Bug check description: This indicates that the current thread is making a bad pool request.
    This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
    The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time. (My bolding).


    Still can't be sure it's ERP, though it would seem suspect. I have disabled it to see if that helps for now.
    But maybe I'll need to uninstall it - and wait for the new beta :)
     
  12. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    New version/s = paid product or donationware :doubt:
     
  13. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    The newly released HMP.A (beta) with updated drivers is much more likely to cause that BSOD - if you are using it.
     
  14. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    215
    Location:
    nowhere
    @novirusthanks I am glad to see you back!
    One question: do you plan to change the licensing of ERP, and what about users who already have a PRO license?
     
  15. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,749
    Location:
    Europe then Asia
    @novirusthanks Sometimes bashing the sleeping giant will make it wake up :p
     
  16. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,749
    Location:
    Europe then Asia
    It comes from the latest HMPA beta, not from ERP; I got this Bad Pool Caller stop code too. Had to revert to stable build 573.
     
    Last edited: Jan 19, 2017
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,027
    Location:
    Italy
    @Everyone

    Thanks for the welcome back :)

    @paulderdash

    1. Not initially, but we may work around something for that.
    2. Yes, the new version will allow specifying vulnerable processes by process + hash, or by process, or by hash, etc.

    @NSG001

    Can't say much for now about that, but if it will be paid all actual ERP users that have purchased a license will get the new version for free.

    @Lockdown @Umbra

    Thanks for the information!
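
The rule syntax proposed earlier in this thread, together with the "process + hash or by process or by hash" matching described in the reply above, as an added Python example (not NoVirusThanks code). Assumptions: first-match-wins ordering, case-insensitive comparison, the `proc.hash` field name, the "ask" fallback, and all sample processes and hash values are constructed.

```python
import re

# One bracketed clause: [field op "value"]; straight or curly quotes accepted.
CLAUSE = re.compile(r'\[\s*([\w.]+)\s*(=|<>)\s*["\u201c](.*?)["\u201d]\s*\]')

def parse_rule(line):
    """Return (conditions, action) for one rule line."""
    clauses = CLAUSE.findall(line)
    if not clauses or clauses[-1][:2] != ("action", "="):
        raise ValueError("rule must end with [action = ...]")
    action = clauses[-1][2].strip().lower()
    if action not in ("allow", "deny"):
        raise ValueError("unknown action: " + action)
    return [(f, op, v.lower()) for f, op, v in clauses[:-1]], action

def matches(conds, proc):
    """Every clause must hold, since clauses are joined with 'and'."""
    for field, op, value in conds:
        actual = proc.get(field, "").lower()  # absent metadata equals nothing
        if (actual == value) != (op == "="):
            return False
    return True

def decide(rules, proc, default="ask"):
    """First matching rule wins (assumed); no match falls back to a prompt."""
    for conds, action in rules:
        if matches(conds, proc):
            return action
    return default

# Constructed rules: the thread's explorer.exe rule, one allow rule pinned to
# a hash, and one allow rule keyed on name + signer only (hypothetical fields).
RULES = [parse_rule(r) for r in (
    r'[proc.name = "explorer.exe"] and [proc.signer <> "Microsoft Corporation"] [action = "deny"]',
    r'[proc.name = "svchost.exe"] and [proc.hash = "HASH-OLD"] [action = "allow"]',
    r'[proc.name = "taskhostw.exe"] and [proc.signer = "Microsoft Corporation"] [action = "allow"]',
)]

def make_proc(name, signer="", file_hash=""):
    return {"proc.name": name, "proc.signer": signer, "proc.hash": file_hash}

if __name__ == "__main__":
    ms = "Microsoft Corporation"
    print(decide(RULES, make_proc("explorer.exe")))                  # unsigned look-alike
    print(decide(RULES, make_proc("svchost.exe", ms, "HASH-OLD")))   # before an update
    print(decide(RULES, make_proc("svchost.exe", ms, "HASH-NEW")))   # after an update
    print(decide(RULES, make_proc("taskhostw.exe", ms, "HASH-NEW"))) # name + signer rule
```

The hash-pinned rule stops matching once an update changes the file, so the decision drops to the fallback, while the name + signer rule keeps matching and an unsigned explorer.exe look-alike is still denied.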
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,707
    Nice, then a file stays a vulnerable process even if it was updated ("specify vulnerable process by process")
    Useful improvement, especially for users with more than 100 Vulnerable processes:
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,535
    Location:
    Mexico
    :eek: :eek: :eek: :cool: :'( :geek: *puppy* :thumb: :) :cool: :D
     
  20. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,602
    +1
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,535
    Location:
    Mexico
    No really. Thank you for coming back where the mortals... lol
     
  22. Cool,

    What would be really great is if the GUI included a rule builder (like ThreatFire or AppLocker), e.g.
    • First select action : allow or deny
    • Next select parent process with windows file open dialogue (or skip)
    • Next select rule type (signer, folder, name or hash) followed by windows file open dialogue
    • Next select exception (same as syntax, guidance as with rule type above)

    A GUI-assisted rule builder facilitates simple rules. Free-format rules following the logic described in the code above ([metadata object = value] and/or [metadata object = value] > [action = allow/block]) would allow more flexibility for the power user.


    P.S.

    Andreas, good to see you are back :thumb:

    Kees
     
    Last edited by a moderator: Jan 21, 2017
  23. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    664
    I purchased a license almost 3 years ago without a single update. What's the ETA? 3 months? 6 months? 3 more years? I have my doubts.
     
    Last edited: Jan 19, 2017
  24. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    Great news! Welcome back!
     
  25. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,312
    Location:
    USA
    I knew he'd be back!
     