New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,330
    Location:
    U.S.A. (South)
    Check That.

    Playing with the Portable Version of that. Yeah, it might just suit better then what's been. Thanks for the tip and URL share.
     
  2. paulescobar

    paulescobar Registered Member

    Joined:
    Sep 22, 2008
    Posts:
    197
    Andreas! I paid for Exe Radar some years back, and still use it to this day on unsupported Windows 10!
    There have been some hiccups, but we found workarounds thanks to the ingenuity of this community & thread.
    We have been like the Cubans who keep vintage cars running lol!

    Now you have returned like some demi-God with the best news possible. I am so happy you did not lose faith in your beautiful program. We never did!
     
  3. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    Now you see him! Now you don't!
    Look forward to this journey continuing :doubt:
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,507
    Location:
    Under a bushel ...
    At the risk of being annoying, @Lockdown, or anyone, please can you post the settings required to avoid rebuilding the vulnerable process list with new Win 10 versions that change the file hashes?
    I know I am not the only one that has encountered this issue.
    See this post: https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-272#post-2653941

    Edit: I am trying again. IIRC: 'Allow Microsoft Windows system protected proesses' unchecked, 'Do not allow signed processes' (or 'Do not check if a process is signed') checked.
    @mood In your opinion, would this work? Not sure we haven't had a discussion around this before ...
     
    Last edited: Feb 19, 2017
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,346
    I think the final consensus of this discussion was that if you uncheck all the trust settings, you will get a prompt when one of those vulnerable processes updates -- but it won't be exactly the prompt you were expecting. Instead of the vulnerable processes prompt, you will see a prompt for a changed file.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,784
    Location:
    The Netherlands
    I hope NVT can post some screenshots of the new GUI.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,330
    Location:
    U.S.A. (South)
    Likewise, plus let's pull for this release to become really soon as opposed to much of a lull so we don't have to read all the "so when is it"? headlines. LoL
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,296
    Geesh. Give the guy a break. Not like ERP isn't working
     
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,866
    @paulderdash
    Sadly a "File has changed"-prompt is not implemented for Vulnerable Processes.

    To see a "File has changed"-prompt for "c:\Windows\System32\cmd.exe"
    * There must be an already whitelisted file with the "same path" in the whitelist
    * Further requirement: the checkums must differ
    = If both applies, the user will see a "File has changed"-prompt, else the "Unknown Application"-prompt is displayed on the screen.
    (ERP compares the path and checksum of the executable which is about to be executed with an (if available) already whitelisted file)
    Important: to be able to display a "File has changed"-prompt ERP must consider the path in addition.

    Execution of: "C:\Windows\System32\cmd.exe - Hash: ABC"
    Whitelist: "D:\Windows\System32\cmd.exe - Hash: XYZ"
    = "Unknown Application"-prompt

    Execution of: "C:\Windows\System32\cmd.exe - Hash: ABC"
    Whitelist: "C:\Windows\System32\cmd.exe - Hash: XYZ"
    = "File has changed"-prompt

    And to see the prompt for file-changes in the "Windows"- and "Program Files"-folder:
    * untick "Allow all software from Program Files folder"
    * untick "Allow Microsoft Windows system protected processes"
    * do not select one of the last two options at: "Settings - Signed Processes"

    Edit
    : to get fewer prompts, Files in the folders C:\Windows\ and C:\Program Files + C:\Program Files (x86) need to be whitelisted first (preferrable on a virus-free system, we don't want to whitelist malware :eek:)

    The way "Vulnerable Processes" works at the moment, and to see a "Vulnerable Application detected"-prompt for each execution of a specific file, new Hashes of updated files must be added to the "Vulnerable Processes"-list.
    * "cmd.exe" has been added to the whitelist
    * after it has been added to Vulnerable Processes:
    = "Vulnerable Application detected"-prompt for each execution of "cmd.exe" (except for whitelisted command-lines) (and only as long as the hash stays the same)

    But soon things will change, a vulnerable process can be specified by process. No matter what the hash is, the user will get an alert:
     
    Last edited: Feb 20, 2017
  10. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,478
    Location:
    Hawaii
    What he said!
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,507
    Location:
    Under a bushel ...
    Thanks @mood for taking the time to explain.
    I do recall Andreas posting the change in the new version, so looking forward to that.
    I did try unticking those trust settings, but got so many prompts I quickly reverted :)
     
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,346
    on a totally clean system, you can add the entire Windows folder, and also the programs folders, to whitelisted processes (include the subfolders when you do it), that cuts down a lot of prompts.
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,507
    Location:
    Under a bushel ...
    Thanks. Makes sense.
     
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,346
    if you do that kind of bulk whitelisting, you should get the "changed" prompt for updated vulnerable processes, instead of the "new process" prompt.

    I actually tried this plan out last night, but I ran into problems. Certain processes wouldn't load, and also did not produce prompts or log entries. When I exited ERP, those processes started popping up.

    Not sure, but I think it is because I was in a standard user account. I have noticed before that if I try to totally max out ERP protection while in a standard user account, I get glitches.
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,346
    yes, it was the standard user account to blame.
    I switched it to admin, turned off trust settings in ERP, whitelisted my folders, trained ERP quickly, and then switched it back to standard user account. And all's well.
     
  16. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    @novirusthanks The current beta version of NVT has a bug whic causes all custom rules to be lost when a hard/unexpected shutdown of the computer happens (eg. power loss).

    Also, hoping for some of my previous GUI suggestions to make it into the new version.
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,542
    Location:
    Mexico
    It also happens under other circumstances too. Most annoying one for me is when I exit from shadow mode (Shadow Defender) by restarting or cold boot.
     
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,214
    Location:
    .
    have you tried Exit > NoVirusThanks, before Exit > ShadowMode.
    FWIW ~ I'll Exit NVT ERP, before Enter & Exit ShadowMode. YMMV
     
    Last edited: Feb 21, 2017
  19. :D wondering what will happen also
     
    Last edited by a moderator: Feb 20, 2017
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,346
    actually, I am not so happy with ERP at no-trust settings when run in a standard user account. I hope the SUA bug will be fixed.

    I also hope that new version will be "smart" enough to identify similar command line strings, so they don't have to be edited with wildcards.
     
  21. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,478
    Location:
    Hawaii
    I'm sure that you already know this, but for anyone who DOESN'T know: You can readily back-up NVT's entire rule-set by using File > Export/Import on NVT's GUI. I export to a flash drive, so a hard drive problem (including a full-on metal failure) doesn't cause lost files.

    Of course, the bug SHOULD be fixed but -- beta means beta.
     
  22. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    Thanks for the tip bellgamin. I've already been using the export/import feature, but it's an annoyance when it happens.
     
  23. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,027
    Location:
    Italy
    @Defenestration

    Yes we are aware of that issue, the new version will save rules in a better way so that kind of issue should not happen.

    @Rasheed187

    Not yet ready for a screenshot, but should have one asap.

    @shmu26

    Not that easy, but we can think about something.
     
  24. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    @novirusthanks

    I think you mentioned it, but these guys need hashless rules for Vulnerable Processes

    Microsoft is giving everybody a boomerang with their constant updates of interpreters and such on W10

    So for those that haven't been able to figure it out, they are having to re-craft their Vulnerable Process lists after the file hashes have changed

    They want a "File has changed..." alert when any process on the Vulnerable Process list is modified
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,027
    Location:
    Italy
    @Lockdown

    Yes, the new rules allows to check file path, hash, parent, signer, etc

    A possible solution to avoid using hashes may be a rule like this:

    proc.Name = "cmd.exe" AND proc.signer = "Microsoft Corporation"

    We may also provide an alert dialog if a vulnerable process changes.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.