New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,527
    Location:
    U.S.A. (South)
    @Umbra - Have you ever thought to image your current system to another drive and throw everything at your settings?
    Same here, knock on wood. But on every boot I get a "can't reach/load service control something" message, but I'm thinking it's another app causing it, like AppGuard or Comodo.

    No matter. Manually starting from the folder does bring it into full working order again. I do hear it on boot up doing a Prompt but can't reach it because Windows start up spinning dot screen takes too long to clear in time. By then the service error is showing a box and says it's closing.

    Start it manually and it's back on and in business again.
     
  2. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    494
    You could try rebooting in training mode, and also put the various Comodo modules in training mode. Sometimes at system startup, Comodo is active enough to block a process from starting, but not yet active enough to give you a prompt.
     
  3. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,995
    Location:
    Europe then Asia
    I did already; nothing (yet) was able to bypass my setup.

    1- The malware has to reach my system by bypassing either ReHIPS or Sandboxie (each protects one of my 2 browsers, with Sandboxie forcing isolation of the internet-facing folder and USBs) --- not an easy thing.
    2- Then, once in my system, the malware has to bypass Smartscreen (set to block) and WD --- which is very possible, of course.
    3- Then it must be able to bypass my OS tweaks and optimizations (meaning it has to have a signed certificate, not use Powershell or cmd, not be embedded in Office macros, etc.).
    4- Then it must bypass AppGuard and ReHIPS' Application Control, both set to Lockdown Mode.
    5- Then it has to bypass SUA with UAC set to Max.
    6- Then maybe I may get infected, and even if that happens, I'm used to reverting to my Rollback RX clean snapshot every time I boot my computer, so persistent malware won't linger.

    The only attack vector I can see is myself being socially engineered and allowing this particular, very well crafted malware.
    Now, can I be compromised by a hacker penetrating my network? Maybe, but very improbable.

    I have to say that my system is static, so I'm used to its behavior; I won't say I can pinpoint a malware just by looking at my screen, but I always have an eye on my CPU/RAM/network usage, and when I see something unusual, I open Process Hacker/Explorer right away and check.
     
  4. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,487
    Location:
    Sweden
    Did anyone add the Powershell executables to "Vulnerable processes" in NVT?
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,524
    Location:
    The etherlands
    Yes.
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    494
    The 4 powershell exes are on the "Vulnerable processes" list by default. If you don't see them, reset the list, and they will appear.
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,524
    Location:
    The etherlands
    OK, I think I may have removed them because I had added them to User Space in AG.

    I manually re-added them so they have the correct hash. I have a ton of manually added vulnerable processes in there, albeit mostly with hashes belonging to older Windows versions, so would rather not reset.

    As far as I know, the new ERP will solve the changing hash issue.
     
  8. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,995
    Location:
    Europe then Asia
    yes, it is a "must-do/have/be"
     
  9. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,878
    Yes, and with the new version we get an alert if one of the vulnerable applications has been changed.
    I think my first action with the new version would be to deny my vulnerable applications (browser, pdf-reader, ...) the execution of files from the Windows-directory.
    :thumb:
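    The "changing hash" problem mentioned in the two posts above (a vulnerable-process entry that is keyed to a file hash stops matching once Windows Update replaces the executable) can be checked independently of ERP. The script below is an added example, not code from the thread or from NoVirusThanks: it records a SHA-256 baseline for a watch list and later reports which entries are unchanged, changed, missing or newly present. The watch list paths are assumed to be the standard locations of the four PowerShell executables discussed in the thread; ERP's own list format is not modelled.

```python
# Added example (not from the thread or from NVT ERP): SHA-256 baseline for
# a "vulnerable processes" watch list, so a replaced binary is noticed before
# a hash-keyed rule silently stops matching it.
import hashlib
import json
from pathlib import Path

# Assumed watch list: the usual locations of the four PowerShell executables.
POWERSHELL_WATCHLIST = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe",
]


def sha256_file(path):
    """Return the hex SHA-256 of a file, or None if it does not exist."""
    p = Path(path)
    if not p.is_file():
        return None
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each watched path (as a string) to its current hash, None if absent."""
    return {str(p): sha256_file(p) for p in paths}


def check_baseline(baseline):
    """Re-hash every baselined path and classify it.

    Returns a dict with the keys:
      ok       - hash unchanged
      changed  - file present but hash differs (a hash-keyed rule is now stale)
      missing  - file absent now
      appeared - file was absent when the baseline was taken and exists now
    """
    report = {"ok": [], "changed": [], "missing": [], "appeared": []}
    for path, old in baseline.items():
        new = sha256_file(path)
        if new is None:
            report["missing"].append(path)
        elif old is None:
            report["appeared"].append(path)
        elif new != old:
            report["changed"].append(path)
        else:
            report["ok"].append(path)
    return report


def save_baseline(baseline, out_path):
    """Persist the baseline as JSON."""
    Path(out_path).write_text(json.dumps(baseline, indent=2))


def load_baseline(in_path):
    """Load a baseline written by save_baseline."""
    return json.loads(Path(in_path).read_text())


if __name__ == "__main__":
    # First run records the baseline; later runs compare against it.
    store = Path("vulnerable_baseline.json")
    if not store.exists():
        save_baseline(build_baseline(POWERSHELL_WATCHLIST), store)
        print("baseline written to", store)
    else:
        for status, paths in check_baseline(load_baseline(store)).items():
            for p in paths:
                print(f"{status:8} {p}")
```

    Run it once to write the baseline, and again after a Windows update: any path listed under "changed" is one whose hash-based entry in a vulnerable-process list would need to be re-added, which is the manual step described above.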
     
  10. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,487
    Location:
    Sweden
    They weren't. I reset the list anyway and they're still not there. I'll have to add them manually, I guess.
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    494
    That really puzzles me. Maybe you deleted them, renamed them, or moved them?
    If not, then maybe someone else here has an explanation. Or maybe Andreas @novirusthanks knows what's up with that.
     
  12. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,487
    Location:
    Sweden
    It was a fresh install. I've never installed NVT Exe before; I'm on a trial. While I was looking through vulnerable processes I didn't find Powershell exes there so it really got me wondering. I'm an avid AppGuard user so my eyes instantly searched for Powershell.exe but with zero result. :)
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    494
    Maybe you and me are on different versions. I am on version EXERadar_Pro_x86_x64_v3.1_24062015_BUILD1
    Try it. This is the latest version presently available.
    After installation, untick "check for new version", because it will try to update you to an older version. This version is free, by the way, because it is considered "beta".
    Here's the link:
    http://downloads.novirusthanks.org/files/EXERadar_Pro_x86_x64_v3.1_24062015_BUILD1.exe
     
  14. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,487
    Location:
    Sweden
    Thanks! That build did the trick! I had the official build from their website.

    The "beta" you offered is from 2015. Has it really been that long since the devs last updated NVT ERP?

    Another thing; this "beta" seems to be freeware (only ask for donations). Did NVT ERP become freeware and does this "beta" offer all features of a paid version?
     
    Last edited: Jun 4, 2017
  15. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,884
    Location:
    Mexico
    Yes. Almost 2 years gone.
     
  16. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,487
    Location:
    Sweden
    Another thing; this "beta" seems to be freeware (only ask for donations). Did NVT ERP become freeware and does this "beta" offer all features of a paid version?
     
  17. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,884
    Location:
    Mexico
    Yes it offers so. It's free and you can always donate if you wish.
     
  18. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,487
    Location:
    Sweden
    Ok! One more question! DEP and ASLR are not activated on the NVT ERP processes; is it supposed to be like that?
     
  19. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,487
    Location:
    Sweden
    Any other "must do" to add to vulnerable apps? I don't want to add applications that break full functionality in Windows so that I manually have to disable the "rule" every time I do something common on my computer (like disabling Windows Update exes etc.).
     
  20. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,995
    Location:
    Europe then Asia
    You have more than 50 processes that should be added. I know we have a list hidden somewhere in the forum... maybe in the Bouncer thread.
     
    Last edited: Jun 4, 2017
  21. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    494
    The real "must do"s are there by default. After that, it is each according to his own level of paranoia.
    For instance, some would add mshta, bitsadmin, and other various script interpreters, like perl, if you have it on your system.
    Others go for the big, exhaustive list.

    The dev took a long break, to work on another project, that's why the "current" build is from 2015. But a new and greatly improved beta is expected to come out very soon.
     
  22. TheMalwareMaster

    TheMalwareMaster Registered Member

    Joined:
    Jan 11, 2017
    Posts:
    25
    Location:
    Italy
    @novirusthanks Good morning. I see you are from Italy (I am too). Some time ago I downloaded EXE Radar Pro, but I found no Italian language. Is it only in English?
     
  23. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,878
    ERP is only available in English
     
  24. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,684
    I am a n00b to this program. I have it installed with default settings. I assume that these are "ok" but could be locked down further. What would you guys recommend?

    Keep in mind this is a shared home PC, and I am the only one capable of dealing with prompts and what to do when something happens. Cheers!
     
  25. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,296
    If you like something set and forget it, VoodooShield might be more what you're looking for. But with NVT ERP, the learning curve is short and you can basically whitelist a process by adding it to the whitelisted processes list.

    If you suspect a process is questionable, add it to the vulnerable processes list. That's a great deal of flexibility.

    With VS you can't really set up a custom list unless you get the paid Pro version. Noobs would rather have it do it for them.
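    The interplay between the whitelist, the vulnerable-processes list and a parent-process restriction (the "deny my vulnerable applications execution of files from the Windows directory" idea raised earlier in the thread) is easier to reason about as a small decision function. The model below is an added example, not NVT ERP's logic or code, and its rule precedence, sample paths and list contents are assumptions for illustration; hash matching is left out so that the ordering of the rules is the only thing it shows.

```python
# Added example (not NVT ERP's logic): a minimal model of how a whitelist,
# a vulnerable-processes list and a per-parent directory restriction combine
# into an allow / deny / prompt decision for a process launch.
from pathlib import PureWindowsPath

# Assumed sample lists; real deployments key these by hash as well as path.
WHITELIST = {
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\notepad.exe",
}
VULNERABLE = {
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
}
# Assumed restriction from the thread: vulnerable parents may not launch
# anything that lives under the Windows directory.
RESTRICTED_FOR_VULNERABLE = [r"C:\Windows"]


def _parts(path):
    """Case-folded path components, so comparisons ignore Windows case."""
    return tuple(s.lower() for s in PureWindowsPath(path).parts)


def _is_under(child, parent_dir):
    """True if child is parent_dir itself or lies somewhere below it."""
    c, p = _parts(child), _parts(parent_dir)
    return c[:len(p)] == p


def decide(parent, child, whitelist=WHITELIST, vulnerable=VULNERABLE,
           restricted=RESTRICTED_FOR_VULNERABLE):
    """Return (verdict, reason) for `parent` launching `child`.

    Assumed precedence: a restricted-directory deny for vulnerable parents
    wins over the whitelist, the whitelist wins over everything else, and
    anything unresolved falls through to a prompt (default-deny posture).
    """
    wl = {_parts(p) for p in whitelist}
    vul = {_parts(p) for p in vulnerable}
    parent_k, child_k = _parts(parent), _parts(child)

    if parent_k in vul and any(_is_under(child, r) for r in restricted):
        return "deny", "vulnerable parent launching from a restricted directory"
    if child_k in wl:
        return "allow", "child is whitelisted"
    if parent_k in vul:
        return "prompt", "vulnerable parent launching an unknown executable"
    return "prompt", "unknown executable"


if __name__ == "__main__":
    # Constructed sample launches.
    samples = [
        (r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Windows\System32\cmd.exe"),
        (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
        (r"C:\Program Files\Mozilla Firefox\firefox.exe", r"D:\Tools\tool.exe"),
        (r"C:\Windows\explorer.exe", r"D:\Downloads\setup.exe"),
    ]
    for parent, child in samples:
        verdict, reason = decide(parent, child)
        print(f"{verdict:6} {PureWindowsPath(child).name:12} <- {PureWindowsPath(parent).name}: {reason}")
```

    The ordering is the point: with the restriction placed ahead of the whitelist, a whitelisted cmd.exe is still blocked when a browser or PDF reader is the parent, while Explorer launching the same cmd.exe is allowed and anything unknown falls through to a prompt. Whether the real product evaluates rules in that order is not stated in the thread, so treat the precedence as a design choice to verify against your own installation.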
     