New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Yea and I like it, but afaik they stopped development :doubt:

     
  2. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    I could use a little help here... Emby is really bugging me. It wants permission for things even after I granted it with exclusions; everything from running to auto-importing multimedia. That just tells me that I'm creating the exclusions incorrectly. Emby itself runs in the %appdata%local directory. I know, I can disable the option to protect that directory but I'd rather enable everything and exclude when needed than give blanket permissions.

    The log entry is below, and represents Emby auto-importing

    I tried to create a less restrictive rule, as seen below. But I still get OSA blocked notifications

    The odd thing is that embyserver.exe is signed, at least that's what the properties say, so why is it being blocked? Anyone else have this issue? How would I correctly create the * rule?
     
  3. guest

    guest Guest

    It does have a valid certificate but not a valid one (valid until January 15, 2018)
     
  4. My rules are here for OSArmor build 26 Software!

    Thread: https://www.wilderssecurity.com/thr...an-additional-layer-of-defense.398859/page-27 :D

    Code:
    // Try making a basic rule?
    [%PROCESS%: *ffprobe.exe] [%PROCESSFILEPATH%: C:\Users\natha\AppData\Roaming\Emby-Server\system\] [%PARENTFILEPATH%: C:\Users\natha\AppData\Roaming\Emby-Server\system\]
    [%PROCESS%: *ffprobe.exe]
    // Basic rule!
    [%PROCESS%: *ffprobe.exe]
    // Maybe?
    [%PROCESSCMDLINE%: *ffprobe.exe*]
    // This also might work?
    [%PROCESS%: *ffprobe.exe] [%PROCESSFILEPATH%: C:\Users\natha\AppData\Roaming\Emby-Server\system\]
    // Try testing this ...
    [%PROCESS%: *ffprobe.exe] [%PROCESSCMDLINE%: *ffprobe.exe*] [%PROCESSFILEPATH%: C:\Users\natha\AppData\Roaming\Emby-Server\system\]
    // Filesigner rule
    [%FILESIGNER%: ????] [%PROCESS%: *ffprobe.exe] [%PROCESSCMDLINE%: *ffprobe.exe*] [%PROCESSFILEPATH%: C:\Users\natha\AppData\Roaming\Emby-Server\system\]
    
    I too found it very hard making these rules!
     
    Last edited by a moderator: Jan 19, 2018
  5. It should still work with UAC I mean, I also have tested outdated certificates! :shifty: Please don't ask why I was doing this in the first place?
     
    Last edited by a moderator: Jan 19, 2018
  6. guest

    guest Guest

    Regarding ERP and non valid signatures:
    It depends on the setting.
    If you have added "Emby LLC" to Trusted Vendors and have selected "Allow processes signed only by Trusted Vendors" (but haven't added Embyserver.exe to the whitelist), Embyserver.exe will not be allowed to run because it doesn't have a valid signature.
    In this case the executable must be added to the whitelist; then it can be executed.
     
    Last edited by a moderator: Jan 19, 2018
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @n8chavez

    I believe you wanted to post the question on OSArmor thread.

    However, this rule should work for you (on OSArmor exclusions):

    Code:
    [%PROCESS%: C:\Users\natha\AppData\Roaming\Emby-Server\system\ffprobe.exe] [%PARENTPROCESS%: C:\Users\natha\AppData\Roaming\Emby-Server\system\EmbyServer.exe]
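
An added example, not part of the original post and not OSArmor's own code: a small model of the exclusion syntax quoted in this thread, showing which process events the broad `*ffprobe.exe` rule and the developer's pinned rule would each exempt. It assumes `%PROCESS%` and `%PARENTPROCESS%` hold full image paths, `*` and `?` are wildcards, matching is case-insensitive, and all conditions on a line must match; the events are constructed.

```python
import re

# Simplified model of the rule syntax in this thread (assumed semantics, not
# OSArmor's implementation): each "[%VAR%: pattern]" is one condition and
# every condition on the line must match for the event to be excluded.
CONDITION = re.compile(r"\[%(\w+)%:\s*(.*?)\]")

def parse_rule(line):
    """Split one exclusion line into (variable, pattern) pairs."""
    return CONDITION.findall(line)

def wildcard_match(pattern, value):
    """Whole-string wildcard match; everything except * and ? is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def is_excluded(rule_line, event):
    """True if every condition of the rule matches the process event."""
    conditions = parse_rule(rule_line)
    return bool(conditions) and all(
        var in event and wildcard_match(pat, event[var])
        for var, pat in conditions
    )

def excluded_events(rule_line, events):
    """Names of the events that the rule would exempt from blocking."""
    return [name for name, ev in events.items() if is_excluded(rule_line, ev)]

EMBY = r"C:\Users\natha\AppData\Roaming\Emby-Server\system"
BROAD_RULE = r"[%PROCESS%: *ffprobe.exe]"
PINNED_RULE = (rf"[%PROCESS%: {EMBY}\ffprobe.exe] "
               rf"[%PARENTPROCESS%: {EMBY}\EmbyServer.exe]")

# Constructed process-start events (not taken from a real log).
EVENTS = {
    "emby_import": {"PROCESS": EMBY + r"\ffprobe.exe",
                    "PARENTPROCESS": EMBY + r"\EmbyServer.exe"},
    "other_folder": {"PROCESS": r"C:\Users\natha\Downloads\ffprobe.exe",
                     "PARENTPROCESS": r"C:\Windows\explorer.exe"},
    "other_parent": {"PROCESS": EMBY + r"\ffprobe.exe",
                     "PARENTPROCESS": r"C:\Windows\System32\cmd.exe"},
}

if __name__ == "__main__":
    for label, rule in (("broad", BROAD_RULE), ("pinned", PINNED_RULE)):
        print(label, "->", excluded_events(rule, EVENTS))
```

Under these assumptions the broad rule exempts all three events, while the pinned rule exempts only the Emby import it was written for.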
    
     
  8. Nice simple rule!
     
  9. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    I did. I'm sorry about that. That's what I get for posting so late...
     
    Last edited: Jan 19, 2018
  10. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    Is there any way to export lists and view it as a text file?
     
  11. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    with EXE Radar Pro 3.x ?
    2306.png
    2305.png
    2309.png
    3.x used to have an Online Help File
     
    Last edited: Jan 21, 2018
  12. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Yes. And you open those db files that bjm showed above using Notepad.
     
  13. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    I have already tried this and it is unreadable.
     
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    2315.png
    works for me so, IDK. Sorry

    maybe, you're looking at an Export file 2317.png
    2316.png
     
    Last edited: Jan 21, 2018
  15. guest

    guest Guest

    In the case of ERP v3.x:
    a) C:\ProgramData\NoVirusThanks\EXE Radar Pro\Data\ - all files can be viewed with a simple text editor
    b) ERP exports Rules/Settings to a .erp file, which can be extracted with a simple Zip extractor (WinRAR, WinZip, etc.), and the extracted files are in a human-readable format.

    In the case of ERP v4.x:
    a) c:\ProgramData\NoVirusThanks\EXE Radar Pro\Databases\Rules.db - sadly rules cannot be viewed with a text editor
    ERP 4.x_rules_beta.png
    b) but rules can be exported via "Export Rules" to a .csv-file and the file is in a readable format:
    ERP 4.x_export_beta.png
     
  16. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    That old online help page seems to have vanished. Looong ago I saved the webpage as .mht file.
    PM me if you need it.
     
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    2334.png
    2332.png
    2333.png
     
    Last edited: Jan 21, 2018
  18. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    Extracting files was the step I was missing. Thanks everyone.

    @act8192 - I sent you a pm.
     
    Last edited: Jan 21, 2018
  19. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    When we get v4, I wonder if the dates in the log could be changed to yyyymmdd... to make it more universal.
    Could someone with access to Andreas or v4 beta-testers mention it, please.

    @Charyb - done.
     
  20. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    Thanks a bunch. The help file has answered several of my questions.
     
  21. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Charyb, You're welcome. I like that help page and refer to it often.
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Lately I have noticed that EXERadar.exe doesn't always start up after a reboot, and the result is that protection is not active. Usually it starts, but not all the time.
    I tried adding it to the Windows startup folder, but then the whole GUI window opens on the screen.
    ERP 3
    Windows 10 x64 RS3
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I believe it's some kind of bug, it sometimes happens on my Win 8 system also. That's why I hope Sandboxie will implement an "auto-sandbox" feature, because if ERP doesn't start on a noob-user's system, they might be toast when downloading malicious apps.
     
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    I am finally convinced that ERP 4 must appear, and soon. ERP 3 is no longer perfect.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, that's why I'm a bit frustrated that NVT started working on OSA. But OSA is supposed to be a set and forget tool also meant for non-experts, so I can understand why they wanted to make such a tool. Now that I think about it, would be cool if some of OSA's features were integrated into ERP.
     