New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,149
    Location:
    Italy
    Here is a new v4.0 (pre-release) test2:
    http://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test2.exe

    *** Please do not share the download link, we will delete it when we'll release the official v4 ***

    So far this is what's new compared to the previous pre-release:

    + Fixed writing of rules (matching of fields)
    + Fixed matching of wildcard characters (Like to) on rules
    + Fixed matching of parent process on rules
    + Fixed showing of main window on multi-monitors
    + Fixed showing of "Hide Main Window" on Tray Icon
    + Added option "Do not auto-close notification dialog" (when a process is blocked)

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    There were some issues on rules, please retry with this new build (should work fine now).

    To use wildcards (? and * characters) just select "Like to" instead of "Equal to".

    @mood

    Will read all your suggestions in these days and discuss them, thanks for posting them!

    @Peter2150

    Will take a look at your issue, it definitely looks strange.

    @askmark

    Yes, it will be fixed/handled better in the next build.

    Sure.

    @Charyb

    We've added the option "Do not auto-close notification dialog" on Settings tab.

    We'll also set pagination to 50 or 100 rules per page.

    @shmu26

    This rule on Command Line:

    Code:
    C:\WINDOWS\system32\Rundll32.exe Prnntfy.dll,AsyncUILoaderEntry Local\{*}_ASYNCUI
    
    Should now work fine.

    @Pliskin

    It is fixed now.
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,625
    Location:
    North Carolina, USA
    Hello,

    I am still having problems with vulnerable processes as I outlined in post #6505 above. I am fairly sure it has nothing to do with the wildcards as I cannot get the VPL to work using the entire command line string. I am also fairly sure I am using the wildcards correctly because I have no issue with regular processes and using wildcards. I am at a loss... (and yes, I do change the command line to "Like to")

    Am I the only one having issues using the VPL and then creating rules for the vulnerable processes?
    Has anyone gotten it to work correctly?

    On a side note, I lost all of my created rules after updating to the new version and the list that I had exported would not import so I had to start from scratch.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Arg. No, you're not. Actually, to be very candid, I could care less about all this rule stuff. Especially when the actual AE part is still very shaky at best.
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,625
    Location:
    North Carolina, USA
    Hello,

    The frustrating part to me is not knowing whether it is me doing something wrong or a bug/issue with version 4. I have gone over all that I am doing and can only assume that I am doing things correctly as I can edit and add rules (with and without wildcards) for regular processes fine with no issues. It is only with vulnerable processes that I have an issue. With no feedback from @novirusthanks, I can only assume that it is a bug/issue with version 4 and vulnerable processes.
    One of the great things about version 3 (at least for me) was its simplicity. Version 4 is more complex, especially concerning vulnerable processes and adding the rules needed for the VPL with command lines...
     
  5. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,149
    Location:
    Italy
    @puff-m-d

    I checked your rules on post 6505 and they are correct.

    With build 2 they should be handled correctly; in build 1 the wildcard on the Command Line field was not working correctly.

    Can you try this rule (basically, removing checking for hashes):

    Code:
    [Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] [Proc.CmdLine LIKE "cmd.exe" /c ipconfig*] [Parent.Name = C:\Program Files\AirVPN\AirVPN.exe] [Parent.Signer = AIR DI PAOLO BRINI] [Action = Allow]
    
    If it doesn't work, can you show a screenshot of the expanded alert dialog?

    We've found an issue on ERPv4 when it tries to import specific command-line strings, will be fixed asap.
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,625
    Location:
    North Carolina, USA
    Hello @novirusthanks,

    I tried your rule as outlined above. The changed rule did not work. Here is the requested screenshot:
    2018.03.07_10h46m23s_00006_001.png
     
  7. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    431
    Still doesn't work. Here is my new "Parent can launch any exe" rule with explorer.exe, so you can test it yourself:

    sshot-1.png
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,149
    Location:
    Italy
    @puff-m-d

    Strange, will install AirVPN and try it.

    @Pliskin

    The field "Name" in "Parent Process" matches both path + name, i.e.:

    C:\Windows\explorer.exe -> correct

    explorer.exe -> not correct
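
To make the rule semantics discussed in this thread concrete (the bracketed rule syntax from post 5, the "Like to" wildcards from post 1, and the path + name matching of the Parent Process "Name" field explained just above), here is an added Python example. It is not ERP's own code: the rule language is only approximated from the rules quoted in the thread, and the function names, the event dictionary layout and the sample events are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not ERP's own code. A Rule is a list of (field, operator, value)
# clauses parsed from the bracketed syntax seen in this thread, e.g.
# [Proc.Name = cmd.exe] [Proc.CmdLine LIKE "cmd.exe" /c ipconfig*] [Action = Allow]
Rule = List[Tuple[str, str, str]]

# One clause: "[Field OP value]"; OP is "=" (Equal to) or "LIKE" (Like to).
# The value runs up to the closing bracket, so it may contain spaces and quotes.
_CLAUSE = re.compile(r"\[([A-Za-z]+(?:\.[A-Za-z]+)?)\s+(=|LIKE)\s+(.*?)\]")


def parse_rule(text: str) -> Rule:
    """Split a rule string into (field, operator, value) clauses."""
    clauses = _CLAUSE.findall(text)
    if not clauses:
        raise ValueError("no clauses found in rule: %r" % text)
    return [(field, op, value.strip()) for field, op, value in clauses]


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """'Like to' semantics: '*' matches any run of characters, '?' exactly one.
    Everything else is literal; matching is case-insensitive like Windows paths."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, re.IGNORECASE | re.DOTALL)


def clause_matches(op: str, expected: str, actual: Optional[str]) -> bool:
    """Compare one event field against a clause. '=' is a literal, case-insensitive
    comparison, so a '*' in an 'Equal to' clause only matches a literal asterisk."""
    if actual is None:
        return False
    if op == "=":
        return actual.lower() == expected.lower()
    return wildcard_to_regex(expected).fullmatch(actual) is not None


def evaluate(rule: Rule, event: Dict[str, str]) -> Optional[str]:
    """Return the rule's Action when every other clause matches the event, else None.
    The event's Parent.Name carries the full path, because the Parent Process
    'Name' field is matched against path + name, not the bare file name."""
    action = None
    for field, op, value in rule:
        if field == "Action":
            action = value
        elif not clause_matches(op, value, event.get(field)):
            return None
    return action


# Constructed sample event: cmd.exe launched by AirVPN, as in the rule from post 5.
AIRVPN_EVENT = {
    "Proc.Name": "cmd.exe",
    "Proc.Path": r"C:\Windows\System32",
    "Proc.CmdLine": r'"cmd.exe" /c ipconfig /all',
    "Parent.Name": r"C:\Program Files\AirVPN\AirVPN.exe",
    "Parent.Signer": "AIR DI PAOLO BRINI",
}

AIRVPN_RULE = (r'[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] '
               r'[Proc.CmdLine LIKE "cmd.exe" /c ipconfig*] '
               r'[Parent.Name = C:\Program Files\AirVPN\AirVPN.exe] '
               r'[Parent.Signer = AIR DI PAOLO BRINI] [Action = Allow]')

# The rundll32 command line from post 1; the {*} wildcard stands in for the GUID.
RUNDLL_PATTERN = r"C:\WINDOWS\system32\Rundll32.exe Prnntfy.dll,AsyncUILoaderEntry Local\{*}_ASYNCUI"
RUNDLL_ACTUAL = r"C:\WINDOWS\system32\Rundll32.exe Prnntfy.dll,AsyncUILoaderEntry Local\{1A2B3C4D-0000}_ASYNCUI"


def demo() -> Dict[str, Optional[str]]:
    """Run the cases discussed in the thread and return case name -> decision."""
    explorer_child = {"Parent.Name": r"C:\Windows\explorer.exe"}
    return {
        "airvpn_like": evaluate(parse_rule(AIRVPN_RULE), AIRVPN_EVENT),
        # Same rule with "Equal to" on the command line: the '*' is now literal.
        "airvpn_equal": evaluate(parse_rule(AIRVPN_RULE.replace("CmdLine LIKE", "CmdLine =")), AIRVPN_EVENT),
        "parent_bare_name": evaluate(parse_rule("[Parent.Name = explorer.exe] [Action = Allow]"), explorer_child),
        "parent_full_path": evaluate(parse_rule(r"[Parent.Name = C:\Windows\explorer.exe] [Action = Allow]"), explorer_child),
        "rundll32_like": "match" if clause_matches("LIKE", RUNDLL_PATTERN, RUNDLL_ACTUAL) else None,
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print("%-18s -> %s" % (name, decision))
```

Running the block shows the two pitfalls raised in the thread side by side: the AirVPN rule allows the event only with "Like to" on the command line (with "Equal to" the trailing `*` is a literal character and the rule never fires), and a Parent Process "Name" of `explorer.exe` does not match while `C:\Windows\explorer.exe` does.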
     
  9. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    That screenshot has a "customise rule" link which means it's triggered by an existing rule. Would be interesting to see a screenshot of the rule behind that link.
     
  10. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,625
    Location:
    North Carolina, USA
  11. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    431
    Thank you. That means I have found a bug, because if you use "Read Data from file" for the Parent Process you will only get the name (explorer.exe) which is incorrect, as you say.
     
  12. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
  13. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,625
    Location:
    North Carolina, USA
    Hello @askmark,

    Yes, that is correct.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,810
    Location:
    U.S.A. (South)
    I also have that field show up when selecting Read Data From File; however, I run into a different matter where I set an expression to ASK on powershell.exe with the PARENT field, of course, being explorer.exe (as it shows in Read Data From File), and it launches powershell anyway. No alerts, no nothing.

    I'll tinker with the settings some more and see what's amiss.
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,149
    Location:
    Italy
    We've just finished implementing the option 1 discussed on #6472:

    erp2.png

    New build will be uploaded soon.

    @Pliskin

    Yes, will be fixed asap, thanks for the details.

    @EASTER @puff-m-d

    Build 2 should correctly allow command-lines supporting wildcards (it has only an issue on parent process name reported by Pliskin).

    We'll double check it asap.
     
  16. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,969
    How the heck did I miss this, thanks!
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,810
    Location:
    U.S.A. (South)
    Thanks. It's incredible, the pure number of vulnerable processes/command-line strings that Windows leaves wide open to tampering.
     
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,104
    Location:
    .
    Does v4 have a Utilities tab?
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,810
    Location:
    U.S.A. (South)
    Build 2 is yet to be released.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,810
    Location:
    U.S.A. (South)
    Any idea of a time expectancy for the next test build ERP 4?
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    I've noticed that it doesn't remember window and column sizes. Also, is it possible to make ERP monitor suspended processes? So if a process starts up a child process in a suspended state, it should be blocked. This way you can block process hollowing attacks.
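
The suggestion above (treat a child process that is started in a suspended state as a signal worth blocking or alerting on) can be sketched as a defender-side policy check. The following Python is an added example, not ERP's code and not a statement of how ERP would implement the feature: the event layout with a `creation_flags` field, the `decide` and `scan` names, the trusted-parent list and the sample events are all assumptions made for the example; only `CREATE_SUSPENDED = 0x00000004` is a documented Windows `CreateProcess` flag value.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Documented Windows CreateProcess creation flag: the new process starts with its
# primary thread suspended until the creator calls ResumeThread.
CREATE_SUSPENDED = 0x00000004


@dataclass
class ProcessCreate:
    """One process-creation event (constructed layout for this example)."""
    parent_image: str      # full path of the creating process
    child_image: str       # full path of the new process
    creation_flags: int    # dwCreationFlags passed to CreateProcess


def decide(event: ProcessCreate, trusted_parents: Iterable[str]) -> str:
    """Policy: a child created suspended is allowed only when its parent is on the
    trusted list; any other suspended creation is escalated to 'Ask' so the user
    sees an alert (a strict policy could return 'Block' instead). The parent is
    matched on its full path, case-insensitively, mirroring how the Parent
    Process 'Name' field is matched on path + name in this thread."""
    if not event.creation_flags & CREATE_SUSPENDED:
        return "Allow"
    parent = event.parent_image.lower()
    if any(parent == trusted.lower() for trusted in trusted_parents):
        return "Allow"
    return "Ask"


def scan(events: Iterable[ProcessCreate], trusted_parents: Iterable[str]) -> List[Tuple[str, str]]:
    """Apply decide() to a stream of events and return (child image, decision) pairs."""
    trusted = tuple(trusted_parents)
    return [(event.child_image, decide(event, trusted)) for event in events]


# Parents that legitimately start children suspended (debuggers and sandboxed
# browsers do this); the paths here are hypothetical placeholders.
TRUSTED_PARENTS = (
    r"C:\Program Files\ExampleDebugger\debugger.exe",
)

# Constructed sample events for this example.
SAMPLE_EVENTS = [
    # ordinary launch: not suspended, nothing to flag
    ProcessCreate(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", 0),
    # trusted debugger starting its debuggee suspended: allowed by the list
    ProcessCreate(TRUSTED_PARENTS[0], r"C:\Users\user\target.exe", CREATE_SUSPENDED),
    # unknown parent starting a system binary suspended: the hollowing pattern
    ProcessCreate(r"C:\Users\user\Downloads\invoice.exe", r"C:\Windows\System32\svchost.exe", CREATE_SUSPENDED),
]


def count_escalated(events: Iterable[ProcessCreate], trusted_parents: Iterable[str]) -> int:
    """Number of events the policy escalated to 'Ask'."""
    return sum(1 for _, decision in scan(events, trusted_parents) if decision == "Ask")


if __name__ == "__main__":
    for child, decision in scan(SAMPLE_EVENTS, TRUSTED_PARENTS):
        print("%-45s %s" % (child, decision))
    print("escalated:", count_escalated(SAMPLE_EVENTS, TRUSTED_PARENTS))
```

The trusted-parent list is the important design choice: starting a child suspended is not malicious by itself, so a policy that blocks every suspended creation will interfere with debuggers and browser sandboxes, while a policy keyed on the parent's full path keeps the alert for the case the thread cares about, an unexpected parent spawning a system binary it can then tamper with before resuming it.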
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,810
    Location:
    U.S.A. (South)
    Awesome. So happy that mention has been made.

    Malwares will go to any lengths and that's a goodie two shoes angle for those buzzards.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    ERP v4 is very unfinished at this point. Be patient.
     
  25. guest

    guest Guest

    Yes, it is what we call a beta :argh:
     