New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    For those using OSA, what is the recommended way to configure ERP 4?
    I assume that "Block Suspicious Process Behaviors" should be unticked.
    The bigger question is about VulnerableProcesses_Rules.
    I assume that most of it is not needed, because OSA covers it, and there will be double prompts.
    But rundll32 and regsvr32 are still needed, I think.
    Anything else?
     
  2. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    The trusted vendor list is part of the rules list. You have to add your trusted vendors manually, except for Microsoft.
    You simply make a rule, and leave all fields blank except for the vendor, and that's your trusted vendor "rule".
     
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    Bug - ERP v4 beta test3: the Protection Mode is changing after options in "Settings" has been ticked/unticked
    a) Select a protection mode, for example "Alert Mode"
    b) Open the GUI, tick or untick some options in "Settings"
    c) close the GUI
    d) the Alert mode has been changed and the Protection is now disabled
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,871
    Location:
    U.S.A. (South)
    To speed up testings is there an XML template someone might put together to share for import?

    Or is that not so preferable since each user's machine would calculate an individual ID/Hash per file.

    Just curious about if that's doable or not.
     
  5. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Latest build works perfectly!
     
  6. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Seeing similar on my system, except mine changes from "Alert Mode" to "Learning Mode"
     
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    Just open the old csv in Excel or another similar program, and convert the file to xml.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,871
    Location:
    U.S.A. (South)
    Thanks @shmu26.

    Haven't dealt with csv files for quite awhile. Will try the conversion then.
     
  9. guest

    guest Guest

    Not here. something on your system is probably messing with ERP.
     
  10. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    I was able to save it as xml, and ERP was willing to import the list, but I didn't take it any further than that. I didn't actually import.
    I am using OSA, so I don't want double prompts. Almost everything is on OSA at max settings, as far as I can tell.
     
  11. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    407
    Location:
    router
    in my case i set "protection disabled" then exit from ui
    rerun EXE Radar Pro set in lockdown mode
    test it it can block
    now tick or untick some options cause i can run any program

    alert mode fine for me
     
  12. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    676
    I am looking for the precompiled trusted vendor list that is built into ERP.
     
  13. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
    Confirmed on my machine:
    Hover mouse over tray icon - shows alert mode
    Right click icon > protection mode > select any other mode (say training mode)
    Hover mouse over icon - shows training mode
    Open GUI > go to settings tab and change a setting
    Close GUI
    Hover mouse over tray icon - still showing training mode
    Right click icon > protection modes > will show alert even though hovering will show training mode.

    This is most inconsistent. I've just tried it again and it didn't change and on a third try the icon showed alert but the protection mode showed training :confused:
     
  14. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,678
    Location:
    North Carolina, USA
    Hello,

    Since test 3 seems to have changed the format of imported/exported files in NVTERP from csv to xml, obviously the old vulnerable process list will no longer be able to be imported. I have tried to convert the list to xml format using LibreOffice but the created file will not import properly, so currently I am not able to import the list. It may be something that I am doing wrong as I have never done this before, so I was wondering...
    Has anyone converted the list of vulnerable processes found in @novirusthanks post # 6454
    from a csv file to a xml file and successfully imported it into NVTERP?
    I am hoping that maybe @novirusthanks or someone that has done this successfully can post a new list in the correct xml format.
     
  15. AEG

    AEG Registered Member

    Joined:
    Mar 12, 2018
    Posts:
    29
    Location:
    Middlesbrough
    Open the csv file in Writer then save it as Docbook xml format. It will then import in to ERP but you will have to edit each rule as the category and permissions are not set correctly. Check the CSV file in writer to set the permissions correctly.
     
  16. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Copy and paste the text below into Notepad (or similar) and save with name Rules.xml. Then import into ERP 4.
    Code:
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]</> <enabled>1</>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]<enabled>1</>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell.exe] [Proc.Path = C:\Windows\System32\WindowsPowerShell\v1.0] [Action = Ask]<enabled>1</>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell.exe] [Proc.Path = C:\Windows\SysWOW64\WindowsPowerShell\v1.0] [Action = Ask]<enabled>1</> 
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = rundll32.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]<enabled>1</>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = rundll32.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]<enabled>1</>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = regsvr32.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]<enabled>1</>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = regsvr32.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]<enabled>1</>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = at.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]<enabled>1</>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = at.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = vssadmin.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = vssadmin.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = mshta.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = mshta.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = reg.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = reg.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = regini.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = regini.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = takeown.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = takeown.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = cacls.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = cacls.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = icacls.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = icacls.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]<enabled>1</>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = schtasks.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]<enabled>1</>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = schtasks.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]<enabled>1</>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wscript.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]<enabled>1</>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cscript.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = wbadmin.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]<enabled>1</>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wscript.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]<enabled>1</>
    <category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cscript.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = wevtutil.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]<enabled>1</>
    <category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = wevtutil.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]<enabled>1</>
     
  17. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,678
    Location:
    North Carolina, USA
    Hello,

    @AEG, soon after you posted and before I tried your method, @askmark posted a simpler solution that worked perfectly. Thank you both for your help :thumb: !
     
  18. AEG

    AEG Registered Member

    Joined:
    Mar 12, 2018
    Posts:
    29
    Location:
    Middlesbrough
    Same here. Dangerous from a protection point of view.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,871
    Location:
    U.S.A. (South)
    Many thanks!!
    Tested this several tries before leaving this morning (bug) and again upon return just a bit ago, no such jumping off the Protection Alert Mode to 0ff or anything else happening (yet). After all the attempts I don't suspect it will on my machines, however, will keep a close watch for that nonetheless.

    Good catch though for those affected so it can be determined why.
     
    Last edited: Mar 23, 2018
  20. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    676
    Well, I tried exporting rules so I can have a copy of my rules as well as the vulnerable process rules, but it's not working correctly or I have no idea what I'm doing.
     
    Last edited: Mar 23, 2018
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,871
    Location:
    U.S.A. (South)
    In this release the FILE TYPE should show XML when you EXPORT.

    When I first installed and filled some rules in order to EXPORT (save), the FILE TYPE menu setting offered no other extension except XML so it's hard coded to operate with that syntax/extension or I assume as much.
     
    Last edited: Mar 23, 2018
  22. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    You're welcome.
    Only does it on my Win 8.1 PC, my Win 10 PC is not affected. Very strange!
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,871
    Location:
    U.S.A. (South)
    Not at all strange. Seen issues with security softs before that will affect one platform while performing to expectations on another.

    The developer can isolate such issues when it's confined to single O/S type and usually pretty easy fine tune it (a fix) for compatibility again.
     
  24. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,678
    Location:
    North Carolina, USA
    Hello,

    First off, it seems that with test 3, the issues that I was having concerning the vulnerable process list and exclusions seems to be fixed. So far, I am not seeing any issues at the moment, but of course I will continue testing and verifying that all of my issues with this are fixed. So far, great work @novirusthanks :thumb: ...

    I do have a question and possible issue with one of the new options:
    Out of these three, the only one that I have selected is "Block Suspicious Process Behaviors". I am getting a block alert when using a particular software. On the alert, there is an "ignore" option but I am not sure what this does. If it is like previous versions of NVTERP, it does not actually set an exclusion for this action but only "ignores" or silences that particular alert. This is the reason that I did not try this option. I have tried to set an exclusion for this blocked event by creating an appropriate "allow" rule for this but it has no effect. It seems that the only way to exclude a block event from the "Block Suspicious Process Behaviors" option is to turn this option off. Am I missing something or is there no way to make an exclusion from this option? If there is not, can a way be added? For the time being I will have to turn this option off unless there is a way to exclude a particular action.

    Edited to add:
    I assume from the following:
    If I am also using OSArmor, then there is really no need for me to check this option within NVTERP as it would be duplicating rules from OSArmor. The easiest solution for my possible issue above then in this scenario would be just to let OSArmor handle it and uncheck "Block Suspicious Process Behaviors" in NVTERP. However, if using NVTERP alone and checking this option, the issue would remain if trying to exclude a block from this option in NVTERP.
    @novirusthanks - Could you elaborate a bit on these two new options "Allow Known Safe Process Behaviors" and "Block Suspicious Process Behaviors", both as individual options and also their interaction when used together. Is "Block Suspicious Process Behaviors" like a list of block rules from OSArmor and then "Allow Known Safe Process Behaviors" like a list of exceptions and exclusions from OSArmor? Have you considered importing the full functionality of OSArmor into NVTERP along with the full settings and the ability to exclude specific blocks? Thanks ;) !
     
    Last edited: Mar 24, 2018
  25. AEG

    AEG Registered Member

    Joined:
    Mar 12, 2018
    Posts:
    29
    Location:
    Middlesbrough
    ERP is an excellent program, but I'm wondering why it's taken priority over Smart Object Blocker. In many ways Smart Object Blocker has superior functionality like the ability to block specific programs from running other processes and control of dll's. It's very similar to Bouncer in that regard. Also why is ERP so much faster than Smart Object Blocker. Programs can take ages to start with it enabled
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.