New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    The tricky part will be how to avoid double protection for the vulnerable processes, if a user installs both products.
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    Just don't install both. As simple as that.
     
  3. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
The Pandora Windows app appears to run under the following rule. I was blocking all Windows apps except for the apps I allow. This is with 'Allow System Files' checked. I do not have 'Allow Microsoft Windows apps' checked.

    I am certain that changing this rule to ask would create problems, so how do I create an ask rule only for Pandora?

    Date/Time: 2018-03-27 11:04:40.244
    Action: Allow/System File
    PID: 8924
    Process Path: C:\Windows\System32\WWAHost.exe
    SHA1: 9272C67539D7263FE0FEF6743EA959A9F4424305
    Signer: Microsoft Windows
    Command Line: "C:\WINDOWS\system32\wwahost.exe" -ServerName:App.wwa
    Parent: C:\Windows\System32\svchost.exe
    Parent SHA1: B3D7C886DC6607A50874E0ECF2B90CFC3C4B57B8
    Parent Signer: Microsoft Windows Publisher
    Expression: -
    Category: -
    User/Domain: user/DESKTOP------
    Integrity Level: Low
    System File: True

    EDIT: It's the same for the LinkedIn app.
     
    Last edited: Mar 29, 2018
  4. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    The tooltip appears behind the GUI making it unreadable. Please see attached.

    Also, the GUI stays on top while trying to view a different window. It stays on top of everything.
     
    Last edited: Mar 28, 2018
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Andreas, could you give an option to do a scan to whitelist all applications in Program Files by hash so it will be much easier to enable Protection for Program Files? I like to protect Program Files also, but in ERP 3 you have to Whitelist the applications one by one as you use them. It's tedious having to respond to all the prompts.
     
    Last edited: Mar 28, 2018
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Whoa, in ERP3 you can whitelist a whole directory at once.
     
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Right, he probably meant to say ERP4
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    I don't know if you missed my posts, but will you fix the window and column-size problem? They are both not remembered after resizing. And what about my idea to make ERP auto-block processes that get launched in suspended mode? This will block process hollowing attacks. So basically ERP should check if the CREATE_SUSPENDED flag is being used upon process creation.

    https://msdn.microsoft.com/en-us/library/windows/desktop/ms684863(v=vs.85).aspx
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    It's an intriguing idea.
I suspect that it is not as simple as you make it sound, though. If CREATE_SUSPENDED always meant process hollowing, then every AV would be able to easily block process hollowing. It must be that there are legit cases of suspended processes.
If you or someone else can clarify this topic, please do.
     
  10. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,118
    Location:
    Lunar module
    To novirusthanks
a/ Is it possible to make the display two lines in these places, since the text does not fit?
    3.png
    b/ Also, when the program is restarted, the custom window size is not saved.
c/ And the system beep is a bad option, please add an option to select a custom sound for events.
d/ "Open Process Folder" should be renamed to "File Location", as in Windows, and the cursor should land on the file automatically, because System32 has thousands of files.
    11.png
     
    Last edited: Mar 29, 2018
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Spotted another sharp matter I really like a lot.

    As in my siggy I frequently make windows registry backups with RegBak.

ERP 4 latest build prevents (w/o any alert) (built-in rule) the app from making a backup. Simply disable it for a second and presto! Completed successfully. I can check where and what ERP 4 prohibits for learning purposes (when I feel adventurous) BUT I'm not bothered to add it to EXCLUSIONS yet, although that would be the ticket.

    There are some programs (not many) I've become routinely acquainted running just once like that with the old ERP 3 INSTALL button control.

    I like it AS IS per regarding current PROTECTION. Tight! :thumb:
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    I'm also not really sure about it, but I have never seen child processes being launched in suspended state in Process Explorer, or perhaps it's done so quickly that you can't notice it with a process monitor. But you should also be able to make exceptions to avoid problems.
     
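An added illustration of the point raised in these last posts (example code, not ERP's code and not posted by anyone in the thread): CREATE_SUSPENDED has legitimate uses, for instance sandbox brokers and instrumentation tools that need to configure a child before it runs, so a defender has to correlate what is done to the suspended child before ResumeThread rather than block the flag outright. The event tuples are constructed sample telemetry, and the "region" labels are an assumed annotation that a real monitor would have to supply.

```python
"""Heuristic from the thread: a process started with CREATE_SUSPENDED is not by
itself evidence of hollowing; what is done to it before ResumeThread is."""

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit from the CreateProcess docs

# Constructed sample telemetry, not real ERP output: (actor_pid, api, target_pid, detail)
EVENTS = [
    # Case A: a sandbox broker starts its child suspended, restricts it, resumes it.
    (1000, "CreateProcess", 1001, {"flags": CREATE_SUSPENDED}),
    (1000, "AssignProcessToJobObject", 1001, {}),
    (1000, "ResumeThread", 1001, {}),
    # Case B: an ordinary launch, never suspended.
    (2000, "CreateProcess", 2001, {"flags": 0}),
    # Case C: suspended start whose main image is replaced before the resume.
    (3000, "CreateProcess", 3001, {"flags": CREATE_SUSPENDED}),
    (3000, "NtUnmapViewOfSection", 3001, {"region": "image"}),
    (3000, "WriteProcessMemory", 3001, {"region": "image"}),
    (3000, "SetThreadContext", 3001, {}),
    (3000, "ResumeThread", 3001, {}),
    # Case D: suspended start with a small write outside the image (assumed to be
    # the path string for a helper DLL), then resumed: not hollowing.
    (4000, "CreateProcess", 4001, {"flags": CREATE_SUSPENDED}),
    (4000, "WriteProcessMemory", 4001, {"region": "heap"}),
    (4000, "ResumeThread", 4001, {}),
]

def tampers_image(api, detail):
    """True for actions that replace the suspended child's code or entry point."""
    if api in ("NtUnmapViewOfSection", "SetThreadContext"):
        return True
    return api == "WriteProcessMemory" and detail.get("region") == "image"

def classify(events):
    """Map target_pid -> 'normal' | 'suspended-benign' | 'suspected-hollowing'."""
    pending = {}   # suspended pid -> whether image tampering has been seen
    verdicts = {}
    for actor, api, target, detail in events:
        if api == "CreateProcess":
            if detail.get("flags", 0) & CREATE_SUSPENDED:
                pending[target] = False
                verdicts[target] = "suspended-benign"
            else:
                verdicts[target] = "normal"
        elif target in pending and actor != target:   # cross-process action only
            if api == "ResumeThread":
                if pending.pop(target):
                    verdicts[target] = "suspected-hollowing"
            elif tampers_image(api, detail):
                pending[target] = True
    return verdicts
```

Only case C is flagged; the sandbox-style start (A) and the non-image write (D) pass, which is why the thread's "block CREATE_SUSPENDED" idea needs the exceptions Rasheed187 mentions.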
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I agree with you Easter. If the point of suspended process is to prevent process hollowing, they will probably say that isn't SBIE's job any more than becoming an AV is.
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v4.0 (pre-release) test4:
    http://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test4.exe

    *** Please do not share the download link, we will delete it when we'll release the official v4 ***

    So far this is what's new compared to the previous pre-release:

    + Added option to "Password Protect Power Options"
    + Password protect also "Allow" and "Custom Rule" button on Alert Dialog
    + Added button to set/change password
    + Fixed "Allow Known Safe Process Behaviors"
    + Added more rules on "Allow Known Safe Process Behaviors"
    + Support wildcard on "Exclude from Notification" rules
    + Added "Close" button on "Event Details" window
    + Fixed counting of stats on main window
    + The issue with "black screen" or "desktop is not loaded" should be fixed
    + Fixed "the Protection Mode is changing after options in Settings has been ticked/unticked"
    + On "Export Rules" ask to overwrite the file if it already exists
    + On "Export Rules" show a warning message if the Rules.xml is not selected
    + Order of fields on "Expression Builder" is same as on "Alert Dialog"
    + Option "Allow Microsoft Windows Apps" is checked by default
    + Option "Allow All Software from Program Files Folder" is checked by default
    + Option "Allow All Microsoft-Signed Processes" is checked by default
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    Uploaded a new list of vulnerable processes (XML):
    http://downloads.novirusthanks.org/files/VulnerableProcesses.xml

    @co22

    Done the two suggestions.

    @mood @Dark Star 72

    The issues you reported should be fixed, please confirm.

    @Rasheed187

    Will have to check about it.

    It is in the todo list, but not a priority for now. Will be added soon.

    @shadek @EASTER @AEG

    Issue with "black screen" or "desktop not loading" should be fixed, please confirm.

    @Charyb

    Will have to check about that Windows apps, will post about it asap.

    @Cutting_Edgetech

    The option to scan a folder is on the todo list, will be added soon.

    @aldist

    Added your 4 suggestions in the todo list.
     
  15. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
@novirusthanks thank you very much, it's better now.
Just to check: "Ignore" for me changed to "Exclude from".
It should be "Exclude from Notification" or "Exclude from Notify", right?
And now every time I change the protection mode to any mode, after exiting the GUI and re-running it, it goes back to Alert mode.
Edit:
Ticking/unticking the checkbox (Enabled) in the Rules window brings up the rule editor.
Can it just be disabled directly by clicking on it, or with the keyboard, with the space bar?
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Man, this couldn't have come out at any better time. Pinpoint accuracy. Must be a lucky day.

    Finished new O/S install with fresh new SSD, updated the whole works, and now this.

    CONFIRMED: Issue clearly resolved on this end.

Also would like to compliment the outstanding work on the revised Import/Export feature as well as Event Log Details. So much more. What can one say but magnificent! Prompt/Alert screens that pop up, overall general use, is incredibly light as a feather and yet, with all that and more, super effective.
     
    Last edited: Mar 31, 2018
  17. guest

    guest Guest

    Confirmed :thumb:

Btw.: I noticed a "one second delay" while opening simple applications. Not only the first launch is delayed but also subsequent executions of the same process.
Exiting the GUI = still delays.
After uninstalling the ERP beta (ERPSvc.exe has now exited too), the delays are gone and applications are launching promptly.
     
  18. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    @novirusthanks
    Many thanks for the latest update.

    Re: + Password protect also "Allow" and "Custom Rule" button on Alert Dialog

    I like the idea of protecting the main program with a password but can you please make the dialogue protection optional? It gets tedious very quickly having to enter the password for every prompt.
     
    Last edited: Mar 31, 2018
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @co22

    Option to enable or disable a rule by clicking the checkbox icon on the "Rules" listview is already in the todo list, will be done soon.

The "Ignore" changed to "Exclude from Notification", see this screenshot:

    erp2.png

    @EASTER

    Thanks for confirming :thumb:

    @mood

Will take a look at it, does the delay also happen after a reboot?

    @askmark

    We can add another option "Password protect allow-actions in Alert Dialog"

    However, I believe that if you want to password-protect power-user options, it should be important to also protect alert dialog allow-actions by default.

We'll discuss it.
     
  20. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
Please check my attachment, I tested from another folder
and only once did I get "Exclude from Notification", after that it's just like below.
Thanks for the info about the checkbox.
    nt.png


And what about this: "every time I change the protection mode to any mode, after exiting the GUI and re-running it, it goes back to Alert mode"?
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @co22

    Both will be fixed on next build, thanks for the details.
     
  22. guest

    guest Guest

    It also happens after a reboot.
The weird thing is, after I uninstalled it and installed it again (I haven't rebooted yet) there was no delay anymore, but after some minutes the delay appeared again :confused:
I had a look at ERP with Process Hacker and noted the CPU usage of some threads:
    Code:
    No delay:
    ERPSvc.exe: With each execution of a process one thread jumps from 0.25% to 0.80% CPU-Usage
    RadarPro.exe: one thread jumps from 0% to 0.50%
    
    Noticeable delay while launching of processes:
    ERPSvc.exe: With each execution of a file one thread jumps from 0.25% to >2.00% CPU-Usage
    RadarPro.exe: one thread jumps from 0% to 1.4%-2.00%
    
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    OK thanks. But I do hope you will quickly fix the resizing problems, because this is my biggest annoyance in any app.

    I'm not sure what you mean with this, EASTER has never said anything about this issue, and to prevent launching of a suspended process is very much related to ERP, but perhaps I'm missing your point.
     
  24. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    You're right. Leave it as it is. :thumb:
     
  25. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I can confirm I no longer have the "desktop not loading"-problem!
     