New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,526
    You appreciate the facts more, if first you guessed. It indicates that you thought about it.
     
  2. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    675
    It is a fact that it was a guess. I hope you weren't confused by this.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,810
    Location:
    U.S.A. (South)
    I admit i was but agree and am confident most all those surely are fact but he can confirm it for certain.

    Some things are under the hood which is developer prerogative :)
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    Not all files located in C:\Windows\* or in subdirectories are automatically System files.
    A Windows API is used to find out if a file is a System file:
     
  5. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    @novirusthanks
    Just a minor issue with test8. I like seeing the rule category on the alert dialog, but if an unknown application triggers the alert, it shows a random category (maybe the last used one, i'm not sure) instead of none or blank.

    One question: Is there any way i can import my log files into Excel? They don't appear to be in a known file format, like csv or tab delimited.
     
    Last edited: Apr 15, 2018
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,526
    Thanks. Not sure what the API does, do you think it accesses a .cat file for the list of Windows components?
     
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    I can only speculate :cautious:
    Perhaps the developer can shed a light on this.
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,526
    Yeah, the truth is that it's not really my business, anyways. Andreas need not tell us his secret recipe.
    We already cleared up the main question: whether it whitelists entire locations or not. That's the most important thing to know.

    I was asking about the Microsoft .cat file, because I recently found out that Comodo uses it. Comodo considers every file listed in the catalog as digitally signed by Microsoft, because the catalog itself is signed. Interesting approach.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    Can you give me some more info about this, which cat file is it? I would like to know which files are digitally signed, and perhaps ERP also uses this one.

    Freaking hate this! Can't believe that no-one is bothered by it, and surely it can't be hard to fix?
     
  10. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,526
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,810
    Location:
    U.S.A. (South)
    Hang in there @Rasheed187. If it's that too much to take it surely is doable.
     
  12. guest

    guest Guest

    @Rasheed187 ERP is still a beta, cosmetic fixes come the last.
     
  13. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    @novirusthanks
    A couple of issues to report

    Firstly, If I add the rule below for Chrome to ERP it's existence prevents any processes not classified as "System File" or not included in the "Vulnerable Processes" category from executing on my PC. Only when I exit ERP's gui do these 'suspended' processes actually start.
    Code:
    <category>Chrome</> <action>Allow</> <expression>[Proc.Name = chrome.exe] [Proc.Signer = Google Inc] [Proc.Path = C:\Program Files (x86)\Google\Chrome\Application] [Proc.Hash = CE811AA58E2D1715F2B76BC8683EB6D735F4C5D2] [Proc.CmdLine LIKE "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=* --service-pipe-token=* --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-compositor-image-animations --service-request-channel-token=* --renderer-client-id=* --mojo-platform-channel-handle=* /prefetch:1] [Parent.Name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe] [Parent.Signer = Google Inc] [Parent.Hash = CE811AA58E2D1715F2B76BC8683EB6D735F4C5D2] [Action = Allow]</> <enabled>1</> <comment></>
    There is clearly something wrong with the rule, because If I try to edit it, all the fields are shown as empty and if I try to disable the rule, i receive the error: "You must enter a valid expression". Only deleting the rule will return everything back to normal, which I can only do if I restart the gui first.

    Secondly, the "Edit rule from event" feature does not appear to work. If I right-click on an rule in the Events tab and select "Edit rule from event" nothing happens. No window appears. However, if I edit the relevant rule in the Rules tab first, and then select "Edit rule from event" it opens the rule as normal.

    Finally, a change request : Can you please make the "Expression Builder" window re-sizable to enable more of the field values to be visible, especially "Command Line" which can get very long?
     
    Last edited: Apr 20, 2018
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,810
    Location:
    U.S.A. (South)
    @novirusthanks- If at all possible, and as/when OSA wraps up to final release, an earlier feature request still stands, which I believe might have enough support from users that share where if you would, it seems another useful staple within the capability of ERP 4 (just as ERP 3 does, where upon a changed file (via the hash matching) previously already whitelisted, if it can display that yellow stripe on the alert dialog indicating clearly a whitelisted file is found to been changed (updated or otherwise tampered) like ERP 3 so effectively detects.

    On one of another unit which still runs ERP 3 Beta, that feature is tremendous IMO and hopefully other users will pick up on support of it's addition into ERP 4 as it progresses through it's own development pre-release stages as you guys finely tune it to it's highest potential.

    Regards, EASTER
     
    Last edited: Apr 22, 2018
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    I understand this, but in current state it's unusable for me. This should be basic functionality if you ask me.
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,149
    Location:
    Italy
    @Rasheed187

    We've already added saving/loading of window size and column width for Rules and Events listviews.

    Should release the new build tomorrow or the next days.

    @EASTER

    Will discuss about it asap.

    @askmark

    We're taking a look at that issue, thank you for including the rule.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,810
    Location:
    U.S.A. (South)
    Waiting on ready Andreas.

    Your team and you are on a pace even I not seen before and rolling out some really outstanding work. Thanks Again.
     
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,149
    Location:
    Italy
    Here is a new v4.0 (pre-release) test9:
    http://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test9.exe

    *** Please do not share the download link, we will delete it when we'll release the official v4 ***

    So far this is what's new compared to the previous pre-release:

    + Added possibility to add/edit/delete/disable/enable Trusted Vendors List
    + Play Beep Sound (for Alert and Blocked Notify dialogs) are renamed to "Play a custom sound ..." and will play the loon WAV sound
    + Auto-check the field "Command-Line" in the Alert Dialog if category is "Vulnerable Processes"
    + If in the Alert Dialog the category is "Vulnerable Processes", when we click button "Allow" and the checkbox "Remember this action" is checked, the Action of the rule should be "Exclude" (not "Allow")
    + Save/load column size of Rules/Events listviews
    + Save/load window size of main window
    + Make the "Expression Builder" window re-sizable to enable more of the field values to be visible
    + Fixed the "Edit rule from event" feature does not appear to always work
    + Restored pagination (50 items per page)
    + Do not show "Category:" on Alert Dialog if the category is not applicable
    + Improved "Allow Known Safe Process Behaviors"
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    Screenshot of the View/Edit Vendors:

    erpnew.png

    @askmark

    According to post #6643 you should:

    * Note: Old Rules.DB file in \ProgramData\NoVirusThanks\EXE Radar Pro\Databases MUST be deleted before running the new build
    * Or you can export any current rules you have and import after the new rules.db is created

    I tested your rule on a clean ERPv4 test9 installation and it worked:

    erp2.png
     
    Last edited: Apr 25, 2018
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,810
    Location:
    U.S.A. (South)
    At Last!!

    Thank You! :)
     
    Last edited: Apr 25, 2018
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    This "feature" has been added now :)
     
  21. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    675
    The loon WAV sound makes me laugh. I had to turn it off. All is running good so far. Unchecking vendors in the trusted vendors list is working and resizing the expression builder makes things much easier.

    To switch sounds do I just remove the loon WAV sound file from the EXERadarPro folder and drop a new WAV sound file in its place? Then, restart program? I can't get it to work.
     
    Last edited: Apr 25, 2018
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,810
    Location:
    U.S.A. (South)
    Newcomers and seasoned experts can pick up some fairly decent notify tones from this safe sight (creative commons license) for add to ERP 4 + OSA's new audio alert feature.

    Simply replace loon.wav in ERP 4 folder and you're good to go.

    https://notificationsounds.com/
     
    Last edited: Apr 25, 2018
  23. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    675
    I don't see any WAV files at this website. I have already tried a different file and it did not work.

    I have got it figured out. The new file that replaces loon.wav needs to be renamed to loon.wav
     
    Last edited: Apr 25, 2018
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,810
    Location:
    U.S.A. (South)
    :thumb: Excellent.

    Yes you can easily convert the mp3 versions to wav. Tons of ways.

    Free Audacity is just one of so many others that have been personally helpful on this end.
     
  25. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    675
    I have, "Allow Microsoft Windows apps" selected and am receiving an alert.

    Code:
    Date/Time      : 2018-04-25 21:28:21.130
    Action         : Ask/Allow
    Expression     : -
    Category       : Alert Dialog
    PID            : 3008
    Process        : C:\Program Files\WindowsApps\Microsoft.BingWeather_4.23.10923.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe
    Integrity Level: Low
    User/Domain    : chris/DESKTOP-5G7FJTA
    System File    : False
    SHA1           : 85F57A68F89311F8F94F24761903D594BB900DD4
    Signer         :
    Command        : "C:\Program Files\WindowsApps\Microsoft.BingWeather_4.23.10923.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe" -ServerName:App.AppX2m6wj6jceb8yq7ppx1b3drf7yy51ha6f.mca
    Parent         : C:\Windows\System32\svchost.exe
    Parent SHA1    : B3D7C886DC6607A50874E0ECF2B90CFC3C4B57B8
    Parent Signer  : Microsoft Windows Publisher
    
    Date/Time      : 2018-04-25 21:28:38.876
    Action         : Ask/Allow
    Expression     : -
    Category       : Alert Dialog
    PID            : 7252
    Process        : C:\Program Files\WindowsApps\Microsoft.People_10.3.3472.1000_x64__8wekyb3d8bbwe\PeopleApp.exe
    Integrity Level: Low
    User/Domain    : chris/DESKTOP-5G7FJTA
    System File    : False
    SHA1           : 82108E8F2967FB1853D49FCB1525C7B595ED6F9C
    Signer         :
    Command        : "C:\Program Files\WindowsApps\Microsoft.People_10.3.3472.1000_x64__8wekyb3d8bbwe\PeopleApp.exe" -ServerName:x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x.AppXp4q8q2jfk5x248b0h39ew5k7wz3xvc5b.mca
    Parent         : C:\Windows\System32\svchost.exe
    Parent SHA1    : B3D7C886DC6607A50874E0ECF2B90CFC3C4B57B8
    Parent Signer  : Microsoft Windows Publisher
    
    Date/Time      : 2018-04-25 21:38:32.918
    Action         : Ask/Allow
    Expression     : -
    Category       : Alert Dialog
    PID            : 1120
    Process        : C:\Program Files\WindowsApps\Microsoft.WindowsStore_11803.1001.9.0_x64__8wekyb3d8bbwe\WinStore.App.exe
    Integrity Level: Low
    User/Domain    : chris/DESKTOP-5G7FJTA
    System File    : False
    SHA1           : 2F04A5878D5C16FEC0ACE3814309E52016200877
    Signer         : 
    Command        : "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11803.1001.9.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
    Parent         : C:\Windows\System32\svchost.exe
    Parent SHA1    : B3D7C886DC6607A50874E0ECF2B90CFC3C4B57B8
    Parent Signer  : Microsoft Windows Publisher
    
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.