New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    892
    Location:
    Lunar module
    Many other software have their own .wav files, I collected them from a whole collection.
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,281
    Yes, it doesn't work (assuming that "Allow Microsoft Windows apps" is supposed to allow files in the folder "c:\Program Files\WindowsApps\*") and i can see the alert too.
     
  3. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Yes, all working now. Thank you.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,894
    Location:
    The Netherlands
    Awesome stuff. :thumb:

    I have checked it out but it seems to forget about resized columns, but the window size is remembered. Is it perhaps possible to give an option to select which columns should be visible, in both Events and Rules?
     
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,281
    Resizing of columns in the Events listview should work.
    The size of each column is saved into the file:
    c:\Users\XXX\AppData\Roaming\NoVirusThanks\RadarPro.conf (="eventColumnX")
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,281
    Issue: Rule is not shown completely in the Rules listview
    a) After adding of a rule ("Alert Dialog") part of the rule is not correctly displayed.
    ERP_rule.png
    b) Then: "Edit selected rule" + "Save" (without actually doing a modification of the rule) = The rule is now correctly displayed.
    ERP_rule_correctly_displayed.png
    c) Closing of the GUI, opening it again = Rule looks broken again (see a) :cautious:
     
  7. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,622
    Location:
    North Carolina, USA
    Hello,
    The way I understand it, this setting allows all Microsoft Windows apps but only if the app is signed. The apps that you showed the alerts for are not signed. I may be wrong about this but I am sure @novirusthanks will correct me if I am wrong.
     
  8. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Sorry if I simplify too much, but I'd like to be sure I understand correctly.
    • Exe Radar Pro is an anti-exe, everything not whitelisted will be blocked
    • OSArmor is a behavior-blocker, only stuffs that show a bad behavior will be blocked
    So, ERP should be more bulletproof, but also more prone to FP compared with OSA.
    Am I correct?
     
  9. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    226
    Location:
    UK
    Odd problem with Opera 52. With ERP v4.0 running Opera takes around 10 seconds to open as opposed to almost instantly without ERP running. No other software seems to be affected.
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,281
    What kind of FPs?
     
  11. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Well, with ERP, if you don't allow an exe to run, it will be blocked even if it's not malicious
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,281
    @novirusthanks
    Possible Rules conflict:
    a) After adding of a deny rule for WMIC.exe to Vulnerable Processes:
    Code:
    [Proc.Name = WMIC.exe] [Parent.Name = C:\example\parent.exe] [Action = Deny]
    
    = WMIC.exe is correctly blocked if the Parent Process is C:\example\parent.exe
    b) After adding of an additional rule for WMIC.exe:
    Code:
    [Proc.Name = wmic.exe] [Action = Ask]
    Expected Behavior:
    * wmic.exe (if Parent Process = C:\example\parent.exe) = Blocked
    * in all other cases an alert dialog for wmic.exe should appear

    What is really happening:
    Launching of wmic.exe with a parent process of C:\example\parent.exe = Alert Dialog appears (according to the rule in [a] it should be blocked)
     
  13. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,281
    ERP is strictly obeying the rules: Whitelisted files will be allowed, Blacklisted files will be blocked, for unknown files an Alert dialog will be displayed and in Locked Down unknown files will be strictly blocked.
    ERP doesn't check for malicious behaviour.
    If c:\Windows\explorer.exe has been added to the whitelist (with a hash) and the user is doing a windows update and "forgot to update the hash" of the rule, c:\Windows\explorer.exe will be blocked (or the alert dialog appears, whatever...).
    Maybe from the users view it will be a FP, but ERP is only looking at its rules and is blocking the "legitimate file" correctly (ERP doesn't do anything wrong)

    And regarding OS Armor: For example "Block execution of suspicious processes"
    If this option leads to a block of a "not suspicious process", this would be a FP.
     
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,522
    I also have seen that with certain apps, although I don't use Opera. And I found another post here https://www.wilderssecurity.com/thr...ks-exe-radar-pro.300552/page-266#post-2748091
    where a similar issue was reported.
     
  15. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Both ERP and OSA obey to rules, just the principle is different.
    To me, FP means a non-malicious action is blocked.
    OSA doesn't give almost any FP, while I assume ERP will, if you don't correctly set up exclusion rules.
    Rephrasing, OSA can be easily used out of the box, while ERP needs some more work, even if you can achieve an higher protection with ERP than with OSA
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,522
    If you are installing new software, and you have not enabled the setting for trust all digital sigs, then ERP will probably block it. If that is an FP, then you will get a real lot of them.
    On the other hand, after your initial whitelisting, ERP should not give you FPs at default settings, unless you install new software.

    EDIT: Ah, I think I understand what you are getting at. You are talking about alerts from items that you add to the vulnerable processes list, such as rundll32 and cmd.exe.
    Yeah, they will produce a good amount of prompts. Call them FPs if you wish. Whatever you call them, yes, you can expect to see them
     
    Last edited: Apr 27, 2018
  17. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Yeah, this is exactly the point :)
    With ERP, you need to add rules to whitelist some stuff, while with OSA you don't need to do that (or at least, not as much as with ERP)
     
  18. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,522
    And please see my edit to my previous post, where I mentioned something else relevant. Maybe it is not exactly what you meant, but it is relevant.
     
  19. guest

    guest Guest

    There is no such things as FPs with anti-exe or SRPs. FPs applies to products comparing an item to a set of criterias to check its legitimacy.
    Anti-exe/SRP doesn't care of the legitimacy of the item, they prompt/block those not whitelisted, that is it.
    This granting far more potency than AV if in the hand of a knowledgeable user.
     
    Last edited by a moderator: Apr 27, 2018
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,281
    :thumb:
    OS Armor is focused on suspicious behavior, suspicious processes, etc.
    If OS Armor is blocking non malicious actions, then this is of course a FP.

    Not in the case of ERP. ERP doesn't know anything about malicious behavior (and isn't even checking for it) and it is simply displaying a prompt if unknown files are being launched or a vulnerable process is being launched (in these cases it is supposed to show the Alert Dialog)
    As guest said, an AE isn't prone to FPs. But ERP is prone to Alert Dialogs :)
    (if it is still a FP for you, then ok...)

    ----
    But nevertheless OS Armor and ERP are "different beasts" and comparing them (something like the amount of prompts, etc.) is like comparing Oranges with Apples.
    OS Armor might detect suspicious behavior (which ERP doesn't detect) whereas ERP is noticing updated files (hash has been changed).
    Or, try to install 10 Programs and OS Armor won't give a single peep (=no suspicious behavior detected). Do the same with ERP and you will have definitely more than "a few" prompts :)

    @novirusthanks
    Is it possible to implement something like a "Copy Rule"-feature or something similar?
    Now, instead of creating rules "from the beginning" an existing rule is simply selected, it is "copied" and the newly created rule can be modified.
    This can save time if a lot of rules must be created (which are very similar to already existing ones)
     
  21. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    +1 :thumb:
     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,148
    Location:
    Italy
    Should be fixed in next build.

    We'll discuss about it, I have saved it on the "todo" list for now.

    I can move Deny action checking to be before Ask action.

    Sure, can be added on the next build.

    @faircot

    That is strange, it may delay the first execution because ERPv4 needs to verify the digital signature, but on next executions it should run fine.

    Is possible the issue is somehow another program or (just guessing) Opera was updating itself or similar?
     
  23. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,281
    :thumb:
     
  24. guest

    guest Guest

    This sum it all. :thumb:
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,806
    Location:
    U.S.A. (South)
    :thumb:

    True!! Incredible combo in tandem together. (adjective: having two things arranged in front of the other)

    Also and where it "might" be easy to lose contact of certain action files in the safety and silence OSA (excellent preprogrammed anyway), ERP taps into whatever actions are not in compliance with IT'S rules and holds them there for you to SET TO PREFERENCE. That RULE EDITOR coupled with Expressions Editor field/screen is a well made grid to date.:thumb:

     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.