New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,116
    Location:
    Lunar module
Many other programs have their own .wav files; I collected them from a whole collection.
     
  2. guest

    guest Guest

Yes, it doesn't work (assuming that "Allow Microsoft Windows apps" is supposed to allow files in the folder "c:\Program Files\WindowsApps\*") and I can see the alert too.
     
  3. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Yes, all working now. Thank you.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Awesome stuff. :thumb:

    I have checked it out but it seems to forget about resized columns, but the window size is remembered. Is it perhaps possible to give an option to select which columns should be visible, in both Events and Rules?
     
  5. guest

    guest Guest

    Resizing of columns in the Events listview should work.
    The size of each column is saved into the file:
    c:\Users\XXX\AppData\Roaming\NoVirusThanks\RadarPro.conf (="eventColumnX")
     
  6. guest

    guest Guest

Issue: Rule is not shown completely in the Rules listview
a) After adding a rule ("Alert Dialog"), part of the rule is not correctly displayed.
(attached: ERP_rule.png)
b) Then: "Edit selected rule" + "Save" (without actually modifying the rule) = The rule is now correctly displayed.
(attached: ERP_rule_correctly_displayed.png)
c) Closing the GUI and opening it again = Rule looks broken again (see a) :cautious:
     
  7. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,
    The way I understand it, this setting allows all Microsoft Windows apps but only if the app is signed. The apps that you showed the alerts for are not signed. I may be wrong about this but I am sure @novirusthanks will correct me if I am wrong.
     
  8. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Sorry if I simplify too much, but I'd like to be sure I understand correctly.
• Exe Radar Pro is an anti-exe: everything not whitelisted will be blocked
• OSArmor is a behavior-blocker: only stuff that shows bad behavior will be blocked
    So, ERP should be more bulletproof, but also more prone to FP compared with OSA.
    Am I correct?
     
  9. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    228
    Location:
    UK
    Odd problem with Opera 52. With ERP v4.0 running Opera takes around 10 seconds to open as opposed to almost instantly without ERP running. No other software seems to be affected.
     
  10. guest

    guest Guest

    What kind of FPs?
     
  11. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Well, with ERP, if you don't allow an exe to run, it will be blocked even if it's not malicious
     
  12. guest

    guest Guest

    @novirusthanks
    Possible Rules conflict:
a) After adding a deny rule for WMIC.exe to Vulnerable Processes:
Code:
[Proc.Name = WMIC.exe] [Parent.Name = C:\example\parent.exe] [Action = Deny]

= WMIC.exe is correctly blocked if the Parent Process is C:\example\parent.exe
b) After adding an additional rule for WMIC.exe:
Code:
[Proc.Name = wmic.exe] [Action = Ask]
Expected Behavior:
* wmic.exe (if Parent Process = C:\example\parent.exe) = Blocked
* in all other cases an alert dialog for wmic.exe should appear

What is really happening:
Launching wmic.exe with a parent process of C:\example\parent.exe = Alert Dialog appears (according to the rule in [a] it should be blocked)
     
  13. guest

    guest Guest

    ERP is strictly obeying the rules: Whitelisted files will be allowed, Blacklisted files will be blocked, for unknown files an Alert dialog will be displayed and in Locked Down unknown files will be strictly blocked.
    ERP doesn't check for malicious behaviour.
    If c:\Windows\explorer.exe has been added to the whitelist (with a hash) and the user is doing a windows update and "forgot to update the hash" of the rule, c:\Windows\explorer.exe will be blocked (or the alert dialog appears, whatever...).
    Maybe from the users view it will be a FP, but ERP is only looking at its rules and is blocking the "legitimate file" correctly (ERP doesn't do anything wrong)

    And regarding OS Armor: For example "Block execution of suspicious processes"
    If this option leads to a block of a "not suspicious process", this would be a FP.
     
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    I also have seen that with certain apps, although I don't use Opera. And I found another post here https://www.wilderssecurity.com/thr...ks-exe-radar-pro.300552/page-266#post-2748091
    where a similar issue was reported.
     
  15. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
Both ERP and OSA obey rules; just the principle is different.
To me, FP means a non-malicious action is blocked.
OSA gives almost no FPs, while I assume ERP will, if you don't correctly set up exclusion rules.
Rephrasing, OSA can be easily used out of the box, while ERP needs some more work, even if you can achieve a higher protection with ERP than with OSA
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    If you are installing new software, and you have not enabled the setting for trust all digital sigs, then ERP will probably block it. If that is an FP, then you will get a real lot of them.
    On the other hand, after your initial whitelisting, ERP should not give you FPs at default settings, unless you install new software.

    EDIT: Ah, I think I understand what you are getting at. You are talking about alerts from items that you add to the vulnerable processes list, such as rundll32 and cmd.exe.
    Yeah, they will produce a good amount of prompts. Call them FPs if you wish. Whatever you call them, yes, you can expect to see them
     
    Last edited: Apr 27, 2018
  17. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Yeah, this is exactly the point :)
    With ERP, you need to add rules to whitelist some stuff, while with OSA you don't need to do that (or at least, not as much as with ERP)
     
  18. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    And please see my edit to my previous post, where I mentioned something else relevant. Maybe it is not exactly what you meant, but it is relevant.
     
  19. guest

    guest Guest

There is no such thing as FPs with anti-exe or SRPs. FPs apply to products that compare an item to a set of criteria to check its legitimacy.
Anti-exe/SRP doesn't care about the legitimacy of the item; they prompt/block those not whitelisted, that is it.
This grants far more potency than AV if in the hands of a knowledgeable user.
     
    Last edited by a moderator: Apr 27, 2018
  20. guest

    guest Guest

    :thumb:
    OS Armor is focused on suspicious behavior, suspicious processes, etc.
    If OS Armor is blocking non malicious actions, then this is of course a FP.

    Not in the case of ERP. ERP doesn't know anything about malicious behavior (and isn't even checking for it) and it is simply displaying a prompt if unknown files are being launched or a vulnerable process is being launched (in these cases it is supposed to show the Alert Dialog)
    As guest said, an AE isn't prone to FPs. But ERP is prone to Alert Dialogs :)
    (if it is still a FP for you, then ok...)

    ----
    But nevertheless OS Armor and ERP are "different beasts" and comparing them (something like the amount of prompts, etc.) is like comparing Oranges with Apples.
    OS Armor might detect suspicious behavior (which ERP doesn't detect) whereas ERP is noticing updated files (hash has been changed).
    Or, try to install 10 Programs and OS Armor won't give a single peep (=no suspicious behavior detected). Do the same with ERP and you will have definitely more than "a few" prompts :)

    @novirusthanks
    Is it possible to implement something like a "Copy Rule"-feature or something similar?
    Now, instead of creating rules "from the beginning" an existing rule is simply selected, it is "copied" and the newly created rule can be modified.
    This can save time if a lot of rules must be created (which are very similar to already existing ones)
     
  21. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    +1 :thumb:
     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Should be fixed in next build.

We'll discuss it; I have saved it on the "todo" list for now.

    I can move Deny action checking to be before Ask action.

    Sure, can be added on the next build.

    @faircot

    That is strange, it may delay the first execution because ERPv4 needs to verify the digital signature, but on next executions it should run fine.

Is it possible the issue is somehow another program or (just guessing) Opera was updating itself or similar?
     
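Added example, not ERP's own code and not from anyone in this thread: a small Python model of the WMIC.exe Deny/Ask conflict reported above and of the fix the developer proposes (checking Deny before Ask). The bracketed rule syntax and the two sample rules are taken from that report; the assumption that the engine checks actions in a fixed order, and the `shadowed_deny_rules` check, are my own constructions.

```python
import re

# Constructed parser for the bracketed rule syntax quoted in the thread, e.g.
#   [Proc.Name = WMIC.exe] [Parent.Name = C:\example\parent.exe] [Action = Deny]
# Not ERP's own code: only the two fields and the two actions seen above are modelled.
FIELD_RE = re.compile(r"\[\s*([\w.]+)\s*=\s*([^\]]+?)\s*\]")

def parse_rule(text):
    """Turn one rule line into a dict such as {'Proc.Name': 'WMIC.exe', 'Action': 'Deny'}."""
    return dict(FIELD_RE.findall(text))

def rule_matches(rule, proc_name, parent_path):
    """Every condition the rule sets must hold. Comparisons are case-insensitive
    because Windows file names are (WMIC.exe and wmic.exe are the same binary)."""
    if "Proc.Name" in rule and rule["Proc.Name"].lower() != proc_name.lower():
        return False
    if "Parent.Name" in rule and rule["Parent.Name"].lower() != parent_path.lower():
        return False
    return True

# Order in which actions are checked; the first action with a matching rule wins.
ASK_BEFORE_DENY = ("Ask", "Deny")   # reproduces the conflict reported in the thread
DENY_BEFORE_ASK = ("Deny", "Ask")   # the developer's proposed fix

def decide(rules, proc_name, parent_path, action_order=DENY_BEFORE_ASK):
    """Return 'Deny' or 'Ask' for one launch. With no matching rule the process is
    unknown and ERP shows the Alert Dialog, modelled here as 'Ask'."""
    for action in action_order:
        if any(r.get("Action") == action and rule_matches(r, proc_name, parent_path)
               for r in rules):
            return action
    return "Ask"

def shadowed_deny_rules(rules):
    """Deny rules that a broader Ask rule (same or fewer conditions, equal values)
    pre-empts whenever Ask is checked first: the check to run on a rule set before
    relying on a build that uses the Ask-before-Deny order."""
    asks = [r for r in rules if r.get("Action") == "Ask"]
    denies = [r for r in rules if r.get("Action") == "Deny"]
    def broader(ask, deny):
        return all(k == "Action" or deny.get(k, "").lower() == v.lower()
                   for k, v in ask.items())
    return [d for d in denies if any(broader(a, d) for a in asks)]

# The two rules from the thread, constructed here as sample input.
RULES = [
    parse_rule(r"[Proc.Name = WMIC.exe] [Parent.Name = C:\example\parent.exe] [Action = Deny]"),
    parse_rule(r"[Proc.Name = wmic.exe] [Action = Ask]"),
]
```

With `ASK_BEFORE_DENY` a launch of wmic.exe under C:\example\parent.exe returns "Ask" (the reported behaviour); with `DENY_BEFORE_ASK` it returns "Deny", and `shadowed_deny_rules(RULES)` flags the specific Deny rule as pre-empted by the broad Ask rule.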
  23. guest

    guest Guest

    :thumb:
     
  24. guest

    guest Guest

This sums it all up. :thumb:
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    :thumb:

    True!! Incredible combo in tandem together. (adjective: having two things arranged in front of the other)

Also, where it "might" be easy to lose contact with certain action files in the safety and silence of OSA (excellent preprogrammed anyway), ERP taps into whatever actions are not in compliance with ITS rules and holds them there for you to SET TO PREFERENCE. That RULE EDITOR coupled with the Expressions Editor field/screen is a well made grid to date.:thumb:

     