New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,139
    Location:
    Under a bushel ...
    :thumb:
     
  2. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    657
    What is the purpose of "Read data from file" located in the expression builder? How is this used?
     
  3. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    988
    Location:
    Italy
    Here is a new v4.0 (pre-release) test8:
    http://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test8.exe

    *** Please do not share the download link, we will delete it when we'll release the official v4 ***

    So far this is what's new compared to the previous pre-release:

    + Deny action is checked before Allow* actions on Settings tab
    + Fixed showing of Alert Dialog on dual monitors
    + Show the category of the triggered Ask rule in the Alert Dialog
    + Improved "Allow Known Safe Process Behaviors"
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @Charyb

It extracts the fields (i.e. name, path, signer) from the selected exe file.

    Will read and reply the other posts asap.
     
  4. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    657
    I understand now.

    Version 3 was good, but I think I'm going to like version 4 much better. It's much simpler and cleaner.

    I still would like to be able to view and edit the trusted vendor list. Coming soon?

    Thanks
     
    Last edited: Apr 13, 2018
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,274
    Nice, deny-rules are working now as expected :thumb:
[Screenshots: RadarPro_Deny-rule.png, RadarPro_wscript-rule.png, RadarPro_Deny-rule_log.png, RadarPro_wscript-rule_log.png]

    Issue - "Events":
After resizing some columns to the smallest size, then closing and re-opening the GUI (and enlarging the columns), the chars look scrambled:
[Screenshot: RadarPro_Column_resized.png]
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,773
    Location:
    The Netherlands
    Does ERP now remember both window and columnsize? I haven't even downloaded the latest versions because of this annoyance.
     
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,274
    No :)
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    937
    What does "allow system files" mean, exactly?
    Does it mean all files in certain locations, or does it mean all files on the digitally signed microsoft security catalog (.cat)?
     
  9. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    657
    Here is my guess.
    Any executable located in the system32, sysWOW64, and systemapps folders.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,625
    Location:
    U.S.A. (South)
    @novirusthanks can spell that out exactly for us when back online again. No guessing. Just the facts. :)
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    937
    You appreciate the facts more, if first you guessed. It indicates that you thought about it.
     
  12. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    657
    It is a fact that it was a guess. I hope you weren't confused by this.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,625
    Location:
    U.S.A. (South)
I admit I was, but I agree and am confident almost all of those surely are fact, but he can confirm it for certain.

    Some things are under the hood which is developer prerogative :)
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,274
    Not all files located in C:\Windows\* or in subdirectories are automatically System files.
    A Windows API is used to find out if a file is a System file:
     
  15. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    348
    Location:
    united kingdom
    @novirusthanks
Just a minor issue with test8. I like seeing the rule category on the alert dialog, but if an unknown application triggers the alert, it shows a random category (maybe the last used one, I'm not sure) instead of none or blank.

One question: Is there any way I can import my log files into Excel? They don't appear to be in a known file format, like CSV or tab delimited.
     
    Last edited: Apr 15, 2018
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    937
    Thanks. Not sure what the API does, do you think it accesses a .cat file for the list of Windows components?
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,274
    I can only speculate :cautious:
    Perhaps the developer can shed a light on this.
     
  18. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    937
    Yeah, the truth is that it's not really my business, anyways. Andreas need not tell us his secret recipe.
    We already cleared up the main question: whether it whitelists entire locations or not. That's the most important thing to know.

    I was asking about the Microsoft .cat file, because I recently found out that Comodo uses it. Comodo considers every file listed in the catalog as digitally signed by Microsoft, because the catalog itself is signed. Interesting approach.
     
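The two questions above (what "Allow System Files" / "Read data from file" actually look at, and how a catalog-signed file can count as Microsoft-signed even though the file itself carries no signature) can be checked on any Windows box. The script below is an added example, not ERP's or Comodo's own code, and it does not reproduce the developer's undisclosed "system file" check; it only shows what Windows itself reports. It uses the built-in Get-AuthenticodeSignature cmdlet, which calls WinVerifyTrust and, for files without an embedded signature, looks the file's hash up in the signed .cat files under C:\Windows\System32\CatRoot. The scan root and file cap are assumptions chosen for a quick run.

```powershell
# Added example (not ERP's or Comodo's code): classify files under the Windows
# directory by how their Authenticode signature is established.
# Catalog-signed files have no embedded signature; WinVerifyTrust finds their
# hash in a Microsoft-signed .cat file, which is why "lives in C:\Windows" and
# "signed by Microsoft" are not the same set, and why "Allow System Files"
# cannot simply mean "everything under System32".
param(
    [string]$Root = "$env:SystemRoot\System32",   # assumption: directory to scan
    [int]$Max = 500                                 # assumption: cap for a quick run
)

$files = Get-ChildItem -Path $Root -File -Include *.exe,*.dll -Recurse -ErrorAction SilentlyContinue |
         Select-Object -First $Max

$rows = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    # SignerCertificate is $null for NotSigned / HashMismatch results.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path          = $f.FullName
        Status        = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        SignatureType = $sig.SignatureType     # Authenticode (embedded), Catalog, or None
        Signer        = $subject               # the same "signer" field the Expression Builder reads
        IsMicrosoft   = ($sig.Status -eq 'Valid' -and $subject -like '*O=Microsoft Corporation*')
    }
}

# How many files are embedded-signed vs. catalog-signed vs. unsigned
$rows | Group-Object SignatureType | Select-Object Name, Count

# Files under the Windows directory that are NOT validly Microsoft-signed:
# these are exactly the ones a location-based whitelist would wrongly trust.
$rows | Where-Object { -not $_.IsMicrosoft } | Select-Object Path, Status, SignatureType, Signer
```

Two caveats a practitioner should keep in mind. First, catalog verification depends on the catalogs installed on this machine: a genuine binary copied in from a different Windows build will usually report NotSigned because no local .cat lists its hash, so a whitelist built on catalog membership is per-installation, not global. Second, a HashMismatch on a previously Valid file is the on-disk symptom of the "whitelisted file was changed" case discussed later in this thread; the signature check catches it only if the tool re-verifies at execution time rather than trusting a cached verdict. Matching the subject string alone is also a weak signer check; a stricter rule pins the certificate chain (for example the root thumbprint) rather than a substring of the subject.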
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,773
    Location:
    The Netherlands
    Can you give me some more info about this, which cat file is it? I would like to know which files are digitally signed, and perhaps ERP also uses this one.

    Freaking hate this! Can't believe that no-one is bothered by it, and surely it can't be hard to fix?
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    937
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,625
    Location:
    U.S.A. (South)
Hang in there @Rasheed187. If it's too much to take, it surely is doable.
     
  22. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,750
    Location:
    Europe then Asia
    @Rasheed187 ERP is still a beta, cosmetic fixes come the last.
     
  23. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    348
    Location:
    united kingdom
    @novirusthanks
    A couple of issues to report

Firstly, if I add the rule below for Chrome to ERP, its existence prevents any processes not classified as "System File" or not included in the "Vulnerable Processes" category from executing on my PC. Only when I exit ERP's GUI do these 'suspended' processes actually start.
    Code:
    <category>Chrome</> <action>Allow</> <expression>[Proc.Name = chrome.exe] [Proc.Signer = Google Inc] [Proc.Path = C:\Program Files (x86)\Google\Chrome\Application] [Proc.Hash = CE811AA58E2D1715F2B76BC8683EB6D735F4C5D2] [Proc.CmdLine LIKE "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=* --service-pipe-token=* --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-compositor-image-animations --service-request-channel-token=* --renderer-client-id=* --mojo-platform-channel-handle=* /prefetch:1] [Parent.Name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe] [Parent.Signer = Google Inc] [Parent.Hash = CE811AA58E2D1715F2B76BC8683EB6D735F4C5D2] [Action = Allow]</> <enabled>1</> <comment></>
There is clearly something wrong with the rule, because if I try to edit it, all the fields are shown as empty, and if I try to disable the rule, I receive the error: "You must enter a valid expression". Only deleting the rule will return everything back to normal, which I can only do if I restart the GUI first.

Secondly, the "Edit rule from event" feature does not appear to work. If I right-click on a rule in the Events tab and select "Edit rule from event", nothing happens. No window appears. However, if I edit the relevant rule in the Rules tab first, and then select "Edit rule from event", it opens the rule as normal.

    Finally, a change request : Can you please make the "Expression Builder" window re-sizable to enable more of the field values to be visible, especially "Command Line" which can get very long?
     
    Last edited: Apr 20, 2018
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,625
    Location:
    U.S.A. (South)
@novirusthanks - If at all possible, and as/when OSA wraps up to final release, an earlier feature request still stands, which I believe might have enough support from users to share: it seems another useful staple within the capability of ERP 4 (just as ERP 3 does), where, upon a changed file (via the hash matching) that was previously already whitelisted, it could display that yellow stripe on the alert dialog indicating clearly that a whitelisted file has been found to have been changed (updated or otherwise tampered), as ERP 3 so effectively detects.

On another unit which still runs ERP 3 Beta, that feature is tremendous IMO, and hopefully other users will pick up on support of its addition into ERP 4 as it progresses through its own development pre-release stages, as you guys finely tune it to its highest potential.

    Regards, EASTER
     
    Last edited: Apr 22, 2018
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,773
    Location:
    The Netherlands
    I understand this, but in current state it's unusable for me. This should be basic functionality if you ask me.
     