New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Yeah, thanks @mood :thumb:
     
  2. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    226
    Location:
    UK
    This is consistent behaviour. I've tried disabling everything security-related and, if Opera is updating, ERP flags up the updater process, which I allow. As I say, everything else here runs normally.
     
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    Issue (test 9): Wrong categories/Categories which are not applicable are being shown in the Alert Dialog.
    (probably related to this: [test 9 changelog: "+ Do not show "Category:" on Alert Dialog if the category is not applicable"])
    This rule has been created:
    Code:
    "Category: Nirsoft"
    [Proc.Signer = Nir Sofer] [Proc.Path LIKE C:\files2] [Action = Allow]
    
    After launching a digitally signed "Nir Sofer" file, c:\files\serviwin.exe,
    the category "Nirsoft" is shown in the Alert Dialog:
    [screenshot: ERP_Nirsoft.png]
    After disabling the rule and launching the file again, a different category, "Allow Rule", is now shown:
    [screenshot: ERP_Allow Rule.png]
    All Rules in the category are also unrelated to the file and are not applicable (= the category "Allow Rule" or "Nirsoft" shouldn't be shown).

    -----
    cosmetic issue (Logfile related): Normally a "-" is shown in the logfile if the Expression or Category is empty.
    Example:
    Code:
    Action         : Allow/MS-Signed File
    Expression     : -
    Category       : -
    
    But not if the Protection is disabled ("-" is missing):
    Code:
    Action         : Allow/Protection Disabled
    Expression     : 
    Category       : 
    
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    Did you test it? I have installed ERP in the sandbox, so it's not actually functional on my machine.

    Thanks, and it would be cool if it remembered these settings even after a restart of ERP and a reboot of Windows. This is currently not the case with the old ERP.
     
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    I have changed the size of columns (Events) and after a restart of the GUI the size of columns is retained.
    Changing of the column size in the Rules listview seems to have no effect ("ruleColumnX:")
    (but Events seems to work ["eventColumnX:"])
     
  6. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Can confirm test9 has not fixed the "wrong category displayed" issue which I previously reported in test8.
     
    Last edited: Apr 28, 2018
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,811
    Location:
    U.S.A. (South)
    [screenshot: mm.png] @novirusthanks - Super big compliments to you and the soft lab team for fashioning the spectacular (IMHO) very large BLOCKED PROCESS alert box in the corner of the screen. This sort of isolated & magnified NOTICE should long have been standard for most security softs (maybe it is?) but definitely fits the concept that you guys have conceived and produced with ERP this version. :thumb:
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,811
    Location:
    U.S.A. (South)
    @novirusthanks - Can we talk about this now, although I realize it's a non-issue in one respect since, as pointed out, if ERP simply reads and determines a HASH change, it will simply reissue Unknown Application Detected.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,811
    Location:
    U.S.A. (South)
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    OK, so thanks for confirming that it doesn't work.
     
  11. guest

    guest Guest

    confirmed

    works for me
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    But only as long as the category isn't switched.
    After switching to a different category, the desired size of columns is lost.
     
  13. guest

    guest Guest

    indeed.
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,150
    Location:
    Italy
    Here is a new v4.0 (pre-release) test10:
    http://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test10.exe

    *** Please do not share the download link, we will delete it when we'll release the official v4 ***

    So far this is what's new compared to the previous pre-release:

    + Fixed the link to lookup file sha1 on Virustotal on Events tab popup-menu
    + Fixed When clicking "Edit Expression" on "Rule Editor" it shows a warning message "You must enter a valid expression"
    + Fixed Wrong categories/Categories which are not applicable are being shown in the Alert Dialog
    + Fixed Cosmetic issue (Logfile related): Normally a "-" is shown in the logfile if the Expression or Category is empty
    + Fixed Changing of the column size in the Rules listview seems to have no effect ("ruleColumnX:") (but Events seems to work ["eventColumnX:"])
    + Fixed Windows Apps weren't allowed by the option "Allow Microsoft Windows Apps" in Settings tab
    + Fixed Possible Rules conflict -> moved Deny action checking to be before Ask action
    + Fixed The warning message "You must enter a valid expression" is present also on the Alert Dialog -> Custom Rule
    + Fixed Command-line string is empty for very long command-line strings
    + Improved allowing of safe process behaviors
    + "Vulnerable Processes" are now pre-loaded on the Rules tab when the program is first installed
    + Smarter way to handle signed processes not found in Trusted Vendors list while on "Learning Mode" -> if a signer is not present in Trusted Vendors list (when in Learning Mode), it is auto-added and enabled/checked
    + Added more signers on Trusted Vendors list
    + Added new option "Copy Selected Rule" -> The selected rule is "copied" on the newly created rule with same parameters
    + Added new option "Copy Selected Rule to Clipboard" -> It copies the selected rule to clipboard in XML format so can be easily pasted/shared on forums
    + Added new option "Locate Process File in Explorer" on Events tab
    + Added new option "Locate Parent Process File in Explorer" on Events tab
    + Added new option on Settings tab, "When on Lockdown Mode auto-block 'Ask'-action processes" (unchecked by default)
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @EASTER

    We will make some tests and probably reintroduce the "Whitelisted Application Changed".

    The "problem" is that ERPv4 utilizes various aspects of a process to create a rule (e.g. process, sha1 hash, command-line, parent, signer, etc). So we should show that "Whitelisted Application Changed" only for processes that match the rule "Proc.Path AND Proc.Name AND Proc.Hash" if the Proc.Hash is different (but Proc.Path AND Proc.Name are same).
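    The rule logic discussed in this thread (mood's report of a category being shown for a rule that does not match, the test10 change that checks Deny before Ask, and the "Whitelisted Application Changed" condition just described) can be illustrated with a small evaluator. This is an added example, not ERP's own code; the clause syntax it parses (bracketed "[Field OP Value]" clauses ANDed together, "=" as exact match, "LIKE" as prefix match), the process record fields, the hashes and the C:\tools path are assumptions, while the Nirsoft rule and the serviwin.exe path are the ones from mood's post.

```python
"""Toy evaluator for ERP-style rules (added example; not NoVirusThanks' code).

Assumptions, none of which come from the thread: a rule is a sequence of
"[Field OP Value]" clauses that are ANDed together; "=" is an exact,
case-insensitive comparison; "LIKE" is a case-insensitive prefix match; and a
process record exposes Proc.Path, Proc.Name, Proc.Hash and Proc.Signer.
"""
import re
from dataclasses import dataclass

# One bracketed clause: field, operator, value (value may contain spaces and backslashes).
CLAUSE = re.compile(r"\[\s*([\w.]+)\s+(=|LIKE)\s+([^\]]*?)\s*\]")

# Deny is checked before Ask, and Ask before Allow (order taken from the test10 changelog).
ACTION_PRIORITY = ("Deny", "Ask", "Allow")


@dataclass
class Rule:
    category: str
    clauses: list   # (field, op, value) triples, the Action clause excluded
    action: str


def parse_rule(category: str, text: str) -> Rule:
    """Turn a rule string such as mood's Nirsoft rule into a Rule object."""
    clauses, action = [], None
    for field, op, value in CLAUSE.findall(text):
        if field == "Action":
            action = value
        else:
            clauses.append((field, op, value))
    if action not in ACTION_PRIORITY:
        raise ValueError(f"rule needs an [Action = Deny|Ask|Allow] clause: {text!r}")
    return Rule(category, clauses, action)


def matches(rule: Rule, proc: dict) -> bool:
    """Every clause must hold; a missing process field never satisfies a clause."""
    for field, op, value in rule.clauses:
        actual = proc.get(field, "").lower()
        if op == "=" and actual != value.lower():
            return False
        if op == "LIKE" and not actual.startswith(value.lower()):
            return False
    return True


def decide(rules: list, proc: dict):
    """Return (action, category) of the winning rule.

    A category is only reported for a rule that actually matched, which is the
    behaviour mood asked for; with no match the result is ("Ask", None) and the
    alert dialog would show no "Category:" line at all.
    """
    hits = [r for r in rules if matches(r, proc)]
    for action in ACTION_PRIORITY:
        for rule in hits:
            if rule.action == action:
                return action, rule.category
    return "Ask", None


def classify_unmatched(rules: list, proc: dict) -> str:
    """Tell a changed whitelisted binary apart from a never-seen one.

    Implements the condition novirusthanks describes: an Allow rule keyed on
    Proc.Path AND Proc.Name AND Proc.Hash whose path and name equal the
    process's but whose hash differs.
    """
    for rule in rules:
        exact = {f: v.lower() for f, op, v in rule.clauses if op == "="}
        if rule.action != "Allow" or any(k not in exact for k in ("Proc.Path", "Proc.Name", "Proc.Hash")):
            continue
        if (exact["Proc.Path"] == proc["Proc.Path"].lower()
                and exact["Proc.Name"] == proc["Proc.Name"].lower()
                and exact["Proc.Hash"] != proc["Proc.Hash"].lower()):
            return "Whitelisted Application Changed"
    return "Unknown Application Detected"


# Constructed sample data. The Nirsoft rule and the serviwin.exe path come from
# mood's report; the hashes, the mshta rules and the C:\tools path are made up.
RULES = [
    parse_rule("Nirsoft", r"[Proc.Signer = Nir Sofer] [Proc.Path LIKE C:\files2] [Action = Allow]"),
    parse_rule("Vulnerable Processes", r"[Proc.Name = mshta.exe] [Action = Deny]"),
    parse_rule("User", r"[Proc.Name = mshta.exe] [Action = Ask]"),
    parse_rule("Whitelist", r"[Proc.Path = C:\tools\app.exe] [Proc.Name = app.exe] "
                            r"[Proc.Hash = 1111111111111111111111111111111111111111] [Action = Allow]"),
]
SERVIWIN = {"Proc.Path": r"c:\files\serviwin.exe", "Proc.Name": "serviwin.exe",
            "Proc.Signer": "Nir Sofer", "Proc.Hash": "aaaa"}
MSHTA = {"Proc.Path": r"C:\Windows\System32\mshta.exe", "Proc.Name": "mshta.exe",
         "Proc.Signer": "Microsoft Windows", "Proc.Hash": "bbbb"}
CHANGED_APP = {"Proc.Path": r"C:\tools\app.exe", "Proc.Name": "app.exe",
               "Proc.Signer": "", "Proc.Hash": "2222222222222222222222222222222222222222"}


def demo() -> dict:
    """Run the three scenarios and return their outcomes."""
    return {
        "serviwin": decide(RULES, SERVIWIN),      # ("Ask", None): C:\files2 is not a prefix of the path
        "mshta": decide(RULES, MSHTA),            # ("Deny", "Vulnerable Processes"): Deny beats Ask
        "changed_app": (decide(RULES, CHANGED_APP), classify_unmatched(RULES, CHANGED_APP)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12} -> {outcome}")
```

    The serviwin.exe case is the one mood reported: the rule's LIKE clause points at C:\files2, the file lives under C:\files, so nothing matches and no category should be displayed. The mshta.exe case shows why Deny has to be evaluated before Ask when two rules overlap. The last case is the "Whitelisted Application Changed" distinction: the Allow rule fails because of the hash, and only then is path plus name compared to decide which alert to raise.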
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,811
    Location:
    U.S.A. (South)
    You guys are so super considerate and we all are really grateful for such amazing efforts that are put into this project, added and updated to this incredible helpful software. :thumb:
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,654
    Location:
    USA
    Nice, can't wait to test this build!
     
  17. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,626
    Location:
    North Carolina, USA
    Hello,

    I may have found a possible issue with:
    I like to set all of my "Vulnerable Processes" rules to "Ask" as I do not care for auto-block (deny). With this new build I can change the "Deny" rules to "Ask" rules but the "Deny" rules eventually come back. There are 40 rules in this list, of which 10 are set to "Deny". I change these 10 "Deny" rules to "Ask" and save them. At this point there are still 40 rules on this list. I come back and check later and now have 50 rules in this list. The 10 "Deny" rules have reappeared and the 10 "Ask" rules that I saved are still there also. I have done this three times but the 10 "Deny" rules always come back.

    I am also still seeing this issue:
    This is random and not with every alert. Sometimes the "beep" happens at the same time as the alert and sometimes the "beep" does not happen until after you click on some action to close the alert.
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    First things first:
    • 1) If an application wants to play a mp3-file/sound, the process audiodg.exe (c:\Windows\System32\audiodg.exe) needs to be running (audiodg.exe is not running "all the time" and will be terminated if no sound was generated for a specific time [~5-15 minutes])
      • a) if audiodg.exe is not running (while the application wants to play a sound), audiodg.exe must be started by the service AudioSrv (Windows-Audio). After it has been started, sound can be played.
      • b) if the process is already running there is no need to launch this process and sound can be played.
    • 2) If ERP is displaying the alert-dialog, all other processes are blocked from launching.
    If you don't hear a sound, it is a combination of 2) (= the alert dialog is displayed and other processes are blocked from launching) and 1a) (= the system needs to launch audiodg.exe, but it isn't able to launch it yet because of the alert dialog).
    After the alert dialog has been closed, audiodg.exe is able to launch and you can finally hear a sound.

    To reproduce:
    Try to monitor all running processes (especially audiodg.exe) with Process Hacker or another task manager and wait until audiodg.exe is terminated.
    Now, if you try to launch a file, you will always hear the sound after the alert dialog has been closed.
    (audiodg.exe has been started now.) Now try to launch the file again and you will always hear the sound while the alert dialog appears on the screen (= 1b).

    Perhaps the developer comes up with a solution for this.
    Thoughts:
    Maybe something like a "pass-through" for audiodg.exe. The alert dialog is displayed, other processes are blocked from launching but audiodg.exe is allowed to launch = sound can be heard if the alert dialog is displayed [in both cases 1a) + 1b)]

    @novirusthanks
    Btw.: Process Logger Service is showing the Process Creation of audiodg.exe but ERP isn't showing it in "Events" or in the log-file.
    In addition entries for C:\Windows\System32\svchost.exe are also "missing"... and LogonUI.exe...
     
  19. guest

    guest Guest

    @novirusthanks I highly suggest a "clear the Trusted Vendor List" button, it is a pain to remove all of them one by one...
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,811
    Location:
    U.S.A. (South)
    :argh: That is one big list alright.

    This ERP 4 is getting away from even me. And I thought I was decent enough to probe all the workings.

    Good catch-request @guest
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,654
    Location:
    USA
    I just installed ERP test 10 on Windows 10 Educational Edition Version 1703 in Virtual Box and I don't see msra.exe (Windows Remote Assistance), mstsc.exe (Remote Desktop Connection), and PresentationHost.exe on the vulnerable process list. I would recommend putting them on the list.

    I'm also trying to decide whether I recommend putting raserver.exe on the vulnerable process list. It's Windows Remote Assistance COM Server.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,811
    Location:
    U.S.A. (South)
    :thumb:
    awesome catch!

    Appreciate you guys digging thru and turning things up. They're keeping things swamped over here.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,654
    Location:
    USA
    No problem!
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,654
    Location:
    USA
    Whenever I open the Publisher's List all the Publishers are already checked. I just installed ERP on this image for the first time. They're all checked each time I open the List though. It may be because I have not edited the list at all yet.
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,150
    Location:
    Italy
    @puff-m-d

    Will be fixed in next build.

    @Cutting_Edgetech

    We'll check and probably add the new suggested vulnerable processes.

    @mood

    To prevent the "black screen on startup" or "desktop is black and not displayed" issues, ERPv4 auto-allows specific processes like LogonUI.exe, audiodg.exe, and a few others (very important and safe system processes), so they don't generate an alert in a situation where the user can't answer (i.e. at PC startup and similar). Since they are auto-allowed from the service, they are not logged in the GUI or in the log file.

    I will see if we can handle this differently soon.

    @guest

    If you right-click on the list of Trusted Vendors you have the option to "Disable All" and "Remove All":

    [screenshot: erp1.png]

    I may add a text like "* Right-click the list for more options" or similar.
     