New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I like ERP 4 more than version 3 because it provides much more functionality. The expression builder is such a powerful tool.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    How are you using it?
     
  3. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,379
    Location:
    Hawaii
    OH my doG, I may be dyslexic! :eek:
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,777
    Location:
    U.S.A. (South)
    :thumb:

    Exactly my own sentiments and experience. Expression builder, yes, takes a lil extra effort but absolutely confines most if not all runnings locked to a user's choice select RULES and obeys those preferences to a "T".
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,418
    Location:
    Under a bushel ...
    Don't worry, everything will be KO :D.
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    One of the things I do is define exactly what executables vulnerable applications are allowed to spawn. If my browser tried to launch anything other than plugin-container.exe, maintenanceservice.exe, updater.exe, and pingsender.exe it would not be able to, because those are the only executables I have allowed firefox.exe (parent process) to spawn. I can whitelist by hash, digital signature, path, etc. so that a malicious executable with the same name can't slip by.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I think if users take a little bit of time to master expression builder they will really have a great appreciation for version 4.
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I hope they are working hard on ERP. I thought there would be another beta release by now. I can't wait to upgrade my machines to ERP 4.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Can you perhaps explain how to configure ERP v4, to block all processes from running explorer.exe and svchost.exe except for certain system processes?
     
  10. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
    Have a rule where you set it to "Ask" when something gets run from parent process svchost.exe or explorer.exe.
    Then whenever something you want to allow pops up, tick every field and tick the "remember" box, aka it creates a rule to allow that certain thing.

    Though I'm not sure why you want this, because ERP v4 has a vulnerable processes list that covers most problems, and everything that doesn't belong to a wider rule gets asked about if you want to allow it to run.

    Also, settings has an "Allow system files" option that will probably be handy for your case.
     
  11. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,828
    Create a deny-rule which is blocking all processes (Parent Process) from launching explorer.exe (Child Process), then create exception-rules for (Parent-)processes which are allowed to launch explorer.exe (for example userinit.exe needs to launch explorer.exe, ...).
    Do the same for svchost.exe (for example services.exe needs to launch svchost.exe).
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,828
    @novirusthanks
    [Attachments: RadarPro_(1)_create rule from event.png, RadarPro_(2)_edit rule from event.png]
    If a rule is created ("Create Rule from Event") all information from "Events" are inserted into the Expression Builder.
    The user selects Name, Path and the rule is saved.
    Now the user wants to add more information to the previously created rule and is using "Edit Rule from Event".
    Of course the information isn't available anymore in the dialog (it looks like the second picture) and the user needs to use Copy & Paste or "Read Data from file" to fill in these fields.
    Enhancement: If "Create Rule from Event" is able to "transfer" all information to the Expression Builder, can it be done with "Edit Rule from Event" too?
    It shouldn't override already filled in fields of the rule, it should only fill information into empty (and not enabled) fields.
    In this case editing the existing rule via "Edit Rule from Event" would look like the first picture instead of the second picture.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,777
    Location:
    U.S.A. (South)
    :thumb:
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    Oh geez!! I love the new wildcard support... Awesome!
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    I read something here about how to deal with new file versions/new hash, to stop pop ups treating the exe as if it was a fully new unknown file.
     
  16. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    @novirusthanks

    Please add it to internal rules (Allow known safe process behaviors).

    Date/Time: 2018-07-04 14:08:28.363
    Action: Ask/Deny Once
    PID: 4156
    Process Path: C:\Windows\System32\schtasks.exe
    SHA1: 815A050FC4BD12C6CA0B62D38D0FB6F8A95F70A8
    Signer:
    Command Line: schtasks.exe /change /tn "Microsoft\Office\Office ClickToRun Service Monitor" /enable
    Parent: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
    Parent SHA1: D8EA4922DAC9EE7E64891EC8F47475033852355B
    Parent Signer: Microsoft Corporation
    Expression: -
    Category: Alert Dialog
    User/Domain: SYSTEM/NT AUTHORITY
    Integrity Level: System
    System File: True
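    The rule model described in the posts above (a broad deny rule for a child such as explorer.exe or svchost.exe with allow exceptions for specific parents, a per-parent allow list for firefox.exe, and matching on path, hash or signer so a same-named file cannot slip by) can be mirrored in a small evaluator. The following is an added example written for this thread; it is not ERP's code and does not use ERP's rule format. The Rule fields, the glob-style path matching, the first-match-wins ordering and the constructed policy are assumptions; the event text is the one quoted in the post above, and the hash pin on schtasks.exe shows how a replaced binary with the same path falls back to "ask".

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Event text as logged by ERP in the post above (the schtasks.exe launch
# from OfficeClickToRun.exe); only the fields the rules use are consulted.
SAMPLE_EVENT = r"""Date/Time: 2018-07-04 14:08:28.363
Action: Ask/Deny Once
PID: 4156
Process Path: C:\Windows\System32\schtasks.exe
SHA1: 815A050FC4BD12C6CA0B62D38D0FB6F8A95F70A8
Signer:
Command Line: schtasks.exe /change /tn "Microsoft\Office\Office ClickToRun Service Monitor" /enable
Parent: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent SHA1: D8EA4922DAC9EE7E64891EC8F47475033852355B
Parent Signer: Microsoft Corporation
"""


def parse_event(text: str) -> dict:
    """Turn the 'Key: value' lines of an ERP event into a dict."""
    event = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            event[key.strip()] = value.strip()
    return event


def make_event(parent: str, child: str, **fields) -> dict:
    """Build a constructed event with the same keys parse_event() produces."""
    event = {"Parent": parent, "Process Path": child,
             "SHA1": "", "Signer": "", "Parent Signer": ""}
    event.update(fields)
    return event


def _glob(pattern: str, value: str) -> bool:
    # Windows paths are case-insensitive; '*' also spans backslashes here.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


@dataclass
class Rule:
    """One hypothetical parent/child rule (not ERP's rule format).
    Every set field must match; a default field acts as a wildcard."""
    name: str
    action: str                                 # "allow", "deny" or "ask"
    child: Union[str, Tuple[str, ...]] = "*"    # glob(s) on the child path
    parent: str = "*"                           # glob on the parent path
    child_sha1: Optional[str] = None            # pin one specific child binary
    parent_signer: Optional[str] = None         # require a parent signer

    def matches(self, ev: dict) -> bool:
        children = (self.child,) if isinstance(self.child, str) else self.child
        if not any(_glob(p, ev.get("Process Path", "")) for p in children):
            return False
        if not _glob(self.parent, ev.get("Parent", "")):
            return False
        if self.child_sha1 and self.child_sha1.upper() != ev.get("SHA1", "").upper():
            return False
        if self.parent_signer and self.parent_signer != ev.get("Parent Signer", ""):
            return False
        return True


# First matching rule wins, so each "allow" exception is listed before the
# broad "deny" it carves a hole in. The parent/child pairs follow the posts
# above; the rule names and exact paths are a constructed sample policy.
POLICY = [
    Rule("userinit may start explorer", "allow", child=r"*\explorer.exe",
         parent=r"C:\Windows\System32\userinit.exe"),
    Rule("nothing else may start explorer", "deny", child=r"*\explorer.exe"),
    Rule("services may start svchost", "allow", child=r"*\svchost.exe",
         parent=r"C:\Windows\System32\services.exe"),
    Rule("nothing else may start svchost", "deny", child=r"*\svchost.exe"),
    Rule("firefox helpers", "allow", parent=r"*\firefox.exe",
         child=(r"*\plugin-container.exe", r"*\maintenanceservice.exe",
                r"*\updater.exe", r"*\pingsender.exe")),
    Rule("firefox may spawn nothing else", "deny", parent=r"*\firefox.exe"),
    # The quoted event: allow only this exact schtasks.exe build when it is
    # launched by a Microsoft-signed OfficeClickToRun.exe.
    Rule("ClickToRun task refresh", "allow",
         child=r"C:\Windows\System32\schtasks.exe",
         child_sha1="815A050FC4BD12C6CA0B62D38D0FB6F8A95F70A8",
         parent=r"*\OfficeClickToRun.exe",
         parent_signer="Microsoft Corporation"),
]


def evaluate(ev: dict, policy=POLICY) -> Tuple[str, str]:
    """Return (action, rule name); an unmatched launch falls back to 'ask'."""
    for rule in policy:
        if rule.matches(ev):
            return rule.action, rule.name
    return "ask", "no rule matched"


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(evaluate(ev))
    # Same path, different binary: the hash pin fails and the launch is asked about.
    print(evaluate(dict(ev, SHA1="0" * 40)))
```

    Ordering is the whole point of the deny-with-exceptions pattern: if the broad deny for explorer.exe were listed before the userinit.exe exception, the exception would never be reached. Pinning the child hash (or the signer) alongside the path is what stops a same-named file dropped elsewhere, or swapped in place, from inheriting the allow.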
     
  17. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    961
    Hi @ Wilders

    Just changed to latest version of EXE Radar Pro 4.0 from v 3.1.

    Is there any way to import into v4.0 the rules that were set up and saved in version v3.1?

    Thanks

    Terry
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,828
    ERP 4.0 doesn't "understand" exported rules of ERP 3.1. You need to begin from scratch.
     
  19. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    961
    Hi Mood

    Thanks for your reply.

    Can EXE Radar Pro v 4.0 be used straight from its installed state without creating rules? At the moment I have it in Lockdown mode, but as yet I have not received any pop ups. Is this what you would expect?

    Thanks

    Terry
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,828
    Yes, normally ERP is very quiet and none or only a few alerts are to be expected.
    But of course it is not completely alert-free. The alerts will begin if vulnerable processes, unsigned installers or digitally signed files from "unknown" vendors are launched.
     
  21. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    961
    Hi Mood

    Thanks again for your help.

    I opened up powershell.exe, which I understand is a vulnerable process, but there was no alert or blocking.

    Is this expected behaviour?

    Thanks

    Terry
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,828
    If powershell is a vulnerable process there should be an alert if powershell.exe is launched:
    [Attachments: ERP4_powershell_vulnerable.png, ERP4_powershell_vulnerable_blocked.png]
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    I want this because malware will often perform process hollowing on explorer.exe and svchost.exe, but if they can't be launched they can not attack it. The problem is that you can not add explorer.exe and svchost.exe to the vulnerable process list.

    I have just checked it out, and I feel like ERP v4 is too complex. I don't have a clue how to do it.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    That is exactly what is bothering me. Adding something to user space in appguard, or using OSArmor is much easier and just as effective
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,777
    Location:
    U.S.A. (South)
    ERP's v4 additional functionality, as myself and some others might like to call it, "adds" some graspable complexity, if one looks at it that way, which greatly enhances a user's system and interactions, more or less confining internal interactions into a controlled flow of sorts.

    Just takes (like anything else security software related) becoming acquainted with it. It's truly become so far a formidable, fully functional traffic control system as concerns Anti-Exe/Process Controller programs and so much more.
     