New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,062
    Hi Bellgamin

    Simple solution! Just make sure you have the v3 installers well backed up. Then you are good to go
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,062
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,062
Progress means an improvement that enhances usage. V3 certainly still does the job it was designed to do. But for me (and Bellgamin) the expression builder adds nothing I need and requires a learning curve, so I wouldn't call that progress for me.
     
  4. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,904
    Location:
    Europe then Asia
You surely have some internal improvements. The new expression builder is what gives ERP all its efficiency; granular control gives better security.
    Also there is SUA full implementation, but of course, for those who don't use SUA, it is useless.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,959
    Location:
    U.S.A. (South)
Agree. Keep yer v3 installers well preserved. EASTER does this as well with other old software and it's really a confidence boost to know v3 is still relevant, useful and likely will be even with the crazy evolution of Microsoft's Windows 10 parade of updates-upgrades and what have ya. Even in spite of the awesome v4's most formidable advancements-enhancements.
     
  6. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,157
    Location:
    Hawaii
Too true, Pete. I have done as you suggest.

As to the greater complexity of v4 versus v3 --- I well remember the heydays of HIPS, such as Malware Defender, SSM, etc. -- those were the darlings of Wilders folks at that time. If someone remarked that those powerful security programs were too complex, he or she was quickly shot down as being inept or behind the times or simply too stupid to use really advanced security apps.

    Today, those pure HIPS apps are all dead & gone. IMO, at least part of the reason those apps died was because their developers put a bit too much emphasis on satisfying the urgings of the denizens of Wilders. The problem with that approach is that many of the most vocal folks at this forum are not very representative of users in general.

    It is somewhat axiomatic that increased power often generates increased complexity. It used to be that the brunt of that complexity fell on users, who had to learn to tweak dozens upon dozens of settings. Over time, the trend changed. Nowadays, the financially successful security apps are keeping more & more of that steadily increasing complexity "under the hood". They put the burden of tweaking that complexity on their programmers and AI, more so than on their users. Complex security apps that continue to rely heavily on user intervention are likely to remain as niche apps at best (the darlings of security forums), or they may disappear altogether at worst.

    I cannot help but wonder -- how many "average users," with money to spend on security apps, will spend it to gain access to user-intensive options such as expression builders & their ilk? :rolleyes:
     
    Last edited: Jul 12, 2018
  7. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,904
    Location:
    Europe then Asia
You don't need the expression builder for classic usage of ERP. Unlike HIPS, ERP v4 allows you to click a few options and it is almost set & forget.
When an unsigned application pops up an alert, if you just ran it manually, you don't have to do more than allow + remember.
If that is already too much for some people, OSA is a better alternative; it was especially made for beginners, no prompts at all.

ERP v4 was intentionally made for advanced users, it was promoted as such, hence why OSA exists (made for beginners).
I like the new ERP because I can lock down the system even more than v3.
I will even dare to say, ERP (and its new expression builder) is more adequate for very small business deployment than average home users.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,959
    Location:
    U.S.A. (South)
    ERP v4 = A form of HIPS on super steroids. Lockdown after selective tweaking indeed channels and keeps interactions into a finite pattern. Freaking awesome piece of exceptional security!
     
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,157
    Location:
    Hawaii
    Now THIS I can agree with. As to whether or not such a narrow market will prosper ERP 4 -- I truly hope that it does.

    Rick/Bogart said (classic line): "We'll always have Paris." {"Casablanca" -- 1942}
    In the same spirit I say, "We'll always have v.3." :'( {"Casawilders" -- 2018}
     
    Last edited: Jul 12, 2018
  10. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    471
    Location:
    Hungary
I also remember the days when a phone only meant a little box with buttons on it; look where we're now.
Technology is evolving, thankfully cyber-technology/security as well.
The big guys aren't making their products simpler, they just set up a default state where a casual user can leave it alone and it will protect you; meanwhile for advanced users, you can go deep into the settings and find the advanced options to configure it to your liking.

I'm pretty sure, as @Umbra mentioned, OSArmor was made for people like you (don't take this the wrong way, not insulting) that don't want to "evolve/advance" and get to know v4, just want to leave it alone and let it do its job.
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,254
    Location:
    Under a bushel ...
    Is a default vulnerable processes list included / embedded in ERP 4 in the latest builds, or does this have to be added / imported?

And is Andreas' list minimal, or does it go quite a way towards e.g. Excubits' blacklist?
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    8,813
    It is included and with "Re-Create Vulnerable Process Rules" the Vulnerable Processes List will "appear".
    ERP_Vulnerable_Processes.png
     
  13. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,215
    Location:
    North Carolina, USA
    Hello @novirusthanks,

    I would like to suggest a small tweak to the "Rules" tab > "Expression" column in NVTERP. It seems a lot of times if you view/edit a rule and save it, the order of the information in the "Expression" column changes. This makes it harder to compare rules in the "Rules" tab, especially "Exclude" rules that you edit for wildcards. It would be nice and more user friendly if the order of the different fields in the "Expression" column could follow some preset order. I realize that not all fields are necessarily in each rule which may make it harder to do. If there is any way that this can be done, it would be greatly appreciated.
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,002
    Location:
    Italy
    Here is a new v4.0 (pre-release) test19:
    https://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test19.exe

*** Please do not share the download link, we will delete it when we release the official v4 ***

    So far this is what's new compared to the previous pre-release:

    + Added "Install Mode" (on the "Alert Dialog") -> It will allow the execution and all child processes will be auto-allowed until the main PID is active
    + Edit Rule from Event now automatically populates the expression builder fields with the appropriate fields from the event
    + Improved "Allow Known Safe Process Behaviors"
    + Improved "Learning Mode" auto-created rules
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    * Before installing this new version, you should delete these files:

    C:\Users\<User>\AppData\Roaming\NoVirusThanks\RadarPro.conf
    C:\ProgramData\NoVirusThanks\EXE Radar Pro\*

    * This will be done automatically on next build from the installer file.

    @bellgamin

I understand your point about ERPv4. The new ERPv4 Expression Builder allows you to fully control processes executed in the system and create much better/more powerful rules, but it is not as easy as ERPv3. It is for more advanced users and that's why we have created OSA. After all bugs have been fixed on ERPv4, we'll work on usability, trying to make it more usable.

    Additionally, we'll develop a few more anti-exe-like simple programs that will be suited also for beginner users, here is one:

    A simple and smart process alerter that will show a prompt only for unsigned (or signed by unknown vendors) processes executed in user space.

    It will support alerting for vuln apps on system folders (to block exploit payloads and such), auto-allow trusted vendors, etc but will be extremely simple.

    @puff-m-d

We'll discuss that.
     
    Last edited: Jul 13, 2018
  15. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    471
    Location:
    Hungary
Doesn't deleting the ProgramData folder delete all rules as well? That's no bueno :D
     
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,409
    Location:
    Mexico
    Seconding @mekelek question:

Inside the Databases folder, there are Rules.db and Rules.db-journal files.
Isn't deleting them a bit too much?
I assume my rules would be erased, wouldn't they?

Or how about exporting them and then importing them prior to installing this new version?
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,959
    Location:
    U.S.A. (South)
    Great to see the INSTALL mode addition. I really didn't want to make a sniff over missing that enough to make suggestion but looks like it came back around anyway.

    Thank You @novirusthanks
     
  18. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,215
    Location:
    North Carolina, USA
    Hello @novirusthanks,

    Thanks :thumb: !

    Did this...
    Fix this?
    Thanks as always ;) ...
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,157
    Location:
    Hawaii
@ NVT -- thank you for the kind words. I suppose I could learn to become reasonably proficient in using v4. It would be easier, I suppose, than teaching differential & integral, or writing linear programming apps in Forth, all of which I did back in the good old days.

    As someone who images very often, I no longer find that learning to tweak a complex IDPS (Intrusion Detection & Prevention System) is where I want to put my limited time. With imaging, all one truly needs is IDS -- detection more so than prevention.

    Several years ago, I did take the time to become reasonably proficient with some relatively complex IDPS. I was able to make System Safety Monitor jump through hoops. Same for Prevx. Same for Malware Defender. I paid for all of these. All of them were very very popular here at Wilders. And all of them have been abandoned by their programmers, not because they fell behind technology but because they did not generate a viable income stream.

    Thank you for OSA. On those rare occasions when OSA has looned loudly at me, I have never yet chosen to override it. It's a bit like cross-breeding a lion with a parrot. I don't know what to call its child but I do know this -- when it talks, you better listen. So also with OSA. :p
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,027
    Location:
    The Netherlands
    I didn't even know that Install Mode was not implemented yet, good to see. What I don't understand about the new ERP v4 is: where are the Command Lines, Parent Process and File locations tabs?

    Well, you should be able to simply select a parent process and see exactly which child processes they are allowed or disallowed to run. Current Expression Builder seems to be too complex.

    ERP v4 is definitely on the right track, but it's not as good as ERP v3 yet when it comes to certain things. But I agree that v3 is a finished project, and we need to concentrate on making v4 better.
     
  21. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,086
    I just want to reconfirm: if I run ERP 4.19 in learning mode, and some command lines get whitelisted, the vulnerable processes will still alert for new command lines, correct?

    Question: if I get a prompt and I click on "custom rule" and I whitelist a command line and click on "save", the next time it runs, I get prompted again. And if I try to whitelist it again, it says that the rule already exists.

    But if I set the same parameters straight from the prompt, and tick "remember the action", I don't get prompted again. Why is this?
    EDIT: I think I found the reason. When I clicked on "custom rule", I failed to make it an "exclude" rule. So it was in contradiction to the "alert" rule for that vulnerable process.
    But when I do it straight from the prompt, it automatically is made into an "exclude" rule.
     
    Last edited: Jul 16, 2018
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,959
    Location:
    U.S.A. (South)
Thank You @shmu26 for your explanation on this.

    Never used learning mode before (always manually made rules on the fly) but I intend to allow v4 to run in that scan/record session for a day or two when I transition from the last v3 that's installed on my WIN 8.1 system.

    Since you ran into that learning curve and subsequent action-solution, that's useful-helpful detail to keep an eye out for. Appreciate the share on this.
     
  23. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    8,813
    @novirusthanks
    1) (Alert Mode)
    If there is a Prompt for an Ask Rule (Category = Vulnerable Processes) and if it is allowed and "Remember Action" is ticked, ERP is correctly creating an Exclude Rule.
    But if the Ask Rule is not in the Vulnerable Processes Group, ERP is creating an Allow Rule which is not sufficient (lower priority).

    2) If a process is learned, an Expression not related to the process is shown in Events.
The expression is one of my rules but I don't know why ERP is displaying it while a process is learned.
    Code:
    Action:  Allow/Learning Mode
    Process Path: C:\test\Homedale.exe
    Command Line: "C:\test\Homedale.exe"
    Parent: C:\Program Files\totalcmd\TOTALCMD64.EXE
    Parent Signer: Ghisler Software GmbH
    Expression: [Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] [Proc.CmdLine = /c w32tm.exe /stripchart /computer:* /dataonly /samples:1] [Parent.Name = C:\Windows\System32\WaaSMedic.exe] [Action = Allow]
    Category: Learning Mode
    
    3)
    I think to mitigate the following, it might help if ERP is selecting "Exclude" (instead of "Allow") in advance if an alert for a vulnerable Process is displayed and if the user tries to create a Custom Rule for it.
    4) If a Vulnerable Process is launched:
    Lockdown Mode: After a click on "Block" in the Alert dialog the Notification window does appear.
    Lockdown Mode (Auto-Block "Ask" Actions...) : the Notification window doesn't appear.
    Alert Mode: After a click on "Block" in the Alert dialog the Notification window doesn't appear.
    = Shouldn't the Notification Window appear in all three scenarios?
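The Exclude-versus-Allow behaviour that shmu26 and mood describe above (a plain Allow rule does not silence a vulnerable-process Ask rule, an Exclude rule does), as an added illustration that is not part of the thread and not ERP's own code: a toy rule evaluator that parses the bracket expression format quoted in the Events entry and picks the winning rule. The precedence order Exclude > Ask > Allow, the fallback to Ask when nothing matches, the use of `*` as a wildcard, and the shape of the vulnerable-process rule are all assumptions, and the event is constructed from the log entry above.

```python
import fnmatch
import re

# Assumed precedence (inferred from the thread, not from ERP documentation):
# an Exclude rule beats an Ask rule, which beats a plain Allow rule.
PRIORITY = {"Exclude": 3, "Ask": 2, "Allow": 1}

# One "[Field = value]" term; a value runs up to the closing bracket.
TERM_RE = re.compile(r"\[([A-Za-z.]+)\s*=\s*([^\]]*)\]")

def parse_expression(expr):
    """Parse '[Proc.Name = cmd.exe] ... [Action = Allow]' into (conditions, action)."""
    terms = {k: v.strip() for k, v in TERM_RE.findall(expr)}
    action = terms.pop("Action", None)
    if action not in PRIORITY:
        raise ValueError(f"missing or unknown [Action = ...] in {expr!r}")
    return terms, action

def matches(conditions, event):
    """Every term must match; '*' is a wildcard and comparison ignores case like Windows paths."""
    return all(fnmatch.fnmatchcase(event.get(k, "").lower(), pat.lower())
               for k, pat in conditions.items())

def decide(rules, event):
    """Highest-priority matching rule wins; with no match fall back to Ask (assumed)."""
    hits = [action for conditions, action in rules if matches(conditions, event)]
    return max(hits, key=PRIORITY.get) if hits else "Ask"

# Constructed event modelled on the learning-mode entry quoted in the thread.
SAMPLE_EVENT = {
    "Proc.Name": "cmd.exe",
    "Proc.Path": r"C:\Windows\System32",
    "Proc.CmdLine": "/c w32tm.exe /stripchart /computer:time.windows.com /dataonly /samples:1",
    "Parent.Name": r"C:\Windows\System32\WaaSMedic.exe",
}
VULN_ASK = "[Proc.Name = cmd.exe] [Action = Ask]"   # assumed shape of a vulnerable-process rule
USER_ALLOW = (r"[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] "
              r"[Proc.CmdLine = /c w32tm.exe /stripchart /computer:* /dataonly /samples:1] "
              r"[Parent.Name = C:\Windows\System32\WaaSMedic.exe] [Action = Allow]")
USER_EXCLUDE = USER_ALLOW.replace("[Action = Allow]", "[Action = Exclude]")

def decisions():
    """Ask rule alone, then with the user's Allow rule, then with an Exclude rule."""
    rules = [parse_expression(VULN_ASK)]
    only_ask = decide(rules, SAMPLE_EVENT)
    rules.append(parse_expression(USER_ALLOW))
    with_allow = decide(rules, SAMPLE_EVENT)      # Allow loses to Ask: still prompts
    rules.append(parse_expression(USER_EXCLUDE))
    with_exclude = decide(rules, SAMPLE_EVENT)    # Exclude wins: no prompt
    return only_ask, with_allow, with_exclude
```

Calling `decisions()` returns `('Ask', 'Ask', 'Exclude')`, which is the sequence shmu26 saw: the "custom rule" saved as Allow kept prompting, the rule saved from the prompt as Exclude did not.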
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,959
    Location:
    U.S.A. (South)
    Cool McCool @mood.

    I will wait for Andreas to have his code team sew up those finds before finally replacing my last holdout with their great v3 ERP.

    This security application is outstanding for the Power Users!! too.

    NVT did say after some fine tuning thru these runs that they intend to shrink or otherwise modify the way rules are set into a more streamlined pattern. Looking forward to all of this.
     
    Last edited: Jul 16, 2018
  25. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,086
    After trying out build 19, at first I was puzzled by the lack of prompts from rundll32.
    Then I remembered that Andreas said he improved the internal rules.
    Maybe he made an internal rule that allows whitelisted software, installed in program files folder, to load a dll by means of rundll32, without a prompt?
     