New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Good point, I forgot to check. But it was niche software. I would be surprised if Babylon desktop translator is hardcoded into ERP. Most people hate Babylon and avoid it like the plague. (I hate the company but love the product :) )

    The other rundll32 command line that didn't pop up was from HP printer driver, in the action of "print to fax". Another one of those things that most human beings don't use and probably never heard of.
     
  2. guest

    guest Guest

So it was expected: rundll32.exe is a system file, and if the parent process is in Program Files, you normally won't get alerts.
     
  3. guest

    guest Guest

    @novirusthanks

    small (resurrected) cosmetic suggestion coming back from v3

- can we have a small "lock" on the tray icon when we are in Lockdown Mode?
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Also a gray or any other color icon for "Protection Disabled" mode?
    @novirusthanks
     
  5. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
Yea! Finally an Install Mode. Now I no longer have to disable protection during installs. Really loving this!

    But how does it work? Does it disable protection as long as the installer process runs? What if they never stop? I sometimes see msiexec.exe running a long while after an installation.
     
  6. guest

    guest Guest

If you are, for example, launching c:\test\setup.exe and this file launches 10 other files (= c:\test\setup.exe is the parent process of these files) which are not whitelisted, on your Trusted Publisher List, etc.:
    without Install Mode: 11 prompts
    with Install Mode: 1 single prompt (but only as long as setup.exe is running; otherwise prompts will begin to appear)
     
  7. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Could this be a security issue? I believe it is possible for ERP to get stuck in install mode.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    That's how I understand it and how it operates in v3 if memory serves. Great time saver.

OffTopic: Something familiar but dissimilar was causing interference/repeated prompts in OSA, but "temporary disable" solves my issue.
     
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
Were you able to unstick it? If so, how?
     
  10. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Huh? o_O No, you misunderstood. :) It was a hypothesis. The hypothetical answer would be to stop the installer with task manager. afaik
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v4.0 (pre-release) test20:
    https://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test20.exe

*** Please do not share the download link, we will delete it when we release the official v4 ***

    So far this is what's new compared to the previous pre-release:

    + While "Process Blocked" notification window is active, I cannot edit/do things on the main GUI
    + Added a button "Close All" on the left of "Close" button, in the "Process Blocked" notification window to close all active "Process Blocked" notifications
    + If I enable the option "Settings" -> "Password Protect Power Options" and then I right-click on the tray icon -> "Enable Passive Mode" I am not asked for the password
+ Support an explicitly appended \ in the process Path rule field, for example:
    C:\Program Files*\Internet Explorer
    C:\Program Files*\Internet Explorer\
    C:\Program Files*\Internet Explorer\*
    C:\Program Files*\Internet Explorer*\*
    + Improved "Allow Known Safe Process Behaviors"
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @puff-m-d

    Yes, Learning Mode will now auto-create Exclude rules including the command-line string for vulnerable processes.

    @Rasheed187

    ERPv3 has many tabs, e.g. Processes (Hash), Command-Line, Parent Process, File Locations, etc

    ERPv4 has one tab "Rules" and "Expression Builder" allows you to create more granular rules by grouping and matching all process fields with just one rule.

    @shmu26

    Correct.

    Correct.

    @mood

    We'll discuss your suggestions and should add them to ERPv4's next build.

    @shmu26

Yes, we're improving the "Allow Safe Process Behaviors" option a lot.

    In the Events tab you should see why the rundll32.exe or regsvr32.exe execution was allowed, check for "Action: Allow/Known Safe Process" events.

    @EASTER

    Yes @mood is correct here:

We will keep those rules internal and not editable by the user.

    @guest @Mr.X

Sure, it should be added in the next build (we should use the same icon colors as ERPv3, e.g. blue, red, grayed, etc).

    @__Nikopol

Nope, only child processes of the setup/installer will be allowed to run; for other processes you will still get alerts normally (protection is not disabled).

    Of course you need to make sure to use "Install Mode" only on trusted (and digitally signed) installers/uninstallers.
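The Install Mode scoping described in posts 6 and 11 (child processes of the installer are allowed only while the installer itself is still running) and the four process Path rule forms listed in the changelog above, as an added toy model in Python. This is a constructed example, not NoVirusThanks code: the wildcard semantics, the first-match rule order and the direct-children-only reading of Install Mode are assumptions made here, and the process list and rules are made up.

```python
# Toy model of two ERP v4 behaviours discussed in this thread:
#   1. process Path rules with '*' wildcards and an optional trailing '\'
#   2. Install Mode, which suppresses prompts for an installer's child processes
# Constructed example, not NoVirusThanks code. The semantics below are assumptions.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


def _norm(p: str) -> str:
    # Windows paths compare case-insensitively; accept '/' as a separator too
    return p.replace("/", "\\").lower()


def path_rule_matches(rule: str, process_path: str) -> bool:
    """Assumed semantics: '*' matches any run of characters (it may span '\\');
    a rule ending in '\\' is read as if it ended in '\\*'; a rule that names a
    directory with no trailing wildcard also matches files directly beneath it."""
    rule, path = _norm(rule), _norm(process_path)
    if rule.endswith("\\"):
        rule += "*"
    if fnmatchcase(path, rule):
        return True
    if not rule.endswith("*"):
        # Directory form, e.g. "C:\Program Files*\Internet Explorer"
        return fnmatchcase(path, rule + "\\*")
    return False


# The four rule forms listed in the changelog, all meant to cover the IE folder
IE_RULE_FORMS = [
    "C:\\Program Files*\\Internet Explorer",
    "C:\\Program Files*\\Internet Explorer\\",
    "C:\\Program Files*\\Internet Explorer\\*",
    "C:\\Program Files*\\Internet Explorer*\\*",
]


@dataclass
class Proc:
    pid: int
    path: str
    parent_pid: Optional[int]


@dataclass
class Rule:
    path_pattern: str
    action: str  # "allow" or "block"


def decide(proc: Proc, running: Dict[int, Proc], rules: List[Rule],
           install_mode_pid: Optional[int] = None) -> str:
    """Return 'allow', 'block' or 'prompt' for a process start.

    Install Mode (assumed: direct children only, while the installer is alive):
    a child of the installer that was put into Install Mode is allowed without
    consulting the rules. Everything else is matched against the rules in
    order (first match wins, an assumption) and prompts when nothing matches."""
    if (install_mode_pid is not None and install_mode_pid in running
            and proc.parent_pid == install_mode_pid):
        return "allow"
    for rule in rules:
        if path_rule_matches(rule.path_pattern, proc.path):
            return rule.action
    return "prompt"


def demo() -> Dict[str, str]:
    """Constructed scenario: setup.exe in Install Mode, one helper it spawns,
    and what happens once setup.exe has exited."""
    rules = [
        Rule("C:\\Program Files*\\Internet Explorer\\", "allow"),
        Rule("C:\\Users\\*\\Downloads\\*", "block"),
    ]
    installer = Proc(100, "C:\\test\\setup.exe", parent_pid=1)
    running = {1: Proc(1, "C:\\Windows\\explorer.exe", None), 100: installer}
    helper = Proc(101, "C:\\test\\helper.exe", parent_pid=100)
    plugin = Proc(102, "C:\\test\\plugin.exe", parent_pid=101)
    iexplore = Proc(103, "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", 1)
    dropped = Proc(104, "C:\\Users\\bob\\Downloads\\invoice.exe", 1)

    results = {
        "helper, installer running": decide(helper, running, rules, 100),
        "plugin (grandchild), installer running": decide(plugin, running, rules, 100),
        "iexplore via path rule": decide(iexplore, running, rules, 100),
        "downloads via block rule": decide(dropped, running, rules, 100),
    }
    # Install Mode lasts only as long as setup.exe itself is alive
    after_exit = {pid: p for pid, p in running.items() if pid != 100}
    results["helper, installer exited"] = decide(helper, after_exit, rules, 100)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:45} -> {verdict}")
```

The model makes the concern raised earlier in the thread concrete: the Install Mode exception is keyed to the installer's lifetime, so an installer process that lingers (the msiexec.exe case mentioned above) keeps its children prompt-free for as long as it runs, which is why it should only be used on trusted, signed installers. It also shows why the first and fourth rule forms differ: a directory-form rule with no trailing wildcard does not cover a sibling folder such as `Internet Explorer2`, whereas `Internet Explorer*\*` does.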
     
  12. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    What does that mean? It sounds like a bug report. o_O
    Nice :)

EDIT: Version 19 uninstalls alarmingly fast. Could you make it slower to instill trust that it actually does something? XD XD (Or show details about it)
    Can you remove or just untick the "Open NoVirusThanks webpage" option in the installer please? In OSArmor it actually starts automatically, which really cracks me up. :mad:

EDIT2: Before installation I exported the settings I made with the "alert" thing. (The option called Alert in export.) After uninstalling and installing test version 20, I tried importing them: they were rejected because they are already there. YET it asked me again about every application I allowed with the Alert dialog.
    For example: I now have two rules regarding Chrome.exe that are totally identical. (Hash, path and everything.)
    I assume that was a mistake? :) Something is messed up here. I get double questions about running processes.

    "allow known safe behaviors" does not include windows defender updates.
     
    Last edited: Jul 20, 2018
  13. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
Beware, you should STILL do that. afaik
    The files were still there after uninstalling 19.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    That is, test 20 not 19.
     
  15. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Oh oops. :)
Don't know why I missed that. xD

    I reinstalled 20 without those left-over files and all is fine. (Except I deleted the exported settings already :'()
     
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
lol Lots of work awaiting you...
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Awesome Andreas. This is the build that will officially retire my last v3 holdout on the single most active system. Gonna miss it, but I can always revert back; then again, that need never happen, since v4 has the goods and the iron to cope with everything (nearly) conceivable, infinitely more granularity, and advancements where a lot of thought (from developer and testers alike) has been poured into it.

    Farewell v3, hello ERP 4 on all systems! :thumb:
     
    Last edited: Jul 20, 2018
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    +1 :)
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Just peeled off (copy/saved) from Program Data a pile of ERP 3 logs that begin at 1-1-2018. :isay:
     
  20. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello @novirusthanks,
I am having the same issue. NVTERP will save the rules and they appear in the "Rules" tab of the GUI, but it is like they are not even there. NVTERP will prompt for the same file every time, and you can create the exact same rule each and every time in an endless loop. You can literally end up with dozens of the exact same rule for the same file. NVTERP is creating and remembering the rules, but it is not honoring them once they are created. I even tried deleting all of my rules and rebooting, but the issue still persists.
    I even tried the above and started fresh, with the same results. NVTERP is not usable in this state. For the time being, I am going to have to go back to the previous version.
     
  21. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
And I believe that's my problem: I don't have a clue how to do this with the Expression Builder. I really think this all should be easier to figure out. Like I said, you should be able to select a process and select which child processes it's allowed or disallowed to run with only a few clicks. You should also be able to exclude folders in an easy way. For example, you can check out SpyShelter Firewall's "Application Execution Control" module.

    https://www.spyshelter.com/spyshelter-firewall/
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Thanks for you guys rapidly bringing up that duplicate rules issue. Maybe I'd better hold off the install until the developer can look at that and make the necessary corrections first. Appreciate that, might be a big help.
     
  24. guest

    guest Guest

Yes, existing rules seem to be "ignored" by ERP.
    ERP is able to write (creation of rules) to the database (c:\ProgramData\NoVirusThanks\EXE Radar Pro\Databases\Rules.db), but it isn't able to read or notice existing rules.
    It looks like a database error or something similar.
    [attachment: ERP_test20_database.png]
     
  25. guest

    guest Guest
