New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v4.0 (pre-release) test24:
    https://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test24.exe

    *** Please do not share the download link, we will delete it when we release the official v4 ***

    So far this is what's new compared to the previous pre-release:

    + Allow disabling protection temporarily for 10 minutes, 30 minutes, 1 hour via Tray Icon right-click menu
    + Added check for damaged/corrupt settings conf file (in which case default settings are re-applied)
    + Fixed: When turning on Learning Mode, after a reboot it's set to Alert Mode; I would expect it to stay on Learning Mode
    + Fixed: Saving of settings to conf file in particular situations
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @iammike

    Will take a look at the delay you reported.

    @__Nikopol

    Added.

    @mood @EASTER

    All reported issues should be fixed, e.g.:

     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    k. Thanks. Am scrambling musical chairs after a major malfunction. Always has to happen when you're ready for bed.

    Popped this new one onto a Windows 10 (which I detest) but so far looks ok. Will review and report should any quirks turn up after sorting and getting 8.1 back up in service.

    ERP v4 + OSA = Terrific!
     
  3. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Thx @novirusthanks

    Test24

    - Delay is still noticeable even when protection suspended
    - When starting a CMD file as Admin (via CMD) there was a real delay before the Alert showed, but after subsequent testing it wasn't reproducible.
    - Bug that Learning mode after a reboot switched to Alert Mode has been squashed ;)

    When I find out more, I will report back!
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    iammike,

    For clarity with us testers/users, is that on Win 10 or another version like Win 7-8 64 bit? Thank you for helping us all with replying on issues.
     
  5. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Win 10 x64, i7 8600, 16 GB RAM, 970 Evo NVMe SSD

    Other security sw I am using,

    Emsisoft AM (exclusions for NVT in place)
    Binisoft Wfc
    Sandboxie
    Macrium Reflect
     
    Last edited: Aug 3, 2018
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thank you. Sometimes an issue will surface on one Windows platform but not another.

    @novirusthanks: Installed and running as expected on Windows 8 (you read that right, 8 not 8.1) :D Fast as lightning!!
     
  7. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    @EASTER

    No problem, I should have mentioned that from the start.

    Strangest thing.

    At the moment the delay is completely gone.

    The only 2 things I have done are 1) I cleared all my Event logs, but "Log Events to Event log" has never been enabled (checked) in NVT ERP, and 2) I exported my Rules (incl. the Vulnerable ones; I have 75 Rules).

    I haven't done anything else: no updates installed, no SW installed, etc.

    Will have to test further whether the delay is still gone when I reboot, so will report back!

    Update: I have rebooted the PC and unfortunately the delay is back again :(
     
    Last edited: Aug 4, 2018
  8. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Wow! If you're experiencing delays on seriously powerful hardware like that then something must be really wrong.
     
  9. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    I have asked for other people who experience delays but only 1 or 2 have reported that they experience them, so IMHO it's not that major but maybe a combination of hardware / sw or .....

    See here: https://www.wilderssecurity.com/thr...ks-exe-radar-pro.300552/page-282#post-2771579

    As this is a brand new install, I could reinstall Windows again and see if it goes away. But it would be another couple of days before I have some time to do it as this is my current “work” system.

    Will report back.
     
    Last edited: Aug 4, 2018
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm feeling adventurous, so I think I'm now ready to install it on my machine and will soon report back. But what do you think about my ideas to make a more simple parent-child process control feature?

    Basically, only system files that are inside C:\Windows are allowed to execute other system files. This would mean that if you don't execute from C:\Windows, you are not allowed to run explorer.exe and svchost.exe, but these system files can still execute vulnerable processes in order to avoid any problems.

    If you allow all files in C:\Program Files, then any program can launch them, but you should be able to make exception rules. For example, this means that only explorer.exe, firefox.exe and start.exe can run the Firefox browser as a child process, all others are blocked from running it.
     
  11. guest

    guest Guest

    1- this is achievable via Lockdown Mode, non-whitelisted rules are blocked. With Lockdown Mode you have a pseudo-SRP.
    2- or via the rules editor.

    ERP v4 is way more potent than v3; the downside is that you have to "unlearn v3" and experiment with the v4 rule editor.
     
    Last edited by a moderator: Aug 4, 2018
  12. guest

    guest Guest

    test24: 5000 entries are selected in the GUI & the value of 5000 can be seen in the file RadarPro.conf, but ERP doesn't want to display more than 100 entries.
    Restarting the service and the GUI leads to the same result.

    Idea:
    Mode switches are mentioned in Events and saved into the logfile.
    Then, while reviewing Events or the logfile, the user can find out which mode ERP was switched to.
    Examples:
    Code:
    2018-08-05 02:05 Switched automatically to Alert Mode <after 10 minutes>
    [...]
    2018-08-05 01:55 Protection is disabled <for 10 minutes>
    [...]
    2018-08-05 01:48 Protection switched to Alert Mode
    [...]
    2018-08-05 00:00 Service started
    
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I must say that I'm impressed, it runs very smoothly, so great job! I like the simplified Settings tab and the Events tab is also very cool. But can you perhaps make the columns sortable? All of the Alert windows also look great. :thumb:

    I haven't tested it a lot yet, but I did notice a couple of things. It seems like Install Mode doesn't work correctly, it will still show you multiple alerts sometimes. For example, it happens with NVT Signer Extractor.

    And shouldn't it be possible to block/unblock directly from the events tab? Also, rundll32 alerts will still popup when you launch certain things from the Control Panel, like Time and Date, I believe these should be added to known safe behaviors.

    And that's the problem, I think this new Expression Builder stuff is too complex. Can you perhaps tell me how to exclude folders like C:\Sandbox? I don't want to receive any alerts about sandboxed processes, because Sandboxie takes care of security.
     
  14. guest

    guest Guest

    Personally I put Sandboxie's container in another partition (like D:\sandbox); by doing so it solves a lot of issues. There is no need for it to be in C: and I don't have any alert from ERP about it.

    Create an allow rule:
    <category>UnCategorized</><action>Allow</><expression>[Proc.Path LIKE C:\Sandbox\*] [Action = Allow]</><enabled>1</>
     
    Last edited by a moderator: Aug 6, 2018
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Me too! lol I even put the container in a RAM disk dedicated just to hold it. I save lots of reads writes in my SSD!
     
  16. guest

    guest Guest

    Either the executable is not a child process or the main PID has already quit.
    • ...\Program.exe (PID: 666) -> Install Mode = new Processes will be auto-allowed if the Parent Process is Program.exe (PID: 666)
      • Program.exe (PID: 666) spawns temp.exe = Allowed
        • temp.exe (PID: 667) spawns temp2.exe = Alert Dialog (PID of Parent Process != PID: 666)
    You can create and edit rules via Events tab ("Create Rule from Event" / "Edit Rule from Event")
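The bullet list above describes Install Mode as a check on the direct parent PID, not on process ancestry: a grandchild of the installer gets the alert dialog again. The following Python is an added illustration, not code from this thread or from NoVirusThanks. It replays a constructed spawn timeline (the Program.exe PID 666 / temp.exe / temp2.exe chain from the post) through the direct-parent decision and, for contrast, through an ancestry-based variant, so the difference that produces the alert for temp2.exe is visible. The PIDs, image names, the `late.exe` event and the "root PID has quit" handling are assumptions made for the simulation.

```python
from dataclasses import dataclass, field


@dataclass
class Spawn:
    """One process-creation event as the driver would see it (constructed sample)."""
    parent_pid: int
    pid: int
    image: str


@dataclass
class InstallMode:
    """Install Mode state: armed for one root PID until that process exits (assumed)."""
    root_pid: int
    active: bool = True
    # live descendants of the root; used only by the ancestry-based contrast variant
    descendants: set = field(default_factory=set)


def decide_direct_parent(ev, mode):
    """The behaviour described in the post: auto-allow only when the parent IS the root PID."""
    if not mode.active:
        return "Alert"
    return "Allowed" if ev.parent_pid == mode.root_pid else "Alert"


def decide_any_ancestor(ev, mode):
    """Contrast case (not ERP's behaviour): auto-allow any descendant of the root."""
    if not mode.active:
        return "Alert"
    if ev.parent_pid == mode.root_pid or ev.parent_pid in mode.descendants:
        mode.descendants.add(ev.pid)
        return "Allowed"
    return "Alert"


def on_exit(pid, mode):
    """Once the root process quits, Install Mode is over and later spawns get the normal dialog."""
    if pid == mode.root_pid:
        mode.active = False
    mode.descendants.discard(pid)


def run(events, policy):
    """Replay ('spawn', Spawn) / ('exit', pid) records and collect (image, decision) pairs."""
    mode = InstallMode(root_pid=666)
    out = []
    for kind, payload in events:
        if kind == "spawn":
            out.append((payload.image, policy(payload, mode)))
        else:
            on_exit(payload, mode)
    return out


# Constructed timeline matching the post's example, plus one spawn after the installer quit.
TIMELINE = [
    ("spawn", Spawn(parent_pid=666, pid=667, image="temp.exe")),
    ("spawn", Spawn(parent_pid=667, pid=668, image="temp2.exe")),
    ("exit", 666),
    ("spawn", Spawn(parent_pid=666, pid=669, image="late.exe")),  # parent PID reused after exit
]

if __name__ == "__main__":
    print("direct parent:", run(TIMELINE, decide_direct_parent))
    print("any ancestor :", run(TIMELINE, decide_any_ancestor))
```

Only the direct-parent policy reproduces the post's outcome (temp.exe allowed, temp2.exe alerted); the ancestry variant shows what a looser Install Mode would let through unattended.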
     
  17. guest

    guest Guest

    @novirusthanks Is it me or can we not select just folders when creating a rule?

    I mean like creating D:\Downloads\* as a deny rule to prevent all execution from the said folder.

    I know with OSA I can but cannot find a way on ERP.

    Edit: never mind, I had a glitch.
     
    Last edited by a moderator: Aug 6, 2018
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Great to see something like this raised. I've been trying to use ERP v4 for some time to chase some common PID system files for measuring time/usage quota-duration. Of course it raises a few new alerts, but it is interesting to try to corner some triggering other processes! :thumb:
     
  19. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    What about:

    <category>UnCategorized</><action>Deny</><expression>[Proc.Path LIKE d:\downloads\*] [Action = Deny]</><enabled>1</>
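The Allow rule for C:\Sandbox\* posted earlier and the Deny rule for D:\Downloads\* just above use ERP's exported rule format. As an added example, not code from this thread or from NoVirusThanks, here is a small Python evaluator that parses such lines and reports what a given process path would get. The tag layout is taken from the posted lines; everything else is an assumption made for the example: that `LIKE` is a case-insensitive wildcard match where `*` also spans backslashes, that rules are checked in export order with the first enabled match winning, that `<enabled>0</>` disables a rule, and that an unmatched path falls through to the normal alert. The third rule in the sample export is constructed to show the disabled case.

```python
import fnmatch
import re

# Constructed sample of an ERP rules export. The first two lines are the rules
# posted in the thread; the third is a disabled rule added here. Raw string so the
# backslashes survive unchanged.
RULES_EXPORT = r"""
<category>UnCategorized</><action>Allow</><expression>[Proc.Path LIKE C:\Sandbox\*] [Action = Allow]</><enabled>1</>
<category>UnCategorized</><action>Deny</><expression>[Proc.Path LIKE d:\downloads\*] [Action = Deny]</><enabled>1</>
<category>UnCategorized</><action>Deny</><expression>[Proc.Path LIKE C:\Temp\*] [Action = Deny]</><enabled>0</>
"""

# <tag>value</> : the export uses an anonymous closing tag, so one tag-agnostic regex is enough
TAG_RE = re.compile(r"<(\w+)>(.*?)</>")
# [Proc.Path LIKE <pattern>] is the only condition form used in the posted rules
PATH_COND_RE = re.compile(r"\[Proc\.Path LIKE ([^\]]+)\]")


def parse_rule(line):
    """Turn one exported rule line into a dict, or raise if it is malformed."""
    fields = dict(TAG_RE.findall(line))
    for required in ("action", "expression", "enabled"):
        if required not in fields:
            raise ValueError(f"rule is missing <{required}>: {line!r}")
    cond = PATH_COND_RE.search(fields["expression"])
    if cond is None:
        raise ValueError(f"unsupported expression: {fields['expression']!r}")
    return {
        "category": fields.get("category", ""),
        "action": fields["action"],
        "pattern": cond.group(1).strip(),
        "enabled": fields["enabled"] == "1",
    }


def parse_rules(text):
    """Parse every non-empty line of an export; order is preserved."""
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def path_matches(path, pattern):
    """LIKE is assumed to be a case-insensitive glob where * spans directory separators."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def decide(path, rules, default="Alert"):
    """First enabled rule whose pattern matches wins; otherwise ERP alerts as usual (assumed)."""
    for rule in rules:
        if rule["enabled"] and path_matches(path, rule["pattern"]):
            return rule["action"]
    return default


if __name__ == "__main__":
    rules = parse_rules(RULES_EXPORT)
    for sample in (r"C:\Sandbox\DefaultBox\user\current\firefox.exe",
                   r"D:\Downloads\setup.exe",
                   r"C:\Temp\tool.exe",
                   r"C:\Program Files\App\app.exe"):
        print(f"{sample:50} -> {decide(sample, rules)}")
```

Because `*` is allowed to cross backslashes, a single rule covers the whole sandbox tree; if ERP's `LIKE` were segment-bound, nested sandbox paths would not match and the alerts Rasheed187 mentions would persist, which is the first thing to check when a folder rule seems to have no effect.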
     
  20. guest

    guest Guest

    That is what I tried, then I saw the rule is invalid.
    I guess the rule editor requires an executable/process to be specifically named in the expression (I even tried *.exe).

    So Lockdown Mode is required to do such an action.
     
    Last edited by a moderator: Aug 6, 2018
  21. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Nope, I have added that particular rule and then I exported it.

    [Attachment: test.jpg]

    Edit: I only manually changed D:\Documents\Downloads to D:\Downloads because that is where my Downloads are stored ;)

    Edit 2: Here both Rules (D:\Downloads\* doesn't exist)

    [Attachment: Capture.JPG]
     
  22. guest

    guest Guest

    Can you post a screenshot of the expression builder fields?
     
  23. guest

    guest Guest

    OK... I had a bug with the save button of the expression builder... the rules work now...
     
  24. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Here you go

    [Attachment: expression builder.JPG]

    Action is of course DENY
     
  25. guest

    guest Guest

    Yes, thanks, working now; the save button didn't work when I first tried it...
     