New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    6,587
    Either the executable is not a child process or the main PID has already quit.
    • ...\Program.exe (PID: 666) -> Install Mode = new Processes will be auto-allowed if the Parent Process is Program.exe (PID: 666)
      • Program.exe (PID: 666) spawns temp.exe = Allowed
        • temp.exe (PID: 667) spawns temp2.exe = Alert Dialog (PID of Parent Process != PID: 666)
    You can create and edit rules via the Events tab ("Create Rule from Event" / "Edit Rule from Event")
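The parent-PID logic described in the post, as an added toy model (constructed here, not ERP's code): direct children of the install-mode anchor PID are auto-allowed while that process is alive, a grandchild whose parent PID differs raises an alert, and once the anchor has quit nothing else is auto-allowed, so a recycled PID cannot inherit the allowance. Event names, PIDs and the replay helper are all assumptions made for the example.

```python
# Toy model of the Install Mode parent-PID rule (constructed example, not ERP's code).
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    kind: str        # "start" or "exit"
    pid: int
    ppid: int = 0    # only meaningful for "start"
    image: str = ""


class InstallModeMonitor:
    """Auto-allow direct children of the install-mode anchor PID while it is running."""

    def __init__(self, anchor_pid: int, anchor_image: str) -> None:
        self.anchor_pid = anchor_pid
        self.anchor_image = anchor_image
        self.anchor_alive = True
        self.log: list[str] = []

    def handle(self, ev: ProcEvent) -> str:
        if ev.kind == "exit":
            if ev.pid == self.anchor_pid:
                # Once the installer is gone, a later process reusing PID 666 gets no free pass.
                self.anchor_alive = False
            return "Exit"
        if self.anchor_alive and ev.ppid == self.anchor_pid:
            verdict, why = "Allowed", f"parent is {self.anchor_image} (PID: {self.anchor_pid})"
        elif not self.anchor_alive:
            verdict, why = "Alert", "install-mode process has already quit"
        else:
            verdict, why = "Alert", f"PID of Parent Process {ev.ppid} != PID: {self.anchor_pid}"
        self.log.append(f"{ev.image} (PID: {ev.pid}) -> {verdict}: {why}")
        return verdict


def replay(events: list[ProcEvent]) -> tuple[list[str], list[str]]:
    """Feed a constructed event stream through the monitor; returns (verdicts, human-readable log)."""
    mon = InstallModeMonitor(anchor_pid=666, anchor_image="Program.exe")
    verdicts = [mon.handle(ev) for ev in events]
    return verdicts, mon.log


# Constructed event stream mirroring the tree in the post, plus an exit and a PID-reuse case.
SAMPLE_EVENTS = [
    ProcEvent("start", 667, 666, "temp.exe"),    # direct child of the installer
    ProcEvent("start", 668, 667, "temp2.exe"),   # grandchild: parent PID is 667, not 666
    ProcEvent("exit", 666),                      # installer finishes
    ProcEvent("start", 669, 666, "late.exe"),    # claims parent 666 after it has quit
]

if __name__ == "__main__":
    _, log = replay(SAMPLE_EVENTS)
    print("\n".join(log))
```

The second event is the interesting one for defenders: an installer that unpacks a helper which in turn launches something else will trip the alert, which is exactly the behaviour the post describes, and the last event shows why the monitor must also watch for the anchor's exit.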
     
  2. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,621
    Location:
    Europe then Asia
    @novirusthanks Is it me, or can we not select just folders when creating a rule?

    I mean like creating D:\Downloads\* as deny rule to prevent all execution from the said folder.

    I know with OSA I can, but cannot find a way on ERP.



    edit: never mind, I had a glitch.
     
    Last edited: Aug 6, 2018
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,355
    Location:
    U.S.A. (South)
    Great to see something like this raised. I've been trying to use ERP v4 for some time to chase some common PID system files for measuring time/usage quota-duration. Of course it raises a few new alerts, but it is interesting to try to corner some triggering other processes! :thumb:
     
  4. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    319
    Location:
    SE Asia
    What about:

    <category>UnCategorized</><action>Deny</><expression>[Proc.Path LIKE d:\downloads\*] [Action = Deny]</><enabled>1</>
     
  5. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,621
    Location:
    Europe then Asia
    It is what I tried, then I saw the rule is invalid.
    I guess the rule editor requires an executable/process to be specifically named in the expression (I even tried *.exe).

    So Lockdown Mode is required to do such an action.
     
    Last edited: Aug 6, 2018
  6. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    319
    Location:
    SE Asia
    Nope, I have added that particular rule and then I exported it.

    test.jpg

    Edit: I only manually changed D:\Documents\Downloads to D:\Downloads because that is where my Downloads are stored ;)

    Edit 2: Here are both rules (D:\Downloads\* doesn't exist)

    Capture.JPG
     
  7. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,621
    Location:
    Europe then Asia
    can you post a screen of the expression builder fields?
     
  8. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,621
    Location:
    Europe then Asia
    OK...I had a bug with the save button of the expression builder...the rule works now...
     
  9. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    319
    Location:
    SE Asia
    Here you go

    expression builder.JPG

    Action is of course DENY
     
  10. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,621
    Location:
    Europe then Asia
    Yes, thanks, working now, the save button didn't work when I first tried it...
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,355
    Location:
    U.S.A. (South)
    Exactly the same I added, with success after reading your post reply. ERP's Rules Expression Builder is a very nice piece of work and shows some exotic potential of ERP v4 in being versatile, and opens up some new possibilities for granular control over folder contents too in specialty ways.

    Useful finds and discussion.
     
  12. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    319
    Location:
    SE Asia
    What you also could have done is paste the rule into a blank text file, rename that text file to <whatever you want>.XML and import it from within the Rules tab

    Love the Expression Builder :thumb:
     
  13. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,621
    Location:
    Europe then Asia
    Yep, it is why I call ERP the king of anti-exe. You can build a very precise set of rules.
     
  14. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,621
    Location:
    Europe then Asia
    Indeed, I didn't think about it ^^
     
  15. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,621
    Location:
    Europe then Asia
    OK so I locked execution from all my non-system partitions, deny rules for path: (partition letter):\*
    Better safe than sorry LOL
     
  16. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    319
    Location:
    SE Asia
    Wow, that should work, good idea!
    And it would also be a good idea to do it with the other drive letters (USB sticks etc.)

    I only tested it with 1 dir with a couple of subdirs with subdirs
     
  17. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,621
    Location:
    Europe then Asia
    Yep, it works well.

    Not needed, because in settings you can deny execution from USBs
     
  18. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    319
    Location:
    SE Asia
    Good one, but what about connected network drives ;)

    Edit: I just do A - Z (except C:\)
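The folder and drive-letter deny rules discussed in this thread (the `[Proc.Path LIKE d:\downloads\*]` rule, the per-partition `X:\*` rules and the "A - Z except C:\" variant), as an added worked model of how such LIKE patterns are matched against a process path. This is a constructed example, not ERP's own matching code: it assumes `*` matches any run of characters including directory separators (which is what the subfolder test above observed), `?` matches one character, matching is case-insensitive like NTFS, and the first matching rule wins, with no match falling through to the usual Alert prompt. The rule order, the `Alert` fallback and all sample paths are assumptions.

```python
# Constructed model of ERP-style "Proc.Path LIKE <pattern>" rules; not ERP's own code.
import re
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PathRule:
    pattern: str   # LIKE pattern as written in the rule export, e.g. r"d:\downloads\*"
    action: str    # "Deny" or "Allow"


def like_to_regex(pattern: str) -> re.Pattern:
    """Translate a LIKE pattern (* = any run, ? = one char) to an anchored, case-insensitive regex.

    Assumption: '*' crosses directory separators, so D:\\Downloads\\* also covers subfolders.
    """
    parts = []
    for piece in re.split(r"([*?])", pattern):
        if piece == "*":
            parts.append(".*")
        elif piece == "?":
            parts.append(".")
        else:
            parts.append(re.escape(piece))   # backslashes and dots in the path stay literal
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def evaluate(rules: list[PathRule], proc_path: str) -> str:
    """First matching rule wins (assumed ordering); no match means the usual Alert prompt."""
    for rule in rules:
        if like_to_regex(rule.pattern).match(proc_path):
            return rule.action
    return "Alert"


def drive_lockdown_rules(exclude: tuple[str, ...] = ("C",)) -> list[PathRule]:
    """Deny execution from every drive letter A-Z except the excluded ones (the 'A - Z except C:' idea)."""
    return [PathRule(f"{letter}:\\*", "Deny")
            for letter in string.ascii_uppercase if letter not in exclude]


# The folder rule from the thread followed by the drive-wide lockdown (constructed rule set).
RULES = [PathRule(r"d:\downloads\*", "Deny")] + drive_lockdown_rules()

if __name__ == "__main__":
    for p in [r"D:\Downloads\setup.exe", r"D:\Downloads\sub\deeper\tool.exe",
              r"C:\Windows\notepad.exe", r"Z:\share\tool.exe", r"\\server\share\tool.exe"]:
        print(f"{p:40} -> {evaluate(RULES, p)}")
```

The last sample path is the caveat behind the network-drive question: a mapped drive gets a letter and is caught by the `Z:\*` rule, but a process started straight from a UNC path such as `\\server\share\...` matches none of the drive-letter rules and falls through to the prompt, so a UNC pattern would need a rule of its own.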
     
  19. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,621
    Location:
    Europe then Asia
    Yes, then in that case you should add them too :)
     
  20. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    319
    Location:
    SE Asia
    @novirusthanks

    A whole lot of testing (ACϞDC :)) today to find out why I have that delay when starting apps.

    What I have found out is that when I start my PC, and for about 1-2 hours afterwards, that delay is still present, but after that IT'S GONE! All the apps start immediately!

    So IMHO it has something to do with my PC, BUT FFS WHAT!! as all drivers are up to date, OS is up to date and no MINOR/MAJOR changes!!!!!

    Again, if I find some time, I will re-install Windows, hope that solves it!!
     
    Last edited: Aug 6, 2018
  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    6,587
    Bug: "Copy/Duplicate Selected Rule" => "List index out of bounds" error dialog

    a) After selecting the following rule (or any other rule with "LIKE" in it) and using "Copy/Duplicate Selected Rule"...
    RadarPro_(1).png
    b) ...this error dialog appears:
    RadarPro_(2).png
    c) Now the Expression Builder appears and "Like to" is not there (but can be selected)
    RadarPro_(3).png
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,355
    Location:
    U.S.A. (South)
    Nice catch @mood
    Keep up the nice work
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,277
    Location:
    Mexico
    This in test24:
    1. Disable ERP protection
    2. Update already installed program with its latest installer downloaded from its website.
    3. Enable ERP protection to Alert Mode as usual.
    4. Run updated program.
    5. ERP prompts, I click > Allow | Remember this action.
    6. On Rules tab the new rule shows under Action column: Exclude.
    Question: isn't it supposed to be "Allow" in place of "Exclude"?
     
  24. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    6,587
    This is a "consequence" of this fix:
    Perhaps the fix can be refined and clicking on "Allow" (+"Remember this action") will only create an Exclusion if the Alert Dialog was caused by an Ask Rule (in this case an Exclusion is needed).
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,277
    Location:
    Mexico
    So from now on, if I update the program, hence new executable/new hash, ERP will not prompt or ask anymore (me always on Alert mode)?

    Edit:
    I found the answer. It does keep prompting when a new exe hash is detected.
     
    Last edited: Aug 10, 2018