New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. guest

    guest Guest

    @novirusthanks
    a) If the user has preserved months of logfiles because "Delete .log files older than 15 days" is unticked and is now logging into a newly created user account, months of logfiles will be deleted, which might not be a desired outcome.
    (After unticking the option, "deleteOldLogFiles":false is saved into the file RadarPro.conf. But after logging into a new user account there is no file RadarPro.conf yet; ERP creates it and sets "deleteOldLogFiles" to true [= files older than 15 days will be deleted].)
    This could be mitigated if the option were not ticked by default.
    b)
    It would be nice if it could be done for the list of exported signers too (there might be Signers with Unicode characters, and the exported file needs to be in Unicode or else those characters will be lost).
     
  2. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Have you experienced slowdowns with OSArmor? I'm curious cuz I haven't, not even the slightest, absolutely unnoticeable, and I can notice 15 ping difference in video games so even the slightest of performance eating program that delays my programs/browsing by even the slightest of delays is usually noticeable by me. My PC is quite high-end so idk, what computer were you using at the time?

    Correct, I was just saying he can use OSArmor in the meantime :thumb:

    Yes, usually when I say "you" I may mean either you, or everyone reading this, or everyone reading this that matches a certain criteria, such as not having OSArmor AND having an issue about that USB thing, the best way for you to know which context I am using it in is to think which context it is best used in and then you might "hit" the right meaning, cuz the way I speak I say a lot of weird things so sometimes people may not pick up what I'm saying

    Ofc I noticed your signature, I see EVERYTHING, my eyes are like an EAGLE'S! NO, they're like a MANTIS SHRIMP'S!! Interesting read: https://phys.org/news/2013-09-mantis-shrimp-world-eyesbut.html

    @novirusthanks Also it would be nice if it's written which version of NVT ERP we are using, such as 4.27 instead of 4.0 Beta, just in case someone forgets or something, not sure if this has already been suggested
     
  3. guest

    guest Guest

    +1 on this.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Funny @mood that you would mention this. But it is right up the same alley here. I ran into that on an earlier beta; however, I have been manually peeling off months of the logs of session days on occasion to preserve them in a storage folder for review again later if needed for comparison or what have you, in the event that they get deleted and lost.

    Sharp eye there once again :thumb:
     
  5. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,089
    Hi @ Wilders

    Two points:

    Using latest Version 4 NVT EXE Test 27

    1) I don't seem to be able to export the rules. I can create an XML file, but when my browser opens it, it just shows the heading Vulnerable Processes - nothing else.

    Has anyone else come across this, or can anyone explain what I am doing wrong?

    2) When I use PrivaZer, NVT ERP throws up a lot of alerts related to a number of vulnerable processes, i.e. cmd.exe, xcopy.exe and more. At this level of alerts NVT is not user friendly. So the question I want to ask is: how do I resolve this problem? Is it by running in Allow mode or Learning mode, or something else?

    Thanks

    Terry
     
  6. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Welcome, you've come to the right place!

    Let's troubleshoot this, so you click Export, pick your destination, on both Actions and Categories "All" is selected, right? Have you tried opening the resulting .xml file with a text editor like notepad?

    When you go to settings, which of the "Allow x stuff" checkboxes have you checked? Can you be more specific about the alerts you're getting? Like, can you make a quick screenshot of the alert windows or something? It's hard to say just like that.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    I can address concern 2) as to my own procedure. PrivaZer is one of a routine set of programs I also use and yes it raises alerts in ERP as expected. My choice selection is Protection Modes->Protection Disabled->30 Minutes or you can go the indefinite route, either way ERP affords those options and more.
     
  8. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,089
    Hi Floyd 57 & Easter

    Thank you to both of you for great help.

    1) No, I never thought of opening an XML file in an editor; I thought I needed to use a browser to open XML files. You learn something every day. Yes, I checked with Notepad and the rules are saved, in any of the combinations. So thanks, Floyd57.

    2) To Easter your method says that I am on the right track and that there isn't a high flying way to put rules in place, so thank you again I shall follow your lead.

    Thanks

    Terry
     
  9. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    I'd disagree, but I can't tell you more without knowing what kind of alerts you're getting. My NVT EXE Radar Pro config has all of the "Allow X stuff" unchecked in the settings and I've customized everything to my taste, I'm sure you can do the same if you want
     
  10. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,089
    Hi Floyd 57

    First, I am not an expert. Second, I am not really knowledgeable. So my pace of learning will inevitably be slow and tentative. Remember, there is no manual for this product.

    There were really a lot of alerts, but when I run Privazer again I will upload a few to show you. The settings were ticked as out of the box. In other words I have not touched the settings.

    Thanks again.

    Terry
     
  11. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Working great. Win7 64.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    ERP v4 is so very configurable that you almost certainly can catch those alerts and make rules for them when they are too much.

    I was simply sharing (as mentioned) my own local practice-preference when I use PrivaZer, which is nearly every 2 days. The cleaning app is so thorough that I allow it to run fully and complete without applying ERP rules, since it's a simple click off, click back on that serves on this end.
     
  13. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,089
    Hi Easter

    That's my thinking too. Unless the rule making becomes more intuitive.

    Thanks

    terry
     
  14. guest

    guest Guest

    These are vulnerable processes, and you will see the alert dialog if such processes are launched.
    But these alerts will go away if there are appropriate Exclude rules.

    One way is to switch to Learning Mode before you launch PrivaZer. ERP then creates Exclude rules as vulnerable processes are launched.
    After switching back to Alert Mode you should now get fewer prompts.
    If that still does not reduce the prompts, working with wildcards might be needed (especially in the Command Line field).

    Or disable the protection temporarily before launching PrivaZer.
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,257
    Location:
    .
    I do the same for CCleaner :geek:
     
  16. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe

    In that case I'd recommend to stick to what EASTER said, it'll be better for you :)
     
  17. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    I mentioned this many times long ago. And got NO real answer; just search the ERP and PrivaZer threads.
    They are not compatible. Never will be. Have to turn OFF (disable) ERP, or remove PrivaZer. Only solution!
    Learning mode does nothing!
    Rather give up PrivaZer than ERP!
     
  18. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Well, if you WANT to do it, you have the AMBITION to do it, then NOTHING IS IMPOSSIBLE!!! This makes no exception! So if you TRULY want to do this, we can figure something out ;)
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    This is why I suggest and always simply disable ERP temporarily and let PrivaZer run its runs and be done. Then flip the switch back on for ERP again. It's been a while back, but PrivaZer got stopped so often on Clean Up that I decided to just put ERP in neutral every time it's PrivaZer time. Simple :)
     
  20. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    That is a work-around, not a solution. :)
    Don't like to disable ERP.
     
    Last edited: Sep 7, 2018
  21. BananaMoe

    BananaMoe Registered Member

    Joined:
    Sep 8, 2018
    Posts:
    6
    Location:
    Universe
    I'm coming straight from 3.1 and am testing the new version. Like it a lot so far. Here are a couple of issues I found though:
    • inconsistent wording: the Alert Dialog says "Block", but the action is called "Deny"
    • once I set "Exclude from Notification" in the Notification Dialog, there seems to be no way of undoing that > make setting in RuleEditor?
    • "Exlude from Notification" persists even when I deleted the according rule and recreated it
    • When creating a custom rule from the alert dialog it may be nice to have a button "Apply Rule(s)" next to Apply and Block - but this may clutter the UI a little
    • When creating a custom rule from the alert dialog it would be nicer to have the "Rule Editor" and "Expression Builder" on the same page instead of two dialogs (saves a mouse-click)
    • "Expression Builder" have an option for parent process to look up the whole hierarchy and not just the direct parent (e.g. "recursive mode")
    • When I have a password set and use the "tray menu -> Protection Modes -> Protection Disabled" I get a password-prompt before seeing the options. After I entered the password, I still don't see the options. The dialog should only appear after I clicked one of the options and not hovered over the dropdown
    • If I read the pages correctly the order of rules may be important (e.g. exclude before ask). Is there a way to change the order of the rules in the UI?
    That's it for now. Great product, thanks a lot!
     
  22. guest

    guest Guest

    There is no one-click solution for this "issue".
    But in general the user needs to review the Exclude rules and place wildcards in the right places, and the alerts will go away.
     
  23. guest

    guest Guest

    Exactly.
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @TerryWood

    I will add internal rules to "Allow Safe Behaviors" to handle PrivaZer alerts.

    Meanwhile I wrote a few rules that you can add to ERPv4 (copy them to a new .XML file using Notepad and import that XML file into ERP via Rules->Import):

    * Rules below are for PrivaZer on x64 OS

    Option 1: Allow all processes started from Parent.Signer = Goversoft LLC and handle the remaining alerts of vulnerable processes:

    Code:
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Parent.Signer = Goversoft LLC] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = cacls.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine = cacls  "C:\System Volume Information\Chkdsk" /E /G Dev:F] [Parent.Name = C:\Windows\SysWOW64\cmd.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = cacls.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine = cacls  "C:\System Volume Information\Chkdsk" /E /R Dev] [Parent.Name = C:\Windows\SysWOW64\cmd.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = WMIC.exe] [Proc.Path = C:\Windows\SysWOW64\wbem] [Proc.CmdLine LIKE wmic.exe   process where caption="*.exe" get Processid, commandline] [Parent.Name = C:\Windows\SysWOW64\cmd.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = ipconfig.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine = ipconfig  /displayDNS] [Parent.Name = C:\Windows\SysWOW64\cmd.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = ipconfig.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine = ipconfig  /flushdns] [Parent.Name = C:\Windows\SysWOW64\cmd.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    
    Option 2: Every execution has its own rule (higher number of rules needed):

    * Note that I match parent process of PrivaZer with: Parent.Name LIKE *PrivaZer*.exe
    * You could change it to match the signer (safer): Parent.Signer = Goversoft LLC

    Code:
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine = "C:\Windows\System32\cmd.exe" /A /C cacls "C:\System Volume Information\Chkdsk" /E /G Dev:F] [Parent.Name LIKE *PrivaZer*.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = cacls.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine = cacls  "C:\System Volume Information\Chkdsk" /E /G Dev:F] [Parent.Name = C:\Windows\SysWOW64\cmd.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine = "C:\Windows\System32\cmd.exe" /A /C cacls "C:\System Volume Information\Chkdsk" /E /R Dev] [Parent.Name LIKE *PrivaZer*.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = cacls.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine = cacls  "C:\System Volume Information\Chkdsk" /E /R Dev] [Parent.Name = C:\Windows\SysWOW64\cmd.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine = "C:\Windows\System32\cmd.exe" /A /C ipconfig /displayDNS >"*\Temp\*"] [Parent.Name LIKE *PrivaZer*.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = WMIC.exe] [Proc.Path = C:\Windows\System32\wbem] [Proc.CmdLine = wmic /Output:stdout shadowstorage list FULL] [Parent.Name LIKE *PrivaZer*.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine LIKE "C:\Windows\System32\cmd.exe" /A /C wmic.exe  process where caption="*.exe" get Processid, commandline >"*\Temp\*"] [Parent.Name LIKE *PrivaZer*.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine = "C:\Windows\System32\cmd.exe" /A /C ipconfig /flushdns] [Parent.Name LIKE *PrivaZer*.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = WMIC.exe] [Proc.Path = C:\Windows\SysWOW64\wbem] [Proc.CmdLine LIKE wmic.exe   process where caption="*.exe" get Processid, commandline] [Parent.Name = C:\Windows\SysWOW64\cmd.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = ipconfig.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine = ipconfig  /displayDNS] [Parent.Name = C:\Windows\SysWOW64\cmd.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = ipconfig.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine = ipconfig  /flushdns] [Parent.Name = C:\Windows\SysWOW64\cmd.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine = "C:\Windows\System32\cmd.exe" /A /C powercfg -h off] [Parent.Name LIKE *PrivaZer*.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine = "C:\Windows\System32\cmd.exe" /A /C powercfg -h on] [Parent.Name LIKE *PrivaZer*.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine LIKE "C:\Windows\System32\cmd.exe" /c rmdir /q /s "*\Temp\*"] [Parent.Name LIKE *PrivaZer*.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = regedit.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine LIKE regedit.exe /s "*\Temp\*clean.reg"] [Parent.Name LIKE *PrivaZer*.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = regedit.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine LIKE regedit.exe /s "*\*clean.reg"] [Parent.Name LIKE *PrivaZer*.exe] [Action = Exclude]</> <enabled>1</> <comment></>
    
    * I would personally recommend that you use Option 1

    @Mr.X

    You can share the alerts you get here so we can help with writing specific exclusion rules and I can add them to internal whitelist rules.

    @mood

    Reported issues will be fixed asap.

    @Floyd 57

    Thanks for the good feedback =)

    The test build can be viewed in the Changelog.txt file; probably I'll add a main menu with something like File->Open Changelog, as is present in all our other apps.

    But we can see if we can add it to the GUI on each release.

    @SHvFl

    We'll discuss it and probably add it in the next build.
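An added example (not ERP's code and not from the developer's post): a small Python model of how rule lines in the export format shown above are matched, illustrating why the exact-command-line rule misses a one-space variation and why the wildcard form suggested earlier in the thread covers it. The matching semantics (first enabled matching rule wins, "=" is an exact case-insensitive comparison, LIKE treats "*" as a wildcard, an unmatched vulnerable process alerts) and the process events are assumptions constructed for the example.

```python
import re

# Added example, not ERP's own code: a toy model of how rule lines in the
# developer's export format are matched. Assumed semantics (not verified
# against ERP): first enabled rule whose terms all hold decides; "=" compares
# the whole value case-insensitively; LIKE treats "*" as "any characters";
# an event no rule matches gets the alert dialog for vulnerable processes.
TAG = re.compile(r"<(\w+)>(.*?)</>")
TERM = re.compile(r"\[(\S+)\s+(=|LIKE)\s+(.*?)\]")

RULES_XML = [
    # Option 1 from the post: trust whatever PrivaZer itself starts.
    r"<category>PrivaZer (x64)</> <action>Exclude</> <expression>[Parent.Signer = Goversoft LLC] [Action = Exclude]</> <enabled>1</> <comment></>",
    # Exact command line from the post (note the two spaces after ipconfig).
    r"<category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = ipconfig.exe] [Proc.Path = C:\Windows\SysWOW64] [Proc.CmdLine = ipconfig  /flushdns] [Parent.Name = C:\Windows\SysWOW64\cmd.exe] [Action = Exclude]</> <enabled>1</> <comment></>",
    # Constructed wildcard variant, the kind of rule suggested in the thread.
    r"<category>PrivaZer (x64)</> <action>Exclude</> <expression>[Proc.Name = ipconfig.exe] [Proc.CmdLine LIKE ipconfig*/flushdns] [Parent.Name = C:\Windows\SysWOW64\cmd.exe] [Action = Exclude]</> <enabled>1</> <comment></>",
]

def parse_rule(line):
    fields = dict(TAG.findall(line))
    # "[Action = ...]" inside the expression only echoes <action>; drop it.
    terms = [(f, op, v.strip()) for f, op, v in TERM.findall(fields["expression"])
             if f != "Action"]
    return {"action": fields["action"],
            "enabled": fields.get("enabled") == "1", "terms": terms}

def like(pattern, value):
    # Only "*" is a wildcard; every other character is matched literally.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def term_holds(term, event):
    field, op, pattern = term
    value = event.get(field, "")
    return value.lower() == pattern.lower() if op == "=" else like(pattern, value)

def decide(event, rules):
    for rule in rules:
        if rule["enabled"] and all(term_holds(t, event) for t in rule["terms"]):
            return rule["action"]
    return "Alert"  # assumed default for an unmatched vulnerable process

RULES = [parse_rule(line) for line in RULES_XML]

# Constructed process events shaped like the fields the rules refer to.
FLUSH_TWO_SPACES = {"Proc.Name": "ipconfig.exe", "Proc.Path": r"C:\Windows\SysWOW64",
                    "Proc.CmdLine": "ipconfig  /flushdns",
                    "Parent.Name": r"C:\Windows\SysWOW64\cmd.exe"}
FLUSH_ONE_SPACE = dict(FLUSH_TWO_SPACES, **{"Proc.CmdLine": "ipconfig /flushdns"})
CMD_FROM_PRIVAZER = {"Proc.Name": "cmd.exe", "Proc.Path": r"C:\Windows\SysWOW64",
                     "Proc.CmdLine": r'"C:\Windows\System32\cmd.exe" /A /C ipconfig /flushdns',
                     "Parent.Name": r"C:\Program Files\PrivaZer\PrivaZer.exe",  # constructed
                     "Parent.Signer": "Goversoft LLC"}

if __name__ == "__main__":
    print(decide(CMD_FROM_PRIVAZER, RULES))     # Exclude: Option 1 signer rule
    print(decide(FLUSH_ONE_SPACE, RULES[:2]))   # Alert: one space breaks "="
    print(decide(FLUSH_ONE_SPACE, RULES))       # Exclude: the LIKE rule covers it
```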
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Are you sure? Perhaps other people can confirm that when you restart ERP, all hidden columns appear again. In the screenshots you can see which columns I like to keep visible.
     
