New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello @SHvFl,

    Thanks for the confirmation. It is always nice, if you are experiencing issues, to know that you are not the only one and that others can confirm. There is nothing worse than trying to track down a system-specific issue that cannot be duplicated by others...
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I lost my HDMI access which I posted in the Windows 10 update thread. Some members seem to think as I do it might just be a driver issue, but it worked all along until this newest update.

    That said, I missed discovering this issue with ERP 4 since I focus solely on security with ERP (and other apps) on Windows 8.1 mostly.

    Nice find BTW.
     
  3. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Rule #1 - Never immediately install a new major update as soon as it's out; always wait at least a week or two until the devs release compatible versions of their software. Something is GUARANTEED to break (likely).
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @puff-m-d @SHvFl

    Thanks for the information and testing.

    We're working on fixing the issue with Windows 10 1809.

    Will provide a new build and more details asap.

    @Floyd 57 @Cutting_Edgetech

    We'll discuss what can be done regarding remembering the "Oldest Parent".
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I wasn't ever able to get the parent/child feature to work. I used the instructions (they were not complete, though) you posted, but it still did not work for me. I will have to go back and find the instructions in this thread that you posted for Firefox. It's pointless to test the feature if I'm not configuring it correctly. I would be wasting my time, and yours.

    Edited: 10/4/18 @ 5:17
    I want to use Parent Child Process Control for Firefox, and I only want Firefox to be allowed to spawn maintenanceservice.exe, plugin-container.exe, updater.exe, and plugin-hang-ui.exe.
    Firefox is installed at C:\Program Files\Mozilla Firefox\firefox.exe, and the child processes are located in the same folder. Please give an example rule for how to do that. This one example will allow me to configure all other applications for Parent Child Control Feature.

    Please be advised that I reformatted my machine this week, and I'm waiting for the next build of ERP to be released before testing again. ERP is not currently installed. I will test the Parent Child Control Feature as soon as the next build is released.
     
    Last edited: Oct 4, 2018
  6. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    @novirusthanks I don't know how this is possible, but GoogleUpdate.exe manages to sneak its way past NVT Exe Radar Pro. I have a rule that denies GoogleUpdate.exe by process name regardless of path, parent process, signer, etc., and I don't have an exclude rule for it. It works as supposed to when I'm starting a new instance of GoogleUpdate.exe, but there's an instance of that process that launches on boot every single time and manages to sneak its way past NVT Exe Radar Pro, I suppose because it starts before NVT Exe Radar Pro's service or something, I don't know. This is 100% reproducible and happens every single time I boot my machine.

    After running Task Manager as soon as possible when my PC boots, I see 2 instances of googleupdate.exe; after about 15 secs one of the instances disappears but the other one remains, seen in this pic: https://i.lensdump.com/i/Agj2rc.png (mods say the picture must not be a hyperlink). I have also set the 2 Google services to Manual and they are not running at the time (Google Update Service gupdate and Google Update Service gupdatem), and I've disabled the network connection for googleupdate.exe with my firewall, simplewall. The googleupdate process continues to run indefinitely, Task Manager shows it as Running, not Suspended, and Memprotect shows it's continually trying to access chrome.exe's memory.
     
  7. guest

    guest Guest

    This is highly likely the case.
    Try to look at the start time of GoogleUpdate.exe to find out if it has really started before RadarPro.exe (until RadarPro.exe is launched, ERP isn't blocking files).
     
  8. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    So essentially everything can sneak by Exe Radar Pro if it starts early enough. That's a very big security hole. Just because googleupdate is the only (unwanted) one that I've seen so far doesn't mean that there can't be more; we're just lucky that the other boot processes are actually needed. But it doesn't change the fact that this needs to be fixed. We can't let malware / unwanted processes sneak by just like that; NVT ERP needs to be the first thing that starts after crucial Windows processes like wininit.

    Also, I used Sysinternals Autoruns to check this, and it seems that the two googleupdate processes come from the Task Scheduler. There are two general tasks called "GoogleUpdateTaskMachineCore" and "GoogleUpdateTaskMachineUA"; the latter was already disabled for me, and now I disabled the former as well. I use KC SUMo for updates, so I don't need a scheduled check for updates; I already do it myself manually.
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Floyd 57

    We'll take a look at that.

    We have identified the issue with W10 1809 update and we'll release a new build in a few days.

    All our other apps that monitor process execution (OSA, Event Monitor Service, Process Logger, etc) are affected.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @novirusthanks-Thanks as always.

    I've been saying this for what seems like many years, but leave it to MS to keep the workflow (adjustments) going strong and to make plenty of work for software vendors a never-ending part of their schedule.
     
  11. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    @novirusthanks If I change the sounds to something else, they are not used and stay standard, even though the newly chosen sound file is written to the options.
     
  12. AtlBo

    AtlBo Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    23
    Location:
    United States
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    So you don't have to select anything in the child process area? It didn't work for me.

    I also couldn't figure it out. I simply want start.exe to have full power to launch any app. Now I will always have to put ERP in alert-mode before I can sandbox apps. It's about convenience.
     
  14. guest

    guest Guest

    Set alert mode > run the thing > go to event logs > select the problematic event > create rule from event and set it as exclude.
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v4.0 (pre-release) test30:
    https://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test30.exe

    *** Please do not share the download link; we will delete it when we release the official v4 ***

    Build 30
    + Fixed: ERP v4 doesn't work on Windows 10 1809
    + Fixed: If the Expression is long, the text in the "Expression" column on the main window is truncated even though the column is wide enough. If you double-click the rule and then Save on the Rule Editor window (without changing anything), the text in the Expression column is no longer truncated.
    + Fixed: When the Alert Dialog fades out on older PCs it is somehow very slow (why not remove the fade-out effect on the Alert Dialog?)
    + Fixed: When ERP is first installed, the first Backup ZIP file is empty (no files inside)
    + Fixed: A folder \RadarPro\ is created in C:\ and C:\Users\<user>\AppData\Roaming\
    + Added: Size column in Bytes to the Backup Manager listview
    + Added: DEL key support for deleting selected archives from the Backup Manager listview
    + Improved: "Allow Known Safe Process Behaviors"
    + Minor fixes and improvements

    @Rasheed187

    Here are the rules I created:

    Code:
    <category>Sandboxie</> <action>Exclude</> <expression>[Parent.Name = C:\Program Files\Sandboxie\Start.exe] [Parent.Signer = Invincea, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Sandboxie</> <action>Exclude</> <expression>[Proc.Name = SbieSvc.exe] [Proc.Signer = Invincea, Inc.] [Proc.Path = C:\Program Files\Sandboxie] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Sandboxie</> <action>Exclude</> <expression>[Proc.Name = Start.exe] [Proc.Signer = Invincea, Inc.] [Proc.Path = C:\Program Files\Sandboxie] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Sandboxie</> <action>Exclude</> <expression>[Proc.Name = SandboxieRpcSs.exe] [Proc.Signer = Invincea, Inc.] [Proc.Path = C:\Program Files\Sandboxie] [Action = Exclude]</> <enabled>1</> <comment></>
    <category>Sandboxie</> <action>Exclude</> <expression>[Proc.Name = SandboxieDcomLaunch.exe] [Proc.Signer = Invincea, Inc.] [Proc.Path = C:\Program Files\Sandboxie] [Action = Exclude]</> <enabled>1</> <comment></>
    
    Here are some events (as you can see Sandboxie's processes are allowed and also notepad.exe that is started from Start.exe):

    Code:
    Date/Time: 2018-10-06 17:30:58.054
    Action:  Allow/Excluded
    PID: 2296
    Process Path: C:\Windows\System32\notepad.exe
    SHA1: 7EB0139D2175739B3CCB0D1110067820BE6ABD29
    Signer:
    Command Line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Dev\Desktop\fghg.txt
    Parent: C:\Program Files\Sandboxie\Start.exe
    Parent SHA1: 8A728729C35C858439D786A82C3CBD5CC0958F10
    Parent Signer: Invincea, Inc.
    Expression: [Parent.Name = C:\Program Files\Sandboxie\Start.exe] [Parent.Signer = Invincea, Inc.] [Action = Exclude]
    Category: Sandboxie Start.exe
    User/Domain: ANONYMOUS LOGON/NT AUTHORITY
    Integrity Level: Untrusted
    System File: True
    
    
    Date/Time: 2018-10-06 17:30:57.960
    Action:  Allow/Excluded
    PID: 3664
    Process Path: C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
    SHA1: BBFF578BCBD00F09627259E6877128E4385448C5
    Signer: Invincea, Inc.
    Command Line: "C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe"
    Parent: C:\Program Files\Sandboxie\SandboxieRpcSs.exe
    Parent SHA1: 311E8F944063542E37A00AE12A70732CF2C98169
    Parent Signer: Invincea, Inc.
    Expression: [Proc.Name = SandboxieDcomLaunch.exe] [Proc.Signer = Invincea, Inc.] [Proc.Path = C:\Program Files\Sandboxie] [Action = Exclude]
    Category: Sandboxie Start.exe
    User/Domain: ANONYMOUS LOGON/NT AUTHORITY
    Integrity Level: Untrusted
    System File: False
    
    
    Date/Time: 2018-10-06 17:30:57.882
    Action:  Allow/Excluded
    PID: 2192
    Process Path: C:\Program Files\Sandboxie\SandboxieRpcSs.exe
    SHA1: 311E8F944063542E37A00AE12A70732CF2C98169
    Signer: Invincea, Inc.
    Command Line: "C:\Program Files\Sandboxie\SandboxieRpcSs.exe"
    Parent: C:\Program Files\Sandboxie\SbieSvc.exe
    Parent SHA1: FFF5D40087480812AD345405187F7FB0FCFB62B3
    Parent Signer: Invincea, Inc.
    Expression: [Proc.Name = SandboxieRpcSs.exe] [Proc.Signer = Invincea, Inc.] [Proc.Path = C:\Program Files\Sandboxie] [Action = Exclude]
    Category: Sandboxie Start.exe
    User/Domain: ANONYMOUS LOGON/NT AUTHORITY
    Integrity Level: Untrusted
    System File: False
    
    
    Date/Time: 2018-10-06 17:30:57.789
    Action:  Allow/Excluded
    PID: 3220
    Process Path: C:\Program Files\Sandboxie\Start.exe
    SHA1: 8A728729C35C858439D786A82C3CBD5CC0958F10
    Signer: Invincea, Inc.
    Command Line: "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Users\Dev\Desktop" /env:=Refresh "C:\Users\Dev\Desktop\fghg.txt"
    Parent: C:\Program Files\Sandboxie\SbieSvc.exe
    Parent SHA1: FFF5D40087480812AD345405187F7FB0FCFB62B3
    Parent Signer: Invincea, Inc.
    Expression: [Proc.Name = Start.exe] [Proc.Signer = Invincea, Inc.] [Proc.Path = C:\Program Files\Sandboxie] [Action = Exclude]
    Category: Sandboxie Start.exe
    User/Domain: ANONYMOUS LOGON/NT AUTHORITY
    Integrity Level: Untrusted
    System File: False
    
    
    Date/Time: 2018-10-06 17:30:54.107
    Action:  Allow/Excluded
    PID: 1020
    Process Path: C:\Program Files\Sandboxie\Start.exe
    SHA1: 8A728729C35C858439D786A82C3CBD5CC0958F10
    Signer: Invincea, Inc.
    Command Line: "C:\Program Files\Sandboxie\Start.exe" /box:__ask__ "C:\Users\Dev\Desktop\fghg.txt"
    Parent: C:\Windows\Explorer.EXE
    Parent SHA1: EA23A45ADB3D8D61CA478DD90E8D956BA32FA786
    Parent Signer:
    Expression: [Proc.Name = Start.exe] [Proc.Signer = Invincea, Inc.] [Proc.Path = C:\Program Files\Sandboxie] [Action = Exclude]
    Category: Sandboxie Start.exe
    User/Domain: Dev/PC
    Integrity Level: Medium
    System File: False
    
    Date/Time: 2018-10-06 17:36:58.903
    Action:  Allow/Excluded
    PID: 1048
    Process Path: C:\Windows\System32\cmd.exe
    SHA1: 4BBBD51DE263B20D9553560F57B6EFF526FCB55E
    Signer:
    Command Line: "C:\Windows\System32\cmd.exe"
    Parent: C:\Program Files\Sandboxie\Start.exe
    Parent SHA1: 8A728729C35C858439D786A82C3CBD5CC0958F10
    Parent Signer: Invincea, Inc.
    Expression: [Parent.Name = C:\Program Files\Sandboxie\Start.exe] [Parent.Signer = Invincea, Inc.] [Action = Exclude]
    Category: Sandboxie Start.exe
    User/Domain: ANONYMOUS LOGON/NT AUTHORITY
    Integrity Level: Untrusted
    System File: True
    
     
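The rules and events above show the two shapes an ERP expression takes: a process rule keyed on Proc.Name, Proc.Signer and Proc.Path, and a parent rule keyed on Parent.Name and Parent.Signer, which (as the notepad.exe and cmd.exe events show) lets any child of Start.exe through, not only Sandboxie's own processes. The Python below is an added example, not code from NoVirusThanks or from EXE Radar Pro: it parses export lines and event records in the layout shown in this post, replays the rules against them, and then applies the same matcher to the Firefox parent/child allow-list asked for in post 5. Assumptions the thread does not confirm: first enabled matching rule wins, comparisons are case-insensitive, the lockdown-mode default is Block, and one expression may combine Parent.* and Proc.* terms. The Firefox rules carry no signer term and the Firefox events are constructed.

```python
# Added example (not NoVirusThanks / ERP code): replay ERP-style rules against
# ERP-style event records under the assumptions stated in the lead-in above.
import re
from pathlib import PureWindowsPath

FIELD_RE = re.compile(r"\[([A-Za-z.]+)\s*=\s*([^\]]*)\]")  # one "[Key = Value]" term
TAG_RE = re.compile(r"<(\w+)>(.*?)</>")                     # "<category>..</>" tags

def parse_expression(expr: str) -> dict:
    """'[Proc.Name = X] [Action = Exclude]' -> {'Proc.Name': 'X', 'Action': 'Exclude', '_expr': ...}"""
    rule = {k.strip(): v.strip() for k, v in FIELD_RE.findall(expr)}
    if "Action" not in rule:
        raise ValueError(f"rule without [Action = ...]: {expr!r}")
    rule["_expr"] = expr.strip()  # original text, kept for reporting
    return rule

def parse_rule_lines(text: str) -> list:
    """Parse the '<category>..</> <expression>..</> <enabled>..</>' export lines."""
    rules = []
    for line in text.splitlines():
        tags = dict(TAG_RE.findall(line))
        if "expression" in tags:
            rule = parse_expression(tags["expression"])
            rule["_enabled"] = tags.get("enabled", "1") == "1"
            rules.append(rule)
    return rules

def parse_events(text: str) -> list:
    """Blank-line separated 'Key: Value' records, as in the ERP event log."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        events.append({k.strip(): v.strip() for k, _, v in pairs})
    return events

def candidates(event: dict, field: str):
    # Event values a rule field is compared against; None for an unknown field.
    proc = PureWindowsPath(event.get("Process Path", ""))
    parent = PureWindowsPath(event.get("Parent", ""))
    return {
        "Proc.Name": [proc.name],
        "Proc.Path": [str(proc.parent)],
        "Proc.Signer": [event.get("Signer", "")],
        "Parent.Name": [parent.name, str(parent)],  # the posted rule uses a full path here
        "Parent.Signer": [event.get("Parent Signer", "")],
    }.get(field)

def rule_matches(rule: dict, event: dict) -> bool:
    """Every term except Action must match; an unknown field fails closed."""
    for field, wanted in rule.items():
        if field.startswith("_") or field == "Action":
            continue
        values = candidates(event, field)
        if values is None or not any(v.lower() == wanted.lower() for v in values):
            return False
    return True

def evaluate(rules: list, event: dict, default: str = "Block"):
    """Return (decision, matched expression or None) for one event."""
    for rule in rules:
        if rule.get("_enabled", True) and rule_matches(rule, event):
            return rule["Action"], rule["_expr"]
    return default, None

# Two of the rules posted above, verbatim.
SANDBOXIE_RULES = parse_rule_lines(r"""
<category>Sandboxie</> <action>Exclude</> <expression>[Parent.Name = C:\Program Files\Sandboxie\Start.exe] [Parent.Signer = Invincea, Inc.] [Action = Exclude]</> <enabled>1</> <comment></>
<category>Sandboxie</> <action>Exclude</> <expression>[Proc.Name = Start.exe] [Proc.Signer = Invincea, Inc.] [Proc.Path = C:\Program Files\Sandboxie] [Action = Exclude]</> <enabled>1</> <comment></>
""")

# Constructed Firefox parent/child allow-list (post 5). Combining Parent.* and
# Proc.* terms in one expression is an assumption about ERP, not confirmed here.
FIREFOX_DIR = r"C:\Program Files\Mozilla Firefox"
FIREFOX_RULES = [parse_expression(rf"[Parent.Name = {FIREFOX_DIR}\firefox.exe] "
                                  rf"[Proc.Name = {child}] [Proc.Path = {FIREFOX_DIR}] [Action = Exclude]")
                 for child in ("maintenanceservice.exe", "plugin-container.exe",
                               "updater.exe", "plugin-hang-ui.exe")]

# One event trimmed from the log above (notepad.exe via Start.exe) plus two
# constructed Firefox events: an allowed child and one the allow-list must block.
EVENTS = parse_events(r"""
PID: 2296
Process Path: C:\Windows\System32\notepad.exe
Parent: C:\Program Files\Sandboxie\Start.exe
Parent Signer: Invincea, Inc.
Expression: [Parent.Name = C:\Program Files\Sandboxie\Start.exe] [Parent.Signer = Invincea, Inc.] [Action = Exclude]

PID: 9001
Process Path: C:\Program Files\Mozilla Firefox\updater.exe
Parent: C:\Program Files\Mozilla Firefox\firefox.exe

PID: 9002
Process Path: C:\Windows\System32\cmd.exe
Parent: C:\Program Files\Mozilla Firefox\firefox.exe
""")

if __name__ == "__main__":
    for event in EVENTS:
        decision, expr = evaluate(SANDBOXIE_RULES + FIREFOX_RULES, event)
        print(f"PID {event['PID']}: {decision}  <- {expr}")
```

Run as-is, the script reports Exclude for notepad.exe (matched by the parent rule, the same expression the ERP log recorded), Exclude for updater.exe under firefox.exe, and Block for cmd.exe under firefox.exe. The matcher fails closed on any field it does not recognise, so a typo in a rule field name cannot silently widen an exclusion; whether ERP itself behaves that way is not something the thread establishes.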
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,819
    Location:
    .
    +1 I want to know too. Can you tell what happened?
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks, is there a way I can import these rules?
     
  18. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Can confirm, close all does not work

    Make a new .xml file, set the encoding to UCS-2 LE BOM (in Notepad++ via the Encoding tab on the menu bar at the top), paste the contents of the rules that NVT gave you (first code snippet), then import.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks guys, I've done it. But I did notice that some processes are still blocked. For example, no problem with Waterfox, but it blocked AppCheck and FastStone Image Viewer, not sure what's going on.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @novirusthanks- Confirmed: now the instant closing of Alert Dialog is effective! Many Thanks for that improvement.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, I hope that you guys can check this out. So add these rules related to Sandboxie, put ERP in Lockdown Mode and run those apps via "Run Sandboxed" and tell me if you will get to see any blocks.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    //Issue: Selecting the newest created zip file with Backup Manager while in Alert Mode. After RadarPro restart, Alert (Protection) Mode switches OFF to Disabled indefinitely.

    Not experienced when selecting zip files above the newest created one.

    //EDIT: Disregard the earlier result. The newest created backup zip file, created after installing this build, "did" exhibit the switching to OFF after restart. I took it on myself to manually DELETE that particular zip file (corrupt maybe?) and now ANY zip file selected reloads WITHOUT shutting OFF the Alert Mode. Let's chalk that find up to Quirky; it can just be dismissed, I assume.


    @novirusthanks- If the user has already selected a zip file from the list, there is no provision to CANCEL. Clicking X disregards a cancellation.
     
    Last edited: Oct 7, 2018
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I turned my computer on today after it had been shut down for about 8 hours. The tray icon did not load. RadarPro.exe and ERPSvc.exe ran, but not the tray icon. After rebooting, the tray icon loaded. It's too early to know if it's reproducible.

    I'm using Windows 10 x64 Pro version 1709, and ERP build 30.
     
  24. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Blue screen (Win7 x64); its roots grow too deep into my system for me.
    Love OSArmor, good enough.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Running like a fine aged wine on this end all across systems. Windows 8-8.1-Windows buggy 10 even :p

    Thank You @novirusthanks :thumb:
     