New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,117
    Hi @Mr.X, does this list stand on its own, or does it supplement your AppGuard protection?
    Really I am asking like this: if you didn't use any other advanced security app, is there something you would add to this list?
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,442
    Location:
    Mexico
    Stands on its own. Nothing handled by AppGuard for vuln proc.
    Nothing to add to this list for the time being until Florian releases a new one.

    Note that this list still has the deprecated processes Florian removes on newer lists. I don't care, I leave them because they could come back in the future, who knows. This list covers, not that sure, Windows 7, 8.1, 10+, so anyone can use it on any Windows version now. I mean it won't hurt to have them all in a Vuln Proc category even if one version does not have some exes and others have.

    My list is not path or hash dependent, as you have already seen. I think ERP could block and alert on any run attempt from any location or file hash.
     
  3. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    299
    Location:
    Europe
    Why are you complaining, NVT dev is doing you a favor by blocking MS Office :D

    Or, you know, any process :isay:
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,510
    Location:
    USA
    LOL, I have to use it for school and work.
    What office suite do you use?
     
  5. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    299
    Location:
    Europe
    School and work LUL, they're overrated anyway

    Recently, like in a long time, I haven't needed to create or edit any office-related stuff, I use google drive for viewing. Get the link of the file, add drive.google.com/viewerng/viewer?url= before it, and voila. For local files, go to drive.google.com, upload your file by either dragging it or by clicking New, and then you can view it. Infinitely more convenient (and secure) than installing bloated MS Office
     
    Last edited: Nov 29, 2018
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,510
    Location:
    USA
    I also use Google Docs from time to time. It really just depends on who i'm corresponding with.
     
  7. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    error nvt exe radar.png
    I got this error after ERP blocked something. The program didn't crash though and everything was fine.
     
  8. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    34
    If I understand correctly, it seems that NVT ERP does not have an "Admin bypass" option similar to what the native Windows SRP has. I wonder if anyone has suggested adding this as a feature to ERP 4.0 as one of the ON/OFF settings?

    Or has this idea already been discussed and abandoned? I tried searching this thread but did not find anything related, and I considered reading through all 298 pages a bit too much of a job... :doubt:
     
  9. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    299
    Location:
    Europe
    If this is the path you want to take... then you can already use the "allow X" options on the back, that should cover like 98% of the "admin" programs (ofc can vary wildly, if you have a folder on your desktop full of unsigned admin-requiring tools, then yeah)
     
  10. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    34
    Ok, that may be the solution... or not, I don't know yet.

    I wonder if there is some documentation available describing what e.g. "Allow known safe process behaviors" or "Allow System Files" exactly mean?

    My point was not focused on allowing specific "admin programs", but instead on allowing "processes with admin privileges" as specified within SRP ("bypass for local administrators"; I guess probably meaning high/system integrity levels).

    I'm not sure what the "Allow X"s mean in ERP - do they allow specific programs to be executed (regardless of who is trying to execute them), or do they allow programs to be run only by local administrators?
     
  11. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    299
    Location:
    Europe
    I'm not sure exactly how it works, you can test it yourself. I don't use any of the "Allow X" stuff, but if I know the dev well, he made it so that the "Allow X" options override the other rules. The known safe process behaviors is just a list of hardcoded rules that the dev continuously updates for common software, to avoid common false positives. Allow system files is likely anything from C:\Windows, or maybe a combination of folders such as C:\Windows\System32, C:\Windows\SysWOW64 etc. Again, you can test this yourself.

    ERP either blocks or allows process execution based on certain criteria (or asks you); "who" is trying to execute them in this case is the parent process (path, hash, signer), but there is no criterion for "parent process integrity level".

    @novirusthanks Ideally, in the future the parent process will also have a name criterion, an integrity level criterion, maybe even a cmdline criterion (what cmdline the parent process was launched with when it was a child process); obviously you can't apply a cmdline criterion to an already running process otherwise.

    And all of the above, as well as more, are the reasons why I use what I like to call "God mode", where all of the "Allow ..." options are unchecked and you decide what to do for each and every process (as long as it starts after ERP's driver) using Alert Mode.
     
    Last edited: Dec 3, 2018
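To see what the "parent process" criteria discussed in the post above actually look like on a live system, here is an added example (not ERP code and not something posted in this thread). It walks a process's parent chain and prints, for each ancestor, the image path, Authenticode signer, command line and token integrity level. It assumes Windows PowerShell 5.1 on Windows 8.1/10; the TokenIL helper class, the Get-ParentChain function and its parameter names are my own.

```powershell
# Added example: report path, signer, command line and integrity level up the parent chain.
# Integrity level is read from the token's mandatory label (S-1-16-<RID>) via P/Invoke.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenIL {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    // Returns the integrity RID: 0x1000 low, 0x2000 medium, 0x3000 high, 0x4000 system; -1 on failure.
    public static int Get(IntPtr process) {
        IntPtr token;
        if (!OpenProcessToken(process, 0x0008 /* TOKEN_QUERY */, out token)) return -1;
        IntPtr buf = IntPtr.Zero;
        try {
            int needed;
            GetTokenInformation(token, 25 /* TokenIntegrityLevel */, IntPtr.Zero, 0, out needed);
            if (needed == 0) return -1;
            buf = Marshal.AllocHGlobal(needed);
            if (!GetTokenInformation(token, 25, buf, needed, out needed)) return -1;
            IntPtr sid = Marshal.ReadIntPtr(buf);                 // TOKEN_MANDATORY_LABEL.Label.Sid
            int count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            return Marshal.ReadInt32(GetSidSubAuthority(sid, count - 1));  // last sub-authority = RID
        } finally {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            CloseHandle(token);
        }
    }
}
'@

function Get-ParentChain {
    param([int]$ProcessId = $PID)   # start from the current shell by default
    $seen = @{}
    $id = $ProcessId
    $prev = $null
    while (-not $seen.ContainsKey($id)) {
        $seen[$id] = $true
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $id"
        if (-not $p) { break }       # the parent has already exited

        # ParentProcessId is only a number: if that PID was reused by a newer process, stop here.
        if ($prev -and $p.CreationDate -and $prev.CreationDate -and $p.CreationDate -gt $prev.CreationDate) {
            Write-Warning "PID $id was reused after the real parent exited; stopping."
            break
        }

        $rid = -1
        try { $rid = [TokenIL]::Get((Get-Process -Id $id -ErrorAction Stop).Handle) } catch { }
        $level = switch ($rid) { 0x1000 {'Low'} 0x2000 {'Medium'} 0x3000 {'High'} 0x4000 {'System'} default {'Unknown'} }

        $signer = 'n/a'
        if ($p.ExecutablePath) {
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "$($sig.Status)" }
        }

        [pscustomobject]@{
            ProcessId   = $id
            Name        = $p.Name
            Path        = $p.ExecutablePath
            Integrity   = $level
            Signer      = $signer
            CommandLine = $p.CommandLine
        }
        $prev = $p
        $id = $p.ParentProcessId
    }
}

Get-ParentChain | Format-List
```

Run it from an elevated prompt to read the token of system processes; without elevation those rows show Integrity = Unknown. The creation-time check matters because WMI keeps reporting a parent PID after the parent is gone, and a rule keyed on the parent would be looking at whatever process reused that PID.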
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,512
    Not everything in C:\Windows\* is allowed if "Allow System Files" is ticked.
    Regarding System Files:
    And "Allow X" options are not overriding all other rules. Ask/Deny rules still have a higher priority.
     
  13. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    299
    Location:
    Europe
    There are so many ways and APIs that "check" if a process is a system one, who knows that the dev is using, we can only hope he has implemented it well (well, I don't have to hope, cuz I don't use that)
     
  14. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    660
    I downloaded the NVT ERP installer from their website, installed it, and while trying to run it came up with the following error. Please see attached. 2018.12.16_14h25m09s_005_.png 2018.12.16_14h24m56s_004_.png 2018.12.16_14h27m24s_001_Error.png
     
  15. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    299
    Location:
    Europe
    Use that link to download the newest ERP 4, much better than 3
     
    Last edited by a moderator: Dec 16, 2018
  16. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    I can only see events from yesterday up to today in the program. But there are log files for almost every day back to november.
    Why aren't they shown in the events tab? It seems like only the last two files are shown.
    I do NOT "delete log files older than 15 days"

    @novirusthanks
    Also, I had to use procmon from sysinternals to find the folder where radarpro.exe writes the logs. There should be a button or notice in the program.
    There are "Allow/Protection Disabled" in the log files even though I have "log only blocked processes" activated.
     
    Last edited: Dec 16, 2018
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,510
    Location:
    USA
    Has Andreas informed anyone when the next build might be released?
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,512
    ERP is only showing events from the "current session".
     
  19. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    Oh that does make sense. Sometimes my computer is a week online. That's why I thought it would show all events.
    A little "Current Session" somewhere would be nice, though. :)

    @novirusthanks A feature request: Something like Lockdown, but it blocks even allowed processes from execution.
     
  20. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,994
    Location:
    Europe then Asia
    No way I adhere to this.
    And for what purpose?
    I want to see your face when you reboot after doing such a thing. Lol.
    That is silly.
     
  21. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    You don't have to use it.
     
  22. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    793
    Won't that mess with your computer?
     
  23. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    I guess not. As long as you start it after boot and not before. (*rolleyes*)
    I mean everything essential is already in memory and running. Also doing this will prevent processes from being forcibly terminated. Because that requires taskkill.exe.
    But maybe this is more of a separate tools job.
     
  24. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,994
    Location:
    Europe then Asia
    So why not just make a rule in ERP that block taskkill?

    I don't know if you are aware that some processes (like rundll32.exe) are executed almost every time you do something, or very frequently.

    ERP has a very powerful command line editor; what you are asking could be done manually by yourself. However, the feature you are asking for may be misused by less techie/aware users and wreak havoc on a system.
    When suggesting features, remember to imagine a noob using it.
     
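Before writing a block rule for a chatty image such as rundll32.exe, it helps to measure how often it really starts and from which parents, as the post above warns. This is an added example, not part of ERP or of the thread, that reads the Security log's process-creation events (4688). It assumes "Audit Process Creation" is enabled, that the shell is elevated (the Security log needs it), and that the "Include command line in process creation events" policy is on if you want command lines; the ParentProcessName field only exists on Windows 10. The function name and parameters are mine.

```powershell
# Added example: count starts of one image per parent over a look-back window from event 4688.
function Get-ProcessStartStats {
    param(
        [string]$Image = 'rundll32.exe',   # image file name to count
        [int]$Hours = 24                   # look-back window in hours
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    $starts = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData fields by name; their positions differ between Windows builds.
        $d = @{}
        foreach ($f in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if ($d.NewProcessName -like "*\$Image") {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $d.ParentProcessName   # null on Windows 8.1 and earlier
                Integrity   = $d.MandatoryLabel      # S-1-16-8192 medium, -12288 high, -16384 system
                CommandLine = $d.CommandLine         # empty unless the cmdline audit policy is on
            }
        }
    }
    [pscustomobject]@{
        Image   = $Image
        Starts  = @($starts).Count
        PerHour = [math]::Round(@($starts).Count / [math]::Max($Hours, 1), 2)
        Parents = $starts | Group-Object Parent | Sort-Object Count -Descending |
                  ForEach-Object { '{0} x {1}' -f $_.Count, $_.Name }
    }
}

Get-ProcessStartStats -Image 'rundll32.exe' -Hours 24
```

If Starts comes back as 0 on a machine that is clearly busy, the audit policy is off rather than the image idle; check it with auditpol /get /subcategory:"Process Creation". The Parents list is the part worth reading before adding a deny rule: a parent that launches the image dozens of times an hour is the one whose rule needs a command-line match rather than a blanket block.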
  25. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    588
    Location:
    Germany
    Because that's not what I'm after. Yes, I know. ERP asks sometimes when I open certain settings from obscure sources. Yes, I should write them down and tell Novirusthanks about them. I did not.

    Thanks, I'll look into it. :)

    It's weird that you consider noobs using ERP. That's so not you. :D
    You can make that argument about windows itself: There's format.exe, diskpart.exe, systemreset.exe... Even noobs know not to mess with certain things. Make a warning pop-up and everything is fine.
     