New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,694
    Location:
    Europe then Asia
accounts don't share the settings. Each user uses their own settings.
     
  2. 10sh1

    10sh1 Registered Member

    Joined:
    Feb 25, 2017
    Posts:
    6
    Location:
    Earth
    Hello. Could you please add an option to mass create rules like for example in Microsoft AppLocker where you can scan folder and its subfolders and generate hash based rules for every app it finds there?
     
  3. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,694
    Location:
    Europe then Asia
You can already, by using the rule editor and allowing/excluding the folder.
     
  4. 10sh1

    10sh1 Registered Member

    Joined:
    Feb 25, 2017
    Posts:
    6
    Location:
    Earth
Could you point out where this option is? Because I can't find anything corresponding in Expression Builder on beta32.
    nve_rules.png
     
  5. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,694
    Location:
    Europe then Asia
If my memory is good (I don't have ERP installed at the moment):
select folder in Path with wildcard (i.e. D:\my apps\*) > action: exclude.
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    13,825
    :cautious:
The user is proposing an AppLocker-like feature.
After selecting a folder, for example "C:\Program Files", ERP looks into this folder and its subfolders and adds each single file as a hash-based rule.
     
  7. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,694
    Location:
    Europe then Asia
Yes, he wants the v3 feature, but adding each file that way is pointless unless they are LOLbins.
My method is the one I use when trying to replicate the said v3 feature the easy and fast way.

    ERP is anti-exe not SRP anyway.
     
  8. 10sh1

    10sh1 Registered Member

    Joined:
    Feb 25, 2017
    Posts:
    6
    Location:
    Earth
    Thank you for the clarification, that's exactly what I was asking for.
    Afaik that is a path based rule and I am trying to create a hash or a signer rule.
Well, for me it is definitely not pointless because it can save my time. At present, if I want to add several hash or signer based rules I have to manually open an exe file every time, which is very time consuming. It would help me a lot if there were an option like the one I described above. As for path based rules, there are two reasons why I don't want to use them: first, from time to time I run applications from external media, for example Directory Opus, so I want to be able to run my applications regardless of path changes; second, I don't find path based rules secure.
     
  9. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    476
    Location:
    Europe
Security is in the eye of the beholder. Some people might have 10 security programs on their PC and still feel like the NSA is gonna hack them; others know that malware isn't just going to magically appear on your PC. If you're the only one using your PC, there's nothing to worry about, as long as you trust what programs you're using and what you're running, and keep your OS and programs updated.

In your example, you plug in a USB, you know what's in the USB, you know what programs you're executing, you use anti-exe as kind of a warning thing: if the hash of the exes changes, you'll know. But guess what, that's not gonna happen by itself; the exes won't just magically change to some malicious ones, assuming the rest of your PC is clean, which you should know about.

This will be a useful feature for sure, but it's by no means a mandatory thing in order to be "secure".
     
    Last edited: Feb 24, 2019
  10. 10sh1

    10sh1 Registered Member

    Joined:
    Feb 25, 2017
    Posts:
    6
    Location:
    Earth
It works this way only if you're using removable media on computers that are clean. In my case I am using my flash drive on other people's PCs, and from my past experience file infectors like different variations of Sality can infect executables on a USB drive pretty easily. There are other attack vectors that can utilize the inborn vulnerability of path based rules, which is why, as a rule of thumb, I prefer using hash or signature based rules.
EXE Radar Pro, or any anti-exe software or firewall solution, is not mandatory to stay secure; for example you can always use an air gapped computer. The whole point of using them is that it is easier that way.
     
  11. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    476
    Location:
    Europe
Ok, so what does NVT ERP have to do with this? If you use a flash drive on someone's PC, and they don't have NVT ERP, they won't be able to utilize the rules that you're asking for. What you could do is use some program that checks the hashes of all files on the flash drive, something like https://www.nirsoft.net/utils/hash_my_files.html , then each time you plug in the flash drive, you can use that to make sure the files haven't been modified before you run them, and you'll use a clean txt/html/xml file for comparison by exporting the known-clean hashes and then comparing the resulting exported file with the known-clean one. Of course, this doesn't mean there won't be something like NVT ERP but malicious installed on the other PC, that intercepts API calls and the like, and when you decide to run your exe file on the flash drive it instead decides to run another exe or do shenanigans like snoop on your exe etc. Also the program I linked uses md5/sha1 hashes, which aren't the most secure ones, but I think it'll do the job; if you do a Google search you'll likely find many similar programs. You can use something like text-compare.com to compare the contents of the exported files, or, ironically, compare their hashes.
     
    Last edited: Feb 24, 2019
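The two ideas discussed above, generating one hash-based rule per executable under a folder tree (posts 2 and 6) and exporting known-clean hashes so a flash drive can be re-checked before anything on it is run (post 11), fit in one small tool. The script below is an added example for this thread; it is not NoVirusThanks' code, it does not write ERP's real rule format (the `hash:<sha256>;allow` lines are an invented, illustrative syntax), and the file-extension list is an assumption. It uses SHA-256 rather than the md5/sha1 that post 11 mentions, and reports the three outcomes a file infector or a dropped binary would produce: a modified hash, a new file, or a missing file. The `demo()` function builds a constructed sample tree in a temporary folder so the whole thing runs offline.

```python
"""Build and verify a SHA-256 allowlist ("hash-based rules") for the executables
under a folder tree. Added example for this forum thread, not NoVirusThanks'
code; the rule syntax emitted by make_allow_rules() is made up for illustration."""
import argparse
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions treated as executable content (assumption; extend to taste).
EXEC_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".msi", ".sys"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_folder(root, extensions=EXEC_EXTENSIONS):
    """Walk root and all subfolders; return {relative_path: sha256} for executables.

    Paths are stored relative to root, with forward slashes, so the baseline stays
    valid when a USB drive gets a different drive letter on another PC."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in extensions and p.is_file():
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def make_allow_rules(baseline):
    """One allow rule per hash, in an invented syntax (not ERP's), sorted for stable diffs."""
    return [f"hash:{digest};allow  # {rel}" for rel, digest in sorted(baseline.items())]


def compare_baseline(known_good, current):
    """Diff a known-good baseline against a fresh scan of the same tree."""
    modified = sorted(p for p in known_good if p in current and current[p] != known_good[p])
    new = sorted(p for p in current if p not in known_good)
    missing = sorted(p for p in known_good if p not in current)
    return {"modified": modified, "new": new, "missing": missing}


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed sample tree showing all three outcomes. Returns (baseline, report)."""
    root = Path(tempfile.mkdtemp(prefix="hashrules_"))
    (root / "sub").mkdir()
    (root / "a.exe").write_bytes(b"")              # empty file: well-known SHA-256
    (root / "sub" / "b.dll").write_bytes(b"hello")
    (root / "readme.txt").write_bytes(b"ignored")  # not an executable, not hashed
    baseline = scan_folder(root)
    # Simulate what an infector or dropper would leave behind before the next plug-in.
    (root / "sub" / "b.dll").write_bytes(b"hello, patched")  # modified
    (root / "c.exe").write_bytes(b"new binary")              # new
    (root / "a.exe").unlink()                                # missing
    report = compare_baseline(baseline, scan_folder(root))
    return baseline, report


def main():
    ap = argparse.ArgumentParser(description="SHA-256 allowlist for executables under a folder")
    sub = ap.add_subparsers(dest="cmd", required=True)
    b = sub.add_parser("baseline", help="hash every executable and save the known-clean list")
    b.add_argument("root"), b.add_argument("out")
    v = sub.add_parser("verify", help="re-scan and report modified/new/missing files")
    v.add_argument("root"), v.add_argument("baseline")
    args = ap.parse_args()
    if args.cmd == "baseline":
        base = scan_folder(args.root)
        save_baseline(base, args.out)
        print("\n".join(make_allow_rules(base)))
    else:
        report = compare_baseline(load_baseline(args.baseline), scan_folder(args.root))
        print(json.dumps(report, indent=2))
        raise SystemExit(1 if any(report.values()) else 0)


if __name__ == "__main__":
    main()
```

Usage: `python hashrules.py baseline E:\ clean.json` once on a machine you trust, then `python hashrules.py verify E:\ clean.json` after each plug-in; a non-zero exit code means something changed and nothing on the drive should be run until the report is understood. The baseline file itself should live somewhere the drive cannot overwrite, since a compromised stick could otherwise carry a "refreshed" baseline along with the infected binaries.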
  12. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,694
    Location:
    Europe then Asia
@10sh1 Path-based rules are secure enough, and surely less of a hassle than hash-based ones... do you plan to never update your apps? I don't think so...

    And if you share work files on USBs with other computers, it is not an anti-exe that you need but a sandbox.
     
    Last edited: Feb 24, 2019
  13. 10sh1

    10sh1 Registered Member

    Joined:
    Feb 25, 2017
    Posts:
    6
    Location:
    Earth
    I am not trying to utilize NVT ERP rules on other people's PCs, I just need a hash or a signature check before an application runs in order to block infected executable. That's all.
    Are you implying that hash based rules should be removed from NVT ERP? Sorry but I don't understand your point and I don't find it much of a problem to manually update hash after an application update.
     
  14. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,694
    Location:
    Europe then Asia
No, I meant: why ask for a feature to avoid adding hashes one by one, when you have to do the same to update the said hashes?
     
  15. 10sh1

    10sh1 Registered Member

    Joined:
    Feb 25, 2017
    Posts:
    6
    Location:
    Earth
Updating rules for one or two applications once in half a year is not the same as adding a bulk of 30-40 applications at a time; you can also use signature based rules if you update your apps frequently. ;)
It also would be great if you could add a more granular approach to the creation of signature based rules, where it is possible to limit the rule to the specified version of the file, product name and publisher, or to limit the rule to the specified product name and publisher etc., like it is shown on the screenshot of AppLocker below.
    Signer_rules.gif
     
  16. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    353
    Location:
    Canada
I've finally installed V4 to try out - looks good - just have a few minor comments/questions...

- the default Trusted Vendor list is pretty huge - I deleted these and used the scan function
- the 'add trusted vendor' button on the V3 alerts is gone? Did anyone else use this?
- temporarily changing modes is gone for some of the options - e.g. "Protection modes - Allow mode - enable for xx minutes". I usually select this for app installs - I find 'install mode' often fails to disable ERP enough to enable the install... and I forget to change the setting back.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,284
    Location:
    U.S.A. (South)
@novirusthanks - What are the chances of dressing up the Alert Box a little more, in some manner that makes it stand out a bit stronger than it does now?

    On a different note it might not come as any surprise but v4 to date so far is still proved above board effectively accurate.

    My setup gives ERP work to do each reboot/startup with as starters by way of a carefully crafted WiFi script which taps into both a CMD/VBS file combo where in series initiates Microsoft's Virtual WiFi Network with the least possible effort on the end user's side. ERP v4 rules settings offers protection by still alerting to the CMD (both times) without any necessity of assigning them by Allow Rules. Alert Rules is proven adequately sufficient despite the fact a manual Install action is the requirement I chose to apply to this procedure.

Keep up the great work and development. Should anything raise serious concern or present an opportunity to bring some attention to, rest assured I'll pass that up the chain for you, of possible interest in better refining this fine piece of work.

    Thanks-EASTER
     
  18. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,338
    I have seen this frustrating issue, too. I wish I could nail it down what the exact problem is, then it would be easier to fix.
     
  19. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    110
    Location:
    Brooklyn, NY
    I'm having a problem re-establishing ERP on here. It installs but as soon as I hit "Finish" there's an error box. It is logged in Event Viewer as Event 1000 Application error. I wrote to support@novirusthanks.org but that was some days ago. I see similar events happened a few months ago, but nothing recently. Windows 10 17763.529 with Windows Defender and OSArmor/Sandboxie.

    exe runtime error.PNG
    erp error.PNG
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,525
    Location:
    Mexico
    ERP is still buggy as hell.
     
  21. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    663
    It was last updated over 4 years ago.
     
  22. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,694
    Location:
    Europe then Asia
The official stable, yes; the beta is way more recent and quite stable (to me).
     
  23. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,794
    Location:
    Canada
On my side too, the beta has been quite stable on two different PCs.
     
  24. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,694
    Location:
    Europe then Asia
@novirusthanks ERP v4 test32 is buggy on my 1903; observed behaviors are:

- restart hanging
- when importing a backup zip file, exiting and restarting ERP, ERP's GUI won't load instantly and rather lags, then crashes.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,643
    Location:
    The Netherlands
    Which version are you talking about? I have no problems on my Win 8 system. The thing that does bug me is that there is still no strict parent-child process control. I would like to add explorer.exe and svchost.exe to my vulnerable process list, but this isn't possible.
     