New Antiexecutable: NoVirusThanks EXE Radar Pro

Discussion in 'other anti-malware software' started by sg09, Jun 3, 2011.

  1. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    NoVirusThanks,
    Does ERP have behavior analysis of suspicious behavior built into its programming? Seems like I read that at your site at some point.

    Thanks.

    Regards,

    Bob
     
  2. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    No.
    It was part of ERP in older versions...
     
  3. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Thanks for the reply, siketa.

    I'm a bit surprised. Wonder why it was dropped? That would seem to be a very useful feature.

    Later...
     
  4. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
I also asked Andreas that, and I think he replied that it was not necessary anymore...or something like that.
     
  5. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
Is it still required to uninstall the old version of ERP first, or can you just overwrite it now?
     
  6. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    An upgrade from 2.7.6 to 2.7.7 will still require uninstallation of the older version.
    But 2.7.7 comes with new integrated Updater so it will be no "issue" any more...
    :)
     
  7. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
But with betas I have to uninstall first? Because I have 2.7.7 b18, and when I check for updates it shows 2.7.6 is available.
     
  8. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    This is only during beta testing....;)
Of course it will warn you about the next 2.7.8 version when it's released, not about the previous 2.7.6.
     
  9. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Ok thanks
     
  10. guest

    guest Guest

I would like to know how the protection offered by ERP compares with a traditional HIPS. My understanding is that ERP only protects against executables, while a traditional HIPS would also protect the memory and the registry, or am I missing something?

Also I would like to know what other security programs I have to install on top of ERP to have the same level of protection as a HIPS.
     
  11. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    True.
HIPS gives you more granular system control AFTER a file is executed.
    ERP prevents execution in the first place (by user decision or autoblock in Lockdown mode).

    MJ Registry Watcher, WinPatrol come first to my mind....
     
  12. guest

    guest Guest

Is there any other way I can get infected without executing a file, so that ERP can do nothing but a HIPS would protect? Or do all the possible attacks start with the execution of a file?

Someone said in another thread that ERP will soon add DLL injection monitoring; is this true? Is there any estimated date?

    Why do you prefer ERP instead of an HIPS?

    Is this bypass fixed already?
    https://www.youtube.com/watch?v=5KXbnIhhODc

    What kind of files is ERP able to handle?
    binary - .exe, .dll, .ocx, .sys etc
    script - .vbs, .js etc
     
    Last edited by a moderator: Jul 10, 2013
  13. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Q1 should be answered by Andreas.
    Q2: I said it....Let's wait and see if Andreas will implement that feature in 2.7.8
    Q3: I prefer it cause it has: not too many popups, Lockdown mode, nice GUI, great support, it is light, etc...
    ;)
     
  14. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Last edited: Jul 13, 2013
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @guest

You can monitor for any file execution by taking care of the processes used to load .dll files (regsvr32.exe and rundll32.exe), .vbs files (wscript.exe), .bat files (cmd.exe), and so on. Plus you can add regsvr32.exe to "Vulnerable Processes" (added by default) and be alerted every time it is executed to load a DLL; you can whitelist trusted command-line strings used to load trusted DLLs and block the rest.

From my own tests ( https://www.wilderssecurity.com/showpost.php?p=2199178&postcount=1686 ), ERP could stop the execution of all payloads dropped by popular exploit kits (such as BlackHole, RedKit, etc.). ERP does not guard the memory, as it is anti-executable software and it is used to block the payload from being executed on the system. EMET is a great companion to mitigate memory-only exploits, as you can read in this recent article: https://blogs.technet.com/b/srd/arc...the-wild-not-for-so-long.aspx?Redirected=true

    And even if the exploit bypassed EMET, ERP would have detected the execution of the payload:

    Regarding the second question:

Yes, a few weeks ago we finished DLL injection monitoring software that works great on both x86 and x64. Now we plan to include this technology in ERP, but the main focus is to keep ERP simple; we need to test and see whether adding it can keep ERP simple to use. Most probably, in a few days I will release here a beta version of the DLL injection monitoring so everyone can test it and report possible issues, and we may discuss the integration into ERP.
     
  16. guest

    guest Guest

    @novirusthanks
Thanks for your answer, it was quite detailed, which I think confused me a little bit. :oops:

The kind of payloads that are automatically executed by the browser, can ERP stop these?

When you say ERP doesn't guard the memory, this means that I can get infected (without EMET); how would the infection happen? (example)

I need to clearly understand what other layers I need to protect and how to get more or less the same protection as with a HIPS.

Have you thought about a feature that scans and shows a rating in the ERP interface of all the processes running and whitelisted, using VirusTotal? Something like Crystal Security and Crystal X https://www.wilderssecurity.com/showthread.php?t=317258
     
  17. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I don't think we will have that in ERP any time soon.
    The goal is to further simplify it, not load it with other functionalities.
    You know the KISS term, right?
     
  18. guest

    guest Guest

Checking a hash on VT doesn't add any load to ERP; the only difference is that you would have a column with something like 28/40, which means that 28 AVs out of 40 detect this as malware, and then you right-click and open in VT if you want to see the details. That's all; you don't even need to upload the file (if it has already been scanned, otherwise unknown), because it uses the hash.

For example, any file can be checked like this; it's like a shortcut to VT:

    -http://www.virustotal.com/file/[HASH]/analysis/-
     
  19. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
Is it possible to have selectable checkboxes to add all these types of files (.vbs, .bat, etc.) for monitoring by the program? (Many of us don't know which processes are launching these files.)

I was hoping ERP could intercept all the little stuff that ScripTrap does.
Not sure if necessary though.
     
  20. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Hmmm....I like your idea.
    Andreas, that would make it more user-friendly....right?
     
  21. syrog

    syrog Registered Member

    Joined:
    Jul 13, 2013
    Posts:
    32
Installed EXE Radar Pro as TRIAL, but when I reboot the computer, ERP asks for an activation code and email. Whatever I do, I cannot bypass the "Software Activation System" message window. Please help.
     
  22. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    1) Where did you download it from?
    2) Have you ever used it before?

    Try to uninstall it, clean your PC with CCleaner and install again.
     
  23. syrog

    syrog Registered Member

    Joined:
    Jul 13, 2013
    Posts:
    32
    1) Downloaded it from: http://downloads.novirusthanks.org/download-erp.php
    2) No, it is the first time installing it.

Actually I use CCleaner regularly and already tried uninstalling and installing again. When the installation finishes, ERP runs normally and I am able to navigate through it. However, when either exiting it or rebooting the computer, it asks for activation.
     
    Last edited: Jul 13, 2013
  24. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Thanks.
    I think dr.Andreas will take over...
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @guest

    See this reply on another thread:
    https://www.wilderssecurity.com/showpost.php?p=2253541&postcount=8

Basically, ERP does not guard the memory, as it is an Anti-Executable; it is focused on monitoring the execution of processes. In short, you need a companion for ERP that can guard the memory, such as EMET (to mitigate memory exploits) or AG (to guard the memory) or SBIE (to isolate web browsers, PDF, Java, etc.), or a mix of these apps, like ERP+EMET+SBIE or ERP+AG+SBIE or ERP+SBIE, etc. I would also recommend NOSCRIPT for FF.

    VirusTotal terms:

    We can't use VT API in ERP for automated queries.

    @syrog

    I sent you a PM.

    @Snoop3

I don't think it would be needed; I mean, by default ERP has all the vulnerable processes monitored, including: cmd.exe (which handles .bat files), wscript.exe/cscript.exe (which handle script execution), regsvr32.exe / rundll32.exe (which handle loading of DLLs). I just wanted to keep ERP simple/easier, and adding this option may be redundant. Monitoring only file extensions is also weak: wscript.exe can be used to load a script that has no extension at all or that has a fake extension, such as script.abc, or regsvr32.exe can be used to load a DLL with a random extension, such as module.$$$ or module.LLD.
     
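The two developer posts above (monitoring the host processes that load DLLs and scripts, whitelisting trusted command lines, and the weakness of extension-only monitoring) can be illustrated with a small model of that decision logic. This is an added example, not ERP's own code; the process list follows the posts, while the trusted command lines, image paths and sample events are constructed for the example.

```python
"""Host-process-based execution control, modelled on the ERP behaviour described
in the thread. Added illustration, not ERP code; all paths, allowlist entries and
sample events are constructed for the example."""
import ntpath

# Host processes the thread says ERP monitors by default ("Vulnerable Processes").
VULNERABLE_PROCESSES = {"cmd.exe", "wscript.exe", "cscript.exe",
                        "regsvr32.exe", "rundll32.exe"}

# Constructed allowlist: exact command lines vetted for a vulnerable host process.
TRUSTED_CMDLINES = {
    r'regsvr32.exe /s "C:\Program Files\ExampleVendor\helper.dll"',
}

# Constructed allowlist of binaries trusted on their own (full image path).
TRUSTED_IMAGES = {r"C:\Windows\System32\notepad.exe"}

# Extensions an extension-only monitor would look for (the weak approach).
SCRIPT_EXTENSIONS = {".vbs", ".js", ".bat", ".dll", ".ocx"}


def extension_only_flags(cmdline: str) -> bool:
    """Weak check: flag only when an argument carries a known script/DLL extension."""
    return any(ntpath.splitext(tok.strip('"'))[1].lower() in SCRIPT_EXTENSIONS
               for tok in cmdline.split())


def decide(image: str, cmdline: str, lockdown: bool = False) -> str:
    """Return 'allow', 'ask' or 'block' for one process-creation event.

    image    - full path of the executable being started (from the creation event)
    cmdline  - its full command line
    lockdown - Lockdown mode: anything not explicitly trusted is blocked, not asked
    """
    name = ntpath.basename(image).lower()
    unknown = "block" if lockdown else "ask"
    if name in VULNERABLE_PROCESSES:
        # Decision is per command line: the host is trusted, what it loads is not.
        return "allow" if cmdline in TRUSTED_CMDLINES else unknown
    return "allow" if image in TRUSTED_IMAGES else unknown


# Constructed events: a script with a fake extension and a DLL with a random one.
FAKE_EXT_SCRIPT = (r"C:\Windows\System32\wscript.exe",
                   r'wscript.exe "C:\Users\bob\Downloads\invoice.abc"')
RANDOM_EXT_DLL = (r"C:\Windows\System32\regsvr32.exe",
                  r'regsvr32.exe /s "C:\Users\bob\AppData\Local\Temp\module.$$$"')

if __name__ == "__main__":
    for image, cmdline in (FAKE_EXT_SCRIPT, RANDOM_EXT_DLL):
        print(f"{cmdline}\n  extension check flags: {extension_only_flags(cmdline)}"
              f"  host-process decision: {decide(image, cmdline)}")
```

Both constructed events slip past the extension check but are still caught by the host-process rule, because the decision is made on wscript.exe/regsvr32.exe and their command lines rather than on the loaded file's name.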