NoVirusThanks

From NoVirusThanks
Verified
Developer
Here is the first public beta of ERP v4.0 (pre-release) test 1:
http://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test1.exe

[screenshot: exeradarpro.png]


*** Please do not share the download link, we will delete it when we release the official v4.0 ***

This is the changelog so far (summarized):

+ Redesigned the application from scratch
+ Kernel drivers are co-signed by MS
+ Allows enabling\disabling\searching\sorting\categorizing rules
+ Simplified the user interface
+ More detailed events that show also the triggered rule
+ Create rules grouping process fields (name, signer, cmdline, parent, etc.)
+ Allow matching parent process AND child process
+ Support wildcard (? and * character) on each process field
+ Improved support for Limited User Accounts and Fast User Switching
+ Self-protection against process termination is auto-enabled
+ Only Task Manager is allowed to terminate the program
+ Improved support for Windows 10

How to handle Vulnerable Processes?
I create a new category in Rules, named something like "Vulnerable Processes", and I add there all system processes commonly hijacked and misused by malware, for example cmd.exe, powershell.exe, rundll32.exe, etc. I set the Action = Ask to be always notified when they are executed. Other system processes like vssadmin.exe, reg.exe, regini.exe, etc., I prefer to set Action = Deny to automatically block them (I don't need them). As you can see from the screenshot below, I also added the SysWOW64 versions (I'm on a 64-bit OS). To allow a vulnerable process I just create a new rule matching the process, the parent process (can be useful) and the command-line string. In some safe cases, I just match the parent process and the child (vulnerable) process, i.e. C:\Program Files\Safe\Process.exe (parent) -> C:\WINDOWS\System32\cmd.exe (child), without matching the command-line.

[screenshot: vuln-processes.png]


*** Probably you may avoid matching the SHA1 hash of vulnerable processes, because let's say a malware copies cmd.exe to the Temp folder; then when it is executed you would get an Alert Dialog because it is no longer a system process but is considered an unknown process. Moreover, the ones I added are not even digitally signed by MS. ***

[screenshot: test1.png]


I exported my list of vulnerable processes (made quickly, you may add some more):
http://downloads.novirusthanks.org/files/VulnerableProcesses_Rules.csv

Just click on "Rules" -> "Import" and select this CSV file to import them.

Now that rules can be categorized you can just create new categories and put your custom rules there. One important thing: if you create a rule to allow all processes on C:\WINDOWS\* then it takes precedence over the Action = Ask, so all processes in C:\WINDOWS\* will be allowed (also processes with Action = Ask).

This first public beta should be pretty stable and you should familiarize yourself with it easily; it has a simple interface to create and manage rules and to check events. The settings tab has a few important and simple options. The self-protection against process termination is enabled by default and can't be changed via the settings (it is not present there as an option). Only Task Manager can terminate EXE Radar Pro processes.

Let me know your feedback guys :)
 
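Editor's note: the post above describes rule matching per process field with ? and * wildcards, parent -> child rules that skip the command line, Ask/Deny categories for vulnerable processes, and a broad Allow on C:\WINDOWS\* taking precedence over Ask. The Python below is an added model of those semantics written for this page; it is not ERP's own code, the CSV format is not modelled, and the evaluation order Allow, then Deny, then Ask is an assumption (the thread only establishes that the broad Allow wins over the vulnerable-process rules). All paths and events are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


def wildcard_match(pattern: str, value: str) -> bool:
    """Match a process field with ? (one character) and * (any run),
    case-insensitively. An empty pattern means the rule does not match
    on that field. Assumed semantics, modelled on the post's description."""
    if pattern == "":
        return True
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


@dataclass
class ProcessEvent:
    process: str          # full path of the executed (child) process
    parent: str           # full path of the parent process
    cmdline: str = ""
    signer: str = ""


@dataclass
class Rule:
    name: str
    category: str
    action: str           # "Allow", "Ask" or "Deny"
    process: str = ""
    parent: str = ""
    cmdline: str = ""
    signer: str = ""
    enabled: bool = True

    def matches(self, ev: ProcessEvent) -> bool:
        fields = ((self.process, ev.process), (self.parent, ev.parent),
                  (self.cmdline, ev.cmdline), (self.signer, ev.signer))
        return self.enabled and all(wildcard_match(p, v) for p, v in fields)


# Assumed precedence: the post says an Allow on C:\WINDOWS\* beats Ask, and the
# later warning in the thread implies it beats the whole vulnerable-process
# category, so Allow is evaluated first, then Deny, then Ask.
PRECEDENCE = ("Allow", "Deny", "Ask")


def decide(rules, ev: ProcessEvent) -> Tuple[str, Optional[str]]:
    """Return (action, name of the triggered rule). With no matching rule the
    process is unknown and the user is asked."""
    for action in PRECEDENCE:
        for r in rules:
            if r.action == action and r.matches(ev):
                return action, r.name
    return "Ask", None


def vulnerable_process_rules():
    """The 'Vulnerable Processes' category from the post (System32 and SysWOW64)
    plus one parent -> child Allow that does not match the command line."""
    rules = []
    for d in (r"C:\WINDOWS\System32", r"C:\WINDOWS\SysWOW64"):
        for exe in ("cmd.exe", "powershell.exe", "rundll32.exe"):
            rules.append(Rule(f"Ask {exe}", "Vulnerable Processes", "Ask",
                              process=d + "\\" + exe))
        for exe in ("vssadmin.exe", "reg.exe", "regini.exe"):
            rules.append(Rule(f"Deny {exe}", "Vulnerable Processes", "Deny",
                              process=d + "\\" + exe))
    rules.append(Rule("Safe app may run cmd", "Allowed parents", "Allow",
                      process=r"C:\WINDOWS\System32\cmd.exe",
                      parent=r"C:\Program Files\Safe\Process.exe"))
    return rules


def demo():
    """Constructed events; returns decisions before and after adding the broad
    'allow everything under C:\\WINDOWS' rule discussed in the thread."""
    events = {
        "cmd from Explorer": ProcessEvent(r"C:\WINDOWS\System32\cmd.exe",
                                          r"C:\WINDOWS\explorer.exe"),
        "cmd from safe app": ProcessEvent(r"C:\WINDOWS\System32\cmd.exe",
                                          r"C:\Program Files\Safe\Process.exe",
                                          cmdline="/c build.bat"),
        "vssadmin": ProcessEvent(r"C:\WINDOWS\System32\vssadmin.exe",
                                 r"C:\WINDOWS\System32\cmd.exe"),
        # cmd.exe copied out of System32: no path rule matches, so it is unknown
        "copied cmd in Temp": ProcessEvent(r"C:\Users\Bob\AppData\Local\Temp\cmd.exe",
                                           r"C:\Users\Bob\Downloads\setup.exe"),
    }
    rules = vulnerable_process_rules()
    before = {k: decide(rules, ev) for k, ev in events.items()}
    broad = rules + [Rule("Allow all of Windows", "Whitelist", "Allow",
                          process=r"C:\WINDOWS\*")]
    after = {k: decide(broad, ev) for k, ev in events.items()}
    return before, after


if __name__ == "__main__":
    for label, result in zip(("without", "with"), demo()):
        print(f"{label} the C:\\WINDOWS\\* Allow rule:")
        for name, (action, rule) in result.items():
            print(f"  {name:20} -> {action:5} ({rule or 'no rule, unknown process'})")
```

Running it shows the two points the post makes: the parent -> child Allow lets the safe application start cmd.exe without a prompt while cmd.exe started from elsewhere still asks, and a copy of cmd.exe in Temp matches no path rule, so it is treated as an unknown process rather than silently allowed. The second half shows the pitfall raised later in the thread: once a C:\WINDOWS\* Allow exists, both the Ask and the Deny entries in the vulnerable-process category stop firing.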

Telos

Level 16
Verified
Content Creator
When I go to import the csv, the main window stays on top of the file selection window, making the import a bit unwieldy.

[screenshot: 2018-02-28_21h45_28.png]

EDIT1: After a reboot the import window behavior was normal (not hidden behind the app window). I don't know if this is due to a fresh install, or some quirk with my system. I'll do a clean reinstall and see what happens.

EDIT2: After a clean reinstall, the import window appeared unhindered as intended. My original observation must have been due to a system anomaly.
 

Deleted member 178

Umbra, how is it? Does it work smoothly? Bugs were fixed?
Now, it works well on both admin & SUA; that was the major issue in the private beta.

Also, I have a question for all of you. What is the opinion on whether you need UAC while running an Anti-exe?
To me, I always enable UAC at max (with password) even on my admin account.

Yay! Like @Umbra says, time to dig out Appguard and NVT ERP. :D
One of my machines has ERP + Appguard + OSA.
I think you can't beat it.
 

AMD1

Level 4
Verified
As usual, stuck at the first hurdle !

I have created a new category "Whitelist C:\WINDOWS\* " and I want to allow all processes (like version 3, whereby you browsed to the Windows folder and it auto-imported them all), but I need a little bit of help to set up this rule. Once I know how to do this I should be able to add my Program Files (x86) folder without assistance, hopefully!!
 

Deleted member 178

As usual, stuck at the first hurdle !

I have created a new category "Whitelist C:\WINDOWS\* " and I want to allow all processes (like version 3 whereby you browsed to the windows folder and it auto-imported them all)
I used to do that in v3 too (I miss this option, honestly), but now I just ticked all the "allow" settings (except Allow All Signed Processes) and set ERP to Lockdown Mode.
If some processes are blocked, I switch to Alert Mode, relaunch and allow them, then switch back to Lockdown.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
A few questions:

a) What do you think about these possible improvements for the Alert Dialog:

Option 1: We put "checks" on process fields that will be used when "Remember the action" is checked:

[screenshot: option1.png]


Option 2:
We open "Rule Editor" when "Remember the action" is checked:

[screenshot: option2.png]

b)
What do you think about joining "Rule Editor" and "Expression Builder":

[screenshot: new-rule-editor.png]


@Umbra

You mean an option to whitelist all .exe files in a folder and\or its subfolders?

It is missing, we should add it soon.
 

shmu26

Level 82
Verified
Trusted
Content Creator
As usual, stuck at the first hurdle !

I have created a new category "Whitelist C:\WINDOWS\* " and I want to allow all processes (like version 3, whereby you browsed to the Windows folder and it auto-imported them all), but I need a little bit of help to set up this rule. Once I know how to do this I should be able to add my Program Files (x86) folder without assistance, hopefully!!
Careful, if you exclude C:\WINDOWS\* then all your vulnerable processes will be excluded, too. This is new for ERP4.
 

Deleted member 178

@NoVirusThanks

You mean an option to whitelist all .exe files in a folder and\or its subfolders?
Yes.

About options for alerts:

Option 1 is easier to handle for basic users, option 2 would be overwhelming for them.
Option 2 is better for more advanced users.

Why not do both:
option 1 is the default, then put an "advanced option" button in the alert dialog leading to option 2? :D

About the merging, I'm in favor of it: fewer windows to open, easier to use.