EXE Radar Pro v4 (Beta)

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
please add system rule for tiworker (win10 x64)

Date/Time : 2018-03-23 11:24:53.307
Action : Allow/Learning Mode
Expression : -
Category : Learning Mode
PID : 11664
Process : C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.16299.251_none_16dd4c82321e5ccc\TiWorker.exe
Integrity Level: System
User/Domain : SYSTEM/NT AUTHORITY
System File : False
SHA1 : A6F1007F24FFFEE3324AE75B2921E147165B93E7
Signer :
Command : C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.16299.251_none_16dd4c82321e5ccc\TiWorker.exe -Embedding
Parent : C:\Windows\System32\svchost.exe
Parent SHA1 : B3D7C886DC6607A50874E0ECF2B90CFC3C4B57B8
Parent Signer : Microsoft Windows Publisher
 

shmu26

There are some rough edges with multiple user accounts.
When switching between them, or signing in and out of them, sometimes I see system hanging or BSODs. It does not seem to matter whether it is in alert mode, learning, or disabled.
It does not matter whether they are admin or SUA.
The factor that produces the error is when two accounts are signed in at the same time.
Sign into account A, switch to account B, sign out of B, and it's BSOD.
 

askmark

Level 12
Verified
Top Poster
Well-known
Aug 31, 2016
578
Can't import VulnerableProcesses_Rules.csv after a clean install of NoVirusThanks new v4.0 (pre-release) test3.

Only XML files option is available.
Copy and paste the text below into Notepad (or similar) and save with name Rules.xml. Then import into ERP 4.
Code:
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell.exe] [Proc.Path = C:\Windows\System32\WindowsPowerShell\v1.0] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = powershell.exe] [Proc.Path = C:\Windows\SysWOW64\WindowsPowerShell\v1.0] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = rundll32.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = rundll32.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = regsvr32.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = regsvr32.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = at.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = at.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = vssadmin.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = vssadmin.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = mshta.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = mshta.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = reg.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = reg.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = regini.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = regini.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = takeown.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = takeown.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = cacls.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = cacls.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = icacls.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = icacls.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = schtasks.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = schtasks.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wscript.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cscript.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = wbadmin.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = wscript.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cscript.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = wevtutil.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = wevtutil.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</> <enabled>1</>
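
A lint pass over rules in the layout posted above, as an added example that is not part of the original post or of ERP itself: it flags rules whose <action> tag disagrees with the [Action = ...] clause, and rules that give the same process name and path two different actions. The sample lines are constructed, and comparing names and paths case-insensitively is an assumption about how ERP matches them.

```python
import re
from collections import defaultdict

# Constructed rule lines in the layout posted above; the last two are
# deliberately faulty so the checks have something to report.
SAMPLE_RULES = r"""
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = cmd.exe] [Proc.Path = C:\Windows\System32] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Deny</> <expression>[Proc.Name = reg.exe] [Proc.Path = C:\Windows\System32] [Action = Deny]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = REG.EXE] [Proc.Path = c:\windows\system32] [Action = Ask]</> <enabled>1</>
<category>Vulnerable Processes</> <action>Ask</> <expression>[Proc.Name = mshta.exe] [Proc.Path = C:\Windows\SysWOW64] [Action = Deny]</> <enabled>1</>
"""

# "[Field = value]" clauses inside <expression>, and the separate <action> tag.
CLAUSE = re.compile(r"\[([\w.]+) = ([^\]]+)\]")
ACTION_TAG = re.compile(r"<action>(\w+)</")

def parse_rule(line):
    """Turn one rule line into a dict; tolerant of a missing </> after the expression."""
    clauses = dict(CLAUSE.findall(line))
    tag = ACTION_TAG.search(line)
    return {
        # Assumption: names and paths are compared case-insensitively.
        "name": clauses.get("Proc.Name", "").lower(),
        "path": clauses.get("Proc.Path", "").lower().rstrip("\\"),
        "expr_action": clauses.get("Action"),
        "tag_action": tag.group(1) if tag else None,
        "enabled": "<enabled>1" in line,
    }

def lint(text):
    """Return (kind, name, path) findings for a block of rule lines."""
    rules = [parse_rule(line) for line in text.splitlines() if "<expression>" in line]
    findings = []
    by_target = defaultdict(set)
    for rule in rules:
        if rule["tag_action"] != rule["expr_action"]:
            findings.append(("action-mismatch", rule["name"], rule["path"]))
        if rule["enabled"]:
            by_target[(rule["name"], rule["path"])].add(rule["expr_action"])
    for (name, path), actions in sorted(by_target.items()):
        if len(actions) > 1:  # same target, more than one action
            findings.append(("conflict", name, path))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print(finding)
```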
 

NoVirusThanks

From NoVirusThanks
Thread author
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v4.0 (pre-release) test4:
http://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test4.exe

*** Please do not share the download link, we will delete it when we release the official v4 ***

So far this is what's new compared to the previous pre-release:

+ Added option to "Password Protect Power Options"
+ Password protect also "Allow" and "Custom Rule" button on Alert Dialog
+ Added button to set/change password
+ Fixed "Allow Known Safe Process Behaviors"
+ Added more rules on "Allow Known Safe Process Behaviors"
+ Support wildcard on "Exclude from Notification" rules
+ Added "Close" button on "Event Details" window
+ Fixed counting of stats on main window
+ The issue with "black screen" or "desktop is not loaded" should be fixed
+ Fixed "the Protection Mode is changing after options in Settings has been ticked/unticked"
+ On "Export Rules" ask to overwrite the file if it already exists
+ On "Export Rules" show a warning message if the Rules.xml is not selected
+ Order of fields on "Expression Builder" is same as on "Alert Dialog"
+ Option "Allow Microsoft Windows Apps" is checked by default
+ Option "Allow All Software from Program Files Folder" is checked by default
+ Option "Allow All Microsoft-Signed Processes" is checked by default
+ Minor fixes and optimizations

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

Uploaded a new list of vulnerable processes (XML):
http://downloads.novirusthanks.org/files/VulnerableProcesses.xml

@shmu26

Rule for TiWorker.exe added.

Sign into account A, switch to account B, sign out of B, and it's BSOD.

Will try that to see if I can reproduce that issue.

@Captain Awesome

I've uploaded the XML version of vulnerable processes (now checking only process name, i.e. powershell.exe).

@blueblackwow65

Can you try this new build?
 

BoraMurdar

Community Manager
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
I've noticed that
+ Option "Allow All Software from Program Files Folder" is checked by default. This option is allowing files to be executed from different locations (Desktop, random folder) assisted by the rule that file is executed from a Program Files folder, which obviously isn't the case according to Events.
If this option is unchecked, then everything is back to normal, except the Explorer.exe won't run at the Windows start routine, resulting in frozen, blank desktop.
 

NoVirusThanks

@AMD1

The Trusted Vendors list cannot be edited for now, but we plan to allow it soon.

It has 150+ well-known software vendors (signers) on the list.

@BoraMurdar

The option "Allow All Software from Program Files Folder" should only auto-allow programs located on:

C:\Program Files\*
C:\Program Files (x86)\*

Here is a screenshot:

erp1.png


The option "Allow System Files" should auto-allow C:\WINDOWS\Explorer.exe and other system processes.

I'll add an internal rule to auto-allow C:\WINDOWS\Explorer.exe when the PC is booted (safe way).
 

BoraMurdar

I think you didn't follow.

These are my initial settings
2018-03-31_181704.jpg

I've tried to run a random executable which was placed on my Desktop, in this case, portable CPU-Z app. And of course, I am getting a notification from ERP 4
2018-03-31_181824.jpg

Events, as expected
2018-03-31_181910.jpg

Now, I have checked the option to allow all executables originated from Program Files
2018-03-31_182013.jpg

Run the CPU-Z app, and I wasn't notified about any execution activity, as you can see in the screenshot below, CPU-Z is running and Events are saying basically that I wasn't notified because the program was executed from a Program Files folder. Again, CPU-Z is executed from Desktop folder and it happens the same with other locations. No matter what app is in question.
2018-03-31_182216.jpg
 

BoraMurdar

@BoraMurdar i tried it too, i don't even have alerts unless i untick "allow processes signed by trusted vendors"
Allow processes signed by Trusted Vendors is ticked + Allow all soft from Program Files folder is ticked = you don't get any alert when running an app for which the rule doesn't exist and app's location is outside the Program Files folder.
And when the Allow processes signed by trusted vendors is unticked then you are getting an alert under same circumstances?
 

Deleted member 178

Allow processes signed by Trusted Vendors is ticked + Allow all soft from Program Files folder is ticked = you don't get any alert when running an app for which the rule doesn't exist and app's location is outside the Program Files folder.
Exact, no alerts. Same even in Lockdown Mode.


And when the Allow processes signed by trusted vendors is unticked then you are getting an alert under same circumstances?
yes

@NoVirusThanks
 

NoVirusThanks

@BoraMurdar

Thanks for the detailed information with screenshots.

Are you under LUA?

From Admin account it works fine.

Looks like your issue is that ERPv4 identifies the cpuz_x32.exe as if it is executed from Program Files folder but instead it is executed from Desktop folder, correct?

And it is allowed because the "Allow All Software from Program Files folder" is checked.

I can't reproduce this strange behavior on W10 with Admin account, will test later on a W10 with LUA account.

Can anyone reproduce this behavior?

Program Files folder is not correctly identified by ERPv4 when "Allow All Software from Program Files folder" is checked, and executables from other locations are executed with Action = Allow/Program Files (on Events tab).
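
One way to check a list of events for the behavior described above, as an added example (not NoVirusThanks code): it flags events whose Action is Allow/Program Files while the Process path lies outside the two folders the developer names. The sample events are constructed in the "Key : Value" layout shown earlier in the thread; the Desktop and "Program Files Extra" paths are made up.

```python
import ntpath
import re

# Constructed sample events in the "Key : Value" layout of the event shown
# earlier in the thread; timestamps and paths are made up for the example.
SAMPLE = r"""
Date/Time : 2018-03-31 18:22:16.101
Action : Allow/Program Files
Process : C:\Users\tester\Desktop\cpuz_x32.exe

Date/Time : 2018-03-31 18:23:02.557
Action : Allow/Program Files
Process : C:\Program Files (x86)\ExampleApp\app.exe

Date/Time : 2018-03-31 18:24:11.730
Action : Allow/Program Files
Process : C:\Program Files Extra\tool.exe

Date/Time : 2018-03-31 18:25:40.019
Action : Allow/Learning Mode
Process : C:\Users\tester\Desktop\other.exe
"""

# The two folders the option is meant to cover, per the developer's post.
ALLOWED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)")

def parse_events(text):
    """Split blank-line separated records into dicts of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon ends the key
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def under_program_files(path):
    """True only if path is inside an allowed root (separator-aware, case-insensitive)."""
    norm = ntpath.normcase(ntpath.normpath(path))
    return any(norm.startswith(ntpath.normcase(r) + "\\") for r in ALLOWED_ROOTS)

def mismatched_allows(events):
    """Events auto-allowed as Program Files whose image is not under Program Files."""
    return [e for e in events
            if e.get("Action") == "Allow/Program Files"
            and not under_program_files(e.get("Process", ""))]
```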
 

BoraMurdar

Looks like your issue is that ERPv4 identifies the cpuz_x32.exe as if it is executed from Program Files folder but instead it is executed from Desktop folder, correct?

And it is allowed because the "Allow All Software from Program Files folder" is checked.

Yes and yes, Admin account.
 

askmark

@BoraMurdar
I can't reproduce this strange behavior on W10 with Admin account, will test later on a W10 with LUA account.

Can anyone reproduce this behavior?

Program Files folder is not correctly identified by ERPv4 when "Allow All Software from Program Files folder" is checked, and executables from other locations are executed with Action = Allow/Program Files (on Events tab).
I cannot reproduce this behavior, ERP4 works exactly as advertised on my Win 10 Pro x64 PC with this setting ticked. Tested with same program (CPU-Z running from Desktop under Admin account) as @BoraMurdar.

Update:
A thought came to me: as @Umbra and @BoraMurdar have the same problem, do you both use the same AV, Emsisoft?
 

NoVirusThanks

Here is a new v4.0 (pre-release) test5:
http://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test5.exe

*** Please do not share the download link, we will delete it when we release the official v4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed option "Allow All Software from Program Files folder"
+ Rules are now checked for existing conflicts by action (Allow, Deny, Ask)
+ Expression Builder Parent Process "Name" field renamed to "Full Path Name" for clarity
+ Expression Builder Parent Process "Hash" (SHA1) field is now moved above "Signer" field
+ Removed the option (checkbox) "Block Suspicious Process Behaviors" from "Settings" tab
+ Pre-filled the "Hash (SHA1)" field for Parent Process when "Custom Rule"->"Edit Expression" is clicked on Alert Dialog
+ Improved fix for "black screen" or "desktop is not loaded" issue
+ Minor fixes and optimizations

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

We'll add a new action "Exclude" that will be used to exclude (allow) an event (something like "Safe Command-lines" on ERPv3), it will override the other actions.

What do you think, guys?

@BoraMurdar

Please let me know if the issue you had is fixed now.
 