EXE Radar Pro v4 (Beta)

NoVirusThanks

From NoVirusThanks
Thread author
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v4.0 (pre-release) test18:
https://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test18.exe

*** Please do not share the download link, we will delete it when we'll release the official v4 ***

So far this is what's new compared to the previous pre-release:

+ Resizing of columns to 0px on Events tab should work fine (make sure to delete RadarPro.conf file first)
+ "Do not auto-close notification dialog" is now enabled by default
+ Added more signers to Trusted Vendors
+ Fixed memory leak when Blocked Notification Dialog was displayed
+ Fixed When a process is blocked (due to a rule with Action = Deny) and the notification window is displayed, I cannot run any new process while the notification window is shown
+ Minor fixes and optimizations

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
 

Hi Brothers

Level 2
Verified
Apr 19, 2018
71
So, I'm new to EXE Radar Pro, I'm trying to set it up for the first time but I'm having a small (BIG) issue over here: I open chrome, I allow it like this:

8uelkc.png


Then I start getting a prompt for each tab I have opened (a LOT) whose cmd lines are exactly the same except with different ID numbers,
like this:

8unBCv.png


Here's how they look:

8unnSD.png


And I get a few one-off cmd-lines that I get asked about only once for all tabs but they're different each time I close chrome and reopen it, such as
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\User\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\User\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\User\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=67.0.3396.87 --initial-client-data=0x1f8,0x1fc,0x200,0x1f4,0x204,0x7ff9110a3228,0x7ff9110a3238,0x7ff9110a3248
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1484,7903285462501686869,2308012365502304144,131072 --enable-features=ParallelDownloading --gpu-preferences=KAAAAAAAAACAAwCAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=A8823E5019A27B8E26667B9D80529E5C --mojo-platform-channel-handle=1504 --ignored=" --type=renderer " /prefetch:2
and a few others. I'm wondering if allowing child process chrome.exe with parent process chrome.exe in the whitelist is safe? Other processes won't be able to open chrome without asking me, which is what I want, and chrome will be able to open itself, but I'm not sure if that fixes it or is just a temporary solution. The other more permanent-like solution I was thinking of is simply replacing all those numbers in the cmd line with *******, so if the cmd line is the same one as the one in the whitelist but it can have any numbers on place of the stars *** then it will get allowed, thus it won't ask me specifically for each tab, but I'm not sure if EXE Radar Pro currently supports this. I also have this same problem with other processes as well, where allowing the child process by parent process might be a danger, like dllhost:

8unvxq.png

Instead of the numbers after process id {blablabla} I could put stars **** there and if the cmd line matches but with any numbers instead of stars, then it gets allowed, that's my idea. This way I won't have to allow it by parent process or parent signer or have to check through each prompt cuz there are a lot of prompts and allowing by something else might not be 100% safe, I'm not sure about this. Here are my EXE Radar Pro settings just in case, using latest version test 18 btw:

8unYpM.png
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
So, I'm new to EXE Radar Pro, I'm trying to set it up for the first time but I'm having a small (BIG) issue over here: I open chrome, I allow it like this:

8uelkc.png


Then I start getting a prompt for each tab I have opened (a LOT) whose cmd lines are exactly the same except with different ID numbers,
like this:

8unBCv.png


Here's how they look:

8unnSD.png


And I get a few one-off cmd-lines that I get asked about only once for all tabs but they're different each time I close chrome and reopen it, such as
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\User\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\User\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\User\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=67.0.3396.87 --initial-client-data=0x1f8,0x1fc,0x200,0x1f4,0x204,0x7ff9110a3228,0x7ff9110a3238,0x7ff9110a3248
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1484,7903285462501686869,2308012365502304144,131072 --enable-features=ParallelDownloading --gpu-preferences=KAAAAAAAAACAAwCAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=A8823E5019A27B8E26667B9D80529E5C --mojo-platform-channel-handle=1504 --ignored=" --type=renderer " /prefetch:2
and a few others. I'm wondering if allowing child process chrome.exe with parent process chrome.exe in the whitelist is safe? Other processes won't be able to open chrome without asking me, which is what I want, and chrome will be able to open itself, but I'm not sure if that fixes it or is just a temporary solution. The other more permanent-like solution I was thinking of is simply replacing all those numbers in the cmd line with *******, so if the cmd line is the same one as the one in the whitelist but it can have any numbers on place of the stars *** then it will get allowed, thus it won't ask me specifically for each tab, but I'm not sure if EXE Radar Pro currently supports this. I also have this same problem with other processes as well, where allowing the child process by parent process might be a danger, like dllhost:

8unvxq.png

Instead of the numbers after process id {blablabla} I could put stars **** there and if the cmd line matches but with any numbers instead of stars, then it gets allowed, that's my idea. This way I won't have to allow it by parent process or parent signer or have to check through each prompt cuz there are a lot of prompts and allowing by something else might not be 100% safe, I'm not sure about this. Here are my EXE Radar Pro settings just in case, using latest version test 18 btw:

8unYpM.png
If Chrome is installed in program folder, like usual, the simplest solution would be to go into ERP settings and allow things to run from program folder. That's the default setting for ERP.

Maybe you have Chrome installed in a custom location? If so, make a rule that allows Chrome (parent) to execute Chrome (child). That way, Chrome will run normally, but you will still have control over suspicious child processes.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
@NoVirusThanks, here is a OneDrive command line that maybe could be added to internal rules, it is from Win 10 x64 1803

"C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\shmu\AppData\Local\Microsoft\OneDrive\*"
 

Hi Brothers

Level 2
Verified
Apr 19, 2018
71
If Chrome is installed in program folder, like usual, the simplest solution would be to go into ERP settings and allow things to run from program folder. That's the default setting for ERP.

Maybe you have Chrome installed in a custom location? If so, make a rule that allows Chrome (parent) to execute Chrome (child). That way, Chrome will run normally, but you will still have control over suspicious child processes.

I want to have complete control over everything (I AM the process OVERLORD) so that's why I'm not allowing anything by default. Like I said I'm not sure that allowing child process chrome.exe being ran by parent process chrome.exe is 100% safe, because in that case any child process chrome.exe from parent process chrome.exe will be allowed, my goal is to have only specific child processes chrome.exe from parent process chrome.exe allowed (the ones that open for each tab), this way if there is another child process chrome.exe spawned from parent process chrome.exe that is different than what is needed for each tab, I'll be able to monitor it and make sure I need it before allowing it. If I do what you propose, I'll only have control of child processes chrome.exe being spawned from parent processes NOT chrome.exe, I want to have control over ALL child processes chrome.exe including those spawned by parent process chrome.exe, and whitelisting those spawned for each tab that's opened, which is currently impossible firstly because for each tab I have to whitelist the specific command line (of child process chrome.exe from parent process chrome.exe) all over again, and secondly because each time I close and reopen chrome the command lines are different so they won't be automatically allowed because the whitelisted commands from last time are with different numbers since the numbers change each time a new tab is opened or chrome is closed
 
Last edited:
  • Like
Reactions: shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I want to have complete control over everything (I AM the process OVERLORD) so that's why I'm not allowing anything by default. Like I said I'm not sure that allowing child process chrome.exe being ran by parent process chrome.exe is 100% safe, because in that case any child process chrome.exe from parent process chrome.exe will be allowed, my goal is to have only specific child processes chrome.exe from parent process chrome.exe allowed (the ones that open for each tab), this way if there is another child process chrome.exe spawned from parent process chrome.exe that is different than what is needed for each tab, I'll be able to monitor it and make sure I need it before allowing it. If I do what you propose, I'll only have control of child processes chrome.exe being spawned from parent processes NOT chrome.exe, I want to have control over ALL child processes chrome.exe including those spawned by parent process chrome.exe, and whitelisting those spawned for each tab that's opened, which is currently impossible firstly because for each tab I have to whitelist the specific command line (of child process chrome.exe from parent process chrome.exe) all over again, and secondly because each time I close and reopen chrome the command lines are different so they won't be automatically allowed because the whitelisted commands from last time are with different numbers since the numbers change each time a new tab is opened or chrome is closed
I see. I have experimented in the past with the approach that you are taking, although with a different anti-exe software (ReHIPS). I think you are pretty much charting your own territory here, you just have to take a good comparative look at the various command lines generated by Chrome, note the similarities and differences, and edit them with wildcards wherever you see random character strings and minor differences
 

Hi Brothers

Level 2
Verified
Apr 19, 2018
71
Well, guess I'll keep using Voodoo Shield for the time being, or at least until this problem is fixed

I keep getting these

8uPNmq.png

8uPDID.png


At first my entire PC freezed since EXE Radar Pro was still working but wasn't showing any notifications (I hadn't set any rules at the time, I was doing just that before it started doing this). Then for a few reboots same thing continued, and finally after a few more reboots it started simply not working - an EXE Radar Pro tray icon would appear every few minutes, leading to multiple icons which I have to mouse over for them to disappear, all but one of them. When I try to start EXE Radar Pro from the desktop icon or right click the tray icon and choose either Show Main Window or Exit I get those messages, and EXE Radar Pro is not blocking or doing anything. I tried uninstalling, rebooting and installing test 18 again, same thing

EDIT: This also happens in safe mode
 
Last edited:
  • Like
Reactions: lowdetection

redsworn

Level 4
Verified
Well-known
Dec 6, 2017
191
Is it still advised to use the 3.1 beta instead of the newest from here?
No. ERP 3.1 is what? 2 years old or something? You better use v4 since it's being actively developed.
ERP v4 is relatively stable. But you should still create system backup first just in case.
 

lowdetection

Level 7
Verified
Well-known
Jul 1, 2017
317
About the Access Violation error, I experienced more than once, still not understood what maybe the main cause, but some corruption should happen into the databases contained into AppData folder;
when happen this, I clean all the folders created by this program manually, reboot, and install again.

This may make it working, but the main cause is hunt down what cause the database corruption, or add something to protect those files from corruption? Not sure. :unsure:
 

Hi Brothers

Level 2
Verified
Apr 19, 2018
71
About the Access Violation error, I experienced more than once, still not understood what maybe the main cause, but some corruption should happen into the databases contained into AppData folder;
when happen this, I clean all the folders created by this program manually, reboot, and install again.

This may make it working, but the main cause is hunt down what cause the database corruption, or add something to protect those files from corruption? Not sure. :unsure:

YOU WERE ABSOLUTELY CORRECT!!!!

I deleted C:\Users\User\AppData\Roaming\NoVirusThanks\RadarPro.conf (which was full of NULL NULL NULL and some weird symbols), and then when I installed EXE Radar Pro again, it's now working!!!! Now RadarPro.conf is normal, so that must have been the problem. On an unrelated note, I wonder why didn't Revo delete this file, I'm gonna have to scold it when I get home :LOL:

Also btw, a default button in the Settings menu would be nice
 

lowdetection

Level 7
Verified
Well-known
Jul 1, 2017
317
My two cents solution, maybe we can add also xpath and copy the logs to desktop before wipe them, and extend the operation to also other products.

Code:
@ECHO OFF

ECHO Removing NoVirusThanks Config and Logs...
ECHO.

taskkill /f /im RadarPro.exe
net stop ERPSvc


del "%ProgramData%\NoVirusThanks" /s /f /q
del "%AppData%\NoVirusThanks" /s /f /q

ECHO Removed!
ECHO.
ECHO.
ECHO     **** Press any key to exit ****
pause > NUL
 

Yellowing

Level 5
Verified
Jun 7, 2018
221
You are giving confirmation that the file has been deleted, but do not check this. :emoji_fearful: :eek::)
Try:
Code:
DIR /A-D "%ProgramData%\NoVirusThanks\EXE Radar Pro\Events" >NUL && SET DEL=0 || SET DEL=1
IF EXIST "%AppData%\NoVirusThanks\RadarPro.conf" SET DEL=0
IF %DEL%==0 (ECHO Some things are still there) ELSE (ECHO All removed!)
after the del commands. :)

And you HAVE to run it as administrator to change services, I think. :unsure:
 

NoVirusThanks

From NoVirusThanks
Thread author
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v4.0 (pre-release) test20:
https://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test20.exe

*** Please do not share the download link, we will delete it when we'll release the official v4 ***

So far this is what's new compared to the previous pre-release:

+ While "Process Blocked" notification window is active, I cannot edit/do things on the main GUI
+ Added a button "Close All" on the left of "Close" button, in the "Process Blocked" notification window to close all active "Process Blocked" notifications
+ If I enable the option "Settings" -> "Password Protect Power Options" and then I right-click on the tray icon -> "Enable Passive Mode" I am not asked for the password
+ Support explicitly appended \ to process Path rule field, example:
C:\Program Files*\Internet Explorer
C:\Program Files*\Internet Explorer\
C:\Program Files*\Internet Explorer\*
C:\Program Files*\Internet Explorer*\*
+ Improved "Allow Known Safe Process Behaviors"
+ Minor fixes and optimizations

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
 

Snickers102

Level 1
Verified
Jul 5, 2018
46
Using test 20, Alert Mode doesn't work, no matter how much I allow something and create rules, it always behaves as if my entire alert mode list is completely empty, making the program unusable for me. After a few uninstall and reinstalls, with a reboot each time, this happens every single time. Test 18 works fine, only happens with test 20. Using Windows 10 Pro 1803 17134.167
 
  • Like
Reactions: lowdetection

NoVirusThanks

From NoVirusThanks
Thread author
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v4.0 (pre-release) test21:
https://downloads.novirusthanks.org/files/exe_radar_pro_4_setup_test21.exe

*** Please do not share the download link, we will delete it when we'll release the official v4 ***

So far this is what's new compared to the previous pre-release:

+ Removed the option "Distinct to" on Expression Builder
+ Fixed adding a rule via "Alert Dialog" -> "Remember the action"
+ Fixed some rules that have no "\" at the end of the Path field are ignored
+ Fixed support old rules that have no "\" at the end of the Path field
+ Change tray icon based on Protection Modes
+ All blocked processes (via Lockdown Mode, Auto-Block Ask Actions, Manually Blocking via Alert Dialog etc. now displays the Blocked Process dialog (if the user has this enabled)
+ Learning Mode now uses a - (hyphen) or blank character for all expressions when a rule is auto-created for the first time
+ Remember THE Action checkbox in Alert dialog is re-captioned to now say Remember THIS Action since it's better/proper English
+ If the rule action is Allow and a user chooses Remember This Action via the Alert dialog the rule is created as an Exclusion now. Before it was Allow but this is 2nd most priority, not 1st
+ Minor fixes and optimizations

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

@Snickers102

Please use this new build, should fix that issue.

Let me know.
 

Snickers102

Level 1
Verified
Jul 5, 2018
46
Test 21 works great! Everything's good now

I think "Add as rule" or simply "Remember action" (or just "Remember") is better than "Remember this action." , the dot also makes it look worse

As far as I tested, the priority order is Exclude > Deny > Ask > Allow, so Allow has the lowest priority

Would be useful if the user can create priorities. Let's say a priority has 3 types, either allow, deny or ask, and each priority will have a number. The number, for example between 1 and 9, will indicate how strong the priority is. For example, Allow[3] is stronger than Deny[2], so if cmd.exe from system32 has priority Deny[2] but a specific batch file has priority Allow[3], the batch file gets allowed to run since the rule takes priority over the deny cmd.exe rule since 3 is a higher number than 2. But then let's say that same batch file with additional properties (such as when started by a specific parent process) has priority of Deny[4], then that specific batch file will get denied when started by the specified parent process from the Deny[4] rule. And then let's say we have Ask[5] rule of that specific batch file, when started by that same parent process, but the parent process has a different (or no) signer. Then, we'd get asked whether to allow that specific batch file started by that specific parent process, since this Ask[5] rule takes priority over the Deny[4] rule (which specifies a specific parent process and a specific signer, while Ask[5] doesn't have that specific signer), which takes priority over Allow[3] which has no specific parent process in the rule, which takes priority over Deny[2] which denies any batch file (started from cmd.exe child process) without a higher priority rule. I think only 2 levels of priority for allow (level 1 being exclude and level 2 being allow), and only 1 level for deny and 1 level for ask is too little, in the above scenario these 4 rule priorities with only a total combined of 4 levels would not be anywhere near enough for what someone might be trying to do with a case like that

It would also be pretty cool if there was a manual, cuz I have 0 idea how I'm supposed to use wildcards, they don't work like excubits' wildcards (for example), I simply don't know the syntax of Exe Radar Pro, just plain "*" instead of a character doesn't seem to work

And, to top it off for now, how about we can customize the color of the tray icon shield? For example, I may want my alert mode icon to be in blue or green, not red, cuz red doesn't "merge" well with the color of my other tray icons, it makes it looks ugly when there's so much potential to look cool, if only at least 1 developer was like "let's let users choose their own color" instead of forcing us to use whatever color they picked and ruining our taskbar icon color sync

EDIT: Forgot to mention, a VERY important feature still missing, files that no longer exist and have a specified path should get automatically deleted from the rules list, this makes the rule list a lot bigger than it should be over time and every few weeks I have to reset it cuz it just gets so huge after accumulating so many useless leftover rules
 
Last edited:
  • Like
Reactions: lowdetection

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top