NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,327
    ...and one more for good measure.

    OSArmor_v1.9.8.0_available_03.JPG
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,689
    Location:
    The Netherlands
    Thanks for the info, will check it out. :thumb:
     
  3. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    365
    Location:
    Finland
    I'm using OSA with Harmony Endpoint. Very powerful combo. In OSA I enabled all "suspicious" protections and basic lolbin stuff, Harmony Endpoint takes care of the rest.
    Tested this combo against various bazaar samples for about a week. I do not download or run anything from "user space folders". I just save pictures, videos etc. to custom folders.
    I was kinda impressed, when running some .exe samples, OSA reacted really fast "suspicious process detected". Before mighty Harmony Endpoint even reacts. I was like...wow.

    Just one thing in OSA is that it really needs some more tampering protections (self-protection mechanism). It's easy to terminate OSA processes. When testing some malware samples, they "kill" all the running processes which are not protected (chrome, outlook etc.).
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    After enabling medium protection, I am getting a repeated block. I don't know what is making this run.
    Here is a Microsoft doc about the cmdlet:
    https://learn.microsoft.com/en-us/p...t/disable-computerrestore?view=powershell-5.1
    Code:
    Date/Time: 4/17/2024 10:09:39 AM
    Process: [16032]C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Process Size: 413.5 KB (423,424 bytes)
    Process MD5 Hash: 61732DBA77466B624C014B67A1E1348E
    Parent: [4904]C:\Windows\SysWOW64\cmd.exe
    Parent Process Size: 239.5 KB (245,248 bytes)
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell.exe  "Disable-ComputerRestore -Drive \"C:\""
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
    
     
    Last edited: Apr 17, 2024
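Added example, not part of the original post and not OSArmor code: when the same block keeps recurring, as with the log entry above, collapsing entries by rule, parent image and command line shows whether it is one repeating activity and which parent PIDs to trace. It assumes every entry opens with a `Date/Time:` line as in the posted entry; the second sample entry is a constructed repeat.

```python
import re
from collections import defaultdict

# First entry: fields copied from the post above. Second entry: constructed
# repeat (different time and PIDs) to show how repeated blocks collapse.
SAMPLE_LOG = r'''Date/Time: 4/17/2024 10:09:39 AM
Process: [16032]C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent: [4904]C:\Windows\SysWOW64\cmd.exe
Rule: PreventCmdFromExecutingPowerShell
Command Line: powershell.exe  "Disable-ComputerRestore -Drive \"C:\""
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System
Date/Time: 4/17/2024 11:09:41 AM
Process: [2212]C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent: [7080]C:\Windows\SysWOW64\cmd.exe
Rule: PreventCmdFromExecutingPowerShell
Command Line: powershell.exe  "Disable-ComputerRestore -Drive \"C:\""
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System
'''

def parse_entries(text):
    """Split "Key: Value" lines into one dict per block event."""
    entries = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue                      # blank or malformed line
        if key == "Date/Time":            # assumed to open every entry
            entries.append({})
        if entries:
            entries[-1][key] = value.strip()
    return entries

def summarise(entries):
    """Group repeats by rule, parent image and command line, ignoring PIDs."""
    groups = defaultdict(lambda: {"count": 0, "parent_pids": []})
    for e in entries:
        m = re.fullmatch(r"\[(\d+)\](.+)", e.get("Parent", ""))
        pid, parent = (int(m.group(1)), m.group(2)) if m else (None, "")
        g = groups[(e.get("Rule"), parent.lower(), e.get("Command Line"))]
        g["count"] += 1
        g["parent_pids"].append(pid)
        # SYSTEM account at System integrity: not started by the logged-on user
        g["system_context"] = (e.get("User/Domain", "").startswith("SYSTEM/")
                               and e.get("Integrity Level") == "System")
    return dict(groups)
```

The log records only the direct parent, so the collected parent PIDs are the starting point for finding what launched `cmd.exe` itself.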
  5. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,968
    Is "Enable OSArmor self-defense (process termination)" enabled?

    OSA.png
     
    Last edited: Apr 19, 2024
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,465
    Location:
    .
    I cannot update my payment method over on FastSpring. Any ideas what I'm doing wrong? FastSpring tells me...talk to my credit card. My credit card tells me...talk to FastSpring.
    My Appsvoid sub expires in May. My OSArmor sub expires in December.
    png_18925.png
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,075
    Location:
    Canada
    Maybe reach out to @novirusthanks.
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,327
    I got this a short time ago, but then I had problems with my Opera browser. It locked up, and I had to reboot the laptop.

    Finally, here it is, and I chose ignore.

    OSArmor_popup_chose ignore_01.JPG
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,361
    Location:
    Italy
    We have released OSArmor v1.9.9:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update in the next hours.

    Else you can install it "over-the-top" of the installed version, reboot is not needed.

    If you find false positives or issues please let me know.

    @shmu26

    It looks like something in the system (e.g. a Windows Update or a system process or a service of a backup software) is doing that activity.

    You should not see the alerts in this new build.

    @bjm_

    We resolved the issue via email, thanks for reporting that.

    @Tarnak

    FP fixed.

    @moredhelfinland

    We have an option (enabled by default) to protect OSA processes from termination (only Task Manager is allowed to terminate them).

    We intentionally didn't add other particular/advanced tampering protections because a process to damage OSA has to [1] run in the system and [2] gain admin privileges.

    It already covers protection from tampering done by abusing system processes.
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,327
    Auto updated a short time ago to v1.9.9.0 :), and scanned for New Trusted Vendors.

    OSArmor_auto updated to v1.9.9.0_01.JPG
     
  11. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,968
    OSArmor has been updated to v2.0.0.0.

    Changelog:
    + Save log files in YYYY-MM-DD.log format
    + Save date/time in log files in YYYY-MM-DD HH:mm:ss format
    + Save also date/time in UTC
    + Added more JSON data on HTTP POST request (Enterprise version)
    + Minor improvements

    Source: https://www.osarmor.com/changelog/

    OSA-2.png
     
    Last edited: May 20, 2024
  12. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,327
    Got it now...

    OSArmor_autoupdated_to v2.0.0.0.JPG
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,269
    Location:
    Among the gum trees
    Hi @novirusthanks ,

    Just seen a message from OSA on starting Windows that OSA service wasn't running and suggested I start the service, restart my machine, or reinstall the latest version. I've seen it once or twice before with recent builds. A system restart gets it going.

    Not a big deal, but if I didn't catch the pop up I may not have noticed that OSA wasn't running.

    I've installed the latest version over the top for now.

    Thanks.
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,361
    Location:
    Italy
    We have released OSArmor v2.0.1:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update in the next hours.

    Else you can install it "over-the-top" of the installed version, reboot is not needed.

    If you find false positives or issues please let me know.

    This update was focused mainly on the Enterprise version but we made improvements also to Personal and Business versions.

    @Krusty

    Please let me know if you notice that again with this new v2.0.1 version.
     
  15. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,327
    Got it a short time ago...

    OSArmor_autoupdated_to v2.0.1.0.JPG
     