NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    We have released OSArmor v1.9.1:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update within the next few hours.

    Otherwise you can install it "over-the-top" of the installed version; a reboot is not needed.

    If you used test builds, you need to install this final release "over-the-top".

    If you find false positives or issues please let me know.
     
  2. Page42

    Page42 Registered Member

    Thank you for the update. Installed automatically on two W7 machines and no problems to report. :)
     
  3. Antarctica

    Antarctica Registered Member

    Same for me, thanks. :)
     
  4. Krusty

    Krusty Registered Member

    I just got this:

    Date/Time: 13/12/2023 6:27:35 AM
    Process: [10584]C:\Windows\System32\schtasks.exe
    Process Size: 229.5 KB (235,008 bytes)
    Process MD5 Hash: D4DA03B7BB20B7E4F1B762A365D4DD4F
    Parent: [10828]C:\Program Files\AMD\CNext\CNext\RadeonSoftware.exe
    Parent Process Size: 23.94 MB (25,105,696 bytes)
    Rule: BlockSchtasksExe
    Rule Name: Block execution of schtasks.exe
    Command Line: schtasks /run /TN "AMDRyzenMasterSDKTask"
    Signer: <NULL>
    Parent Signer: Advanced Micro Devices, Inc.
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: False
     
  5. Rasheed187

    Rasheed187 Registered Member

    I didn't even know you had made a new GUI for OSArmor, it looks pretty good! I see that it remembers screen size and position, which is cool, but can you also make the configurator remember the column size? Perhaps you can also make the Alerts column sortable (low, medium, high).
     
  6. novirusthanks

    novirusthanks Developer

    Here is a pre-release test 3 version of OSArmor PERSONAL v1.9.2:

    Code:
    https://downloads.osarmor.com/osa-personal-1-9-2-test3.exe
    
    Here is what's new so far:

    You can install this test build over-the-top of the currently installed version (reboot is not needed).

    If you find issues or FPs please let me know.

    @Krusty

    FP is fixed now, thanks for reporting it.

    @Rasheed187

    Glad you like the new UI!

    Yes, added it on this new build.
     
  7. Krusty

    Krusty Registered Member

    Thank you. :thumb:
     
  8. Dragon1952

    Dragon1952 Registered Member

    Date/Time: 12/15/2023 3:39:15 PM
    Process: [5736]C:\Windows\SysWOW64\cmd.exe
    Process Size: 231 KB (236,544 bytes)
    Process MD5 Hash: D3348AC2130C7E754754A6E9CB053B09
    Parent: [4236]C:\Windows\SysWOW64\cmd.exe
    Parent Process Size: 231 KB (236,544 bytes)
    Rule: BlockCmdExeExecution
    Rule Name: Block execution of Windows Command Prompt (cmd.exe)
    Command Line: C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Program Files (x86)\Google\GoogleUpdater\121.0.6167.0" "
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  9. Dragon1952

    Dragon1952 Registered Member

  10. Rasheed187

    Rasheed187 Registered Member

    OK thanks, I'm very picky when it comes to the GUI. :p
     
  11. Roberteyewhy

    Roberteyewhy Registered Member

    Me too!

    Happy Holidays,
    Robert
     
  12. Dragon1952

    Dragon1952 Registered Member

    Installed new version of SSDFresh.
    Date/Time: 12/28/2023 4:47:32 PM
    Process: [5592]C:\Users\Bruce\AppData\Local\Temp\is-1OC5S.tmp\setup.tmp
    Process Size: 3.07 MB (3,219,968 bytes)
    Process MD5 Hash: 452C4FBAEE7EB77ECCE95F3ABAF626D0
    Parent: [4736]C:\Users\Bruce\AppData\Local\Temp\3z3o4yqz.oq0\setup.exe
    Parent Process Size: 6.38 MB (6,686,952 bytes)
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\Bruce\AppData\Local\Temp\is-1OC5S.tmp\setup.tmp" /SL5="$30478,5800243,886784,C:\Users\Bruce\AppData\Local\Temp\3z3o4yqz.oq0\setup.exe"
    Signer: <NULL>
    Parent Signer: Ascora GmbH
    User/Domain: Bruce/BRUCE
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: False
     
  13. Duxar

    Duxar Registered Member

    Trying to open a link from Microsoft Outlook, which should open the Edge browser...

    I tried to make an exception via the popup, still doesn't work.

    Process: [9804]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Process Size: 3,68 MB (3.854.280 bytes)
    Process MD5 Hash: F6E7A024CC79AC12294D0DA6072C5073
    Parent: [14956]C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
    Parent Process Size: 42,72 MB (44.792.728 bytes)
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:///?url=https ***
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Corporation
    User/Domain: *****
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: False
     
  14. Rasheed187

    Rasheed187 Registered Member

    Perhaps I misunderstood, but in the latest build this has NOT been fixed, right? Because I just saw that you still can't sort columns and OSArmor also doesn't remember the column size.
     
  15. novirusthanks

    novirusthanks Developer

    @Dragon1952

    I contacted the Ascora company and asked them to also digitally sign the .tmp file of their programs; they said they will do that in the next versions.

    @Duxar

    It will be fixed in the next build (I will release it in a few days).

    A quick exclusion rule would be this:

    Code:
    [%PROCESS%: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] [%SIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Program Files\Microsoft Office\*\OUTLOOK.EXE] [%PARENTSIGNER%: Microsoft Corporation] [%PROCESSCMDLINE%: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:///?url=https://*]
    
    Untested, but it should work fine; let me know in case.

    @Rasheed187

    Sorting of the "Alerts" column has not been added, and I am not sure if it will be added; probably we will sort the rule names alphabetically by default (yet to be discussed).

    Regarding remembering column sizes: it has been added, but if you resize the app window manually the column sizes will be reset (auto-column-resize is enabled when the app window is manually resized).

    So for now a workaround is to first resize the app window as desired, and then change the column sizes.

    I will disable the auto-column-resize on the next build.
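    One way to check that an exclusion rule of this form really covers the event it is written for, as an added Python example that is not OSArmor's own code: it parses the bracketed [%FIELD%: pattern] clauses and the "Key: Value" block record from Duxar's post, then matches each clause case-insensitively with '*' as a wildcard. OSArmor's actual matching semantics, the field-to-record mapping and the placeholder URL (masked in the post) are assumptions.

```python
import fnmatch
import re

# Exclusion rule from the post: bracketed [%FIELD%: pattern] clauses, '*' is a wildcard.
RULE = (r'[%PROCESS%: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] '
        r'[%SIGNER%: Microsoft Corporation] '
        r'[%PARENTPROCESS%: C:\Program Files\Microsoft Office\*\OUTLOOK.EXE] '
        r'[%PARENTSIGNER%: Microsoft Corporation] '
        r'[%PROCESSCMDLINE%: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
        r'--single-argument microsoft-edge:///?url=https://*]')

# Constructed from the block event in Duxar's post; the URL is masked there, so a placeholder host is used.
EVENT_TEXT = r"""Process: [9804]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent: [14956]C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Rule: BlockSuspiciousCmdlines
Command Line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:///?url=https://example.invalid/
Signer: Microsoft Corporation
Parent Signer: Microsoft Corporation
"""

# Rule field -> key of the event record (assumed mapping, not OSArmor's own).
FIELD_TO_KEY = {"PROCESS": "Process", "PARENTPROCESS": "Parent",
                "SIGNER": "Signer", "PARENTSIGNER": "Parent Signer",
                "PROCESSCMDLINE": "Command Line"}

def parse_rule(rule):
    """Split '[%FIELD%: pattern] [%FIELD%: pattern] ...' into {FIELD: pattern}."""
    return dict(re.findall(r"\[%([A-Z]+)%:\s*(.*?)\]\s*(?=\[|$)", rule))

def parse_event(text):
    """Parse the 'Key: Value' event lines and drop the [PID] prefix on process paths."""
    event = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            event[key] = re.sub(r"^\[\d+\]", "", value.strip())
    return event

def rule_matches(rule, event):
    """True only if every clause matches; an unknown field or one mismatch keeps the event blocked."""
    for field, pattern in parse_rule(rule).items():
        value = event.get(FIELD_TO_KEY.get(field, ""))
        if value is None or not fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return False
    return True

def demo():
    """The logged event, then two near-misses (other parent, plain http URL) that must stay blocked."""
    event = parse_event(EVENT_TEXT)
    other_parent = dict(event, Parent=r"C:\Windows\explorer.exe")
    plain_http = {**event, "Command Line": event["Command Line"].replace("https://", "http://")}
    return (rule_matches(RULE, event), rule_matches(RULE, other_parent),
            rule_matches(RULE, plain_http))
```

The third case shows why the trailing `https://*` in the command-line clause matters: an otherwise identical launch with a plain http URL is not excluded.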
     
  16. Duxar

    Duxar Registered Member

    Thank you.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Sorting by columns is perhaps not the most important thing, but column size should always be remembered, no matter if the window size is changed, IMO. Now you will always get the annoying horizontal scrollbar upon startup.
     
  18. Tarnak

    Tarnak Registered Member

    I got this warning:

    OSA_Warning_01.JPG

    And then slammed with the following:

    Code:
    Date/Time: 11/01/2024 6:18:14 AM
    
    Process: [3196]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    Process Size: 45.99 KB (47,096 bytes)
    Process MD5 Hash: 8166CCB6A04B855AA918B36079C63B7D
    Parent: [12620]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Parent Process Size: 2.45 MB (2,569,688 bytes)
    Rule: BlockProcessesExecutedFromCSC
    Rule Name: Block processes executed from C Sharp compiler (csc.exe)
    Command Line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\KrisTwo\AppData\Local\Temp\RES928C.tmp" "c:\Users\KrisTwo\AppData\Local\Temp\CSCE7517B9881E8449D84A7DFEA9A52492.TMP"
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Corporation
    User/Domain: KrisTwo/DESKTOP-XXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: False
    
    
    Date/Time: 11/01/2024 6:18:13 AM
    
    Process: [9160]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    Process Size: 45.99 KB (47,096 bytes)
    Process MD5 Hash: 8166CCB6A04B855AA918B36079C63B7D
    Parent: [2756]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Parent Process Size: 2.45 MB (2,569,688 bytes)
    Rule: BlockProcessesExecutedFromCSC
    Rule Name: Block processes executed from C Sharp compiler (csc.exe)
    Command Line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\KrisTwo\AppData\Local\Temp\RES8ED3.tmp" "c:\Users\KrisTwo\AppData\Local\Temp\CSC7566CF8DC8334995ADC58F1780F85AEF.TMP"
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Corporation
    User/Domain: KrisTwo/DESKTOP-XXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: False
    
    
    Date/Time: 11/01/2024 6:16:15 AM
    
    Process: [6980]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    Process Size: 45.99 KB (47,096 bytes)
    Process MD5 Hash: 8166CCB6A04B855AA918B36079C63B7D
    Parent: [13980]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Parent Process Size: 2.45 MB (2,569,688 bytes)
    Rule: BlockProcessesExecutedFromCSC
    Rule Name: Block processes executed from C Sharp compiler (csc.exe)
    Command Line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\KrisTwo\AppData\Local\Temp\RESC1C4.tmp" "c:\Users\KrisTwo\AppData\Local\Temp\CSCB1C7CEEEBC36437F80746FEF2C5AAFA0.TMP"
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Corporation
    User/Domain: KrisTwo/DESKTOP-XXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: False
    
    
    Date/Time: 11/01/2024 6:16:13 AM
    
    Process: [5296]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    Process Size: 45.99 KB (47,096 bytes)
    Process MD5 Hash: 8166CCB6A04B855AA918B36079C63B7D
    Parent: [1448]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Parent Process Size: 2.45 MB (2,569,688 bytes)
    Rule: BlockProcessesExecutedFromCSC
    Rule Name: Block processes executed from C Sharp compiler (csc.exe)
    Command Line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\KrisTwo\AppData\Local\Temp\RESBA80.tmp" "c:\Users\KrisTwo\AppData\Local\Temp\CSC8AC1D5EE85204F17A6E57D5E3E678070.TMP"
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Corporation
    User/Domain: KrisTwo/DESKTOP-XXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: False
    
    
    Date/Time: 11/01/2024 6:16:11 AM
    
    Process: [4156]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    Process Size: 45.99 KB (47,096 bytes)
    Process MD5 Hash: 8166CCB6A04B855AA918B36079C63B7D
    Parent: [11032]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Parent Process Size: 2.45 MB (2,569,688 bytes)
    Rule: BlockProcessesExecutedFromCSC
    Rule Name: Block processes executed from C Sharp compiler (csc.exe)
    Command Line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\KrisTwo\AppData\Local\Temp\RESAAA2.tmp" "c:\Users\KrisTwo\AppData\Local\Temp\CSC6D71BC5CE5D84DF981273485B559DACD.TMP"
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Corporation
    User/Domain: KrisTwo/DESKTOP-XXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: False
    
    
    
    I don't know why there was an explosion of these events.

    I was only doing a fresh install of Cyberlock at the time: https://www.wilderssecurity.com/threads/voodooshield-cyberlock.313706/page-763#post-3179719
     
  19. Dragon1952

    Dragon1952 Registered Member

    Date/Time: 1/4/2024 10:31:56 AM
    Process: [8392]C:\Windows\System32\rundll32.exe
    Process Size: 70 KB (71,680 bytes)
    Process MD5 Hash: 100F56A73211E0B2BCD076A55E6393FD
    Parent: [5440]C:\Windows\System32\svchost.exe
    Parent Process Size: 54.16 KB (55,456 bytes)
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.MicrosoftEdge_8wekyb3d8bbwe
    Signer: <NULL>
    Parent Signer: Microsoft Windows Publisher
    User/Domain: xxxxx
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: System
    Passive Logging: False
     
  20. novirusthanks

    novirusthanks Developer

    Here is a pre-release test 1 version of OSArmor PERSONAL v1.9.3:

    Code:
    https://downloads.osarmor.com/osa-personal-1-9-3-setup-test1.exe
    
    Here is what's new so far:

    You can install this test build over-the-top of the currently installed version (reboot is not needed).

    If you find issues or FPs please let me know.
     
  21. Dragon1952

    Dragon1952 Registered Member

    Date/Time: 1/30/2024 4:02:28 PM
    Process: [4744]C:\Windows\SysWOW64\cmd.exe
    Process Size: 231 KB (236,544 bytes)
    Process MD5 Hash: D3348AC2130C7E754754A6E9CB053B09
    Parent: [11048]C:\Windows\SysWOW64\cmd.exe
    Parent Process Size: 231 KB (236,544 bytes)
    Rule: BlockCmdExeExecution
    Rule Name: Block execution of Windows Command Prompt (cmd.exe)
    Command Line: C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Program Files (x86)\Google\GoogleUpdater\122.0.6253.8" "
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  22. novirusthanks

    novirusthanks Developer

    @Dragon1952

    I can't reproduce that alert with Google Chrome (Stable): I tried to download an old version and then open it -> Check for updates -> Do the update -> Chrome updated fine to the latest version (no alerts from OSA).

    Do you use Chrome Stable? And if so, do you have a link from where I can download the specific version you are using?

    Also, can you show a screenshot of OSA Configurator -> Settings -> General tab?

    You can send the screenshot via PM if you prefer.

    Thank you!
     
  23. Dragon1952

    Dragon1952 Registered Member

    Chrome is up to date:
    Version 121.0.6167.140 (Official Build) (64-bit)
    My General tab is default, I think. I have 5 settings checked: settings 1, 2, 3, 6 and 7.
     
  24. novirusthanks

    novirusthanks Developer

    @Dragon1952

    Is the alert showing when Chrome is updating to a new version?

    I tried to download an old version of Chrome and update it to the latest version, no alerts shown:

    chrome-updated.png

    Just trying to understand when the alert is showing so I can reproduce it.

    Also, can you send me via email the OSA .log file that contains the blocked event? Logs are located here:
    C:\Program Files\NoVirusThanks\OSArmorDevSvc\Logs

    Thanks.
     
  25. Dragon1952

    Dragon1952 Registered Member

    Date/Time: 1/31/2024 11:20:28 PM
    Process: [7356]C:\Users\Bxxxx\AppData\Local\inspect64.exe
    Process Size: 3.5 KB (3,584 bytes)
    Process MD5 Hash: 3F44FEEE801583A60D0D279020A00979
    Parent: [7780]C:\Users\Bxxxx\Downloads\InSpectre (1).exe
    Parent Process Size: 125.15 KB (128,152 bytes)
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: C:\Users\Bxxxx\AppData\Local\inspect64.exe
    Signer: <NULL>
    Parent Signer: Gibson Research Corporation
    User/Domain: Bxxx/Bxxx
    System File: False
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False
     