NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We've released a new experimental security tool:

    NoVirusThanks OSArmor

    [Screenshot: novirusthanks-osarmor.png]

    Monitor and block suspicious process behaviors to prevent infections by malware, ransomware, and other threats. This security application analyzes parent processes and prevents, for example, MS Word from running cmd.exe or powershell.exe; it prevents ransomware from deleting shadow copies of files via vssadmin.exe, it blocks processes with double file extensions (i.e. invoice.pdf.exe), it blocks USB-spreading malware, and much more. It monitors commonly exploited processes (such as MS Office, Java, web browsers, Adobe PDF, Flash, etc.) and blocks suspicious child processes, blocking the exploit payloads and thus preventing the malware infection.

    This program is compatible with other security software and adds an additional layer of defense to prevent malware and ransomware infections. So far, we have added more than 30 smart policies to block malicious process behaviors and improve your system security. You don't have to configure anything: just install it and forget about it. If needed, you can enable or disable the policies via the "Configurator" application, which needs Admin privileges.

    For Windows XP, Vista, 7, 8, 10 (32\64-bit)

    *** Doesn't support Secure Boot for now ***

    Download & more info here:
    http://www.novirusthanks.org/products/osarmor/

    To test the real-time protections, just try to run a process named invoice.pdf.exe

    Watch the video of OSArmor in action:
    Block MSWord and SWF (Flash) Exploit Payload with OSArmor
    Block MS Word (DOC) Exploit Payload with OSArmor
    Block MS Excel Exploit Payload with OSArmor


    Feedback is welcome :)
     
    Last edited: Dec 18, 2017
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Will play a bit later. Sounds intriguing
     
  3. plat1098

    plat1098 Guest

    Hi, exe can be whitelisted (Jotti 4) but I don't wish to disable SecureBoot. :) Many thanks, looking forward to trying this successfully.

    [Screenshot: driver sign.PNG]
     
  4. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    [Screenshot: 2066.png]
    are unchecked by default, correct? All other boxes are checked.
     
  5. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @plat1098

    We've ordered an EV codesign to make it work with Secure Boot; as soon as we receive it we'll update the kernel-mode driver.

    I've updated the main thread with this information.

    @bjm_

    We have left those options unchecked by default because they may generate some false positives.

    There are still many legit (but unsigned) processes that start from \AppData\Local\Temp\* folder.
     
    Last edited: Dec 17, 2017
  6. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Looks useful, thanks NVT.

    And thanks for supporting XP as well, since I like the same security installed on XP and Win7.
     
  7. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    It won't open the config tool for me.
    No icon in the taskbar.
    But it seems to block most things, like a shortcut on the desktop created from an .ini file in the Windows folder.
    Windows 7 SP1 32-bit, SpyShelter Firewall.

    And thanks for the tool too :)

    Edit: it blocks silently for me, no popup window.
    Edit 2: apparently it blocks everything for me, no popup.
     
    Last edited: Dec 17, 2017
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @co22

    That's strange, I will try on a VM with the same setup as yours (W7 32-bit + SpyShelter FW) to see if I can reproduce it.

    If it blocked some legit processes, please do this:

    - Browse to C:\OSArmorDevSvc\Logs\
    - Paste here the content of the log file so I can see what is blocked

    Thanks :)
     
  9. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Hello,
    I checked, there is nothing in there (except one txt file which is not a log file).
    I also have Pumpernickel, MemProtect and Bouncer, but all disabled.
    I did a hard reset to go into safe mode and uninstall.
     
  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Um, is a relationship with OSA okay while I'm married to ERP 3.1 (Vulnerable Processes overlap?)
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Last edited: Dec 17, 2017
  12. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Hello,
    Found the problem: deleting the MemProtect driver solved it.
    I had already disabled the driver; however, Process Hacker showed the driver running, but when I tried to stop it Process Hacker said it was already stopped.
    So after the uninstall it worked fine.

    Thanks, best regards
     
  13. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    439
    This is just great, I have no words. And it supports XP. Big thank you, NoVirusThanks.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Initial results.

    1. Had to completely uninstall HMPA. Did think to look if its malware detection had an exception.
    2. EAM flagged it as a virus.
    3. Tested it against 3 pieces of ransomware. Stopped after it failed on all 3.
     
  15. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Thanks NVT...great tool and I think it can be considered a behavioral blocker...the first in years?
     
  16. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    Thanks for your test, Peter. Much appreciated. Well, this tool is still experimental, isn't it? Anyway, I'll keep a closer look at this thread from time to time. Interesting tool anyway.
     
  17. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    439
    What kind of ransomware? Simple exe files or exploits like in the description?
     
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Peter2150

    Ransomware is spread via email as an attachment (.doc file, .pdf file, etc.) or delivered via exploit kit payloads. This program does not block the ransomware when it is executed manually by double clicking the .exe file; it prevents a ransomware infection by blocking the payload of the exploit used to deliver the ransomware. See this video to get an idea:
    Block MSWord and SWF (Flash) Exploit Payload with OSArmor

    In the video, OSArmor blocks the payload of the .DOC (MSWord) and .SWF (Flash) exploits, which in this case is cmd.exe, used to download the ransomware and execute it. By blocking the execution of cmd.exe (the payload), the PC is safe and the ransomware is not downloaded or executed.

    It works by preventing a malware or ransomware infection in real-world scenarios.

    You should test it with real-world scenarios:
    - Opening a malicious .DOC\.PDF\.XLS\etc. file used to exploit MSWord\MSExcel\PDF Reader\etc. to drop\download and execute a payload (malware\ransomware\etc.) in the system
    - Visiting a malicious website that exploits a vulnerability (Java\Flash Player\PDF\etc.) to download and execute a payload in the system
    - And so on. Simply clicking on a .exe file or a .vbs file would not trigger any alert.

    OSArmor can also block fileless malware that executes JS or VBS code, i.e. Poweliks:
    Poweliks click-fraud malware goes fileless in attempt to prevent removal

    @ichito

    Yes it can be considered like a behavioral blocker with pre-built rules (install and forget).
     
    Last edited: Dec 17, 2017
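The parent/child process policies described in the first post and in novirusthanks's reply above, written out as a small policy engine run over a handful of process-creation events. This is an added example, not OSArmor's code or log format; the event structure, the policy names, the lists of exploitable parents and script hosts, and every sample path and command line are assumptions constructed for the demonstration. It also shows why the Temp-folder policy is left off by default: with the default policy set the unsigned installer helper is allowed, and it is only blocked once that checkbox is turned on.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, List

# Parent processes commonly abused as exploit targets (the thread names MS Office,
# Java, web browsers, Adobe PDF, Flash).  The image names are illustrative assumptions.
EXPLOITABLE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "acrord32.exe", "java.exe", "javaw.exe",
    "chrome.exe", "firefox.exe", "iexplore.exe",
}
# Child processes an exploit payload typically needs in order to stage the real malware.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event (constructed format, not OSArmor's)."""
    image: str          # full path of the process being created
    parent_image: str   # full path of the creating (parent) process
    command_line: str
    signed: bool        # whether the image carries a valid Authenticode signature


@dataclass(frozen=True)
class Policy:
    name: str
    enabled: bool
    check: Callable[[ProcessEvent], bool]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def exploitable_parent_spawns_script_host(ev: ProcessEvent) -> bool:
    """MS Word (etc.) starting cmd.exe / powershell.exe: the exploit-payload pattern."""
    return _base(ev.parent_image) in EXPLOITABLE_PARENTS and _base(ev.image) in SCRIPT_HOSTS


def vssadmin_deletes_shadows(ev: ProcessEvent) -> bool:
    """Ransomware removing Volume Shadow Copies before it encrypts."""
    args = ev.command_line.lower()
    return _base(ev.image) == "vssadmin.exe" and "delete" in args and "shadows" in args


def double_file_extension(ev: ProcessEvent) -> bool:
    """invoice.pdf.exe: a document-looking name that is really an executable."""
    stem, outer = ntpath.splitext(_base(ev.image))
    _, inner = ntpath.splitext(stem)
    return outer in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS


def unsigned_from_local_temp(ev: ProcessEvent) -> bool:
    """Unsigned executable started from \\AppData\\Local\\Temp\\ (FP-prone, off by default)."""
    return not ev.signed and re.search(r"\\appdata\\local\\temp\\", ev.image.lower()) is not None


DEFAULT_POLICIES: List[Policy] = [
    Policy("office-spawns-script-host", True, exploitable_parent_spawns_script_host),
    Policy("vssadmin-shadow-delete", True, vssadmin_deletes_shadows),
    Policy("double-file-extension", True, double_file_extension),
    Policy("unsigned-from-temp", False, unsigned_from_local_temp),  # unchecked by default
]


def evaluate(ev: ProcessEvent, policies=DEFAULT_POLICIES) -> List[str]:
    """Names of every enabled policy the event violates; an empty list means allow."""
    return [p.name for p in policies if p.enabled and p.check(ev)]


def with_all_enabled(policies=DEFAULT_POLICIES) -> List[Policy]:
    """Simulate ticking every checkbox in the Configurator."""
    return [Policy(p.name, True, p.check) for p in policies]


# Constructed sample events; paths and command lines are made up for the demo.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "cmd.exe /c echo staged-by-macro", True),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", r"C:\Users\alice\Desktop\update.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet", True),
    ProcessEvent(r"C:\Users\alice\Downloads\invoice.pdf.exe", r"C:\Windows\explorer.exe",
                 "invoice.pdf.exe", False),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\setup_helper.exe", r"C:\Windows\explorer.exe",
                 "setup_helper.exe", False),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
                 "notepad.exe notes.txt", True),
]


def run(events=SAMPLE_EVENTS, policies=DEFAULT_POLICIES) -> dict:
    """Map each event's image name to the verdict a blocker would log for it."""
    verdicts = {}
    for ev in events:
        hits = evaluate(ev, policies)
        verdicts[_base(ev.image)] = ("BLOCK", hits) if hits else ("ALLOW", [])
    return verdicts


if __name__ == "__main__":
    for image, (action, hits) in run().items():
        print(f"{action:5} {image:22} {', '.join(hits)}")
```

Each policy is a plain predicate over one event, so a false positive is fixed by flipping one `enabled` flag rather than editing detection logic, which is the same trade-off the thread discusses for the Temp-folder rule.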
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andreas

    Gotcha. Anything you can do to stop the alerts by not only HMPA, but EAM?
     
  20. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Already contacted Emsisoft about the FP detection (thanks for reporting it).

    About HMPA I don't know, I will install it and will see what alerts it generates.
    It will probably require adding the OSArmor *.exe files to a sort of whitelist or similar.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It alerts in their new antimalware module. I blocked it just trying to get it installed.
     
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    HitmanPro detection
    Code:
    HitmanPro 3.7.20.286
    www.hitmanpro.com
    
       Computer name . . . . : BJM-PCW10
       Windows . . . . . . . : 10.0.0.14393.X64/4
       User name . . . . . . : BJM-PCW10\bjms
       UAC . . . . . . . . . : Enabled
       License . . . . . . . : Paid (442 days left)
    
       Scan date . . . . . . : 2017-12-17 16:18:46
       Scan mode . . . . . . : Context
       Scan duration . . . . : 2s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 1
    
       Objects scanned . . . : 10
       Files scanned . . . . : 10
       Remnants scanned  . . : 0 files / 0 keys
    
    Malware _____________________________________________________________________
    
       C:\OSArmorDevSvc\OSArmorDevSvc.exe
          Size . . . . . . . : 2,579,728 bytes
          Age  . . . . . . . : 0.2 days (2017-12-17 11:05:20)
          Entropy  . . . . . : 5.9
          SHA-256  . . . . . : 39C261D6D7AE8C3283879673DF989F5FDF35150985523795E2EF695AC32D4909
          Product  . . . . . : NoVirusThanks OSArmor Service
          Publisher  . . . . : NoVirusThanks Company Srl
          Description  . . . : NoVirusThanks OSArmor Service
          Version  . . . . . : 1.0.0.0
          Copyright  . . . . : NoVirusThanks Company Srl
          RSA Key Size . . . : 2048
          LanguageID . . . . : 1033
          Authenticode . . . : Valid
        > Bitdefender  . . . : Gen:Trojan.Heur.LShot.1
    
    
    
    
     
    Last edited: Dec 17, 2017
  23. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    Maybe you should get in touch with Bitdefender:
    Bitdefender . . . : Gen:Trojan.Heur.LShot.1
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Thanks @Peter2150 and @bjm_

    It is detected because of a BitDefender false positive.

    Have already contacted BitDefender, hope they'll fix the FP asap.
     
  25. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Only alert was with EAM when installing, took it out of quarantine and everything is quiet now. :thumb:
    Set and forget.
     