NoVirusThanks OSArmor: An Additional Layer of Defense

I was just about to write this, you need a specialized anti-ransomware tool, to block ransomware that's launched manually. But anyway, seems like a very exciting tool, something that should also be in EXE Radar, but then with some more control.

 

Really doesn't need more control than what is offered.
So far so good!

 

Very cool! so it seems like it's a stand-alone behavior blocker? This is a great little tool Andreas. Thanks The systray icon reminds me of MBAE

~ Removed VirusTotal Results per Policy ~

 

That's what I thought when I first saw this icon.

 

Why does it install to C:\?

 

" It is lightweight, zero-configuration and runs in the background "

How light is light what is everyone seeing?

 

Less than 5mb here

Why does it say blocked chrome.exe?


Can it run with sandboxie installed?

EDIT: I rebooted and the ram increased a tad...



it's blocking parts of chrome

Code:

Date/Time: 12/17/2017 5:03:47 PM
Process: [6576]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent: [6604]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Rule: BlockPowerShellEncodedCommands
Rule Name: Block execution of PowerShell encoded commands
Command Line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Mike\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Mike\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=63.0.3239.108 --initial-client-data=0x98,0x9c,0xa0,0x8c,0xa4,0x7fef10c5720,0x7fef10c5760,0x7fef10c5738
Signer: Google Inc
Parent Signer: Google Inc
 
Date/Time: 12/17/2017 5:27:54 PM
Process: [5048]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent: [4948]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Rule: BlockPowerShellEncodedCommands
Rule Name: Block execution of PowerShell encoded commands
Command Line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Mike\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Mike\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=63.0.3239.108 --initial-client-data=0xa8,0xac,0xb0,0xa4,0xb4,0x7fef4125720,0x7fef4125760,0x7fef4125738
Signer: Google Inc
Parent Signer: Google Inc
 

 

C:\Program Files\NoVirusThanks

rather than
C:\OSArmorDevSvc

 

Any ETA on when that will change?

 

@Overkill

Yes it is, and it uses pre-built rules (so no configuration needed).

For now we install it on C:\OSArmorDevSvc\, we may change it in next builds.

Thanks for reporting the FP about chrome.exe, we'll fix it asap.

Memory usage vary from 5 MB to 10 MB (approximately).

@Buddel

This is the icon in use by OSArmor:
https://www.iconfinder.com/icons/1034363/advantage_protect_protection_security_shield_icon#size=128



@Rasheed187

The primary objective of OSArmor is to be simple and zero configuration, for full control on processes\applications then there is ERP.

@Beyonder

Hope within one week or so, it doesn't depend on us but on how much it takes to receive the EV codesign.

 

I know it is but it did remind me of MBAE when I first saw the icon in your screenshot.

 

Is there any manual scan features or does it totally run quiet in the background? how does it do product updates/version/fixes?

 

I don't suppose you could add enable/disable buttons? Like in my case maybe i'd like to disable it until you fix the chrome FP, sure I know I could just exit the program, but would it completely exit or would it still be partially running?

 

@Overkill

Who said you have to wait for the fix?

I updated OSArmor with these changes:

- Fixed FP with chrome.exe
- Block flag TESTSIGNING on Bcdedit.exe
- Allow PortableApps (.paf.exe) by Rare Ideas, LLC
- Minor improvements

Please just uninstall it from Control Panel and then download and install it again from:
http://www.novirusthanks.org/products/osarmor/

Let me know if the chrome.exe FP is gone for you.

We'll add a enable\disable option soon.

@daman1

OSArmor uses internal rules to analyze processes behaviors and block suspicious processes.

There is no option to scan an executable or a file on disk.

We will think about adding a sort of auto-update feature.

 

So to update you need to uninstall then re-download?

 

For now yes, we'll add auto-update soon

 

Thanks for the quick fix

Yes FP with chrome is fixed!

 

@novirusthanks interesting, will have a look

 

You guys need to be patient. It's a brand new app, not everything is going to be perfect or be fixed immediately...

 

sure but some of us are used to do it with NVT.

btw @novirusthanks seems quite a while since we don't get a new ERP 4 build to beta test. seems you are putting lot of changes for the next one

 

Now I have an Anti-Executable and Behavior Blocker from NVT! along with my other security, I feel very safe.

 

+1

 

@guest

ERP fixes\additions took some more time than expected, but it is on its way, new beta will be uploaded asap

//Everyone

Here are two more videos that demonstrate OSArmor in action:

Block MS Word (DOC) Exploit Payload with OSArmor

* In the above case the DOC exploit payload executed (and blocked) is svchost.exe

Block MS Excel Exploit Payload with OSArmor