NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    Thanks for your interesting post, @plat1098 Much appreciated.
     
  2. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    The exclude/whitelist seems to be the most requested feature...

    I already disabled that rule to run that program.
     
  3. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    When I reboot or start up my PC (Windows XP Pro) the icon is not in/on the taskbar
    have to go to 'start/programs/locate the program and hit the windows for it to show and start??
    any advice?
     
  4. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    This is strange, G. Let me just reboot my machine to see whether I have the same issue. Will be back in a couple of minutes .... Stay tuned ...
     
  5. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    OK, I'm back after a reboot. All icons are loaded in the taskbar. Hm... I'm using Win 10, so maybe it's an XP issue.
     
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I loove OSa!!! It's running superbly on XP. On XP, by the way, installing OSa didn't start the tray icon. I had to do:
    Start>Programs>NoVirusThanks>OsArmor>OSArmorDevUI

    OSa won't let my ScreenSaver run. Will there eventually be capability for users to make exclusions?

    If NVT decides it's to be free, I hope there will also be a paid (annual fee) version. I want NVT to be around for a good while, & freebies won't get that done.
     
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Date/Time: 12/21/2017 1:44:28 PM
    Process: [6028]C:\Users\bjms\AppData\Local\Temp\is-QAAKE.tmp\_isetup\_setup64.tmp
    Parent: [1968]C:\Users\bjms\AppData\Local\Temp\is-J9PIJ.tmp\DrvRadarPro_Setup.tmp
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: helper 105 0x344
    Signer:
    Parent Signer: NoVirusThanks Company Srl
    with all rules checked
     
    Last edited: Dec 21, 2017
  8. guest

    guest Guest

    OS Armor is working as expected (it is blocking unsigned processes in temporary folders)

    While installing applications sometimes unsigned files are being launched in temporary folders. To be sure that OS Armor isn't blocking legitimate processes you have to uncheck the rule "Block execution of unsigned processes on Local AppData" prior to installing applications.
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Yes, working as expected. Thanks
     
    Last edited: Dec 23, 2017
  10. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    Yes still doing this??
     
  11. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    Still doing what? Rebooting? No!:D

    This is worth reading, Mr. G:
     
  12. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    still not loading up in taskbar
     
  13. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Bummers, HayC. Sorry to hear that. Did you check Task Manager -- is OSArmorDevUI.exe running?
    • If it is NOT running, you can goto C:\OSArmorDevSvc & find OSArmorDevUI.exe listed therein. Execute it & at least you have tray icon w/o a reboot.
    • If it IS listed as running, then (maybe) kill it, then goto C:\OSArmorDevSvc & find OSArmorDevUI.exe listed therein. Execute it. If the tray icon still isn't there then .......... I am baffled.
    • Another possibility. Try rt-click start>properties>select task bar tab>customize. Then: is OSa's yellow shield icon shown? If shown, is it set as Hide when inactive, OR always show, OR ...? If the yellow shield icon is NOT shown then ....... o_O??
     
    Last edited: Dec 21, 2017
  14. guest

    guest Guest

    A new release is ready (OS Armor v1.3) :thumb: with a big changelog
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Released a new version v1.3:
    http://www.novirusthanks.org/products/osarmor/

    [22-Dec-2017] v1.3.0.0

    + Block processes with known fake extensions (i.e .pdf.exe)
    + Prevent WMIC from using "process call create" via cmdline
    + Block command-lines that match *\Start Menu\Programs\Startup\*
    + Block command-lines that match shellcode-like patterns
    + Block execution of any process related to UltraVNC (unchecked by default)
    + Block execution of any process related to RealVNC (unchecked by default)
    + Block execution of any process related to Nir Sofer (unchecked by default)
    + Block execution of any process related to LogMeIn (unchecked by default)
    + Block known Bitcoin miners command-lines
    + Prevent wbadmin.exe from deleting backup catalog
    + Block unsigned processes located on root folder (i.e C:\) (unchecked by default)
    + Block SOAP WSDL requests via command-line
    + Block execution of syskey.exe
    + Block execution of cipher.exe
    + Number of pre-defined rules increased to 60
    + Do not delete the settings when the program is uninstalled
    + Improved showing of main window from tray icon
    + Fixed many false positives
    + Improved internal rules

    All reported FPs should be fixed.

    On the next version we will add support for exclusions and disable\enable protection via tray icon.

    @bellgamin

    Thanks for trying OSA :)

    Can you try this new version to see if your screen saver is executed fine now?

    In case it is not, please send me the log files so I can see why it is blocked.

    @bjm_

    I see it has blocked the .tmp setup file of Driver Radar Pro because it is unsigned.
    I'll make sure it is digitally signed in the next version of DRP.

    @hayc59

    I could reproduce the issue of no icon in the tray on Windows XP, will try to see why it happens.

    @Djigi

    Strange that Firefox has not digitally signed its .tmp setup executable, but sometimes happens.

    @rdsu

    That FP with Veeam should be fixed in v1.3.

    Let me know if it is gone if you'll test it.

    @Sampei Nihira

    Opening the Configurator works fine here on XP SP3, but will take a look at it.

    @Overkill

    I've added blocking of *keymaker* but blocking *patch* would generate many FPs.

    Some legit apps use "patch" in the file name.

    @mood

    Great explanation indeed :)
     
    Last edited: Dec 21, 2017
  16. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    Thanks for the new version, Andreas. Good to know that Voodooshield and OSA are compatible with each other (thanks for the brilliant explanation, @mood).

    Edit: Looking forward to support for exclusions and to the option to disable/enable protection.:)
     
  17. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    Hence removed waiting for version that starts when PC loads thank you Andreas.
     
    Last edited: Dec 21, 2017
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you for such a quick release of a new version Andreas! I'm upgrading on Windows 10 x64 Pro now.
     
  19. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA

    Awesome Thanks! Love this app :thumb:
     
  20. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    The screen saver works fine now. Shazam! 10Q to the nth power. I deeply appreciate that you have included us XP die-hards in OSa-compatibles. XP FOREVER!!!
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Sounds like it will be even more amazing once the signed driver version arrives.
     
  22. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    V1.3 working very well here.

    Seems very compatible with other security softwares.

    Great program.... cheers:thumb:

    Regards Eck:)
     
  23. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    228
    Location:
    UK
    V1.3 working surprisingly well on this PC for a new prog.
    The only issue I have is with the LastPass extension in Opera that seems not to log in every time I start Opera because it creates a new and different numbered file (marked in bold) when it starts. Here is the log:

    Process: [2004]C:\Windows\System32\cmd.exe
    Parent: [6516]C:\Program Files\Opera\49.0.2725.64\opera.exe
    Rule: BlockExpPayload
    Rule Name: Basic anti-exploit protection (parent->child process)
    Command Line: C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\LastPass\nplastpass.exe" chrome-extension://hnjalnkldgigidggphhmacmimbdlafdo/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.6985ed9e95e77c1c > \\.\pipe\chrome.nativeMessaging.out.6985ed9e95e77c1c
    Signer:
    Parent Signer: Opera Software AS

    Regards
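
Added example (not part of any post in this thread, and not NoVirusThanks code): a small parser for the block-event format quoted in posts 7 and 23, which reduces each event to the rule, the parent -> child chain, the signers, and the program actually launched when the blocked process is a `cmd.exe /c` wrapper. The function names and the blank-line separation between events are assumptions.

```python
import ntpath
import re

# Constructed sample: the two block events quoted in this thread. Separating
# events with a blank line is an assumption about the log file layout.
SAMPLE_LOG = r"""Date/Time: 12/21/2017 1:44:28 PM
Process: [6028]C:\Users\bjms\AppData\Local\Temp\is-QAAKE.tmp\_isetup\_setup64.tmp
Parent: [1968]C:\Users\bjms\AppData\Local\Temp\is-J9PIJ.tmp\DrvRadarPro_Setup.tmp
Rule: BlockUnsignedProcessesAppDataLocal
Rule Name: Block execution of unsigned processes on Local AppData
Command Line: helper 105 0x344
Signer:
Parent Signer: NoVirusThanks Company Srl

Process: [2004]C:\Windows\System32\cmd.exe
Parent: [6516]C:\Program Files\Opera\49.0.2725.64\opera.exe
Rule: BlockExpPayload
Rule Name: Basic anti-exploit protection (parent->child process)
Command Line: C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\LastPass\nplastpass.exe" chrome-extension://hnjalnkldgigidggphhmacmimbdlafdo/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.6985ed9e95e77c1c > \\.\pipe\chrome.nativeMessaging.out.6985ed9e95e77c1c
Signer:
Parent Signer: Opera Software AS
"""

PID_PATH = re.compile(r"^\[(\d+)\](.+)$")                        # "[pid]path"
CMD_C = re.compile(r'cmd\.exe\s.*?/c\s+"([^"]+)"', re.IGNORECASE)  # cmd.exe ... /c "target"

def parse_events(text):
    """Return one dict per block event; Process/Parent are split into PID and path."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = dict((k.strip(), v.strip()) for k, _, v in
                  (ln.partition(":") for ln in block.splitlines() if ":" in ln))
        for field in ("Process", "Parent"):
            m = PID_PATH.match(ev.get(field, ""))
            if m:
                ev[field + " PID"], ev[field] = int(m.group(1)), m.group(2)
        events.append(ev)
    return events

def triage(ev):
    """Summary for a false-positive report; wrapped_target is what cmd.exe /c was asked to run."""
    m = CMD_C.search(ev.get("Command Line", ""))
    return {
        "rule": ev.get("Rule"),
        "chain": f"{ntpath.basename(ev.get('Parent', ''))} -> {ntpath.basename(ev.get('Process', ''))}",
        "child_signer": ev.get("Signer") or None,        # None when the log field is empty
        "parent_signer": ev.get("Parent Signer") or None,
        "wrapped_target": m.group(1) if m else None,
    }
```

For the event in post 23 the summary names `nplastpass.exe` as the wrapped target, which the `Process:` line alone (`cmd.exe`) does not show.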
     
  24. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    It's fixed! Thanks
     
  25. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,743
    Location:
    Germany
    Hi all

    Here are the answers of it

    Hi Mops,

    1. No I do not need the blocked files, I just need the log file.

    2. We may add support for multilingual soon.

    3. On next versions we will make it install on C:\Program Files\ folder.

    If you have other questions just ask.

    Thank you,

    With best Regards
    Mops21
     