NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,907
    Location:
    Slovenia, EU
    Doesn't ERP block process execution and OSA specific actions of processes already allowed to run?
     
  2. guest

    guest Guest

    ERP will not be redundant, it will alert you on all unknown process executions. And the user can do a lot with it (configuration, etc.) and has more power (if properly configured)
    OS Armor is designed to be as simple as possible for the user (right after installation of OS Armor the user is protected) and is trained to "detect suspicious processes/actions" (and OS Armor might block processes which ERP might have allowed - for example processes in the whitelist of ERP [but especially this can be mitigated in the new beta of ERP and the new rule editor]) and is blocking without prompt.

    OS Armor can be installed in addition. Now the user has for example parent-child process protection without the need to write complex rules.
     
  3. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    2,010
    Thanks for the explanation, @mood. Looking forward to ERP 4. :)
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Andreas, ignore this post. The problem has been resolved. I did not realize you added support to disable protection from the tray icon.

    I've run into a big problem with OsArmor version 1.4 on Windows 10 x64 version 1709. Closing the OsArmor tray icon/GUI does not disable OsArmor protection like someone suggested in this thread (they did inform me they were not sure that would work). I tried uninstalling PostgreSQL 10 twice, and it would not uninstall. I checked the OsArmor log file to find out that OsArmor is blocking the uninstall. I'm not sure I will be able to uninstall PostgreSQL at all now due to this. I may have to roll my computer back if the installation has become corrupted. I won't know until I can disable OsArmor protection to try uninstalling PostgreSQL again.

    Below are the blocks that occurred from OsArmor when trying to uninstall PostgreSQL 10. Can I use net stop and the OsArmor driver name to disable OsArmor protection? What is the driver name for OsArmor? Do I have to disable the service also? I highly recommend giving an option to disable OsArmor from the tray icon for installing and uninstalling software. I could untick the mitigation that is blocking the uninstall, but another mitigation from OsArmor may also block the uninstall, and I will be stuck with the same problem. I may run into the same problem when installing or uninstalling other software, and I will have no way of knowing if OsArmor is going to sabotage the install or uninstall, so manually unticking certain mitigations is not a good solution.

    Date/Time: 12/27/2017 9:47:49 AM
    Process: [6244]C:\Users\achilles\AppData\Local\Temp\_uninstall\_uninstall6340
    Parent: [6340]C:\Program Files\PostgreSQL\10\uninstall-postgresql.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: C:\Users\achilles\AppData\Local\Temp\_uninstall\_uninstall6340
    Signer:
    Parent Signer:
    Date/Time: 12/27/2017 9:48:54 AM
    Process: [2800]C:\Users\achilles\AppData\Local\Temp\_uninstall\_uninstall11104
    Parent: [11104]C:\Program Files\PostgreSQL\10\uninstall-postgresql.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: C:\Users\achilles\AppData\Local\Temp\_uninstall\_uninstall11104
    Signer:
    Parent Signer:

    edited: 12/27 @ 10:12 am
     
    Last edited: Dec 27, 2017
  5. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    446
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Good Lord, I didn't realize he added support to disable protection from the tray icon. I could have sworn I checked for that after installing 1.4. I guess I somehow overlooked it. My long post above will now only confuse Andreas since I was asking for the very option he added in 1.4. Thanks for pointing that out!
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I think I just experienced a false positive. I just tried using HashMyFiles from Nirsoft, and it was blocked by OsArmor 1.4. It says the mitigation that blocked it was "Block execution of any process related to Nir Sofer". HashMyFiles is from Nirsoft, not Nir Sofer. I'm not familiar with Nir Sofer. I run HashMyFiles (it's a portable app) from a shortcut I created on the desktop, but I installed it in Program Files (x86). I'm using Windows 10 x64 version 1709. You can download the application from here http://www.nirsoft.net/utils/hash_my_files.html

    Date/Time: 12/27/2017 12:08:11 PM
    Process: [6028]C:\Program Files (x86)\Hash My Files\HashMyFiles.exe
    Parent: [6012]C:\Windows\explorer.exe
    Rule: BlockProcessesReatedToNirSofer
    Rule Name: Block execution of any process related to Nir Sofer
    Command Line: "C:\Program Files (x86)\Hash My Files\HashMyFiles.exe"
    Signer: Nir Sofer
    Parent Signer: Microsoft Windows
     
  8. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    2,010
    Nir Sofer is the person behind Nirsoft:

    My name is Nir Sofer, and I'm an experienced developer with extensive knowledge in C++, .NET Framework, Windows API, and Reverse Engineering of undocumented binary formats and encryption algorithms.
    NirSoft is a Web site of one man. [...]

    http://www.nirsoft.net/about_nirsoft_freeware.html

    OSA Block rule: + Block execution of any process related to Nir Sofer (unchecked by default)

    Edit: I also use some of his apps, which is the reason why I leave the Nir Sofer block unchecked.
     
  9. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    27,172
    Location:
    UK
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Ok, thanks guys. I did not know that. I think it may be better to change the language of the mitigation feature to Nirsoft.
     
  11. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Hmm, magnet links don't launch anymore.
    Windows XP comes up with a permissions error.

    Working my way through the configuration, switching options on and off, but got about half way down without success.
    Can more knowledgeable users suggest which options to try?

    BTW no blocked process shown in home screen.
     
  12. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    2,010
    @trott3r Does it work if you temporarily disable OSA protection?
     
  13. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    No, it doesn't work with OSA disabled, but it does work when OSA has been exited, although the service is still running.

    At least it did for the first try after coming back after an hour.
    Now I get the same error as before.

    Maybe there is a conflict with OPFW or zemana antilogger since it is erratic?
     
  14. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    2,010
    I also think there is a conflict somewhere. Maybe you can find the "culprit" by disabling one app after another.
     
  15. guest

    guest Guest

    Have a look at the digital signature of these utilities - Digital Signature: "Nir Sofer"
    I assume OS Armor is checking digital signatures and if it detects "Nir Sofer" the process is blocked (#257 - Rule Name: Block execution of any process related to Nir Sofer - Signer: Nir Sofer)
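    The two blocks quoted in this thread (the unsigned PostgreSQL uninstaller helper under Local AppData in post 4, and HashMyFiles signed by "Nir Sofer" in post 7) and the signer-check explanation above can be worked through with a small parser. The following is an added example, not OSArmor's own code: it parses the log format quoted in the thread and re-evaluates two rules reconstructed from nothing more than the rule names and the Signer/Process fields shown in the log. The sample log is constructed from the records quoted in the posts, and the rule logic is an assumption about how such rules behave, not a description of OSArmor's internals.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three OSArmor block records quoted in this thread,
# concatenated exactly as they appear (records are not separated by blank lines).
SAMPLE_LOG = r"""
Date/Time: 12/27/2017 9:47:49 AM
Process: [6244]C:\Users\achilles\AppData\Local\Temp\_uninstall\_uninstall6340
Parent: [6340]C:\Program Files\PostgreSQL\10\uninstall-postgresql.exe
Rule: BlockUnsignedProcessesAppDataLocal
Rule Name: Block execution of unsigned processes on Local AppData
Command Line: C:\Users\achilles\AppData\Local\Temp\_uninstall\_uninstall6340
Signer:
Parent Signer:
Date/Time: 12/27/2017 9:48:54 AM
Process: [2800]C:\Users\achilles\AppData\Local\Temp\_uninstall\_uninstall11104
Parent: [11104]C:\Program Files\PostgreSQL\10\uninstall-postgresql.exe
Rule: BlockUnsignedProcessesAppDataLocal
Rule Name: Block execution of unsigned processes on Local AppData
Command Line: C:\Users\achilles\AppData\Local\Temp\_uninstall\_uninstall11104
Signer:
Parent Signer:
Date/Time: 12/27/2017 12:08:11 PM
Process: [6028]C:\Program Files (x86)\Hash My Files\HashMyFiles.exe
Parent: [6012]C:\Windows\explorer.exe
Rule: BlockProcessesReatedToNirSofer
Rule Name: Block execution of any process related to Nir Sofer
Command Line: "C:\Program Files (x86)\Hash My Files\HashMyFiles.exe"
Signer: Nir Sofer
Parent Signer: Microsoft Windows
""".strip()

# "[pid]path" as used in the Process and Parent fields.
PROC_RE = re.compile(r"^\[(\d+)\](.*)$")


@dataclass
class BlockEvent:
    when: str
    pid: int
    path: str
    parent_pid: int
    parent_path: str
    rule: str
    rule_name: str
    command_line: str
    signer: str          # empty string means the binary carried no signature
    parent_signer: str


def _split_proc(value):
    """Split '[6244]C:\\...' into (6244, 'C:\\...')."""
    m = PROC_RE.match(value.strip())
    if not m:
        raise ValueError(f"unexpected process field: {value!r}")
    return int(m.group(1)), m.group(2)


def _records(text):
    """Group 'Key: Value' lines into dicts; a 'Date/Time' line starts a new record."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")   # first colon only: paths contain 'C:'
        key, value = key.strip(), value.strip()
        if key == "Date/Time" or current is None:
            current = {}
            records.append(current)
        current[key] = value
    return records


def parse_osarmor_log(text):
    """Parse the block-log text quoted in the thread into BlockEvent objects."""
    events = []
    for r in _records(text):
        pid, path = _split_proc(r.get("Process", ""))
        ppid, ppath = _split_proc(r.get("Parent", ""))
        events.append(BlockEvent(
            when=r.get("Date/Time", ""), pid=pid, path=path,
            parent_pid=ppid, parent_path=ppath,
            rule=r.get("Rule", ""), rule_name=r.get("Rule Name", ""),
            command_line=r.get("Command Line", ""),
            signer=r.get("Signer", ""), parent_signer=r.get("Parent Signer", ""),
        ))
    return events


# Reconstructed rule logic (assumption based only on the rule names in the log).
def rule_unsigned_local_appdata(ev):
    """'Block execution of unsigned processes on Local AppData': no signer and
    the image lives under %LOCALAPPDATA%, which is what bit the PostgreSQL uninstaller."""
    return ev.signer == "" and "\\appdata\\local\\" in ev.path.lower()


def rule_nir_sofer_signer(ev):
    """'Block execution of any process related to Nir Sofer': matches the Authenticode
    signer name, which is why every Nirsoft tool, including HashMyFiles, trips it."""
    return ev.signer.lower() == "nir sofer"


RULES = {
    "BlockUnsignedProcessesAppDataLocal": rule_unsigned_local_appdata,
    "BlockProcessesReatedToNirSofer": rule_nir_sofer_signer,  # rule id spelled as in the log
}


def evaluate(ev):
    """Ids of the reconstructed rules that would block this event."""
    return [rid for rid, fn in RULES.items() if fn(ev)]


def triage(text):
    """Per event: logged rule, reconstructed verdict, and whether the two agree,
    so a defender can tell a policy hit (unsigned temp binary) from a signed,
    known-publisher tool that is only blocked because of an opt-in signer rule."""
    return [{
        "time": ev.when,
        "path": ev.path,
        "signer": ev.signer or "<unsigned>",
        "logged_rule": ev.rule,
        "matched": evaluate(ev),
        "consistent": ev.rule in evaluate(ev),
    } for ev in parse_osarmor_log(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

    Running it on the sample shows the two PostgreSQL helper binaries are blocked purely because they are unsigned and run from Local AppData (a generic hardening rule, so temporarily disabling protection from the tray icon is the right fix during an install or uninstall), while HashMyFiles is blocked solely on its signer string, which is why that rule ships unchecked by default.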
     
  16. guest

    guest Guest

    Nirsoft tools are well-known, useful tools; however, they can be used maliciously, like all tools.
     
  17. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    520
    Location:
    Bulgaria
    I agree. This is why the checkbox is unchecked by default I guess. :)
     
  18. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,849
    Location:
    Germany
    Hi all

    I have a new question for you

    1. When will you add an update function to it?

    2. Can I install a new version over the last one?

    With best Regards
    Mops21

    And here are the answers to it:

    1. Soon, I can't say exactly the date yet.

    2. Yes, before installing the new version you should uninstall the old version installed.

    Regards,
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @Krusty

    We've received today the EV certificate to support Secure Boot, we will update the driver asap.

    @anon

    We'll try to resubmit the FP to Avira, hope they'll fix it.

    Thanks for reporting it.

    @Cutting_Edgetech

    We'll rename the rule to "Block execution of any process related to Nir Sofer (Nirsoft)".

    As @guest said, some programs of Nirsoft are misused by malware to steal passwords, so I added that rule.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Good News. Thanks Andreas. :thumb:
     
  21. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
    Watching the detectives....;) The Wilders' ones. :argh:
     
  22. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    520
    Location:
    Bulgaria
    You may want to add a similar rule for the (securityxploded) tools as well. :)
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    :thumb: Great!
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Ok, thank you. I use several Nirsoft products. I discovered one recently that really helps with troubleshooting when you have some unknown executables that run at random times, and your anti-exec is blocking them but only shows a process ID. That's a big problem for AppGuard users, but I have not run into that with ERP. They have a utility called TaskSchedulerView that will list all scheduled tasks, and even tasks that are not showing up in the Task Scheduler. You can order them by time and date of last execution. This usually allows you to find what has been executing almost immediately. I wish I had found this utility a lot sooner.
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,660
    Location:
    Under a bushel ...
    Great news. Makes it a candidate for my new laptop.
    No big deal, but I thought over the top installs were OK?
     