NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Just a quick update, new v1.4 (pre-release) (test11):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test11.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Added buttons to save\load protection options to\from a file
    + Some improvements on internal rules
    + Fixed all reported false positives

    @Rainwalker

    The FP you reported should be fixed on this new test11.

    The next time you find a FP, please also post the content of the log file.

    @rdsu

    Yes, we'll group rules in the next versions.

    @plat1098

    We should add an updater in the next versions.

    @Overkill

    Will check it.
     
  2. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,719
    Location:
    USA
    Great! Thanks N.
     
  3. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Thanks Andreas
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
  5. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,347
    Location:
    Location Unknown
    I think I'll have to wait to use this until there is some sort of auto-rule-creator. I run a lot of scripts for automation, and it's too difficult to exclude them; it seems to be more than just copying the log file into the template.
     
  6. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    When a legitimate program gets blocked there should be an allow button to click to allow that program to run. Also, when you click the allow button it should remember your decision to allow the program so it won't block it next time.
     
  7. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,347
    Location:
    Location Unknown
    Agreed!
     
  8. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Agree HOWEVER --- there should be options to (a) allow once, & (b) allow permanently.
     
  9. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Yeah, good idea bellgamin.:thumb:
     
  10. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    Brilliant idea, bellgamin.:thumb::thumb:
     
  11. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,341
    Location:
    Québec, Canada
    If I remember well, the great and late firewall Online Armor had such a feature...
     
  12. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    +1!
     
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new video of OSArmor in action:
    Block MS Office CVE-2017-11-882 Exploit Payload with OSArmor

    @bellgamin @jimb949

    We will discuss the possibility of automating exclusions (i.e. with a single button), a sort of internal learning mode, and a GUI to create exclusions.
     
    Last edited: Jan 3, 2018
  14. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,347
    Location:
    Location Unknown
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    "Will", post corrected :)
     
  16. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,347
    Location:
    Location Unknown
    Sweet! Fingers crossed. Thx!
     
  17. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I somehow convinced OSArmor & my other security stuff to allow a reboot which still loads the task bar & all related icons. I changed FWs & did a MANUAL job of making sure that the FW & ERP recognized OSArmor. As to which of these actions brought about the fix, I do not know. Also, it may be that NONE of these actions caused the fix, whereas test 11 alone might have done it. Who nose? :rolleyes:
     
  18. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,347
    Location:
    Location Unknown
    Has anyone written any custom block rules for OSA? I'd always appreciate seeing them, if anyone cares to share?
     
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    In my XP, even with test 11, there are still problems with loading.
    I have sent a MP to the developer.
     
  20. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Are you using ERP? If so, I suggest you check the whitelist thoroughly to ensure that ALL OSArmor executables are listed. I had told ERP to whitelist all running processes after I installed OSa. Later, when trying to get xp to load correctly, I went to the whitelist, right clicked, then clicked "Add New." I then instructed ERP to whitelist OSa's entire file folder. To my surprise, this added 2 more OSA executables to the whitelist. After that, xp loaded okay. Did this action fix the problem? I hope so. Was this a permanent fix or did I just get lucky? Time will tell.

    As OSa gets more & more powerful, & with ERP soon to be improved, I am thinking that the only real time security I need consists solely of OSa, ERP, & Private FW (with HIPS disabled). No antivirus! I image weekly & retain 7 weeks of images - FIFO. IMO, imaging is the ultimate capstone of reasonably adequate security. Agree?
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I've been using 1.4 (test 11) on Windows 10 x64 Pro since yesterday. I have not run into any problems.
     
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    I do not use ERP.
     
  23. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    Good luck. Keep us posted. Your set up is XP?

    I still run Private Firewall on an old XP that I need for certain things. Just wondering - why do you turn its HIPS off? You feel that ERP & OSA provide a more than adequate alternative to its HIPS? TIA
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test12):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test12.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved the "anti-exploit" module used to block payloads
    + You can now check\uncheck the apps monitored with "anti-exploit" module
    + Created 3 tabs for grouping of rules
    + Added %PROCESSSIGNER% and %PARENTSIGNER% vars for exclusions and custom-block rules
    + Minor fixes and optimizations

    This pre-release version can be installed over the top of the previous one.

    New video of OSArmor tested against 30 doc\xls\swf\pdf exploits:
    Block Exploit Payloads with OSArmor

    Here are the two new tabs on the Configurator:

    osarmor-configurator.png
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andreas

    Looking good. One thing I noticed was on the Anti-Exploit tab you have Acrobat Reader, but not Acrobat. If it's covered under the reader, that's fine, but otherwise it needs to be added.
    Also, what about Outlook?
    Pete
     