NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Same problems blocking the system32 folder: it's harder and not everybody has the same files, but I've just shown it can be done! I think patching the UAC exploits is the right security solution here?
     
  2. Verdict: OSArmor does not need updating to block the 'Windows' or 'System32' folder; instead, fixing all the UAC exploits should be done!

    Code:
    //Block a specific file
    ; [%FILEPATH%: *:\WINDOWS\AntiTest*]
    [%PROCESSCMDLINE%: *nc.exe*]
    
    //Prevent commonly exploited processes from executing processes
    [%PARENTPROCESS%: *\javaw.exe]
    
    //Block execution of 16-bit processes
    [%FILEPATH%: *:\WINDOWS\System32\NTVDM*]
    
    //Block command-line strings used by Cryptolocker family
    [%PROCESSCMDLINE%: *rundll32*Shell32.dll*Control_RunDLL*\*.exe*]
    [%PROCESSCMDLINE%: *rundll32*javascript:*]
    [%PROCESSCMDLINE%: *rundll32*;*eval*(*]
    [%PROCESSCMDLINE%: *vssadmin*Delete*Shadows*/All*/Quiet*]
    [%PROCESSCMDLINE%: *bcdedit*/set*recoveryenabled* No*]
    [%PROCESSCMDLINE%: *bcdedit*/set*bootstatuspolicy*ignoreallfailures*]
    [%PROCESSCMDLINE%: *bcdedit*-set*loadoptions*DDISABLE_INTEGRITY_CHECKS*]
    [%PROCESSCMDLINE%: *bcdedit*/deletevalue*safeboot*/set*safebootalternateshell*false*]
    
    //Block commonly exploited processes to execute processes signed by the same vendor
    ; [%FILESIGNER%: Mozilla Corporation] [%PARENTPROCESS%: *\firefox.exe]
    ; [%FILESIGNER%: Adobe Systems] [%PARENTPROCESS%: *\AcroRd32.exe]
    ; [%FILESIGNER%: Google Inc] [%PARENTPROCESS%: *\chrome.exe]
    
    I can also block nearly every UAC exploit, which is also missing from OSArmor, very cool! But I must say to novirusthanks, what a really good attempt at blocking malware.
     
    Last edited by a moderator: Jan 18, 2018
  3. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    NVT- You may want to check on the OSA preclusions for apps needing msiexec.exe to install (like MS Network Monitor).
     
  5. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test26):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test26.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + On Configurator -> Advanced -> Block unknown processes on Windows folder (unchecked)
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install test 26.

    @BlackBox Hacker

    Try to enable "Block unknown processes on Windows folder" on "Advanced" tab:

    osarmor1.png

    Then reset/empty your exclusions related to C:\WINDOWS\*.

    It should not generate false positives and should also work fine with Windows Updates.

    @AeroFit

    Related to the 30000 ms timeout on OSArmorDevSvc?

    "Timeout (30000 ms) waiting for service connection NoVirusThanks OSArmorDevSvc."
    "After logon In Services.msc OSArmorDevSvc service is not running"

    Are you still having the issue "Configurator doesn't start if opened via GUI or tray-icon"?
    It doesn't work if you right-click the tray icon -> Open Configurator?
    In that case I'll need to investigate it deeper.

    @cruelsister

    Tried with MS Network Monitor and it should be fixed now (test 26), thanks.

    @askmark

    Ok, please let me know if the issue with OSArmorDevCfg comes back again.
     
  6. I also did Windows folder and system32 folder blocking last night. Is it also possible to do the same with the system32 folder, and what rule did you use for this Windows folder blocking and exclusions? I've also noticed you have used my default rules, very cool! And it definitely shows that you know your exploit hacking.
     
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @BlackBox Hacker

    That rule uses more than 50 checks to allow known and safe processes from Windows and its subfolders (can't be created with Custom Block-Rules).

    It also blocks processes in subfolders of C:\WINDOWS\*, for example C:\WINDOWS\System32\* or C:\WINDOWS\SysWOW64\* etc.

    I've tested it with Windows Updates now (Windows 10) and it worked without issues.
     
  8. WOW, so that is really fantastic: even if UAC gets bypassed it's still blocked, thanks mate! Just confirming your security fixes. This means you don't have to know all the missing UAC exploits.

    Log:
    Code:
    Date/Time: 18/01/2018 16:11:41
    Process: [684]C:\Windows\AntiTest.exe
    Parent: [1908]C:\Windows\explorer.exe
    Rule: BlockUnknownProcessesOnWindowsFolder
    Rule Name: Block unknown processes on Windows folder
    Command Line: "C:\Windows\AntiTest.exe"
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 16:12:00
    Process: [5200]C:\Windows\System32\AntiTest.exe
    Parent: [1908]C:\Windows\explorer.exe
    Rule: BlockUnknownProcessesOnWindowsFolder
    Rule Name: Block unknown processes on Windows folder
    Command Line: "C:\Windows\System32\AntiTest.exe"
    Signer:
    Parent Signer:
    
    I also liked the rule for the 'public' folder blocking!
     
  9. This means 64 bit Operating System as well?
     
  10. No software bugs with the 'system32' folder and 'windows' folder rules, and all the other bugs fixed in whitelisting.

    Fixed Logoff
    Fixed Sound

    etc.
     
  11. Well, it seems novirusthanks have done it. I have also bypassed AppGuard on request, but that same exploit has been patched on OSArmor! It would be great if this software was released as freeware instead of paid; I also do the same with my software. But this is worth paying for and stuff, though I hate paying for security software etc. lol. :shifty: I'm not going back to Privatefirewall 7.0 or any other software now.

    AppGuard Bypass Video: https://www.youtube.com/watch?v=-2QyCORzG60&t=10s
    EXE Radar Pro Bypass Video: https://www.youtube.com/watch?v=djcNfENdoME
     
    Last edited by a moderator: Jan 18, 2018
  12. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,879
    NVT has made software much safer than AppLocker.

    Even experts wouldn't try to configure it... too many things can go wrong.

    OSArmor is a lot safer and it works in all editions of Windows 10 and AppLocker is found only in Enterprise, Education and Server.
     
  13. Yep, I might have made it that way? After using basic block rules last night to try and block both the 'Windows' and 'system32' folders successfully, with bugs! I could have really damaged my computer. Great job NVT in implementing security policies, and I can also confirm the software working 100% on my Windows 7 operating system!
     
    Last edited by a moderator: Jan 18, 2018
  14. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,879
    Changes to OSA are easily reversible. With AL, you can find yourself locked out of Windows if you don't know what processes to deny or allow.
     
  15. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    Sanity Check - Configurator Advanced Tab

    Installed Test 26 and looking around. I would have sworn that I had some settings checked in this Tab. Moreover, I thought that Reset to Defaults had some checked by default. After reviewing, I see nothing checked. Hmmmm. So I clicked Reset and nothing is checked. Unfortunately, it has been several revisions since I saved my settings - silly me. :)

    Am I mis-remembering? Or is it just a manifestation of my brain-age? :)
     
  16. I've done this with security software before, using command lines or a script, I can't remember which, and had to hack or bypass my way back into my own computer system; this was very funny!

    Yep, it was AppLocker PowerShell command lines; blog post here! https://blackboxhcker.blogspot.co.uk/2016/10/windows-applocker-remote-powershell.html
     
  17. I like this post lol.
     
  18. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    More Brain Fog.

    When Save to File/Load from File, saved location is not remembered? Is there a Setting for this location that I am mis-remembering?

    [I gave up trying to resurrect brain synapses and ran Everything to locate my .rules file]
     
  19. Novirusthanks, very and truly sorry about the EXE Radar Pro Bypass Video, but your OSArmor Build 26 is a much better piece of software than any I've ever seen! I can now do a video on blocking methods.
     
  20. I've just been watching the new novirusthanks projects video here: https://www.youtube.com/watch?v=e2ATIFcMAas
     
  21. This is no problem for OSArmor, but I'm just keeping users informed in case you want to block UAC exploits and still use Windows Firewall. :cautious:

    Use this exclude policy:
    Code:
    // Windows Firewall GUI
    [%PROCESS%: C:\Windows\System32\mmc.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\System32\mmc.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\wf.msc"] [%PARENTPROCESS%: C:\Windows\System32\dllhost.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    
    My security pentest video for OSArmor Build 26 is on its way! :thumb:
     
    Last edited by a moderator: Jan 18, 2018
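    An added example, not OSArmor's own code (its real engine and rule semantics may differ): a small evaluator for the bracketed rule syntax used in the block rules of post 2 and the Windows Firewall exclusion of post 21, run against constructed process events modelled on the log entries quoted earlier in the thread. The '//' comment, leading ';' disable, AND-of-conditions, case-insensitive wildcard and exclusion-before-block semantics, the stand-in Windows-folder rule and the event field names are all assumptions.

```python
import fnmatch
import re

COND_RE = re.compile(r"\[%(\w+)%:\s*([^\]]*)\]")

def parse_rules(text):
    """One rule per line: every [%FIELD%: pattern] on the line must match.
    Assumption: '//' lines are comments and a leading ';' disables a rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("//", ";")):
            continue
        conds = COND_RE.findall(line)
        if conds:
            rules.append({field: pat.strip() for field, pat in conds})
    return rules

def rule_matches(rule, ev):
    """Case-insensitive '*' wildcard match of every condition (logical AND)."""
    return all(fnmatch.fnmatchcase(ev.get(f, "").lower(), p.lower())
               for f, p in rule.items())

BLOCK_RULES = parse_rules(r"""
//Constructed stand-in for the built-in "Block unknown processes on Windows folder"
[%FILEPATH%: *:\WINDOWS\*]
//Block command-line strings used by Cryptolocker family (rule quoted in the thread)
[%PROCESSCMDLINE%: *vssadmin*Delete*Shadows*/All*/Quiet*]
; [%FILESIGNER%: Mozilla Corporation] [%PARENTPROCESS%: *\firefox.exe]
""")
EXCLUDE_RULES = parse_rules(r"""
// Windows Firewall GUI exclusion quoted in the thread (folder conditions omitted)
[%PROCESS%: C:\Windows\System32\mmc.exe] [%PROCESSCMDLINE%: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"] [%PARENTPROCESS%: C:\Windows\explorer.exe]
""")

def evaluate(ev):
    """Assumed precedence: an exclusion match allows the process outright."""
    if any(rule_matches(r, ev) for r in EXCLUDE_RULES):
        return "allow"
    return "block" if any(rule_matches(r, ev) for r in BLOCK_RULES) else "allow"

def make_event(path, cmdline, parent, signer=""):
    """Constructed process event keyed by the field names the rules use."""
    return {"FILEPATH": path, "PROCESS": path, "PROCESSCMDLINE": cmdline,
            "PARENTPROCESS": parent, "FILESIGNER": signer}

# Constructed events modelled on the log entry and the exclusion quoted in the thread.
ANTITEST = make_event(r"C:\Windows\AntiTest.exe", r'"C:\Windows\AntiTest.exe"',
                      r"C:\Windows\explorer.exe")
FIREWALL_GUI = make_event(r"C:\Windows\System32\mmc.exe", r'"C:\Windows\system32\mmc.exe" '
                          r'"C:\Windows\system32\WF.msc"', r"C:\Windows\explorer.exe", "Microsoft Windows")
```

The unsigned AntiTest.exe under C:\Windows is blocked by the folder rule while the firewall console launched from Explorer is let through by the exclusion, which is the behaviour the thread describes.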
  22. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    Things are back to normal (test build 26). CPU is constantly below 1 per cent. Good job! Thank you so much!:thumb:
     
  23. Sounds like even more great work from NoVirusThanks! :thumb:
     
  24. They say hackers are making the software industry even more secure, I have to agree with this statement! :thumb:
     
  25. OSArmor Security POC Video! https://www.youtube.com/watch?v=EIdJi0g9GpM :rolleyes:
     