NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    OSA + ERP + AdInf + Imager = ENUF :isay:
     
  2. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    What is "Adinf"?

    Agree on the OSA + ERP - part of my layers.

    And I agree that OSA should NOT be klutzed up! Seen this happen to too many Security softs.
     
  3. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    novirusthanks, would it be possible to add exploit protection for keepass2?
     
  4. topguynow

    topguynow Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    61
    Any overlap between NVT OSArmor and Malwarebytes Anti-Exploit? Are both needed? I am also using Avast free in Aggressive Hardened Mode (all shields enabled) and Zemana AntiLogger in real time. Thanks.
     
  5. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    Yes. In my opinion there is a ton of overlap in that setup that is not needed. Avast free and Zemana? Pick one. (Zemana > Avast) OSA and Malwarebytes? Pick one. (OSA > Malwarebytes) There are too many scanners there. Why not add virtualization/isolation instead?
     
  6. topguynow

    topguynow Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    61
    Thanks for the info. Yes I have both Sandboxie and Shadow Defender but like to "juggle" my security setup at times.
     
  7. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    As you can tell from my signature, I think that's a much better combo than any scanner! I very much like the niche that OSA fills in that combo as well.
     
  8. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    It is a file integrity checker. Read about it and/or get it HERE.
     
  9. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    TY. Never heard of it. Looks like a really cool app!
     
  10. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    It's been around since 1991. But it's rare to hear of it these days. I have used it at some point, a very long time ago.
     
  11. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
    A user guide would be helpful to get the best and the most out of OSArmor. I am one of those people who needs to read The Manual before getting my feet wet. A user guide would hopefully describe the scope of OSArmor and such things as the syntax rules for specifying exceptions.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    All you really need to do is install it. That's it.
     
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test27):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test27.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved support for Fast User Switching and Logouts
    + Many internal improvements
    + Integrated a smart caching mechanism
    + Prevent flooding of the notification dialog
    + Fixed opening of the Configurator in certain situations
    + Fixed some false positives
    + Block execution of unsigned processes in the Downloads folder
    + Added Tor Browser, Comodo Dragon and MSPub to the Anti-Exploit tab
    + Block execution of Sysprep.exe (UAC Bypass)
    + The alert icon on Configurator is red for some options

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install test 27.

    @AeroFit

    The timeout issues and the "Configurator not showing up" should be gone now, please confirm.

    @JoWazzoo

    Not yet, but will add that on next build.

    @Buddel

    Now we have integrated a caching mechanism, let me know how it works for you about CPU usage.

    The FP about the EPSON printer should be fixed.

    @Elwe Singollo

    Should be fixed on build 27.

    @rdsu

    The FP you reported should be fixed.

    @bjm_

    Using this exclusion:

    Code:
    [%PROCESSCMDLINE%: *E_FAMTCDE.EXE*]
    
    is unsafe, because it would allow any process that has the string E_FAMTCDE.EXE anywhere in its command line.

    Also matching the process responsible for the command line would be better:

    Code:
    [%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\cmd.exe /c "C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat"]
    
    Parent Process Path and Process Path are really not needed in most cases, I'll probably remove them from the Exclusions Helper.

    @Charyb

    OSArmor uses its own kernel-mode driver to monitor process executions, so it would not interfere with SRP policies.

    @cruelsister

    Totally agree on this.

    @Rebsat

    I believe you just need to exclude OSArmor .exe files on Avast HIPS and other exclusions.

    I'll check it and make a video or tutorial for it.

    @n8chavez

    Will check it and should add it in the next build if needed.

    @loungehake

    After v1.4 is released officially, we plan to create OSArmor's own website with many guides, FAQs, and such.
     
    Last edited: Jan 25, 2018
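    The exclusion rules discussed in the post above, as an added example that is not part of the original post and not OSArmor's own code. The bracket syntax [%PROCESS%: ...] [%PROCESSCMDLINE%: ...] is copied from the developer's reply; everything about how it is evaluated (all clauses must match, `*` is a wildcard, matching is case-insensitive) is an assumption for this script, as are the variable name %PARENTPROCESS%, the Epson path, and the constructed "dropper" and "renamed cmd.exe" events. The script shows why the command-line-only wildcard is unsafe: any process that carries the string in its arguments is silenced, while a rule that also pins the process path only silences the intended binary.

    ```python
    """Evaluate OSArmor-style exclusion rules against block-log events.

    Added example for this thread, not OSArmor's own code. The clause syntax
    [%PROCESS%: path] [%PROCESSCMDLINE%: pattern] is copied from the post
    above; how OSArmor actually evaluates it is not documented there, so this
    script assumes: every clause in a rule must match, '*' is a wildcard, and
    comparison is case-insensitive. %PARENTPROCESS% is an assumed name for the
    parent path and does not appear in the thread.
    """
    import fnmatch
    import re
    from dataclasses import dataclass


    @dataclass
    class Event:
        """A block-log entry reduced to the fields the rules can match."""
        name: str       # label used by this script only
        process: str    # "Process:" line, PID stripped
        parent: str     # "Parent:" line, PID stripped
        cmdline: str    # "Command Line:" line


    FIELDS = {"PROCESS": "process", "PROCESSCMDLINE": "cmdline",
              "PARENTPROCESS": "parent"}   # last name is an assumption

    _CLAUSE = re.compile(r"\[%(\w+)%:\s*([^\]]*)\]")


    def parse_rule(rule: str):
        """Split a rule into (variable, pattern) clauses; reject unknown variables."""
        clauses = [(var.upper(), pat.strip()) for var, pat in _CLAUSE.findall(rule)]
        if not clauses:
            raise ValueError(f"no [%VAR%: pattern] clause in {rule!r}")
        unknown = [var for var, _ in clauses if var not in FIELDS]
        if unknown:
            raise ValueError(f"unknown variable(s): {unknown}")
        return clauses


    def rule_matches(rule: str, ev: Event) -> bool:
        """All clauses must match (assumed AND semantics); '*' and '?' are wildcards."""
        return all(
            fnmatch.fnmatchcase(getattr(ev, FIELDS[var]).lower(), pat.lower())
            for var, pat in parse_rule(rule)
        )


    def excluded_by(rule: str, events) -> list:
        """Names of the events a rule would silence, in input order."""
        return [ev.name for ev in events if rule_matches(rule, ev)]


    # The rule the developer called unsafe, verbatim from the post.
    UNSAFE_RULE = "[%PROCESSCMDLINE%: *E_FAMTCDE.EXE*]"

    # The same rule tightened as the developer advises, by pinning the process
    # path as well. The Epson path is a hypothetical value for illustration.
    TIGHTENED_RULE = (r"[%PROCESS%: C:\Program Files\EPSON\E_FAMTCDE.EXE] "
                      r"[%PROCESSCMDLINE%: *E_FAMTCDE.EXE*]")

    # The developer's own two-clause example, verbatim from the post.
    DEV_RULE = (r'[%PROCESS%: C:\Windows\System32\cmd.exe] '
                r'[%PROCESSCMDLINE%: C:\WINDOWS\system32\cmd.exe /c '
                r'"C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat"]')

    # Constructed events (not from any real log): a legitimate launch of the
    # Epson tool, and a dropper that merely mentions the same file name.
    EPSON_LEGIT = Event("epson_legit",
                        r"C:\Program Files\EPSON\E_FAMTCDE.EXE",
                        r"C:\Windows\explorer.exe",
                        r'"C:\Program Files\EPSON\E_FAMTCDE.EXE" /watch')
    DROPPER = Event("dropper",
                    r"C:\Users\Public\dropper.exe",
                    r"C:\Windows\System32\cmd.exe",
                    r'"C:\Users\Public\dropper.exe" --decoy E_FAMTCDE.EXE')
    # Constructed launches of the developer's .bat: the real cmd.exe, and a copy
    # of cmd.exe run from a user-writable folder with the identical command line.
    BAT_LAUNCH = Event("bat_launch", r"C:\Windows\System32\cmd.exe",
                       r"C:\Windows\explorer.exe",
                       r'C:\WINDOWS\system32\cmd.exe /c "C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat"')
    BAT_RENAMED = Event("bat_renamed", r"C:\Users\Public\cmd.exe",
                        r"C:\Windows\explorer.exe", BAT_LAUNCH.cmdline)

    EVENTS = [EPSON_LEGIT, DROPPER, BAT_LAUNCH, BAT_RENAMED]

    if __name__ == "__main__":
        for label, rule in (("unsafe", UNSAFE_RULE), ("tightened", TIGHTENED_RULE),
                            ("developer", DEV_RULE)):
            print(f"{label:10} excludes: {excluded_by(rule, EVENTS)}")
    ```

    Run as-is it reports that the unsafe rule silences both the Epson tool and the dropper, the tightened rule silences only the Epson tool, and the developer's pinned rule silences the real cmd.exe launch but not a copy of cmd.exe started from a user-writable folder with the same command line. Whether real OSArmor rules behave exactly like this is not stated in the thread; the point is the shape of the rule, not the matcher.
    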
  14. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    WooHoo - TY sir [Note that I also use ERP and sometimes get confused as to what is where :) ]

    This App is really coming together and shows that NVT is going above and beyond what many developers do. Thanks again!
     
  15. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    with 1.4 test27:

    Date/Time: 25/01/2018 16:14:00
    Process: [1968]C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    Parent: [1788]C:\Windows\System32\svchost.exe
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    Signer: Adobe Systems Incorporated
    Parent Signer: Microsoft Windows Publisher
     
  16. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    Epson Printer/Scanner

    Date/Time: 1/25/2018 10:26:18 AM
    Process: [6468]C:\Windows\twain_32\escndv\escndv.exe
    Parent: [5576]C:\Windows\explorer.exe
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: "C:\Windows\twain_32\escndv\escndv.exe"
    Signer: SEIKO EPSON CORPORATION
    Parent Signer: Microsoft Windows
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Thanks for reporting the FPs, will be fixed in the next build.

    I've uploaded two video tutorials to exclude OSArmor on Avast and ESET HIPS:

    How to Exclude OSArmor on Avast Antivirus
    https://www.youtube.com/watch?v=nQCMcu1_G2s

    How to Exclude OSArmor on ESET HIPS
    https://www.youtube.com/watch?v=vy45AmALLbQ

    NOTE:

    In my case OSArmor worked fine even without excluding it, but since users have asked for these guides, I've made them.
     
  18. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
    Thank you for your work. Maybe protection for Thunderbird?
     
  19. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    The printing problem seems to be gone, but I still use an exception rule, just to be on the safe side.
    CPU usage also seems to be back to normal. I'll get back to you if problems come up again.
    Thank you very much for a great security app and your top-notch support.:thumb:
     
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Thanks
     
  21. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    Flash Player false positive?

    Date/Time: 25.01.2018 20:57:53
    Process: [4220]C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_28_0_0_137.exe
    Parent: [3524]C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_28_0_0_137.exe
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: "C:\WINDOWS\system32\Macromed\Flash\FlashPlayerPlugin_28_0_0_137.exe" --channel=3524.0034F310.1934851348 --proxy-stub-channel=Flash5196.12ACE2A8.9422 --plugin-path="C:\WINDOWS\system32\Macromed\Flash\NPSWF32_28_0_0_137.dll" --host-npapi-version=29 --type=renderer
    Signer: Adobe Systems Incorporated
    Parent Signer: Adobe Systems Incorporated

    PS: Adding this to exclusions doesn't fix the problem. Whenever I clear "recent history" in Firefox, I get a popup from OSArmor with the above-mentioned entry in the log file. This also happens when I close Firefox.

    Log file attached.
     
    Last edited: Jan 25, 2018
  22. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    I get this when I go into Chrome advanced settings and select printer.

    Date/Time: 1/25/2018 3:18:50 PM
    Process: [2312]C:\Windows\System32\rundll32.exe
    Parent: [9928]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Rule: AntiExploitChrome
    Rule Name: (Anti-Exploit) Protect Google Chrome
    Command Line: "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder
    Signer:
    Parent Signer: Google Inc
     
  23. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) test28:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test28.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Fixed false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install test 28.

    @Buddel @Charyb @rdsu

    All reported FPs should be fixed, please confirm.

    @Rainwalker

    I'll discuss Thunderbird (not sure if it is really needed).
     
  24. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
    Quote (novirusthanks):
    I'll discuss Thunderbird (not sure if it is really needed).

    OK.... You would know. I would be interested in a brief explanation. Thank you again.
     
  25. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    False positives are fixed here. Thanks

    After uninstalling the program is it expected to have the OSA database files and log file remain?
     
    Last edited: Jan 25, 2018