NoVirusThanks OSArmor: An Additional Layer of Defense

THANKS shmu26.

 

I am trying to exclude a 16-bit program dating from 1996 (the New Oxford Shorter Dictionary with 500,000 definitions). This runs in Windows XP from an exe file.

The exclusion rule that Test28 version1.4 OSArmor has created is : -
[%PROCESS%: C:\WINDOWS\system32\ntvdm.exe] [%PROCESSFILEPATH%: C:\WINDOWS\system32\] [%PROCESSCMDLINE%: "C:\WINDOWS\system32\ntvdm.exe" -f -i8 -ws -a C:\WINDOWS\system32\krnl386.exe] [%PARENTPROCESS%: C:\WINDOWS\explorer.exe] [%PARENTFILEPATH%: C:\WINDOWS\]

This failed to work so I have at present unchecked "Block execution of 16-bit (NTVDM) processes." I do not understand the mechanism underpinning NTVDM processes. Should it be possible to selectively permit the use of individual 16-bit programs?

 

The test27 build successfully resolved two issues for me: presence of four DCOM permissions-related errors @startup plus a Service Container error (failure of OSArmor to start) AND the failure of the Configurator to open while a games app was on the desktop. Those DCOM errors were present when HitmanPro.Alert was on here and to date, that has not been resolved though there's a registry workaround. So, I'm very good with OSArmor and its anti-exploit rules and a hardened OS/Windows Defender.

FYI: SmartScreen blocks the download of test28 via Edge browser. Since the changelog is specific for some false positives, I'll keep the test27 for now.

 

I have OSA + HMPA but I am not seeing any DCOM errors.
@plat1098, based on your signature, it looks like you were running HMPA + SBIE. Maybe this combo is responsible for the errors, I mean, after you added OSA into the mix? Do you still get errors if OSA+HMPA but no SBIE?

 

I don't want to go off-topic but I can only go by simple cause/effect on here and OSArmor-related errors at startup were cleared with test27 to date. I was one of the few who experienced the frozen Start menu/taskbar problem when HitmanPro.Alert was on the system, persisting with Sandboxie's outright removal. There is a registry workaround but haven't tried it. If you're not getting any errors with both Alert and OSArmor installed, then in theory, it can be done. So, I'm encouraged by this. Just to mention: this machine (main)--with fast startup and BIOS quick-boot disabled (so I can hear the POST)-- boots in 10 seconds. So maybe the timing at startup was involved? It's OK, sometimes software issues clear up later rather than sooner, right?

 

hmm why would OSarmor try to open opera.exe

 

I have OSArmor with Sophos Home Premium (which has HMPA) and have not had any problems at all.

 

Similar here - OSA with HMPA. No sign of any issues thus far.

 

Here is a new v1.4 (pre-release) (test29):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test29.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Categorized options in Anti-Exploit tab and sorted them alphabetically (per category)
+ When on Passive Logging, the text on the notification window is "Passive Logging Enabled"
+ On Configurator -> Settings -> Passive Logging changed the text to "You will still receive notification dialogs while in Passive Logging."
+ Added Thunderbird on Anti-Exploit tab
+ Removed "Process Path" and "Parent Process Path" from Exclusions Helper GUI
+ Option to disable protection temporarily, for 10 minutes, 30 minutes, 1 hour
+ Option to not display alerts when an application is in full-screen mode
+ Improved "Block execution of .vbs scripts"
+ Improved "Block execution of .js scripts"
+ Tray icon becomes red when Passive Logging is enabled
+ Option to play beep sound when notification is displayed
+ Fixed a false positive with "Block processes executed from javaw.exe"
+ Improved detection of PowerShell encoded commands
+ Improved detection of PowerShell malformed commands
+ Improved detection of suspicious processes
+ Block processes executed from USB
+ Block processes executed from RAM Disk
+ Block processes executed from Network Drive
+ Block processes executed from CD-ROM
+ Block execution of Internet Explorer
+ Block execution of Microsoft Edge
+ OSArmor 64-bit now supports Secure Boot
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install test 29.

@Sampei Nihira

Can you try this new build 29? Please try to do as follow:

Uninstall the previous OSA version, reboot, delete the folder C:\Program Files\NoVirusThanks\OSArmorDevSvc\ and then install build 29.

@loungehake

What is the name of the 16-bit process you need to run?

@lucd

When you install OSArmor, by default, it opens our website page. There is a checkbox "Open NoVirusThansk Website" (checked) at end of installation.

@UnderwaterBG

FP on Flash Player should be fixed.

@guest

Yes, we'll work on a better Configurator UI later in the next versions.

@Baldrick

64-bit driver is now co-signed by Microsoft and supports Secure Boot (build 29).

We are waiting for the 32-bit driver to be co-signed (should not take much).

 

If you are running a 64-bit OS, you can try OS Armor now.

 

Thank you sir for adding Thunderbird

 

Protection in this version refuses to stay on. I have tried completely uninstalling the previous version and rebooting before installing and still, no protection enabled. I went back to the previous version and that one will work.

 

(test29)....lots of new stuff.
Disable Protection survive Restart?
Thanks

 

v1.4 (pre-release) (test29)

Uninstalled the previous version and runs fine on a Legacy System (MBR) Win10X64 FCU fully updated.

Using another system Win10X64 FCU fully updated (Secure Boot), Osarmor's "Protection Status" is always "Protection Disabled". I'm not able to set protection to enable.

 

Same here.

 

Same here, DISABLED. Some icons in the system tray takes looong time to load and problem with internet connection.

 

OS Armor v1.4 (pre-release) (test29)
(1)
Each time the notification appears, there is a CPU load of ~25% for 5-6 seconds (OSArmorDevUI.exe)
a) I quickly closed the window as soon as it appears, but nevertheless after some seconds there is a CPU Load.
b) After disabling of the notification window the problem is gone (no CPU Load)



(2)
[X] Block execution of any process related to Nirsoft
I can run any Nirsoft related utility without problems (digitally signed by "Nir Sofer"), nothing is blocked

And:
I have SecureBoot disabled and i can enable/disable OS Armor correctly. Perhaps there seems to be a problem with the new co-signed driver on SecureBoot enabled systems:

 

(3) The main window looses the focus (OSArmorDevUI.exe)
I have opened the GUI but it always looses the focus. I can't click on anything in the "File"-menu, because the menu always "disappears".

 

Win 10 Pro 1703 x64: running HMP.A, EAM, OSA with no problems.

 

Here is a new v1.4 (pre-release) (test30):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test30.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Both 32-bit and 64-bit drivers are now co-signed by Microsoft
+ Removed option "Set notification window always on top" (it is done by default now)
+ Fixed CPU spikes when the notification dialog disappears
+ Fixed "can't open menu in OSArmorDevUI because it loses focus"

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

Secure Boot should be now fully supported in both 32 & 64-bit W10 OS.

@bjm_

Disable Protection does not survive to reboot.

You can enable Passive Logging (from Configurator), it survives to reboot.

@mood

Issue 1) and 3) should be fixed on build 30, thank you for reporting them.

About issue 2), can you retry now? It works fine on my end, here is what I do:

- I install OSA build 30
- Then I download a NirSoft exe
- I enable on OSA Configurator "Block processes related to NirSoft"
- Then when I run NirSoft exe, it is blocked by OSA

@pb1 @IvoShoen @ronald739

That behavior you reported is very strange, and is the same reported also by @Sampei Nihira

I would like to ask to all of you more information:

- Can you include the exact Windows version (including build and bitness 32 or 64-bit)?
- What other security software do you have installed?
- Can you try to first disable other security software and then install OSA?
- Can you try to use our free tool "Kernel Mode Drivers Manager" to check if OSArmorDevDrv.sys is actually loaded?
Please post a screenshot that highlights OSArmorDevDrv if possible:
http://www.novirusthanks.org/products/kernel-mode-drivers-manager/
- After you install OSA, can you send me the MD5 hash of C:\WINDOWS\System32\drivers\OSArmorDevDrv.sys?
You can use our other free tool "MD5 Checksum Tool" to compute the file MD5 hash:
http://www.novirusthanks.org/products/md5-checksum-tool/

Thank you for the help!

 

Ahh,... okay. Thanks

 

@novirusthanks

Test 29 is OK for me.

There is this problem:

http://sendvid.com/3vhr01in

 

Beginning w/test27, the info icon next to certain advanced rules is orange or red. Curious: what is the significance of the color? Haven't seen any hint in the changelogs, just the info in test27 w/download. Test30 is good so far, and Secure Boot is once again enabled.

 

Build 30 running great on three machine here, all 1703 x64 W10.