NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Hi Guys,

    This is the first build I've installed and I see it is quite light on CPU / RAM usage, so that's cool. I guess it is normal for all under the Advanced tab to be disabled by default?

    Would it be worth adding Windows Live Mail to the protected applications?

    Thanks. :thumb:
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Hi.
    With the introduction of this mitigation:

    "Prevent reg.exe from hijacking OSArmor settings"

    Which of the mitigations below do you consider necessary or complementary?


    1000.jpg 1001.jpg 1002.jpg

    TH.:)

    P.S.

    For me the following rules are to be enabled:

    a) Block execution of .Reg Scripts
    b) Prevent Reg.exe from importing reg Files
     
    Last edited: Feb 21, 2018
  3. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    Hello Noviruthanks,

    First thanks for your hard work! But no in my case it did not fix the problem. Made a clean install last night but this morning the problem is back. A restart usually
    fix the problem. But again, just 10 minutes ago, I had to reboot twice to fix it.
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Sampei Nihira

    This rule is more "generic" but can also prevent reg.exe from modifying OSArmor settings by importing .reg files:

    This rule filters the command-line of reg.exe searching for the presence of *\OSArmorDev*:

    This rule prevents regedit.exe from importing .reg scripts:

    This rule prevents reg.exe from modifying common Registry startup entries (i.e HKCU\Run, HKLM\Run, etc):

    All these 4 rules can be enabled without problems.

    The rules that can help protect OSArmor settings are:

    @Krusty

    Yes, correct.

    Will check it and will add it in case.

    @Antarctica

    I've sent you a PM.
     
  5. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Problem solved by the Developer.
    TH.;)


    ________________________________________________
    For the other question, I still decide whether to activate the rule:

    "Block reg.exe from hijacking Registry startup entries".

    The others are already active.
     
    Last edited: Feb 21, 2018
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,794
    Location:
    .
    @novirusthanks

    Andreas could you add Wireshark (specially the portable one) and it's components (exes). CPU becomes like a crazy when I run it.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Arrg. I can not get build 35 to install. I've tried several things but there is no service running.
     
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Stop OSA with Powershell from Administrator Account:

    step 1 - Search for the OSA Service if present.
    step 2 - Service stop.

    A rule to prevent the shutdown of the OSA Service with Powershell is desirable.
    ;):):thumb:


    http://sendvid.com/xfcwor4g
     
    Last edited by a moderator: Feb 21, 2018
  9. guest

    guest Guest

    I think this could be implemented as part of a "OS Armor Self-Protection":
     
  10. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Good.:thumb:
    Also desirable enable/disable protection of the GUI only from Administrator account.
    In test 35 it is possible from Standard account.


     
  11. guest

    guest Guest

    The GUI is automatically started by the service of OS Armor and is running with limited rights.
    In this case a password protection is a better choice, which will be implemented soon:
     
  12. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    Confirmed! The new build works great here and yes, the "30000 timeout" issue is fixed here as well. Thank you very much, Andreas.:thumb:
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    :thumb:
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Tried again. Followed exact uninstall, and even downloaded a fresh copy. But the service doesn't start and that's it. This try HMPA was uninstalled.
     
  15. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    I cannot get latest build to download just freezes??
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test36):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test36.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved detection of suspicious folders
    + Improved detection of suspicious command-lines
    + Block execution of processes on All Users folder
    + Prevent attrib.exe from setting +h or +s attributes
    + Exclude "/a" execution for "Block execution of Shutdown.exe"
    + Renamed "Block execution of PsExec.exe from Sysinternals" to "Block execution of PsTools Suite from Sysinternals"
    + Block execution of PsTools Suite from Sysinternals
    + Renamed "Prevent reg.exe from hijacking OSArmor settings" to "Enable OSArmor self defense (basic)"
    + Enable OSArmor self defense (basic) -> Moved on Settings
    + Improved detection of known fake file extensions
    + User must be in the Administrators Group to change protection
    + Block execution of taskkill.exe
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    The basic self defense now blocks net.exe, net1.exe, taskkill.exe, sc.exe, reg.exe, pskill.exe, etc from terminating\hijacking OSArmorDevSvc.

    It also prevents silent uninstallation via /VERYSILENT and /SILENT (unins000.exe).

    We'll add better self defense via kernel-mode driver in the next version.

    @Peter2150

    We've created a debug-version of OSA that can help us understand what happens.

    I'll send it via PM in a few minutes.

    @Sampei Nihira


    Added on test 36 (on Configurator -> Settings) and disabled by default.

    It disables the Tray Icon -> Protection option(s) if the user is not in the Administrators group.

    Let me know if it works fine for you.

    @hayc59

    Do you have problems downloading the latest build from our website or is it freezing after you installed it?
     
  17. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    Test build 36 also works fine for me. Thank you.
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    In the Configurator when I grab the scroll bar on any tab and drag it up or down the list doesn't move until I release the scroll bar. I can simply scroll with the scroll wheel on my mouse and it works.
    Thanks.
     
  19. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    A member of Malwaretips posted how OSarmor protected his son's computer. Thought it would be nice for people here to read of a real life situation where the product managed to protect a user

    https://malwaretips.com/threads/novirusthanks-osarmor.78195/page-38#post-712780
    "Well the bad news is, my son almost got infected. The good news is, OSArmor was the only thing that prevented it from taking hold.

    A bit of background first.. My son is 'reckless' with his system. He's a gamer, he goes to shady sites and he downloads almost anything that is shiny and new without too much regard. To combat issues I put his system on a PHYSICALLY segregated port on my Fortinet with it's own VDOM. So whatever he does is totally isolated to his system. I put F-Secure Safe on it, along with Heimdal and OSArmor with HitmanPro on-demand.

    Over the weekend I decided to 'check' on his computer. Upon boot (immediately) something tried to execute and was picked up and blocked by OSArmor. Further investigation revealed a Netsupport RAT Variant. The trojan was on his system but unable to properly set itself up to execute or cause damage. F-Secure was quiet. Heimdal was quiet. Hitmanpro scanned showed no issues. I installed and ran Malwarebytes 2X and it found and removed it. Based on what it found it failed to properly setup itself to run and only was able to leave it's primary script trigger and an exe in a hidden directory. So basically, without OSArmor, he'd of been infected.. Even with my massive security, OSArmor was the missing piece of the puzzle that was required to protect him. F-Secure was a total letdown in this respect and Deepguard did nothing. But I suspect products with really strong BB might have nixed it... This is why I believe in layered security."
     
  20. plat1098

    plat1098 Guest

    Hmm, on test36, I see this, too. If I scroll regularly, the sidebar moves with the scrolling. I do notice that the machine shut down more quickly than with the past several builds, like it did with test27. :thumb:
     
  21. guest

    guest Guest

    First i have thought the protection is gone if the GUI (OSArmorDevUI.exe) is closed, but no... ;)
    The protection of OS Armor is enforced by the service (OSArmorDevSvc.exe) and even if the GUI is closed, the system stays protected and the service is still writing blocked processes to the .log-file (but the alerts are now missing)
    Opening of cmd.exe with administrator privileges and execution of "sc stop osarmordevsvc":
    OS Armor_Self defense.png
    Code:
    Process: [10852]C:\Windows\System32\sc.exe
    Parent: [5080]C:\Windows\System32\cmd.exe
    Rule: EnableOSArmorSelfDefense
    Rule Name: Enable OSArmor self defense (basic)
    Command Line: sc  stop osarmordevsvc
    
    [X] User must be in the Administrators Group to change protection
    This also looks good (without / with administrator privileges):
    OS Armor_user-rights__.png
    OS Armor_admin-rights__.png
     
    Last edited by a moderator: Feb 21, 2018
  22. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    Dan its from your server..I got this one ok though all is good on the well
     
  23. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    well spoke to soon..lol spoketosoon.jpg
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    While running PrivaZer:
    Code:
    Date/Time: 22/02/2018 10:04:40 PM
    Process: [8272]C:\Windows\SysWOW64\taskkill.exe
    Parent: [8344]C:\Windows\SysWOW64\cmd.exe
    Rule: BlockTaskkillExecution
    Rule Name: Block execution of taskkill.exe
    Command Line: C:\WINDOWS\\System32\TASKKILL.exe  /F /PID 10124
    Signer:
    Parent Signer:
     
    Date/Time: 22/02/2018 10:04:44 PM
    Process: [9452]C:\Windows\SysWOW64\taskkill.exe
    Parent: [1856]C:\Windows\SysWOW64\cmd.exe
    Rule: BlockTaskkillExecution
    Rule Name: Block execution of taskkill.exe
    Command Line: C:\WINDOWS\\System32\TASKKILL.exe  /F /IM SCserver.exe
    Signer:
    Parent Signer:
     
    Date/Time: 22/02/2018 10:04:48 PM
    Process: [5140]C:\Windows\SysWOW64\taskkill.exe
    Parent: [7328]C:\Windows\SysWOW64\cmd.exe
    Rule: BlockTaskkillExecution
    Rule Name: Block execution of taskkill.exe
    Command Line: C:\WINDOWS\\System32\TASKKILL.exe  /F /IM SCserver.exe
    Signer:
    Parent Signer:
     
    Date/Time: 22/02/2018 10:04:58 PM
    Process: [6876]C:\Windows\SysWOW64\taskkill.exe
    Parent: [1420]C:\Windows\SysWOW64\cmd.exe
    Rule: BlockTaskkillExecution
    Rule Name: Block execution of taskkill.exe
    Command Line: C:\WINDOWS\\System32\TASKKILL.exe  /F /PID 10124
    Signer:
    Parent Signer:
     
    Date/Time: 22/02/2018 10:05:03 PM
    Process: [7448]C:\Windows\SysWOW64\taskkill.exe
    Parent: [9208]C:\Windows\SysWOW64\cmd.exe
    Rule: BlockTaskkillExecution
    Rule Name: Block execution of taskkill.exe
    Command Line: C:\WINDOWS\\System32\TASKKILL.exe  /F /PID 10124
    Signer:
    Parent Signer:
     
    Date/Time: 22/02/2018 10:05:08 PM
    Process: [576]C:\Windows\SysWOW64\taskkill.exe
    Parent: [164]C:\Windows\SysWOW64\cmd.exe
    Rule: BlockTaskkillExecution
    Rule Name: Block execution of taskkill.exe
    Command Line: C:\WINDOWS\\System32\TASKKILL.exe  /F /PID 10124
    Signer:
    Parent Signer:
     
    Date/Time: 22/02/2018 10:05:12 PM
    Process: [5484]C:\Windows\SysWOW64\taskkill.exe
    Parent: [7932]C:\Windows\SysWOW64\cmd.exe
    Rule: BlockTaskkillExecution
    Rule Name: Block execution of taskkill.exe
    Command Line: C:\WINDOWS\\System32\TASKKILL.exe  /F /PID 10124
    Signer:
    Parent Signer:
     
    
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    It's OK.
    You are a Dragon !!
    :thumb::):)
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.