NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Just installed. Will keep an eye on it to see if it becomes disabled again. Thanks.
     
  2. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
Well, unfortunately it just happened to me. So this particular problem is not fixed yet...
     
  3. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Did not think it would be since Andreas did not mention it. Just installed it to test. What AV are you using it with?
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Correct.
I do not install unsigned software.
I wonder if, in this case, enabling the other rules as well may also produce FPs.
    And of course if this is necessary.
     
  5. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
I think it is necessary to enable some of the rules in orange.
     
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    :thumb:

     
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    test41: all rules checked

    Date/Time: 3/12/2018 2:54:54 PM
    Process: [7280]C:\Windows\System32\sc.exe
    Parent: [1316]C:\Windows\System32\svchost.exe
    Rule: BlockScExecution
    Rule Name: Block execution of sc.exe
    Command Line: C:\WINDOWS\system32\sc.exe start w32time task_started
    Signer:
    Parent Signer: Microsoft Windows Publisher

    3.1: sc.exe start w32time task_started
    [Date/Time: 12/03/2018 14:54:51] [Action: Allowed [System File]] [Bitness: 64] [Process: [8336]c:\windows\system32\taskhostw.exe] [MD5 Hash: 802F044589D1D0657F4A12B13AFFFAE4] [Publisher: Microsoft Corporation] [Parent: [1316]c:\windows\system32\svchost.exe] [Command-Line: taskhostw.exe]
    [Date/Time: 12/03/2018 14:54:53] [Action: Allowed [System File]] [Bitness: 64] [Process: [5868]C:\WINDOWS\system32\lpremove.exe] [MD5 Hash: 6DD9AF279A732A49C0DDC497AC8CE5B1] [Publisher: Microsoft Corporation] [Parent: [1316]c:\windows\system32\svchost.exe] [Command-Line: C:\WINDOWS\system32\lpremove.exe]
    [Date/Time: 12/03/2018 14:54:54] [Action: Allowed [Whitelist Commandline]] [Bitness: 64] [Process: [7280]C:\WINDOWS\system32\sc.exe] [MD5 Hash: F748D08636254B03CEE8577168C00772] [Publisher: Microsoft Corporation] [Parent: [1316]c:\windows\system32\svchost.exe] [Command-Line: C:\WINDOWS\system32\sc.exe start w32time task_started]
    [Date/Time: 12/03/2018 14:54:54] [Action: Allowed [System File]] [Bitness: 64] [Process: [6196]C:\WINDOWS\system32\conhost.exe] [MD5 Hash: 9D6E324F3F64EBB93A6D3592DCD478FF] [Publisher: Microsoft Corporation] [Parent: [5868]C:\WINDOWS\system32\lpremove.exe] [Command-Line: \??\C:\WINDOWS\system32\conhost.exe 0x4]
    [Date/Time: 12/03/2018 14:54:54] [Action: Allowed [System File]] [Bitness: 64] [Process: [7052]c:\windows\system32\taskhostw.exe] [MD5 Hash: 802F044589D1D0657F4A12B13AFFFAE4] [Publisher: Microsoft Corporation] [Parent: [1316]c:\windows\system32\svchost.exe] [Command-Line: taskhostw.exe /RuntimeWide]
    [Date/Time: 12/03/2018 14:54:54] [Action: Allowed [System File]] [Bitness: 64] [Process: [6376]C:\WINDOWS\system32\dstokenclean.exe] [MD5 Hash: DE0B39FF1ABEBAB878D9BCDFCEFB5F89] [Publisher: Microsoft Corporation] [Parent: [1316]c:\windows\system32\svchost.exe] [Command-Line: C:\WINDOWS\system32\dstokenclean.exe]
    [Date/Time: 12/03/2018 14:54:54] [Action: Allowed [System File]] [Bitness: 64] [Process: [1368]C:\WINDOWS\system32\disksnapshot.exe] [MD5 Hash: 3EA758F681252B21250866C4D6EC2319] [Publisher: Microsoft Corporation] [Parent: [1316]c:\windows\system32\svchost.exe] [Command-Line: C:\WINDOWS\system32\disksnapshot.exe -z]
    [Date/Time: 12/03/2018 14:54:55] [Action: Allowed [System File]] [Bitness: 64] [Process: [8972]C:\WINDOWS\system32\conhost.exe] [MD5 Hash: 9D6E324F3F64EBB93A6D3592DCD478FF] [Publisher: Microsoft Corporation] [Parent: [6376]C:\WINDOWS\system32\dstokenclean.exe] [Command-Line: \??\C:\WINDOWS\system32\conhost.exe 0x4]
     
    Last edited: Mar 13, 2018
  8. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
I know, but I don't want to break normal Windows functionality where it forces me to disable OSArmor to achieve something, so I'm slowly testing them out. For example, these settings....
     


    Last edited: Mar 12, 2018
  9. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
I tried "BlockJavaExecution" and get an alert window when I use it...

With "BlockTeamViewerProcesses" enabled, OSArmor blocks TeamViewer, but it doesn't show any alert window.

    Date/Time: 12/03/2018 19:41:44
    Process: [3892]C:\Program Files (x86)\TeamViewer\TeamViewer.exe
    Parent: [2540]D:\PortableApps\Quick Access Popup\QuickAccessPopup-64-bit.exe
    Rule: BlockTeamViewerProcesses
    Rule Name: Block execution of any process related to TeamViewer
    Command Line: "C:\Program Files (x86)\TeamViewer\TeamViewer.exe"
    Signer: TeamViewer GmbH
    Parent Signer: Jean Lalonde
     
  10. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
Why wouldn't you? Malware might force a shutdown and when you boot again you're screwed. Checking the box doesn't prevent you from being able to shut down the computer the normal way (i.e. Alt + F4).
     
  11. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Sometimes, OSA starts with protection disabled on boot. I try to enable protection but it won't. This down below is the only OSA-process running. The OSA service is not running on boot. This happens in around 50% of the boots. Known issue? I'm on Win 10 x64 and Windows Defender for protection along with NVT SysHardener and OSA.

     
    Last edited: Mar 13, 2018
  12. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
Using Kaspersky. All processes have been excluded in KIS.
     
  13. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    I am using Eset Internet Security and so far it has not become disabled. But, in the past it would take a few days for it to start happening so we shall see.
     
  14. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Installed test build 41 last night and OSArmor is disabled at start up today. First time ever.
    Win 10 home 1709x64 running as Admin
    EAM
    AdGuard
    Glasswire
    SysHardener
    Heimdal

    Edit: Enabled after reboot
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I had assumed this could be some interaction with EAM, as Peter2150 and I have experienced this.

    But then shadek #1286 does not have EAM ...
     
  16. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
I have been running with this setup (apart from SysHardener, which I installed when it was first released) for over a year, and have been running OSArmor since build 3, and this is the first sign of any problems, so maybe there was an EAM update that has caused the blip. Will see when I switch on tomorrow.
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Sampei Nihira

    Great :)

    @bjm_

    That FP will be fixed in next build.

    @shadek @Antarctica @Trooper @Dark Star 72 @Charyb @IvoShoen

    We're investigating the "protection is disabled at startup" issues on OSA.

I found a useful article that may be related to OSA issues:

    https://www.codetwo.com/kb/how-to-extend-the-timeout-for-services-if-they-do-fail-to-start/

    I would like to ask you guys if you can make two tests:

    Test 1 - Set OSArmorDevSvc to "Automatic (Delayed Start)"

    Set the "Startup Type" of OSArmorDevSvc to "Automatic (Delayed Start)".

    Then reboot the PC and see if the issue is gone.

    * Test a few reboots, just to be sure *

    Test 2 - Tweak Windows Registry value ServicesPipeTimeout

    Add or edit the ServicesPipeTimeout registry value on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control:

    Go to Start > Run > and type regedit.
    Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
    With the control folder selected, right-click in the pane on the right and select new DWORD Value.
    Name the new DWORD: ServicesPipeTimeout.
    Right-click ServicesPipeTimeout, and then click Modify.
    Click Decimal, type '180000', and then click OK.
    Restart the computer.

That would increase the timeout set by the "ServicesPipeTimeout" value.

    Then reboot the PC and see if the issue is gone.

    * Test a few reboots, just to be sure *

    Let me know the results.
     
    Last edited: Mar 13, 2018
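The two tests above, scripted so they can be applied and verified in one go, as an added example that is not part of the original post and not NoVirusThanks' own code. It assumes the service name OSArmorDevSvc exactly as given in the post, and Windows PowerShell 5.1, where Set-Service has no delayed-start option, so sc.exe is used for that step. The Service Control Manager event IDs (7000 = service failed to start, 7009 = timeout waiting for the service to connect) are the standard Windows ones and are the evidence a practitioner would want before changing a system-wide timeout.

```powershell
# Added example (not from the page or the OSArmor project): apply Test 1 and
# Test 2 from the post above and verify the result. Run from an elevated
# PowerShell prompt, then reboot a few times as the post asks.
# Assumptions: service name OSArmorDevSvc (from the post); Windows PowerShell 5.1.

#Requires -RunAsAdministrator

$svcName   = 'OSArmorDevSvc'
$ctrlKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$timeoutMs = 180000   # ServicesPipeTimeout is in milliseconds; the Windows default is 30000

# --- Test 1: Automatic (Delayed Start) -------------------------------------
# sc.exe requires the space after "start=" exactly like this.
& sc.exe config $svcName start= delayed-auto | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# Verify: the SCM stores delayed start as DelayedAutostart=1 under the service key.
$svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
$delayed = (Get-ItemProperty -Path $svcKey -Name DelayedAutostart -ErrorAction SilentlyContinue).DelayedAutostart
'{0}: StartType={1}, DelayedAutostart={2}' -f $svcName, (Get-Service $svcName).StartType, $delayed

# --- Test 2: ServicesPipeTimeout ------------------------------------------
# -Force overwrites an existing value, so the script is safe to re-run.
New-ItemProperty -Path $ctrlKey -Name ServicesPipeTimeout -PropertyType DWord -Value $timeoutMs -Force | Out-Null
$applied = (Get-ItemProperty -Path $ctrlKey -Name ServicesPipeTimeout).ServicesPipeTimeout
"ServicesPipeTimeout = $applied ms"

# --- Evidence: did the SCM actually time out waiting for this service? -------
# 7009 = "A timeout was reached ... while waiting for the X service to connect"
# 7000 = "The X service failed to start"
$displayName = (Get-Service $svcName).DisplayName
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7009 } `
             -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$displayName*" } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# After each reboot, confirm protection is really up rather than trusting the tray icon:
# Get-Service $svcName | Select-Object Status, StartType
```

Two caveats worth keeping in mind while testing. A delayed-start service starts after every other auto-start service has been launched, so during that early-boot window nothing in OSArmor's rule set is enforced; if the 7009 events show the service is merely slow to connect, the timeout change alone is the smaller security trade-off. ServicesPipeTimeout is also machine-wide, not per service: a value of 180000 means any service that hangs at start can hold the SCM for three minutes instead of thirty seconds, so note the old value before changing it and revert it if the delayed-start test alone resolves the problem.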
  18. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    Seems to work now!!!
     
    Last edited: Mar 13, 2018
  19. Lorina

    Lorina Registered Member

    Joined:
    Mar 13, 2018
    Posts:
    13
    Location:
    EU
    Hi there - thanks for this amazing tool! I've added it to my "install on every new PC" list. :)
I just wanted to mention these alerts. The first one seems to be false, as it popped up after I ran the Flash Beta installer from labs.adobe.com:

    Date/Time: 3/13/2018 9:43:14 PM
    Process: [1876]C:\Windows\SysWOW64\Macromed\Temp\{40C291C1-5489-4B96-8074-FB6F066BB16A}\InstallFlashPlayer.exe
    Parent: [15572]C:\DOSPROGS\install_flash_player_ppapi.exe
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: "C:\WINDOWS\system32\Macromed\Temp\{40C291C1-5489-4B96-8074-FB6F066BB16A}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 1 -au 4294967295
    Signer:
    Parent Signer: Adobe Systems Incorporated



    I'm not sure about this second one. This one appears after every startup on a fresh Asus system:

    Date/Time: 3/13/2018 9:40:37 PM
    Process: [15260]C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Parent: [15044]C:\Windows\SysWOW64\cmd.exe
    Rule: BlockPowerShellMalformedCommands
    Rule Name: Block execution of PowerShell malformed commands
    Command Line: powershell $packages = Get-AppxPackage; $result = @(); foreach ($package in $packages) { try { $manifest = Get-AppxPackageManifest $package; $applications = @(); foreach ($app in $manifest.Package.Applications.childNodes) { if ($app.Id) { $applications += @{ Id=$app.Id; StartPage=$app.StartPage; DisplayName=$app.Properties.DisplayName; Description=$app.Properties.Description; PublisherDisplayName=$app.Properties.PublisherDisplayName; Logo=$app.Properties.Logo; OSMinVersion=$app.Prerequisites.OSMinVersion; OSMaxVersionTested=$app.Prerequisites.OSMaxVersionTested; }; }; }; Add-Member -InputObject $package -NotePropertyName "Applications" -NotePropertyValue $applications; $result += $package; } catch {}; }; ConvertTo-JSON $result -depth 10;
    Signer:
    Parent Signer:
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    The second one looks safe to me
    https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage?view=win10-ps
     
  21. plat1098

    plat1098 Guest

    I'm often wrangling with this machine at startup and due to problematic hardware, the Internet connection isn't always established when it boots. At times, I discover by accident that OSArmor isn't enabled. Is there any consideration for some sort of notification to tell you OSArmor is disabled? When you've disabled it yourself without the timer also, you can forget these things if you're busy. Is making its startup Automatic-Delayed feasible?
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    The tray icon changes colour when protection is disabled.
     
  23. plat1098

    plat1098 Guest

    Yes, I know, but I've hidden the taskbar. OK, just wondering. I'll have to keep an eye on it then.
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Antarctica

    Great, thanks for testing.

    @Lorina

    Glad you like our software :)

    The 2 alerts you reported seem to be safe, I will fix them on the next build.

    Thank you for reporting them.

    //Comment about the first alert:

It would have been awesome if this Adobe Flash executable file were also signed by Adobe Systems Incorporated:

    Code:
    Process: [1876]C:\Windows\SysWOW64\Macromed\Temp\{40C291C1-5489-4B96-8074-FB6F066BB16A}\InstallFlashPlayer.exe
    Signer:
    
    Unfortunately it is not.

    @plat1098

We can discuss adding additional popups to remind you that protection is disabled.

    I wrote that in the "todo" list so we'll see.
     
  25. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Got these in the log today after enabling Block execution of netsh.exe on the advanced settings. Most likely a false positive from Heimdal Pro.

    ++== Passive Logging ==++

    Date/Time: 3/13/2018 1:54:26 PM
    Process: [8004]C:\Windows\SysWOW64\netsh.exe
    Parent: [6332]C:\Windows\SysWOW64\cmd.exe
    Rule: BlockNetshExecution
    Rule Name: Block execution of netsh.exe
    Command Line: netsh interface ipv4 set dns "Wi-Fi" static 127.7.7.8 validate=no
    Signer:
    Parent Signer:

    ++== Passive Logging ==++

    Date/Time: 3/13/2018 1:54:27 PM
    Process: [7752]C:\Windows\SysWOW64\netsh.exe
    Parent: [7324]C:\Windows\SysWOW64\cmd.exe
    Rule: BlockNetshExecution
    Rule Name: Block execution of netsh.exe
    Command Line: netsh interface ipv6 set dns "Wi-Fi" static fe80::314d:63ca:314e:7335 validate=no
    Signer:
    Parent Signer:

    ++== Passive Logging ==++

    Date/Time: 3/13/2018 1:54:31 PM
    Process: [8996]C:\Windows\SysWOW64\netsh.exe
    Parent: [8944]C:\Windows\SysWOW64\cmd.exe
    Rule: BlockNetshExecution
    Rule Name: Block execution of netsh.exe
    Command Line: netsh http delete iplisten ipaddress=
    Signer:
    Parent Signer:

    ++== Passive Logging ==++

    Date/Time: 3/13/2018 1:54:32 PM
    Process: [9192]C:\Windows\SysWOW64\netsh.exe
    Parent: [9088]C:\Windows\SysWOW64\cmd.exe
    Rule: BlockNetshExecution
    Rule Name: Block execution of netsh.exe
    Command Line: netsh http delete sslcert ipport=:443
    Signer:
    Parent Signer:

    ++== Passive Logging ==++

    Date/Time: 3/13/2018 1:54:33 PM
    Process: [7236]C:\Windows\SysWOW64\netsh.exe
    Parent: [8308]C:\Windows\SysWOW64\cmd.exe
    Rule: BlockNetshExecution
    Rule Name: Block execution of netsh.exe
    Command Line: netsh http delete iplisten ipaddress=127.0.0.1
    Signer:
    Parent Signer:
     