NoVirusThanks OSArmor: An Additional Layer of Defense

Thanks @askmark . Maybe @novirusthanks can whitelist it.

 

Glad to be of help

 

Only got one alert for the UAC known bypass setting.

Date/Time: 3/19/2018 6:31:33 PM
Process: [5148]C:\Windows\System32\rundll32.exe
Parent: [12836]C:\Windows\System32\dllhost.exe
Rule: BlockKnownUACBypassAttempts
Rule Name: Block known UAC-bypass attempts
Command Line: "C:\Windows\System32\rundll32.exe" devmgr.dll,DeviceProperties_RunDLL /DeviceId "PCI\VEN_10EC&DEV_D723&SUBSYS_8319103C&REV_00\00E04C000000000000"
Signer:
Parent Signer: Microsoft Windows

 

This is what I got today. Hm...

Date/Time: 20.03.2018 22:37:54
Process: [196]C:\Windows\System32\WinSAT.exe
Parent: [4332]C:\Windows\System32\rundll32.exe
Rule: BlockKnownSysProcsUsedForUACBypass
Rule Name: Block known system processes used for UAC-bypass
Command Line: "C:\WINDOWS\system32\winsat.exe" disk -wsswap
Signer:
Parent Signer:

Date/Time: 20.03.2018 22:39:03
Process: [4276]C:\Windows\System32\WinSAT.exe
Parent: [2408]C:\Windows\System32\rundll32.exe
Rule: BlockKnownSysProcsUsedForUACBypass
Rule Name: Block known system processes used for UAC-bypass
Command Line: "C:\WINDOWS\system32\winsat.exe" disk -wsswap
Signer:
Parent Signer:

 

is osa redundant along with erp and vice versa?if yes, which one should be our first choice?

 

Later on, ERP might make OSA redundant, but right now, it makes sense to use both.
My first choice would be OSA.

 

how about osa + erp vs "locked down" cfw?it's not an a vs b,i'm just asking for your opinion.

 

Sorry, but I don't know what is locked down comodo firewall. Do you mean proactive mode with alerts suppressed?

 

you got that right.

 

Comodo Firewall is much easier to just install and use.
ERP has more of a learning curve, and requires more configuring and answering to alerts.

 

alrite, thank you.

 

Here is a new v1.4 (pre-release) test44:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test44.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed blocking of .cpl applets
+ Block execution of wscript\cscript.exe
+ Improved blocking of vbs\js\vbe\etc scripts
+ Block execution of .cpl applets outside System folder
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

@Buddel @Azure Phoenix

Thanks for reporting that FPs about the new UAC-bypass rules.

Will think on these days about improving them to reduce FPs.

@askmark @Krusty

The reported FPs are fixed, thanks for sharing them.

@Sampei Nihira

The .cpl applets are now blocked correctly:

Code:

Date/Time: 21/03/2018 17:37:12
Process: [4972]C:\Windows\System32\rundll32.exe
Parent: [3788]C:\Windows\System32\control.exe
Rule: BlockCPLApplets
Rule Name: Block execution of .cpl applets outside System folder
Command Line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL C:\1w.cpl
Signer:
Parent Signer:

Date/Time: 21/03/2018 17:37:43
Process: [1424]C:\Windows\System32\rundll32.exe
Parent: [5944]C:\Windows\System32\cmd.exe
Rule: BlockCPLApplets
Rule Name: Block execution of .cpl applets outside System folder
Command Line: rundll32.exe  shell32.dll,Control_RunDLL C:\1w.cpl
Signer:
Parent Signer:

No alerts for these two commands:

rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl
control.exe appwiz.cpl

@shmu26

Not for now, DLL monitoring is not present.

 

Right, but maybe you can write a rule to block any command line containing
"system.management.automation.dll"
Just an idea from an amateur, I don't know if this is possible or practical.

 

Good show ole boy.

Thanks as always. OSA is growing magnificently! by leaps and bounds.

 

My limited knowledge means I can only be a passive observer in the development of OSArmor although I have enjoyed reading many of the comments in this forum,at least those which I actually understood. However I can say that this software is becoming increasingly well-behaved and it seems that I am now able to run it reliably under Windows 7 as well as Windows XP with which it has been well-behaved since very early beta releases of OSArmor 1.4. I appreciate having the benefit of the expertise of Andreas and colleagues to develop what seems to be a powerful and effective tool in keeping Windows PCs secure and private.

I will be restricting my use of settings to those which are enabled by default.

 

Well - they do different things, though there is a wee bit of overlap. Many of us here run both. ERP needs more attention than OSA.
Between the two, there is little that gets past em.

At this point, they are both in Beta and the author - NoVirusThanks is very active here and eagerly accepts suggestions and input.

 

With ERP 4 seemingly backburner or at the very least different priority to OSA, i been using the always superior ERP 3 (i say that coz it's flawless on my 10/8.1 systems), and could not be more satisfied with the combo in tandem. The resource usage is nill consistently, and while what overlap does raise, serves efficiently enough IMO as a secondary prevent feature in the event of whatever.

Looking forward to the new ETP 4 version but as is can honestly say i'm gonna miss it once ERP 4 fine tunes for prime time. But as in everything, we learn to adapt and favor improved features and new security.

 

Great! Thanks.

 

Okay, now I realize that it is not as simple as I made it sound. In Excubits MemProtect, I made a rule to block any process from loading *System.Management.Automation*.dll

Later, I saw in the log that a valid process, mscorsvw.exe, was blocked from loading it:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe > C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7f06bbe7908fb8d914459155ec6219e7\System.Management.Automation.ni.dll

 

Also the commands:

ipconfig
netstat

show output with dangerous information.

 

Explained in the article below:

https://www.wilderssecurity.com/threads/ransomware-and-recent-variants.384890/page-17#post-2746440

why it is better to enable some rules in the "Advanced" section of OSA.

 

Here is a new v1.4 (pre-release) test45:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test45.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block suspicious command-lines
+ Show process username/domain and integrity level on the log file of blocked processes
+ Improved Block execution of syskey.exe\cipher.exe
+ Improved Block execution of .vbs\.vbe\.js\.jse\etc scripts
+ Improved Block execution of .hta scripts
+ Improved Block suspicious processes
+ Improved rules related to blocking UAC-bypass behaviors
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.