NoVirusThanks OSArmor: An Additional Layer of Defense

Event viewer blocked.

Date/Time: 4/14/2018 11:46:43 AM
Process: [10024]C:\Windows\System32\mmc.exe
Process MD5 Hash: 25A01E7B77B696693957812508D7F55D
Parent: [5320]C:\Windows\explorer.exe
Rule: BlockMSCScripts
Rule Name: Block execution of .msc scripts
Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\eventvwr.msc" /s
Signer:
Parent Signer: Microsoft Windows
User/Domain: -----/DESKTOP-5XXTJTA
System File: True
Parent System File: True
Integrity Level: High
Parent Integrity Level: Medium

 

That is normal.You block execution of .msc

 

I wasn't aware it was supposed to block legitimate Windows processes.

Enable internal rules for allowing safe behaviors should take care of this.

 

So, the anti-exploit rule for Chrome doesn't cover Chromium? In MBAE it does.
What about if the browser is portable? Does the rule cover only C:\Program Files ?

 

Any interest in Statistics info maintained thru machine restart?

 

From what i understand, it takes precedence because this is not a default option. If you want keep using it and allow MS processes, you have to make exclusions.

 

Thanks to everyone, I understood a lot, but not all

 

Ok, thanks. Still learning this program.

 

Here is a new v1.4 (pre-release) test59:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test59.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Added "Windows Live Mail" on Anti-Exploit tab
+ Added "PotPlayer" on Anti-Exploit tab
+ Added an Help\FAQs file (tray-icon -> Help\FAQs, Main menu -> Help -> Help\FAQs, GUI "?" top-right border icon)
+ Renamed Block system processes from cleaning Windows Eventlog
+ Minor fixes and optimizations

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.

@Charyb

You should uncheck "Block execution of .msc scripts" and check "Block execution of .msc scripts outside system folder", it will not generate FPs.

Probably the option "Block execution of .msc scripts" may be removed, leaving only "Block execution of .msc scripts outside system folder".

@imuade

Chromium is not supported because unsigned, Google Chrome monitors only Chrome by Google.

Will take a look at Chromium later, but I would prefer to support only digitally-signed apps.

It supports also portable versions, here is a screenshot with LibreOffice portable (the exploit payload has been blocked):



@bjm_

Stats on GUI are reset when GUI app is restarted, you can check the .log file for historical of blocked events.

Personally I don't need them to be remembered on the GUI.

 

I like the new FAQ. Well done, Andreas.

 

The limited response time allowed by the dialog box for excluding blocking of suspicious processes is too short for proper user consideration, especially if you are away from computer at the time.

 

It would be great if you could add it, i agree with the idea to support only digitally-signed apps, but Chromium is widely used, so it could be an understandable exception

 

Ok let's discuss if it's ok.

Highly respect your personal preference on the log display sequence however there are some user's of this great program who have also weighed in their support of the (last blocked event) who seem to share the suggestion of having the most recent blocked event show up first, and at the top squarely in front of them first on log open

It's (OSA) pop up alert dialog is first to indicate a blocked event was engaged and logged and it just seemed fluid to also have that same logged event in front of the user when they Open Logs Folder.

A proposition. Not a request. How about an option? OSA is a program of myriad options already. Does this make sense?

At any rate keep up the fantastic work and effort. It's easy to see that more and more users are really warming up fast in what OSA offers for solid protection and needless to say it's a very convincing piece of excellent work.

 

This is also my preference - last blocked event shown at the bottom of the log file.

 

+ Added "PotPlayer" on Anti-Exploit tab

Good.
I use Potplayer on Windows XP.

 

Would be nice to see SMPlayer on it also.

 

I respect that, honestly do, but for the life of me can't understand a purpose in doing what Windows for years have always made users do and that is go hunting for something "most recent" that could easily be brought to the front first.

 

Agree. Whether here or in other apps, scrolling to the bottom to see what is new is illogical for me. The stuff above is of little interest.

I like the suggestion of an option to show eithe way, but at some point Andreas will likely say ENUFF!!

 

In case you aren't aware, there are shortcuts you can use to get to the bottom of a text file very quickly. You can either press CTRL + END on the keyboard, or right-click on the scroll-bar and select "Bottom" from the menu. Apologies if you knew this already, just trying to be helpful.

 

Appreciate the workaround for a roundabout search, still another extra step to have to take just to find most recent.

Not wanting to make too much out of this, it's just simpler and more immediate IMHO for a logged event to show itself up front and center.

This is a cutting edge creation with outstanding protection and that's really what counts most.

 

D'oh! I am suitably embarrassed.

 

I think the best idea would be to keep the log files as they are, but also add a "events" tab to the gui, just like ERP 4 has, that shows all the events as they happen.

 

@EASTER

I'll see if we can add an option in Settings tab like this (only one option will be checkable):

[X] Append events to the log file (as is now, checked by default)
[ ] Insert events to the log file (this will insert the event, so the last event will be always on first line)

What do you think?

 

I think the best idea would be most recent up first since it is an immediate alert. But we all have our own opinions on that.

As already mentioned this interest is way far from anything that actual matters to the program's core function.

Merely a proposition that seemed might be useful to share to the developer with some others who agree, that's all.