NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    Has there been program updating from version to version ?
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Not yet. The betas need to be manually downloaded.
     
  3. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    Darn thought so. Thank you
     
  4. Lorina

    Lorina Registered Member

    Joined:
    Mar 13, 2018
    Posts:
    13
    Location:
    EU
    Here's something: Corel Video Studio Pro installation results in this:


    Date/Time: 6/1/2018 3:44:10 AM
    Process: [10380]C:\Temp\NewBlue\Install\install_util\InstallUtility.exe
    Process MD5 Hash: 58C45B36B17FAF79C2A37E1E1469C131
    Parent: [7668]C:\VideoStudio2018\64bit\BonusFeature\PlugIns_X64\NewBlueTitlerPro5ForCorel.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: "C:\Temp\NewBlue\Install\install_util\InstallUtility.exe" "C:\Temp\NewBlue\Install" "C:\Temp\NewBlue\Install\install_util\sku.xml" "C:\Temp\NewBlue\Install\install_util\target_path.xml"
    Signer:
    Parent Signer: NewBlue, Inc.
    System File: False
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High
     
  5. Lorina

    Lorina Registered Member

    Joined:
    Mar 13, 2018
    Posts:
    13
    Location:
    EU
    Just a quick finding, nothing important - a batch called Microsoft's robocopy to process files, and resulted in:


    Date/Time: 2018-06-01 15:00:59
    Process: [8660]C:\Tools\robocopy.exe
    Process MD5 Hash: 592BE1AD0ED83C36D5E68CA7A014A510
    Parent: [3268]C:\Windows\System32\cmd.exe
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: E:\Soft\robocopy.exe T:\TR\ D:\Pro\ /MIR
    Signer:
    Parent Signer:
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  6. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) test69:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test69.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Fixed some false positives
    + Removed "Block execution of IQY Excel Web Query files" (executed directly via excel /dde, can't be filtered)
    + Added numbering of questions (Q) and answers (A) on Help\FAQs file, e.g. Q1 A1, Q16 A16, Q21 A21
    + New option: Prevent explorer.exe from executing exes with /c
    + Improved Block suspicious command-lines

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive or issue please let me know.

    All reported FPs should be fixed.

    @mood @EASTER

    Added on the todo list for v1.5

    @bellgamin

    LoL You made my day :D

    @Lorina

    OSA blocks system processes executed from non-system folders, hence why robocopy.exe was blocked when started from C:\Tools\ folder.

    OSA does this because some malware is known to, for example, copy powershell.exe on Temp folder and run it from there.

    In your case, you should exclude that event via exclusions.

    The other reported FP should be fixed.

    @Sampei Nihira

    FP related to uTorrent should be fixed.

    @Overkill

    A few more days, just fixing FPs at the moment.

    //Everyone

    Summary of important features not yet added (scheduled for next version):

    - Automatic update
    - Button to manually check for updates
    - Maybe encrypt the CustomBlock.db/Exclusions.db files so they are not in plain-text and create a GUI-helper to edit them
    - Move all protection options in a ListView so they can be easily sorted/categorized/searchable/enabled/disabled
    - Create pre-defined protection modes: Basic/Medium/Advanced/Custom
    - Add possibility to add custom apps in Anti-Exploit tab
    - Possibility to exclude a specific blocked event from being shown via the notification dialog
     
    Last edited: Jun 5, 2018
  7. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    @novirusthanks

    Immagine.jpg


    Date/Time: 05/06/2018 16:44:25
    Process: [948]F:\HiSuiteDownLoader.exe
    Process MD5 Hash: 15BF24FB9C9B2FA2A8B38009A33B4E86
    Parent: [8136]C:\Windows\explorer.exe
    Rule: BlockUSBAutorun
    Rule Name: Block USB-spreading malware (autorun.inf executions)
    Command Line: "F:\HiSuiteDownLoader.exe"
    Signer: Huawei Software Technologies Co., LTD.
    Parent Signer: Microsoft Windows
    User/Domain: XXXXXXXXXXX
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Sure! :thumb:
    It is however good that the developer takes note of it.
    ;):)
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  10. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
  11. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
    Try downloading and not running. Then execute from File Explorer. I had the same problem this AM. Are you running WD CFA? If so, turn off CFA and try. I finally got it to run, just not from Edge.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @Sampei Nihira - :thumb: All my Smartphones are Huawei too-Phablets- Various androids/JellyB/Lollipop
    Plug In main active system is 8.1 so haven't seen issue but is good you raise this that dev. can cover all bases if needs be. :)
     
    Last edited: Jun 5, 2018
  13. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
  14. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    I want to find the best protection to use along with avast so I don't know which one I should choose OSA or VS? They both seem to do the same thing. The way OSA is improving I might just use that one.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Do it! OSA is knocking it out and with it's rapid paced developments, new additions, also ALL bug reports are promptly and swiftly swooped in on and ironed straight out.

    Pretty much seals Windows system tight as an alligator's snap of the jaws :p

    The exclusions plus custom block rules zip things up very nicely and tight.
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Just a quick update:

    Here is a new v1.4 (pre-release) test70:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test70.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Fixed some false positives
    + Improved Block suspicious command-lines
    + Improved Block processes located in suspicious folders

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive or issue please let me know.

    @Sampei Nihira

    FP related to Huawei should be fixed, thanks for sharing
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Both Smart Screen and Norton complained about this build.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Smartscreen (dumbscreen) was whining here too. I just ignore it and snuff it.
     
  19. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    It's new. So, it makes sense for the file to have low reputation.
     
  20. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Smart Screen & Norton often forget the axiom "Never bring a knife to a gun fight." :mad:
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    The way the show is run on this end smarty pants screen is the only thing that raises a fuss lately and of all things just NVT OSA downloading :D
     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    +1. Still.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Yup. I'm still not really sold on that Windows feature, wasn't then or new Windows 10 although the latter is a bit more formidable.

    I've run ransomware tests that poked right through smartyscreen before. Scary stuff.

    Not happening with NVT Security there clamping things down tight.
     
  24. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    I confirm it is fixed.:thumb:;):)
     
  25. jks52

    jks52 Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    12
    Andreas - this is a wonderful program. Just curious, some months back you had indicated that password protection of OSA was coming soon. Is it still on the horizon?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.