NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    Date/Time: 6/8/2018 7:12:37 PM
    Process: [7596]C:\Users\User\AppData\Local\inspect64.exe
    Parent: [2272]C:\Users\User\Downloads\InSpectre.exe
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: C:\Users\User\AppData\Local\inspect64.exe
    Signer:
    Parent Signer: Gibson Research Corporation
     
    Last edited: Jun 8, 2018
  2. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Date/Time: 6/12/2018 4:13:14 AM
    Process: [2456]C:\Windows\System32\MicrosoftEdgeSH.exe
    Process MD5 Hash: 2A1EBE505EC133BFBBFEB1C92FB55CB1
    Parent: [11596]C:\Windows\System32\RuntimeBroker.exe
    Rule: BlockProcessesFromRuntimeBroker
    Rule Name: Block processes executed from RuntimeBroker
    Command Line: C:\WINDOWS\system32\MicrosoftEdgeSH.exe SCODEF:10700 CREDAT:75342 SERVICEWORKERHOST /prefetch:2
    Signer:
    Parent Signer: Microsoft Windows
    System File: True
    Parent System File: True
    Integrity Level: Low
    Parent Integrity Level: Medium

    Keep getting RuntimeBroker process blocks on sites like YouTube and Twitter.
     
  3. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Date/Time: 14/06/2018 7:24:04 AM
    Process: [11184]C:\Windows\SysWOW64\net1.exe
    Process MD5 Hash: 9C911EE188F19891CD6BFFB67D0E3904
    Parent: [10656]C:\Windows\SysWOW64\net.exe
    Rule: BlockNetNet1Execution
    Rule Name: Block execution of net\net1.exe
    Command Line: C:\Windows\system32\net1 start HPWMISVC
    Signer:
    Parent Signer:
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System

    I've already added it in exclusion but still keeps popping up from time to time...
     
  4. Tunerz

    Tunerz Registered Member

    Joined:
    Jun 12, 2007
    Posts:
    110
    Location:
    Philippines
    I'd like to ask if the latest OSArmor still doesn't support Secure Boot?
     
  5. guest

    guest Guest

    OS Armor is supporting Secure Boot since Build 29:
     
  6. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    @novirusthanks
    Can OSArmor protect from bashwares?
    https://avlab.pl/en/best-antivirus-software-2018-based-three-security-tests
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I block WSL via a Eset HIPS rule.
     
  8. guest

    guest Guest

  9. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    There is already a specific block for the Bash terminal applicaton. You will find it listed as "Block execution of bash.exe" under the section "Advanced->Block Specific System Processes"
     
  10. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Ah, OK, I missed it :thumb:
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    From the comments in this article: https://blogs.msdn.microsoft.com/po...its-awesome-and-what-it-means-for-powershell/
     
  12. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Easily done, especially when there are so many options. A search function would be helpful IMHO.
     
  13. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    Date/Time: 6/16/2018 6:53:54 PM
    Process: [4924]C:\Users\User\AppData\Local\Temp\Temp1_tdsskiller (2).zip\TDSSKiller.exe
    Parent: [4420]C:\Windows\explorer.exe
    Rule: BlockDirectProcessesExecZip
    Rule Name: Block direct execution of .exe files from .zip\.rar\.7z archives
    Command Line: "C:\Users\User\AppData\Local\Temp\Temp1_tdsskiller (2).zip\TDSSKiller.exe"
    Signer: Kaspersky Lab
    Parent Signer:
     
  14. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,342
    Location:
    Italy
    @novirusthanks

    OSA blocks the direct execution of VBscript:

    500.JPG

    but it does not block a VBscript test stopped by MBAE:

    400.JPG
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    All FPs will be fixed, thanks for sharing.

    @imuade

    Yes, just check these two options to bloxk lxrun.exe and bash.exe:

    bashware.png

    Bashware may use also lxrun.exe to download Linux File System from MS servers.

    @askmark

    Search functionality will be added on v1.5

    @Sampei Nihira

    It should be normal, in that case I think the exploit is first loading the VBScript engine/modules "inside" the browser, and then it would execute the VBScript code from the browser. MBAE is blocking the exploit in the first stage, OSA would have blocked the payload execution (post-exploitation stage).
     
  16. rethink

    rethink Registered Member

    Joined:
    Jan 13, 2015
    Posts:
    75
    @novirusthanks: Can we get a rule to block everythinng that tries to create a scheduled task?
     
  17. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,102
    Location:
    Lunar module
    @novirusthanks
    There are a lot of rules, they are difficult to navigate. Is it possible to add a search function? For example
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We've released the official OSArmor v1.4 (final) version:

    * Make sure to first uninstall v1.3 and then install the new version

    You can download it from our website:
    http://www.novirusthanks.org/products/osarmor/

    We'll start to work on v1.5 from middle of July * See post #1831 for important features in the todo list *

    Thanks everyone for the help, suggestions and testing!

    If you find any FP or issue please share them here.
     
    Last edited: Jun 20, 2018
  20. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    Much appreciated.
     
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,342
    Location:
    Italy
    Thank you so much.:thumb::)
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Congrats Andreas
     
  23. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,933
    Location:
    UK
    Installing now :thumb:
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Thanks Andreas! I reckon this guy is pretty well tested :thumb:.
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    I guess that means if we are running 1.4 beta we can over-install?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.