NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Because it didn't support it on 2017. The latest version should be fine now.
     
  2. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    The release notes for v1.4 in post #1870 state Secure Boot is supported. (It wasn't at the time the original post was made in December 2017 but the product has undergone many test builds since then until the final release of version 1.4 on 20 June.)
     
  3. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    Hi @ Wilders

    Needs some help with using OSArmor.

    On Win 10 x64 latest update.

    I use Epson SX400 printer and when I print from Notepad.exe up pops a message from OSArmor "Suspicious Process Blocked" also offering to exclude the warning. Most of the information is pre-filled in the exclusion form. I should add, nothing was blocked and the info was printed out.

    However, even though I excluded it, I am still getting the warning "Suspicious Process Blocked" . This has happened four times now. Yet printing wasn't blocked and it appears exclusion has not occurred.

    Questions:

    1) Why was the process not blocked?

    2) Why is the process "E_IAMTEGE.EXE" not "excluded" when added to the exclusion list.

    3) Am I doing something wrong?

    I show below the exclusion list from OSArmor:

    ; Write rules to exclude a process from being blocked
    ; Available variables to use are %PROCESS%, %PROCESSFILEPATH%, %PARENTPROCESS%, %PARENTFILEPATH%, %PROCESSCMDLINE%, %FILESIGNER%, %PARENTSIGNER%
    ; Here is an example rule to exclude process C:\Path\To\abc.exe with parent process C:\Path\To\parent.exe and command-line /param1 /param2
    ; [%PROCESS%: C:\Path\To\abc.exe] [%PARENTPROCESS%: C:\Path\To\parent.exe] [%PROCESSCMDLINE%: /param1 /param2]
    ; You can use wildcards pattern * to match any character of any length and ? to match a single character, example [%PROCESS%: *\abc.exe]
    ; You can also use regular expressions (PCRE) like this: [REGEX:%PROCESS%: \\abc[0-9]*\.exe]
    ; To comment a line you can use ; character, you can comment multi-lines with {}

    [%PROCESS%: C:\Windows\System32\spool\drivers\x64\3\E_IAMTEGE.EXE] [%PROCESSCMDLINE%: C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_IAMTEGE.EXE /FU "C:\Users\Terry\AppData\Local\Temp\epi9ACB.tmp"] [%PARENTPROCESS%: C:\Windows\System32\notepad.exe]
    [%PROCESS%: C:\Windows\System32\spool\drivers\x64\3\E_IAMTEGE.EXE] [%PROCESSCMDLINE%: C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_IAMTEGE.EXE /FU "C:\Users\Terry\AppData\Local\Temp\epiA9DA.tmp"] [%PARENTPROCESS%: C:\Windows\System32\notepad.exe]
    [%PROCESS%: C:\Windows\System32\spool\drivers\x64\3\E_IAMTEGE.EXE] [%PROCESSCMDLINE%: C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_IAMTEGE.EXE /FU "C:\Users\Terry\AppData\Local\Temp\epi7954.tmp"] [%PARENTPROCESS%: C:\Windows\System32\notepad.exe]
    [%PROCESS%: C:\Windows\System32\spool\drivers\x64\3\E_IAMTEGE.EXE] [%PROCESSCMDLINE%: C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_IAMTEGE.EXE /FU "C:\Users\Terry\AppData\Local\Temp\epiC0.tmp"] [%PARENTPROCESS%: C:\Windows\System32\notepad.exe]
     
  4. guest

    guest Guest

    Look closely at your exclusions, a part of it is changing each time. You should exchange the part which is changing with a wildcard:
    Code:
    [%PROCESS%: C:\Windows\System32\spool\drivers\x64\3\E_IAMTEGE.EXE] [%PROCESSCMDLINE%: C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_IAMTEGE.EXE /FU "C:\Users\Terry\AppData\Local\Temp\epi*.tmp"] [%PARENTPROCESS%: C:\Windows\System32\notepad.exe]
    
    The above line is solving it for printing within notepad. Other programs might still be affected. In this case leave PARENTPROCESS empty:
    [%PROCESS%: C:\Windows\System32\spool\drivers\x64\3\E_IAMTEGE.EXE] [%PROCESSCMDLINE%: C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_IAMTEGE.EXE /FU "C:\Users\Terry\AppData\Local\Temp\epi*.tmp"]
    
    Other users might still be affected, in this case the username should be replaced with a wildcard:
    [%PROCESS%: C:\Windows\System32\spool\drivers\x64\3\E_IAMTEGE.EXE] [%PROCESSCMDLINE%: C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_IAMTEGE.EXE /FU "C:\Users\*\AppData\Local\Temp\epi*.tmp"]
    
     
  5. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    Hi Mood

    Thanks a lot. Great help & service.

    Terry
     
  6. guest

    guest Guest

    You're welcome :)
     
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    This behavior is pretty similar to that of a HP printer. There is a certain command line(s) that even if blocked, the print job still works. Apparently, the printer is trying to record info about the print job that it wants to do or just did.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Awesome stuff especially Custom Block Rules. Locks things down tight.

    I have some useful common basic ones applied but would anyone like to share some Custom Block Rules that might be of additional good use?

    In tandem with ERP v4 it's almost as OSA is the chief sentry (stopper) since even if you allow something in ERP v4, if it's addressed already in OSA the thing is going to get stopped cold.
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I have experimented with custom block rules, but a lot of the time, I later discovered that it was already covered somewhere by OSA.

    If you are not using ERP or the equivalent, you might consider adding rundll32.exe. This will almost surely generate some prompts, so you will need to do some exclusions. But after the first reboot, it is pretty quiet.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks @shmu26- rundll32.exe is one of those already set plus some same exclusions for allowing safe passage.
     
  11. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    Look here, but some rules already exist in the OSA.
     
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Right. I later discovered that Andreas already covered many of the things I thought to add.
    I would be interested to hear what @guest has to say about custom block list?
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    That's the post I gleaned from. Always seems useful to keep a copy of them though for referencing later when or if needed again.
     
  14. guest

    guest Guest

    nothing much to say, custom lists are based of the user system and behavior; it is unique, dumbly copying a list from another user is the best way to wreck your system.
    OSA has a quite good list, main reason i use it, it helps me to lighten the rules/policy implementation on other softs.
     
  15. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    No, no and NO! I'm writing from the system, "which should have been wreck". But in any case, something rules from the list should be removed, something rules added.
     
  16. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    In my opinion, the best way is to wait for OSArmor popup when something is blocked and make an exclusion from there
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    guest, so let me put the question a little differently. What, if anything, do you think that Andreas should add to OSA?
     
  18. guest

    guest Guest

    Nothing, OSA is for beginners. It offers enough protection for them.
    You want more, use ERP, it was made for more skilled users.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Allow me to better clarify for logical purposes.

    Custom Lists indeed "are" geared per the individual user's own local machine-preferences and not recommended to blindly copy to your own list, there are always some useful filepaths-file-file types that one might could use from data/entries to adding within their own provided it's done with care.

    As is OSA is already well supplied to address just about if not all, sections that afford users the best possible protection they could ever expect.
     
  20. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    @novirusthanks

    https://www.wilderssecurity.com/threads/eopradar-privilege-escalation-vulnerability-scanner.406671/

    EOPRadar.exe

    Date/Time: 01/08/2018 17:43:51
    Process: [7992]C:\Windows\System32\whoami.exe
    Process MD5 Hash: AA18BE1AD24DE09417C1A7459F5C1701
    Parent: [8032]C:\Windows\System32\cmd.exe
    Rule: BlockWhoamiExecution
    Rule Name: Block execution of whoami.exe
    Command Line: whoami /groups
    Signer:
    Parent Signer:
    User/Domain:***********************
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Just want to air the satisfaction over OSA's Manage Exclusions-Open Exclusions feature. Was going thru a dickens of a time trying to exclude a portable video converter (FaasoftVideoConverterPortable) and due to OSA's excellent blocking I eventually found that the WILDCARD* applied after a certain process name avoids Alerts to all this below (SAFE), which if you use portables, already know they sometimes write extras and activate other processes-in this case ffmpeg.exe.

     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Sampei Nihira

    Thanks for sharing it.

    Not easy to exclude that event of whoami.exe because the parent process is cmd.exe and not EOPRadar.exe

    Since whoami.exe is very rarely used by users we may not include that exclusion in OSA for now.

    Can be of course excluded by adding this line to exclusions.db file:

    Code:
    [%PROCESS%: C:\Windows\System32\whoami.exe] [%PROCESSCMDLINE%: whoami /groups] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe]
    
    Not tested but should work fine.

    @EASTER

    That's good =)
     
  23. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    Here's my situation. I'm running OSA along with Shadow Defender and SBIE. There are exclusions in Shadow Defender to allow for frequently used directories; My Documents and Emby library. My question is this, would OSA be able to prevent and infection on the rare chance that malware can infect on of these excluded directories or would I be safer to add HMP.A to my config?
     
  24. guest

    guest Guest

    yes. In addition, you can create a custom rule to block execution from those folders.

    P.s: personally, i will never exclude anything with SD, that defeats its whole purpose.
     
  25. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
    Since just after OSArmor 1.4 appeared, I have submitted two or three gripes about it hanging Windows 7 on slower hardware. I followed up a couple of times with false dawn revelations that the problem had been fixed.

    I want to float the idea that the problem might be a conflict between OSArmor Anti-Exploit and MBAE. A few days ago, I unchecked all anti-exploit enablements in OSArmor and have since enjoyed a freedom from hangs. No doubt as soon as I post this they will re-emerge from beneath their stones and I will once embarrass myself and further reduce my credubility in this forum

    I am only taking the trouble to raise this issue because of the possibility that it might be a sign of an otherwise hidden problem in OSArmor which only manifests itself in the rare circumstances of using OSArmor with Windows 7 running on very slow hardware. I don't mind being ignored. If I solve a problem and benefit myself in the process, that's good for me as I will have two much better protected Windows 7 systems on very inexpensive and otherwise satisfactory PCs.

    I assume that MBAE makes using OSArmor Anti-Exploit unnecessary. If they do similar things then it is probably better to disable one of them. I know what my choice is. The real value of OSArmor is in the Main and Advanced protections and these are what I have been seeking the benefit from for several months.

    I would be glad to know what others think.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.