NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    Maybe I will tweak it a bit, but not more than is really necessary. Thanks for your help.
     
  2. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,157
    Location:
    Canada
    Not sure if this is an OSArmor-related issue, going to post in the Sumo thread as well. When I try to download Sumo lite the Malwarebytes extension for Chrome pops up with a warning, no problem, I just click allow this file, however, as soon as I do this another webpage opens for OSArmor and starts downloading it, very strange, tried twice and it happened both times. Anyone else see this?

    Edit: tried again, it's the browser extension that is messing up.
     
    Last edited: Nov 8, 2018
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for sharing; it is found that the issue is related to the browser extension situation.
     
  4. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    A few months ago when I was testing different extensions vs malware, phishing etc. links, Malwarebytes performed pretty poorly. There wasn't a single site that uBlock Origin / Chrome safe filter / Netcraft didn't block that the Malwarebytes extension blocked. Not to mention, I've heard it's not that light on the performance side.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Yep, that has certainly been the same experience once or twice before on this end. MalBytes has not quite been compatible with expectations on this end, but it can happen with any security software when teamed with others. After uninstalling it for a different program, I got performance back in full force again.
     
  6. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    To follow up on @digmor crusher's post

    MBAM extension is blocking downloads from NoVirusThanks website

    It shows the following:

    Download blocked due to reputation

    We strongly recommend you do not download this file.
    File blocked: https://www.novirusthanks.org/

    Obviously a false positive.

    There's a user on Malwaretips that has been testing various extensions for a while. And in them the Malwarebytes extension has been very good.
    https://malwaretips.com/threads/upd...sion-comparison-malwares-and-phishings.80915/
     
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Just uploaded a new short video (OSArmor v1.4.1 with default settings):

    PowerShell is dropped to Temp folder and executed by a Maldoc (Blocked by OSArmor)
    https://www.youtube.com/watch?v=Am83NLNIrA0

    Windows PowerShell is dropped to Temp folder and executed by a Maldoc to download and execute the Malware payload.
    OSArmor blocked the execution of the PowerShell executable and thus it kept the PC safe.
     
  8. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    Thanks for the interesting video. Good to know that even OSA default settings are enough to protect users' machines from this sort of malware. I'm currently using default settings myself (with two or three minor "tweaks"). No false positives so far. Thanks for such a wonderful program, NVT.:thumb:
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Great example of what I showed is possible in this thread: https://www.wilderssecurity.com/thr...-malicious-powershell-script-blocking.395997/ . More so since PowerShell was renamed.
     
  10. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Obviously you haven't read anything in the thread.:rolleyes:
     
  12. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Idk, I don't read anything in the anti-virus software section, I call it "the useless software forum". You tell me, is there anything in that thread that can bypass an anti-exe or SRP or something like that?

    OSArmor is pretty damn strong, when configured with all options enabled, including the red and orange ! ones in advanced, it's probably way better than AVs which mainly rely on signatures. OSArmor just stops so many things by itself. And it's free and lightweight.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for the video giving undeniable evidence showing the workings of OSArmor vs. shortcut tricks such as those from their hat o' plenty of bypass attempts. :thumb:
     
  14. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    I just realized: I used WinSCP without issues yesterday, but in OSArmor I checked a rule called "Block execution of scp/ssh/sftp.exe" and ftp/tftp/telnet. Are they some Windows internal files?
     
  15. guest

    guest Guest

    I guess he meant that anti-exes a la ERP are limited to exes. They can't stop DLLs and drivers often used by advanced malware. Use NVT SOB, the strongest NVT soft, for such cases.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    SOB courtesy of NVT has a whole lot of useful potential, especially when combined with others of their PC security inventions.
     
  17. guest

    guest Guest

    It depends on what program the "blocked application" will be launched by.
    If you are using a "trusted application" to launch it, it will not be blocked.

    For testing, tick for example: "Block execution of any process related to NirSoft" and launch one of these tools with "explorer" and you'll see that it will be blocked.
    Launch an installed file manager, let's say "Total Commander" and you can launch NirSoft utilities with it.
    Except if you put it into "Custom Block-Rules". In this case Nirsoft utilities will also be blocked if they are launched by Total Commander.

    Or try to untick "Enable internal rules for allowing safe behaviors". Now Total Commander isn't a "trusted application" anymore and these tools cannot be launched with it.
    But it is highly recommended to leave it enabled.

    Edit: I assumed it was launched by a trusted application but in this case the real reason why it wasn't blocked (#2194):
     
    Last edited by a moderator: Nov 14, 2018
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @__Nikopol

    That option blocks the following Windows built-in executables:

    C:\Windows\System32\OpenSSH\scp.exe
    C:\Windows\System32\OpenSSH\sftp.exe
    C:\Windows\System32\OpenSSH\ssh.exe

    They are built-in on Windows 10 1809 and can be abused by malware to upload/download files to/from remote hosts.


    Hence we added that particular rule.
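    As an added example (not OSArmor's own code), a small process-creation triage that mirrors the rule semantics described above: the three built-in OpenSSH client paths are blocked unless launched by a trusted application, and a Custom Block-Rule entry blocks them regardless of parent. The trusted-parent list and the sample events are constructed assumptions, since the page does not publish OSArmor's internal rules.

```python
# Added example modelling the "Block execution of scp/ssh/sftp.exe" rule as
# described in the thread; it is not OSArmor's implementation.

# The three Windows built-in executables named in the post.
OPENSSH_CLIENTS = {
    r"c:\windows\system32\openssh\scp.exe",
    r"c:\windows\system32\openssh\sftp.exe",
    r"c:\windows\system32\openssh\ssh.exe",
}

# Assumption: a hypothetical stand-in for OSArmor's internal "trusted
# application" rules; the real list is not on the page.
TRUSTED_PARENTS = {r"c:\program files\totalcmd\totalcmd64.exe"}

# Constructed sample process-creation events (Image / ParentImage only,
# loosely modelled on Sysmon Event ID 1); not real log data.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\OpenSSH\scp.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "ParentImage": r"C:\Program Files\totalcmd\TOTALCMD64.EXE"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\OpenSSH\sftp.exe",
     "ParentImage": r"C:\Windows\Temp\setup_tmp.exe"},
]


def evaluate(event, custom_block=frozenset()):
    """Return 'allow' or 'block' for one event under the rule semantics above."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    if image not in OPENSSH_CLIENTS:
        return "allow"      # the rule does not apply to this image
    if image in custom_block:
        return "block"      # Custom Block-Rules ignore the parent process
    if parent in TRUSTED_PARENTS:
        return "allow"      # launched by a trusted application
    return "block"          # e.g. launched via explorer or a dropped file


def triage(events, custom_block=frozenset()):
    """List (image, parent, verdict) for every OpenSSH-client launch, for review."""
    return [(e["Image"], e["ParentImage"], evaluate(e, custom_block))
            for e in events if e["Image"].lower() in OPENSSH_CLIENTS]
```

    Running `triage(SAMPLE_EVENTS)` reports two blocks and one allow; passing the lowercased ssh.exe path as `custom_block` turns the Total Commander launch into a block as well, matching the behaviour described in post #17.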
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Actually, they exist in 1803 also.
     
  20. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Oh thank you.
    Is there somewhere a full documentation available about the advanced rules? They are sometimes ambiguous.
     
  21. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Yes, on the dev's desktop :D
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I agree with Floyd on this one. If NVT would give us full documentation, he would in effect be giving us the secret recipe of his software, which rightfully belongs only to him.
    Nevertheless, I am always eager to hear whatever info Andreas is willing to share :)
     
  23. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    I just want to know what all these settings do when I click them or why I should click them. That shouldn't be secret. Leave the techniques out if you must... *puppy*:eek:
     
  24. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    I mean, you can already understand what they do by their name, although some are indeed slightly ambiguous like you said.

    But, lemme give you a detailed guide on which ones to enable or disable:
    Step 1: Enable literally everything
    Step 2: Every time you're doing something, like installing new software, or using various tools like Sysinternals', that is very likely to trigger some rule, just disable OSArmor for the time being (won't be often for average users)
    Step 3: If you're getting more than 2-3 false positives for something that you use extremely often, like hourly, disable the rule, otherwise make an exclusion

    Personally, I have every single rule enabled, including in the Advanced tab, except block execution of net/net1.exe, for when I want to quickly restart Excubits' software. This covers about half of my time spent on my PC, which is playing games, watching YouTube, browsing, etc., activities not requiring OSArmor to be Off. The rest of the time, I put OSArmor Off. But for average users, whose job is not related to computers, you can leave OSArmor On like 98% of the time.
     
    Last edited: Nov 14, 2018
  25. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Makes sense... Does it not cause issues with Windows updates that then in turn brick your installation?
     