NoVirusThanks OSArmor: An Additional Layer of Defense

Just asking why are we in February looking at a test made in December.( This report is generated from a file or URL submitted to this webservice on December 15th 2018 20:05:20 ).
Just asking is that valid?

 

For those concerned and using OSArmor, just submit your version of OSArmorDevSvc.exe to Hybrid-Analysis for a scan. I assume it already has been scanned once and a report is available.

 

just for fun

https://www.hybrid-analysis.com/sam...03426abf431debc1900158350e238e658a03b9edbb980
--
https://www.hybrid-analysis.com/sam...e238e658a03b9edbb980/5c6478137ca3e10b3b057b64
--
are hybrid-analysis links okay to post?

 

This result is the same as my prior version posting; zip network traffic observed.

 

As far as the Fort Knox firewall goes, no one tests third party stand-alone firewalls anymore. In the last matousec.com test dating to 2015 or so, Fort Knox was listed with a 4% effectiveness score: http://www.matousec.com/projects/proactive-security-challenge-64/results.php .

 

With statements like that, I don't think anyone here can take anything you say seriously. Do you have a list of these "spyware executables?"

 

Understand that statement wasn't directed this way however...

No one including yourself can deny that they have raised the highest of suspicions surpassing their own bar of aggression by forcing things onto users (or else stance they took).

It would indeed serve all of us very well to substantiate those hidden intrusions even beyond their common telemetry which for many crossed a line that set off a massive alarm with their once dedicated users.

 

In my opinion, it has a lot more to do with wanting people to be using the latest OS than spying on people. That's why I've been using 10 since it was released, on multiple computers.

 

@Wolfram I don't care much what is going out my system because nothing suspicious is going in.
I don't waste my time getting paranoid because an app is connecting out especially one I installed myself...

Not saying I don't use my Win FW like average joe, I set it to block all outgoing connections unless I create the rule personally or if I use binisoft WFC, it prompted me for it; and I didn't make one for OSA. So basically I don't mind much of this issue of yours.

And if I was you, I would try to replicate the issue as I told you with another setup on a VM.
(I didn't force you to do it on real machine)...

Until then, I wont take your previous observations seriously.
And I won't waste anymore my time on paranoia issues.

Don't trust, don't like, don't use.

 

As far as the Win 10 firewall goes, it will auto create rules for all Win Store apps. If one doesn't like that, uninstall the apps via System Settings -> Apps and Features. You can also control App and Windows connections via Privacy options and disable Apps to run in the background essentially blocking their startup. Or simple use software like O&O ShutUp 10 to control what Win 10 can do.

 

@Wolfram
I've just tested this on an old XP VM. I can confirm that OSArmor running on xp does indeed attempt to connect out as the developer acknowledged. I've attached a screenshot showing some of the DNS queries made by OSA before connecting out to the addresses. The hosts were all legitimate certificate authorities which included Verisign, DigiCert, GlobalSign etc.
I also tested on win7x64 and can confirm no such outbound connections occured in the time that I tested.

I assume the difference is simply a change in how the API/s in use function between WinXP and Win7. I see Win7 cryptographic services include extra functionality that XP misses like 'Automatic Root Certificate Update Service'; so perhaps it's svchost that connects out on Win7 onwards and a call to the API by user applications queries a local database instead of the certificate authorities directly.

It's worth noting that as the developer pointed out, these connections are initiated via an API call and therefore it's Microsoft code connecting out. It appears to be OSArmor itself making the connection because OSArmor loads a system DLL into it's process space and calls functions from it, as all applications do.

 

That seems more plausible, thanks for testing.
As I always say, people shouldn't draw quick conclusions without proper knowledge/understanding on how things works.

 

Okay, my dumb question of the month. I just upgraded to Win 10 (Pro). It's a clean machine right now. Nothing but my word processor and related software on board. I want to stay lean as far as security goes. Would OSarmor and NVT Syshardener be enough along with Win 10's own security? Should I add something else, like Comodo Cloud AV? All that assumes of course the software between my ears is working too.

 

Nothing else to add, just take time to learn about the various LOLbins blocks repercussions of the Advanced Settings and consider to create Custom Blocks (which is an important feature).
If you plan to use Windows Firewall, unless you like to block all outgoing connections and create your own rules, consider the use of some front-end GUI like Binisoft WFC.

 

Well said, itman!!!

 

@guest

"Besides, this OS is still supported: for Windows Embedded POSReady 2009, Extended support will end on April 9, 2019. Microsoft ditto."

In August 2018, Microsoft ignored its specification that Windows XP was intended to run on pre-SSE2 processors with the result that older PCs reported illegal instructions on restarting after patching. Uninstalling the offending patches and reinstating the previous software restored order. It bodes ill for the future of Windows that Microsoft's use of its own standards is so sloppy. Curiously, the team responsible for Internet Explorer continued to maintain pre-SSE2 compatibility for IE8.

 

OSArmor continues to cause system hangs. It seems to help if the final section (Microsoft Processes, Java, etc.) of anti-exploits is unchecked and the advanced settings are at default. Also only selecting anti-exploits for those applications actually in use also seems to help. I regret the need to mention this but that is what happens.

 

Sometimes when I'm using a weaker laptop for one reason or another, or I don't feel like dealing with that, I just go on without any security software as that not only speeds up the system, even when talking about light software, but also saves really A LOT of time (it adds up) when dealing with all that software. Just keep your OS and programs updated and you're done, I've said this many times, malware is not going to suddenly appear on your PC. Even on my main one, I have not blocked a single malware with memprotect, pumpernickel or NVT ERP. They were all there for peace of mind and following processes and what they do. But I would have been (and am) completely fine without them. Ofc make sure you know what you're doing My gigantic bat with custom tweaks also helps a ton

 

os armor makes some connections (I've seen it making a connect in older versions) and apparently uses werfault.exe according to spy shelter, but I trust NVT and I spotted this some time ago and not seeing it anymore. Notice it also goes to its site since its opted by default
@andrea
windows 1809 latest update as of today
a problem: now with latest update when in rules adjustment mode I am getting this error:

os armor version 1.4.2.
access violation at address 0000000000000595F96 in module OSarmordevcfg.exe read of address 00000000000000706FF360

same exact issue with sys hardener at main GUI
sys hardener version 1.5
access violation at address 0000000000000005AD7A6 in module syshardener.exe. read of address 00000000007CD5F5C0

probably some admin priviledge issue or windows exploit protection?

as posted above also there are system freezes if the system is configured in a particular way but there are usually gone in a particular setup, in my case I got freezes when I tweaked change behavior of Uac prompt for administrators in sys hardener (thicked square, better don't change anything), ran HD cleaner with all cleaning settings (maybe because it clears log files and perhaps some rules) on and rebooted or enabled secure desktop with tight security settings: better to have it off or don't touch UAC from defualt. Anyway I think the problems is with UAC settings and OS armor. Also I don't like how OS armor interacts with ERP, first wait for one then another then wait for Uac etc: it means I have to accept a program I don't want to run just to be able to get to the next prompt: not so secure. All this jumping between ERP, OS armor and UAC takes alot of time (prompts look like stuck) and I have fast hardware, I think OS armor ERP should be one program (NVT could add that registry blocker and system process blocker - anti rootkit - added on top, one big behaviour blocker) and better integrated with UAC
best
Lucid

 

@lucd OSA isn't supposed to be used with ERP (it was clearly said by the dev right from the start) , OSA is meant to be a beginner hassle free program, while ERP is for "advanced" users who want more control. So obviously there won't be a fusion between the two (unless the devs change their mind), ERP already does what OSA does and with much more control over processes.

 

thanks for your informative reply @guest
there are some default block options in ERP, like block processes executed from usb, I'd personally like to see more ,,automatic noob-friendly rules" in that section (maybe from os armor too), and in doing so ERP would resemble more a os armor/ERP hybrid so I could ditch os armor and cut in half wait time

 

Actually, the purpose of Automatic Root Certificate Update Service is:

https://social.technet.microsoft.co...ic-root-certificates-update?forum=winserverDS

Since XP is not longer a supported OS, it is not receiving Win Updates. Therefore the Windows Root CA store is never updated. So any responsible security software current supporting XP; there aren't many that do so, will have to verify software code signing certs. via manual lookup to the issuing root CA server.

Again, this whole discussion of OSArmor "dialing out" has progressed from the ridiculous to the sublime.

 

I love OSA. Can't wait to test v 1.5 which will be even better.

 

Hmm, me run ERP 3.1 with OSA.

 

Yes, I did too. "Not supposed" doesn't mean you are forbidden to do so.