NoVirusThanks OSArmor: An Additional Layer of Defense

I installed it on top of v1.4.3 Beta build 2 - no problems so far.

PS: Thanks for the update, Andreas.

 

Updated release working great as usual. Thanks again, Andreas!

 

Hello, On my laptop I have windows 7 and the only defense program I use is Emsisoft Anti-Malware
will this enhance everything and are there any conflicts? thank you

 

No conflicts.

 

v.1.4.3 b. 2 since past Sunday afternoon running like a charm. Installed after deletion of prev. build and imported saved rules with lightning speed. Thanks for latest build.

 

Installed on top. NP!

 

I too am pleased with OSArmor 1.4.3. I do have a few qualifications to that comment. They concern my now successful attempts to overcome my previously commented tendency for OSArmor to cause Windows 7 to hang when OSArmor is used on slow hardware. I only tick Anti-Exploit options for software which is actually installed but have found that all the items in the section headed 'Microsoft processes, Java, etc.' can be ticked. I am still still not completely sure about which Advanced options can be ticked. However, using the default options PLUS ticking the UAC related options and the option to 'Block suspicious process elevation attempts' seem to be trouble free.

With regard to Windows XP, my experience has been the above comments hold true but no Advanced UAC related options should be ticked as they create a tendency to make Windows XP hang. I guess that this mechanism does not exist in Windows XP. However, the option to 'Block suspicious process elevation attempts' seems to be trouble free with Windows XP.

I hope that these remarks might provide helpful evidence about what goes on inside OSArmor.

 

When you use Microsoft RDP to log into a computer and install OS Armor 1.4.3, OS Armor will block itself from opening the "Configurator" or "Exclusions" tab. After you have logged into the computer locally and open those options then they will open when the computer is accessed by RDP. I would like to install your software into about 40 computers by remote desktop and it is inconvenient to go in person to each customer location to configure it.

Date/Time: 3/27/2019 8:41:11 PM
Process: [4992]C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorExcHlp.exe
Process MD5 Hash: 59689B14A803CD6459F1D84C1ADDD135
Parent: [2848]C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevUI.exe
Rule: EnableOSArmorSelfDefense
Rule Name: Enable OSArmor self defense (basic)
Command Line: "C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorExcHlp.exe" {{{%PROCESS_START%}}}C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevCfg.exe{{{%PROCESS_END%}}}{{{%PARENT_START%}}}C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevUI.exe{{{%PARENT_END%}}}{{{%CMDLINE_START%}}}"C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevCfg.exe"{{{%CMDLINE_END%}}}{{{%SIGNER_START%}}}NoVirusThanks Company Srl{{{%SIGNER_END%}}}{{{%PARENTSIGNER_START%}}}NoVirusThanks Company Srl{{{%PARENTSIGNER_END%}}}
Signer: NoVirusThanks Company Srl
Parent Signer: NoVirusThanks Company Srl
User/Domain:..........
System File: False
Parent System File: False
Integrity Level: High
Parent Integrity Level: Medium


Date/Time: 3/27/2019 8:41:05 PM
Process: [3456]C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevCfg.exe
Process MD5 Hash: FFC25B45A5251AE5CF05B3B1DC14DDE1
Parent: [2848]C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevUI.exe
Rule: EnableOSArmorSelfDefense
Rule Name: Enable OSArmor self defense (basic)
Command Line: "C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevCfg.exe"
Signer: NoVirusThanks Company Srl
Parent Signer: NoVirusThanks Company Srl
User/Domain: ...........
System File: False
Parent System File: False
Integrity Level: High
Parent Integrity Level: Medium

 

problem with block processes executed from suspicious folders
with Jupiter notebook, exclusions won't work have to edit REGEX (ruls is on the 4th or 5th row in the main menu, but I think this important process should be carefully excluded)
@andrea plz add exclusion for jupiter notebook and python modules, ppl can't work with their computers and this is very important and famous process, anaconda installs in C:\user\ so no wonder its blocked, python is the best language (lol) and more ppl will use it in future



@loungehake
I confirm, on any Windows with UAC there is hang
try to mess with UAC, I have 2 slow pcs that I left for sentiment and OS armor is fast as a rocket, if the UAC is too restrictive it will hang, I suspect secure desktop+something else, reset UAC to default and don't mess with it after, some rules need editing with regex otherwise they never work properly

best

 

Note: The dev is @novirusthanks, not 'andrea' ...

 

Andreas is his nickname...but not his forum handle.

 

The attached screenshot shows my OSArmor Advanced Settings for UAC on Windows 7/10 computers. The hanging issue seems to have greatly improved as OSArmor has progressed from version 1.4 through version 1.4.3. I no longer anticipate the issue happening, even with the WIndows 7(64bit) system running on the prehistoric AMD Sempron 3000+ single core 64bit processor.

 

previous info on memory error related to adopting some policy measures that then caused an error, it wasn't fault of os armor and other no virus thanks products, but bad user interaction

that said, I was curious if no virus thanks would help against malware penetrating VMs (hyperjacking), ie transferable memory from host to guest, if any process is at the centre of the set of policies adopted by NoVirusthanks

 

NVT products like most anti-exe don't have memory protection.

 

Hi,

A user in our forum has problems when trying to run SoftEther VPN. Until this is fixed how should the exclusion look like to get it to work?

Here are the logs:

https://justpaste.it/4udb7

Probably for this one:

it should be something like this?

[%PROCESS%: C:\Windows\SysWOW64\cscript.exe] [%PROCESSCMDLINE%: C:\Windows\system32\cscript.exe "C:\Users\gangosan\AppData\Local\Temp\*\*.vbs"] [%PARENTPROCESS%: C:\Users\gangosan\AppData\Local\Temp\*\*.exe]

Thanks!

 

Please implement very usefull function - indication of the initial state

 

It can be a little bit more strict else you are allowing "too much":

Code:

Parent Signer is mentioned in each alert so we add it here too:
[%PROCESS%: C:\Windows\SysWOW64\cscript.exe] [%PROCESSCMDLINE%: C:\Windows\system32\cscript.exe "C:\Users\gangosan\AppData\Local\Temp\*\*.vbs"] [%PARENTPROCESS%: C:\Users\gangosan\AppData\Local\Temp\*\*.exe] [%PARENTSIGNER%: SoftEther Corporation]

The path in the command-line of the alert is always "VPN_" + "4 random characters" / "winfire" + "12 random characters". We change the exclusion accordingly:
[%PROCESS%: C:\Windows\SysWOW64\cscript.exe] [%PROCESSCMDLINE%: C:\Windows\system32\cscript.exe "C:\Users\gangosan\AppData\Local\Temp\VPN_????\winfire_????????????.vbs"] [%PARENTPROCESS%: C:\Users\gangosan\AppData\Local\Temp\*\*.exe] [%PARENTSIGNER%: SoftEther Corporation]

Now the path of the Parent Process. "VPN" + "4 random characters" + "vpnsetup.exe":
[%PROCESS%: C:\Windows\SysWOW64\cscript.exe] [%PROCESSCMDLINE%: C:\Windows\system32\cscript.exe "C:\Users\gangosan\AppData\Local\Temp\VPN_????\winfire_????????????.vbs"] [%PARENTPROCESS%: C:\Users\gangosan\AppData\Local\Temp\VPN_????\vpnsetup.exe] [%PARENTSIGNER%: SoftEther Corporation]

If other users are launching the software too, we exchange the name of the user with a wildcard:
[%PROCESS%: C:\Windows\SysWOW64\cscript.exe] [%PROCESSCMDLINE%: C:\Windows\system32\cscript.exe "C:\Users\*\AppData\Local\Temp\VPN_????\winfire_????????????.vbs"] [%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\VPN_????\vpnsetup.exe] [%PARENTSIGNER%: SoftEther Corporation]

 

Thanks for the replay. Yes I am aware that my rule was a bit "lazy" but since I didn't use the program so far I didn't know how the syntax should look like.

Thanks again! I will forward your solution to the user.

Edit: The topic is here but (in Bulgarian language):

https://www.kaldata.com/forums/topi...sthanks-osarmor/?tab=comments#comment-4233780

 

by accident I found that changing screen display's hertz (nvidia) rate causes os armor, exe radar pro and simple wall to silently stop working 100% (do nothing but run in memory), although the programs appear to work perfectly fine. On os armor and exe radar pro I receive one stream error prompt, but if you ignore this chances are you'll never know they don't work anymore. Had to do a full reinstall to make them work again

 

Nice bypass find.

 

no issues for OSA on 1903

 

they actually do but not directly, since you block an executable that has code caving or process hollowing (and similar in-memory operations). Wondering now what excubits memprotect and memory guard (appguard) can do for me, can I add them to NVT products?

 

No they don't, blocking an executable on disk isn't preventing process hollowing happening in memory.
It is not because you use a condom that you can prevent HIV to destroy your immune system.
The mechanism of blocking LOLbins to be executed isn't the same as blocking code injection. If it was, no one would need anti-exploits.
Don't mix mechanisms, after you will have some people that will believe diehard erroneous stuff, like considering that post-exploitation softs are same as anti-exploits softs...

Yes you can add them, If you use NVT softs, I would suggest you to use Memprotect rather than AppGuard, anyway AG isn't destined for home users anymore.

 

I said not directly haven't I? Maybe I have choosen word poorly, its not the program for that, it would make OS slow which is against what they promote - low system impact. NVT can be part of that mitigation as it stop execution tout court unless we are thinking about two different attacks (which can be considered an anti-exploit though it wouldn't be accurate, there are some options in osarmor which use this terminology and Andreas believes OSA or ERP can stop such malware or its execution chain, they just don't focus on it) and I wouldn't rely on it alone.

thanks

 

Some people are totally oblivious of the attack chain concept, it is not because you use a certain mechanism at step 1 that it is also effective at step 2.

Taking the analogy, if the condom (anti-exe) is faulty, you get HIV (code injection)
If you have a cure (memory protection soft) that prevent the destruction of the immune system (code injection) , you won't care much of using a condom.
Got it?

Not saying, if the attack is fileless, or don't use LOLbins, what your anti-exe can do? Nothing.