NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    This makes perfect sense to me, but this would mean that this Simple Windows Hardening tool by Andy Ful is a real-time protection tool. I wasn't aware of that.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
I haven't used that tool so can't comment. I know ConfigureDefender is just like SysHardener in that it runs, makes changes, then you close it, reboot and ConfigureDefender is no longer running. In fact CD is a portable program that doesn't install.
     
  3. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
Simple Windows Hardening and Hard_Configurator are not real-time protection tools; they use the Windows Event Log.
    From the Simple Windows Hardening manual:
    https://github.com/AndyFul/Hard_Configurator/tree/master/Simple Windows Hardening
     
  4. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    Thanks. That's what I thought. So if Simple Windows Hardening and Hard_Configurator can produce logs by using Windows event logs, why shouldn't this be possible for SysHardener as well?

    Later edit: I do realize that Windows tweaks (e.g. Show file extensions for known files etc.) cannot be logged, but maybe inbound and outbound connections and perhaps some other tweaks that are supposed to be blocked by SH could be logged.

    Anyway, a block list for SH is not a must-have feature; it's a nice-to-have option at best. All in all, SH is fine as it is and I have always used it alongside OSA. I do hope it will still be possible to couple OSA with SH when the new versions are released.

    Greetings to Italy from Buddel
     
    Last edited: Jul 19, 2020
  5. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
Absolutely, SH + OSA is what we use here; they complement each other, since SH has many system hardening rules (i.e. disable SMB, unassociate file extensions, firewall hardening, etc.) and OSA has powerful real-time protection to block process executions that trigger OSA rules (plus you can write your own custom block rules).

Just a small update on OSA progress: we're finishing a few more tests with the activation system and it should then be completed. I confirm that there will be a 30-day trial version. So just a few more days and we should make the official announcement of the new version with the full changelog.
     
  6. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
Thanks for your reply, @novirusthanks. Looking forward to the new version of OSA.
     
  7. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    1,275
    Location:
    sweden
    And what about SH, will there be some info about its future at the same time of the release of OSA?
     
  8. scip

    scip Registered Member

    Joined:
    Feb 13, 2020
    Posts:
    41
    Location:
    internet
    sounds good
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    +1. Will that also become, or part of, the subscription?

    I believe I will end up with (possibly SH) and OSA on one Win 10, and probably Andy Ful's Hard_Configurator, or discrete H_C Hardening_Tools (Simple Windows Hardening with ConfigureDefender, maybe FirewallHardener) on another. Maybe I'll end up going one way or the other, depending on my experiences ...
    I believe the approaches are slightly different?

    Andy Ful's tools are free and he is very responsive and helpful on MT.
     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @pb1 @paulderdash

We haven't discussed that yet; everything about the other programs (SH included) still has to be decided. For now we're only focused on OSA, but we will share some more info soon.

    Yes, after we've completed the release of OSA I'll write info about SH and the other programs.

    Another small update for OSA:

    We've finished the license activation system, here is a screenshot of the activator GUI:

    screen1.png

    We've added some new options on OSA Configurator to restrict Windows functionalities (asked by a few system administrators):

    osa2.png

Now we're working on adding the trial mode (the only thing remaining).
     
  11. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Sounds good. Thanks for the update.
     
  12. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
thank you for the info
     
  13. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
When running this awesome program, do you need or recommend Tiny Firewall,
or is it overkill? Thanks
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
If you need it, you can use Tiny Firewall to monitor Internet connections; they should work together without issues.
     
  15. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    thank you so much
     
  16. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,113
    Location:
    Lunar module
    User reports test results
    Is that how it should be?
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @aldist

OSArmor should not be tested by copying a malware sample to the desktop folder and then double-clicking it. OSA focuses on preventing a malware/ransomware infection by blocking the first stages of the infection. Example: a user receives a maldoc invoice.doc that, once opened, drops the payload of Petya and runs it without the user noticing anything; this is where OSA comes in and blocks the payload from running on the system, thus preventing the Petya infection.
     
  18. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
I wish I had a brain one hundredth as good as yours, but would settle for knowing what you put in your coffee.
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
Sugar (a lot!), but will switch to honey :p Anyway, I was in a hurry when I replied and meant to include some more details, so I will do that now below.

OSA was created to prevent a malware infection and especially to block the delivery methods used to install the malware. Ransomware and other pests are generally delivered to the system via "third-party" methods, such as maldocs, scripts, exploit payloads, fileless attacks, Emotet links, etc. They are not directly executed on the system by the user (except in some cases, for example if the user downloads a fake Flash Player installer that then drops and installs a ransomware, or a keygen/crack of a software that is bundled with the ransomware). Even in those cases, OSA uses specific rules to try to block those behaviors; it also blocks common ways used to delete the shadow copies of files, which can be used post-infection to restore the encrypted files (the block alerts reported in @aldist's post may be related to the blocking of these behaviors).

It looks strange that with all Advanced rules enabled OSA didn't block those samples, especially with the option to block unsigned process executions in user space; I have already PMed aldist for the samples so I can run some local tests and see what happened. Other users have contacted us with similar questions/reports, so I will add a detailed Q&A to the Help.txt that discusses this. Basically, it is recommended to test OSA in a real-world scenario rather than by running the malware.exe directly, because doing that ignores the initial infection chains/stages required to deliver and install the ransomware.
     
  20. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
this is an awesome program and can't wait for 4.0 YAHOO
     
  21. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    Block execution of MS Edge does not work for me.
     
  22. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Yes, same thing you said back here, in April. I suppose it's the same situation -- OSA blocks the legacy Edge, but not the Chrome-based Edge, as noted by DarkStar here, in response to your post. Reason, Edge went Chrome after OSA's latest update.

    NVT is now working on an OSA update. Hopefully he will note this situation & fix it. If not, just write a Custom Block Rule.
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @novirusthanks Maybe you can share now: will subscriber version need a clean install, or be OK over the top?

    No doubt will take the place of AppGuard Solo on one of my machines.
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Dragon1952

    The new OSA version will fix that.

    As a workaround you can use these two Custom Block rules:

    Code:
    [%PROCESS%: *\MicrosoftEdge*.exe]
    [%PROCESS%: *\Microsoft\*\Application\msedge.exe]
    
    Let me know if they work fine for you.

    @paulderdash

    Installing over the top should work fine.
     
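    The two workaround rules above can be checked offline with a small matcher. This is an added example, not OSArmor's own rule engine; it assumes the semantics the rules imply (the `[%PROCESS%: ...]` glob is compared against the full path of the process being started, `*` matches any run of characters including backslashes, and matching is case-insensitive as Windows paths are), and the sample paths are constructed for illustration.

```python
import fnmatch
import re

# Assumed rule syntax: [%PROCESS%: <glob>]  (only the two examples from the
# post are known; everything else here is an assumption, not OSArmor's code).
RULE_RE = re.compile(r"^\[%PROCESS%:\s*(.+?)\]$")


def parse_rule(rule: str) -> str:
    """Return the path glob inside a [%PROCESS%: ...] custom block rule."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {rule!r}")
    return m.group(1)


def rule_matches(rule: str, process_path: str) -> bool:
    """True if the process path would be caught by the rule (case-insensitive glob)."""
    pattern = parse_rule(rule).lower()
    # fnmatchcase: '*' matches any characters (backslashes included); the
    # brackets of the rule were stripped above so they are not read as a class.
    return fnmatch.fnmatchcase(process_path.lower(), pattern)


def first_matching_rule(rules, process_path):
    """Return the first rule that blocks process_path, or None if none does."""
    for rule in rules:
        if rule_matches(rule, process_path):
            return rule
    return None


# The two workaround rules from the post, verbatim.
EDGE_RULES = [
    r"[%PROCESS%: *\MicrosoftEdge*.exe]",
    r"[%PROCESS%: *\Microsoft\*\Application\msedge.exe]",
]

# Constructed sample process paths: legacy (UWP) Edge, Chromium-based Edge,
# and an unrelated process that must not be blocked.
LEGACY_EDGE = r"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"
CHROMIUM_EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"

if __name__ == "__main__":
    for path in (LEGACY_EDGE, CHROMIUM_EDGE, NOTEPAD):
        print(path, "->", first_matching_rule(EDGE_RULES, path))
```

    Running it shows why the first rule alone stops matching after the Chromium switch: the new executable is `msedge.exe` under `\Microsoft\Edge\Application\`, which `*\MicrosoftEdge*.exe` never matches.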
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    BTW, don't take this the wrong way, but I wonder if it makes sense for users to pay for a yearly fee when the software is developed by a small company. May I ask how many people are employed by NoVirusThanks? I mean what if something happens to the main developer, would this mean it's game over for tools like OSArmor? I was thinking about this subject because I will soon buy a new Windows 10 PC, and I'm trying to figure out what my new security setup will be. And I'm not sure if I want to pay yearly fees for apps that are not developed by big companies. I hope you can understand my concerns.
     