NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Nice
     
  2. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    I think you can import an older RULES file into this new build and have them go into effect, right? It seemed to work when I tried it.

    Personally, I don't use any Profile strategy. Just would rather scan thru all the rules and check off what seem most applicable and relevant. Then back it all up. :)
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Profiles in ver. 1.5.2 Personal don't exist as far as I can determine. Is this correct?
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @plat1098

    Yes you can import old rules (CustomBlock.db and Exclusions.db files), they will work fine.

    However, the old exported settings will not work, since in v1.5.3 we completely changed the export/import of protections rules (checkboxes) and settings.

    @itman

    Yes, correct, protections rules profiles are available only on v1.5.3
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    No, it's a Full HD screen with a 1920x1080 resolution. I didn't uninstall the older version though, perhaps I should try it again. However, I did notice that after Windows has booted, the OSA main window looks blurry and after restart it will look normal, this happens with all OSA versions. I wonder if other people have also noticed this.
     
  6. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Right! New Import/Export on new test build only, as the configurations have changed around. Got it. :)

    Edit: no Rasheed, haven't noticed this issue, not yet anyway. Just opened the main OSA window and it looks alright. I'd just restarted the machine to finish the cumulative Windows update as well.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Just applied latest Win 10 x(64) 20H2 cumulative update. Upon completion of update and system restart, OSA not running. Checked status and it showed protection was disabled. Tried to enable it via desktop toolbar OSA icon option. No go. Protection would not enable. Checking running services via Control Panel option showed OSArmorDevSvc service not running. Manually started the service which enabled OSA protection.

    Is this normal OSA behavior after a Win Update? Does OSA protection need to be disabled prior to Win Updating?
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    I had a similar thing but it wasn't after a Windows Update.

     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Wonder if this might be related to auto updating? I had enabled that earlier today prior to the Win Update activity.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    False Positive after running PrivaZer?
    Code:
    [%PROCESS%: [6588]C:\Windows\System32\vssadmin.exe]
    [%PROCESS%: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] [%PROCESSCMDLINE%: powershell  Optimize-Volume -DriveLetter C -ReTrim] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe] [%PARENTSIGNER%: <NULL>]
    Medium Profile.
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Indeed :) hello buddy
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    G'day Mate!

    Not exactly sure it is a FP. OSA is probably doing exactly as it should.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    OK, so no blurry looking GUI and no "text looking too big" problem? Then I wonder what the hell is going on, on my machine. For now I have downgraded to the old OSA freeware version.
     
  14. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    My block rule for SCR files still works as expected, but blocking DOC, XLS and other documents does not work any more. It worked fine when I used OpenOffice until recently. However, now that I use Office 365 I can open old DOC files, even though they should be blocked by OSA.
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We've released OSArmor v1.5.3, here is the changelog:

    [14-Jan-2020] v1.5.3.0

    + Improved management of protections rules in OSArmor Configurator
    + Added option to export/import protections rules, settings, all
    + Use exported .ini files with "Automatically update OSArmor settings from a URL"
    + Improved method to auto-update OSArmor settings from a URL
    + Added option to reset protections rules, settings, all
    + Added option to select protections profile (right-click on Configurator->Protections tab)
    + Added option to easily search protections rules
    + Added option to check/uncheck all protections rules
    + Added option to select protections rules group via a drop-down box
    + Previously exported settings (OSArmor.rules) will not work on this version
    + Updated NVT License Manager with latest version
    + Do not recreate Desktop icon after product has been upgraded
    + Fixed session ID issue involving Remote Desktop Protocol (RDP)
    + Added Block any process executed from web browsers
    + Added Block execution of popular web browsers
    + Added Block processes located on C:\Windows\Microsoft.NET\Framework\*
    + Added Block execution of Resource File To COFF (cvtres.exe)
    + Merged many protections rules into single category-specific rules
    + Protections rules on Configurator have been reduced (merged) from 300 to 185
    + Improved automatic product update procedure
    + By default the setup creates a Desktop icon for all users on new installations
    + The desktop icon is not re-created in case it has been previously removed
    + Added /NODESKTOPICON parameter to use with setup.exe command-line
    + Various improvements in the installer script
    + Added new internal rules to block suspicious behaviors
    + Fixed all reported false positives
    + Minor improvements

    IMPORTANT:

    * An active Internet connection is required when installing this version
    * Everyone should update to this version, it fixes the fingerprint issue with NVT Activator caused when the BIOS is updated/flashed
    * This version will automatically apply basic protections rules after installed
    * You may need to re-enable your custom protections rules (checkboxes) in Configurator

    //Everyone

    If you used the pre-release build please update to this new version.

    You can install over the top; if you have enabled auto-updates, it will upgrade automatically.

    Some screenshots:

    osanew2.png

    osanew3.png

    @Buddel

    Looks like the command-lines changed with Office 365.

    Don't have it installed here but you may try the following Custom Block rules:

    Code:
    [%PROCESSCMDLINE%: *.doc*] [%RULENAME%: Block opening of .doc files]
    [%PROCESSCMDLINE%: *.docx*] [%RULENAME%: Block opening of .docx files]
    [%PROCESSCMDLINE%: *.docm*] [%RULENAME%: Block opening of .docm files]
    [%PROCESSCMDLINE%: *.xls*] [%RULENAME%: Block opening of .xls files]
    [%PROCESSCMDLINE%: *.xlsx*] [%RULENAME%: Block opening of .xlsx files]
    [%PROCESSCMDLINE%: *.xlsm*] [%RULENAME%: Block opening of .xlsm files]
    
    @Krusty

    Yes they are FPs, should be fixed now.

    Anyway, couldn't reproduce the FP with vssadmin.exe, can you share the blocked event from the log file?

    @itman @Krusty

    Strange, are you using other security apps? Maybe they somehow blocked OSArmorDevSvc.exe or NVTLicenseManager.exe
     
    Last edited: Jan 14, 2021
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Amazing work. What a beautiful software OSArmor is :) I love all these changes
     
  17. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    @novirusthanks
    Thanks for your help. Unfortunately, the rules you suggested above don't work the way I want. I want to block only DOC files, but I do NOT want to block DOCX files.

    The rule [%PROCESSCMDLINE%: *.doc*] [%RULENAME%: Block opening of .doc files] blocks BOTH DOC and DOCX files (as expected). This is not what I want, however. I do NOT want to block DOCX files, as mentioned above.

    The rule [%PROCESSCMDLINE%: *.doc] [%RULENAME%: Block opening of .doc files] (without the asterisk after the file extension) does NOT block anything. I thought it would just block DOC files (not DOCX files), but it doesn't seem to work at all.
     
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @jmonge

    Great, glad you like OSA =)

    @Buddel

    Can you share the blocked event from the .log file? The one that blocked also .docx
     
  19. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    @novirusthanks
    Here is the log of a blocked .docx file:

    Date/Time: 14.01.2021 21:13:24
    Process: [7660]C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    Process MD5 Hash: B7048CFFCE9D156C6FFED2C0AB14C079
    Parent: [9204]C:\Windows\explorer.exe
    Rule: CustomBlockRule
    Rule Name: Block opening of .doc files
    Command Line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "D:\MYFILES\MYNAME\MYFOLDER\MYSUBFOLDER\MYFILE.docx" /o ""
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Windows
    User/Domain: User/USER-PC
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium

    I get the same log for .doc files. It always looks like ...doc(x)" /o ""
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Sure. Here you go.
    Code:
    Date/Time: 11/01/2021 5:36:41 PM
    Process: [12052]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process MD5 Hash: 04029E121A0CFA5991749937DD22A1D9
    Parent: [6680]C:\Windows\System32\cmd.exe
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell  Optimize-Volume -DriveLetter C -ReTrim
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    
    As I mentioned, it was while running PrivaZer. I believe it runs "Trim" on SSDs as it finishes. It may not run on HDDs.

    Edit: Here is the log from my second machine in case there's any difference.
    Code:
    Date/Time: 13/01/2021 4:04:17 PM
    Process: [13752]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process MD5 Hash: 04029E121A0CFA5991749937DD22A1D9
    Parent: [13600]C:\Windows\System32\cmd.exe
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell  Optimize-Volume -DriveLetter C -ReTrim
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: Dave/DAVE-PC
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    Thanks.
     
    Last edited: Jan 14, 2021
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    I shall keep an eye on it. If it was blocked by another security app then it was silently blocked.
     
  22. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    I cannot find my license key. Says "Machine fingerprint has changed since activation". Same machine. How to get my key?

    Thanks,
    Robert
     
  23. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Buddel

    This should work:

    Code:
    [%PROCESSCMDLINE%: *.docx" /o*][%RULENAME%: Block opening of .doc files]
    Basically this is the wildcard to use: *.docx" /o*

    Let me know if it works.

    @Krusty

    Thanks, it should already be fixed in the latest v1.5.3 - try to remove the exclusion rule and run PrivaZer again.

    @Roberteyewhy

    To solve activation issues like:

    Open the Customer Portal web page.

    To log in the first time you need to click on the "Forgot Password?" link, then enter the email used during the order and click on the "Recover Password" button. You will receive via email (check also the spam folder) a link to reset your password; make sure to use a strong password of 15+ chars.

    From the Customer Portal you can manage all your purchased licenses and activated devices. You need to deactivate the license on your device so that you can re-activate it again; follow this video: https://www.youtube.com/watch?v=FS7j276KCoA

    Once done, reboot the system and you'll be prompted to enter your license key. Make sure you have an active Internet connection, enter the key, click Activate and it should work.

    * If you don't want to reboot the system, run cmd.exe as Administrator and enter in order:

    Code:
    sc stop osarmordevsvc
    sc start osarmordevsvc
    
    And you'll be prompted to enter the key.

    Let me know.
     
    Last edited: Jan 14, 2021
  24. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    The rule [%PROCESSCMDLINE%: *.doc" /o*][%RULENAME%: Block opening of .doc files] works as expected. It blocks DOC files, but it does not block DOCX files. Great. Thank you! BTW, this rule also works great for PPT files, which are successfully blocked (but not PPTX files).

    Now I'm looking for a rule to block XLS files (but not XLSX files). Here's my log file:

    Date/Time: 14.01.2021 22:17:06
    Process: [6892]C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    Process MD5 Hash: 87380EF311444F91F6C4A68DF698530F
    Parent: [3944]C:\Windows\explorer.exe
    Rule: CustomBlockRule
    Rule Name: Block opening of .xls files
    Command Line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "D:\MYFILES\Mappe1.xlsx"
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Windows
    User/Domain: User/USER-PC
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium

    I get the same log for XLS files. This log file is triggered by this rule:
    [%PROCESSCMDLINE%: *.xls*] [%RULENAME%: Block opening of .xls files]
    It blocks both XLS and XLSX files. However, I need a block rule that only blocks XLS files but NOT XLSX files. As mentioned above, the rule [%PROCESSCMDLINE%: *.xls] [%RULENAME%: Block opening of .xls files] (without the asterisk) does not work at all.
     
    Last edited: Jan 14, 2021
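To see why `*.doc*` catches both formats, `*.doc` catches nothing and `*.doc" /o*` singles out the old format, here is an added Python example (my code, not OSArmor's): it parses log events in the layout quoted above and evaluates Custom Block wildcards against the Command Line field. The glob semantics (a `*` matches any run of characters, the whole command line must match, comparison is case-insensitive) are my assumption based on the observations in the thread, and the `*.xls"` pattern tried for Excel, whose command line ends with the closing quote, is my extension of the same idea rather than a rule from the thread.

```python
import re
# Constructed sample events in the OSArmor log layout quoted in the thread
# (only the fields needed here are kept; the document names are made up).
SAMPLE_LOG = """\
Rule: CustomBlockRule
Command Line: "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE" /n "D:\\MYFILES\\report.docx" /o ""

Rule: CustomBlockRule
Command Line: "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE" /n "D:\\MYFILES\\legacy.doc" /o ""

Rule: CustomBlockRule
Command Line: "C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE" "D:\\MYFILES\\Mappe1.xlsx"

Rule: CustomBlockRule
Command Line: "C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE" "D:\\MYFILES\\Mappe1.xls"
"""

def parse_events(text):
    """Split the log into blank-line separated events, each a field -> value dict."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(": ")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def parse_rule(rule):
    """Return (wildcard, rule name) from a [%PROCESSCMDLINE%: ...][%RULENAME%: ...] rule."""
    cmd = re.search(r"\[%PROCESSCMDLINE%:\s*([^\]]*)\]", rule)
    name = re.search(r"\[%RULENAME%:\s*([^\]]*)\]", rule)
    return cmd.group(1).strip(), (name.group(1).strip() if name else "")

def wildcard_match(pattern, text):
    """Assumed semantics (consistent with the thread, not verified against OSArmor): '*' matches
    any run of characters, the whole command line must match, case-insensitive like Windows."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE) is not None

def blocked_files(rule, events):
    """File names of the documents whose launch command line the rule would block."""
    pattern, _ = parse_rule(rule)
    hits = []
    for ev in events:
        cmdline = ev.get("Command Line", "")
        if wildcard_match(pattern, cmdline):
            # the second quoted argument is the document path; keep only its file name
            hits.append(re.findall(r'"([^"]*)"', cmdline)[1].rsplit("\\", 1)[-1])
    return hits
```

Running blocked_files with the three rules from the thread returns both Word files for `*.doc*`, nothing for `*.doc` (the command line ends with `/o ""`, so an end-anchored pattern never matches), and only legacy.doc for `*.doc" /o*`.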
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    @novirusthanks ,

    I just found this on my other machine. I believe it is the log you wanted.
    Code:
    Date/Time: 23/12/2020 7:18:41 PM
    Process: [6588]C:\Windows\System32\vssadmin.exe
    Process MD5 Hash: B58073DB8892B67A672906C9358020EC
    Parent: [5456]C:\Windows\System32\cmd.exe
    Rule: BlockDeletionOfShadowCopies
    Rule Name: Block system processes from deleting shadow copies
    Command Line: vssadmin  delete shadows /for=C: /QUIET
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: Dave/DAVE-PC
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
     