NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Manually updated, thanks.

    Could you perhaps indicate (with a tick or whatever) which profile is currently active?
I use 'Medium Protection', but it's not obvious in Configurator > Select Protections Profile which one has been (last) activated ... after an update such as this, for example.

    (I assume once this is selected it 'sticks' and does not go back to Basic Protection (default) after an update!).
     
  2. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    @novirusthanks

    Checked NoVirusThanks OSArmor installer file and it's listed as 1.5.3.
When installed, the UI under Help > About lists it as version 1.5.4.

    Just wondering why the difference in version numbers?
     
  3. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @itman @wat0114

Will try to replicate the issue over the next few days, thanks for including details.

It may be related to auto-updating somehow; probably it was auto-updating and the PC went into sleep mode (just guessing for now).

    @Compu KTed

    Thanks for reporting it, fixed now.

    @paulderdash

    Will see what can be done on next version.

    Correct.
     
  4. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    Is a home user able to use custom rules in addition to OSA rules? I've added the below rules, yet OSA never prompts me for an exclusion and I can't figure out why.

    [%PROCESSCMDLINE%: *.doc"][%RULENAME%: Block opening of .doc files]

    [%PROCESSCMDLINE%: *.docx"][%RULENAME%: Block opening of .docx files]

    [%PROCESSCMDLINE%: *.xls"][%RULENAME%: Block opening of .xls files]

    [%PROCESSCMDLINE%: *.pdf"][%RULENAME%: Block opening of .pdf files]

    [%PROCESSCMDLINE%: *.ppt"][%RULENAME%: Block opening of .ppt files]

    [%PROCESSCMDLINE%: *.pptx"][%RULENAME%: Block opening of .pptx files]
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    @n8chavez

You need to get rid of the " mark in your rules.
     
  6. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    Thank you for that. Now I get prompted to add an exclusion for .pdf files but not for the other file types. Interesting...
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    I see what you're saying. No idea what's going on there o_O
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Incredibly frustrating. This finally worked for me to block *.docx files:
    Code:
    [%PROCESS%: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE]
    no other parameters added.

    Edit

    and for Powerpoint:

    Code:
    [%PROCESS%: C:\Program Files\Microsoft Office\root\Office16\powerpnt.exe]
    I need to retire for the night now.
     
  9. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
Could you please see how SpyShelter implements such rules and make it simpler than writing rules manually? Work on the GUI and allow for simpler modification of rules and quick edits.
I did not download the commercial version yet, so I dunno if that has been done already. You should allow for "adding" and whitelisting entire folders and programmes either via right click or the GUI. See how SpyShelter does it: rules ---> create rule for component and voila', done, zero wildcards or "code", all done with buttons on the GUI.

Sometimes it's not the protection that's at the core but the implementation of it.
     
    Last edited: Jan 22, 2021
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
All those rules are doing is blocking the MS Office executables' startup. OSA is supposed to be able to block by file extension as I understand it.

    -EDIT- You have to use %PROCESSCMDLINE%: as noted in prior postings in this thread.
     
    Last edited: Jan 22, 2021
  11. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    @wat0114
    I have just tried the following rule to block a *.docx file:

    Code:
    [%PROCESSCMDLINE%: *.docx" /o*][%RULENAME%: Block opening of .docx files]
Whether or not you need the /o* extension depends on the program you use for opening *.docx files. I need it for Office 365, but it was not necessary when I used LibreOffice.

    When I tried to open a *.docx file in Word (Office 365), the following OSA window popped up:

[Attachment: osa-docx.png]

    This is what I found in the log file:

    Date/Time: 22.01.2021 22:46:54
    Process: [7556]C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    Process MD5 Hash: 70CEA70E5BD4D5C397BAFCF221D5894B
    Parent: [5704]C:\Windows\explorer.exe
    Rule: CustomBlockRule
    Rule Name: Block opening of .docx files
    Command Line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "D:\MYFILES\ME\1\2\file-name.docx" /o ""
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Windows
    User/Domain: User/USER-PC
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium

    I use similar rules to block *.xls, *.doc and *.ppt files. It works. :)

    PS: There is also a neat rule for blocking *.xls files (see link below):
    https://www.wilderssecurity.com/thr...layer-of-defense.398859/page-133#post-2982655
     
    Last edited: Jan 22, 2021
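An added example (not part of this thread and not OSArmor's own code) that reproduces the behaviour reported in the last few posts. It parses the log record Buddel posted, then applies the three rule variants the thread tried (the plain `*.docx"` pattern, the `*.docx" /o*` pattern, and the bare `%PROCESS%` path rule) to that event and to two constructed launches. The matching model is an assumption, not something the vendor states here: a `%PROCESS%` or `%PROCESSCMDLINE%` pattern is taken to match the whole string, case-insensitively, with `*` standing for any run of characters. Under that model the Word command line ending in `/o ""` does not match `*.docx"`, which is exactly why the shorter rule worked for LibreOffice but not for Office 365. The LibreOffice command line and the no-document Word launch are constructed samples.

```python
"""Simulate OSArmor-style custom rules against a logged block event.

Added example, not OSArmor's own code. It assumes (not documented in this
thread) that a %PROCESS% or %PROCESSCMDLINE% pattern must match the WHOLE
string, case-insensitively, with * matching any run of characters and ?
a single character. That model reproduces every result reported above.
"""
import re

# The OSArmor log record posted above, reproduced as a constructed string.
WORD_DOCX_RECORD = r"""Date/Time: 22.01.2021 22:46:54
Process: [7556]C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Process MD5 Hash: 70CEA70E5BD4D5C397BAFCF221D5894B
Parent: [5704]C:\Windows\explorer.exe
Rule: CustomBlockRule
Rule Name: Block opening of .docx files
Command Line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "D:\MYFILES\ME\1\2\file-name.docx" /o ""
Signer: Microsoft Corporation
Parent Signer: Microsoft Windows
"""

# The three rule variants tried in the thread.
CANDIDATE_RULES = {
    'cmdline *.docx"': '[%PROCESSCMDLINE%: *.docx"][%RULENAME%: Block opening of .docx files]',
    'cmdline *.docx" /o*': '[%PROCESSCMDLINE%: *.docx" /o*][%RULENAME%: Block opening of .docx files]',
    "process WINWORD.EXE": r"[%PROCESS%: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE]",
}

RULE_FIELD_RE = re.compile(r"\[%(\w+)%:\s*(.*?)\]")
PID_PREFIX_RE = re.compile(r"\[(\d+)\](.*)")


def parse_log_record(text):
    """Split an OSArmor 'Key: value' log entry into a dict; '[pid]path' is unpacked."""
    event = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            event[key.strip()] = value.strip()
    for key in ("Process", "Parent"):
        m = PID_PREFIX_RE.match(event.get(key, ""))
        if m:
            event[key + " PID"] = int(m.group(1))
            event[key] = m.group(2)
    return event


def parse_rule(rule):
    """'[%KEY%: value][%KEY%: value]' -> {'KEY': 'value', ...}."""
    return dict(RULE_FIELD_RE.findall(rule))


def wildcard_to_regex(pattern):
    """Translate * and ? wildcards into an anchored, case-insensitive regex (assumed semantics)."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def rule_matches(rule, event):
    """True if every condition in the rule matches the event (RULENAME is only a label)."""
    subjects = {"PROCESS": event.get("Process", ""),
                "PROCESSCMDLINE": event.get("Command Line", "")}
    conditions = {k: v for k, v in parse_rule(rule).items() if k != "RULENAME"}
    if not conditions:
        return False
    for key, pattern in conditions.items():
        if key not in subjects:
            raise ValueError(f"condition %{key}% is not modelled in this example")
        if not wildcard_to_regex(pattern).match(subjects[key]):
            return False
    return True


def evaluate_rules(event):
    """Apply every candidate rule to one event; returns {rule label: matched?}."""
    return {label: rule_matches(rule, event) for label, rule in CANDIDATE_RULES.items()}


def scenarios():
    """Three launches: the logged Word event plus two constructed ones."""
    word_with_doc = parse_log_record(WORD_DOCX_RECORD)
    # Constructed: Word started with no document (assumed command line).
    word_no_doc = {"Process": word_with_doc["Process"],
                   "Command Line": '"C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE"'}
    # Constructed: a LibreOffice-style launch whose command line ends with the document path.
    libreoffice = {"Process": r"C:\Program Files\LibreOffice\program\soffice.exe",
                   "Command Line": r'"C:\Program Files\LibreOffice\program\soffice.exe" "D:\docs\file-name.docx"'}
    return {"Word opening .docx (logged)": evaluate_rules(word_with_doc),
            "Word with no document": evaluate_rules(word_no_doc),
            "LibreOffice opening .docx": evaluate_rules(libreoffice)}


if __name__ == "__main__":
    for name, results in scenarios().items():
        print(name)
        for label, hit in results.items():
            print(f"  {'BLOCK' if hit else '     '}  {label}")
```

Running it shows the point itman made as well: the `%PROCESS%` path rule fires on every Word launch, document or not, whereas the `%PROCESSCMDLINE%` rules only fire when the document path (and, for Office 365, the trailing `/o` switch) is present on the command line.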
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Well I'll be darned, that works like a charm. Well done! It was actually @n8chavez who was trying to get this to work, so I'm sure he'll be interested. I was just experimenting, trying to use something obvious, but I could only succeed in blocking MS Word itself. How did you figure that out?

    Yeah, I realized that, but it was all I could come up with. Buddel has the correct syntax, as seen above.
     
  13. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Thank you, Andreas.

    This morning was the first time since installing v1.5.4 that the OSArmorDevSvc failed to start after bootup and login. I did notice that under the Recovery tab for the service, the actions are: "Take No Action" in all three fields, so as an experiment, I've set the first two to "Restart the Service". Not sure if this will help, but just wanted to try something. Hopefully you will find a fix. Thanks again.

[Attachment: Screenshot 2021-01-23 072921.png]
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I suspect this is by design. When there's a product update, OSA updating will stop the service so that it can be replaced.

When most AVs update their main protection service, they will force a reboot to complete the update installation processing.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
Oh, okay, that makes sense. I'm just hoping for a fix that will prevent the OSArmorDevSvc from stopping for no apparent reason. Today there was no upgrade when it failed to start after login.
     
  18. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
Have another issue. Restored an image and get "The license has reached its allowed activations limit". Same PC as when I first bought your product.

Nevermind, deleted my Activations. Everything fine.

    Robert
     
    Last edited: Jan 24, 2021
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    FWIW, the same thing happened this morning after first bootup->login: OSArmorDevSvc failed to start. Nothing found under Event viewer either.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    So NVT License Manager needs further improvement ...
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    What would be causing these blocks below: Is it the 'Block LOLbins and other sophisticated attacks' rule? Medium Protection profile here.

    I had a couple of these yesterday (also another .Net version) that I suspect are due to Nettraffic (https://www.venea.net/web/nettraffic) that I am trying, which uses .Net - so I excluded them but wondering in retrospect if I should have ...

    Date/Time: 1/23/2021 5:32:09 PM
    Process: [14304]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    Process MD5 Hash: C877CBB966EA5939AA2A17B6A5160950
    Parent: [14220]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Rule: BlockProcessesExecutedFromCSC
    Rule Name: Block processes executed from C Sharp compiler (csc.exe)
    Command Line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\pauld\AppData\Local\Temp\RES4AEE.tmp" "c:\Users\pauld\AppData\Local\Temp\t3uobd0x\CSCCB4E58BA9383430C9CE27D9AED7B6427.TMP"
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Corporation
    User/Domain: pauld/LAPTOP-BFQLL77F
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
     
  22. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    No, it is the "Block processes executed from C Sharp compiler (csc.exe)" rule that blocked it, which is part of the NET Framework Restrictions.
     
  23. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
I think so. If on every restore of an image, on the same computer that NVT was activated on, the user has to go online and delete their previous Activations, then yeah.

    Do not have to do anything, with any other software I have purchased, on an Image restore.

    Robert
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @wat0114 @itman

I was not able to reproduce your issue yet (testing on 5 PCs and 2 VMs with just WD); may I ask what your other security apps are?

    Will try to install them here too to see if I can replicate it.

    @itman

    Yes that is correct.

    @Roberteyewhy

    What imaging software are you using?

    Did you install OSA after the image was restored?
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Hi Andreas,

the only other security app I'm using is Malwarebytes Windows Firewall Control, v6.4.0.0

    other than that, most of the Attack Surface Reduction rules under Group Policy (Windows 10 Pro, 1909 OS Build 18363.1316) found here:

    https://docs.microsoft.com/en-us/wi...crosoft-defender-atp/attack-surface-reduction
     