NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Hi again, Andreas,

    I may have found the problem.

    Three consecutive times today the OSArmorDevSvc failed to start after boot->login, so I decided to disable the Windows Firewall Control option "Start automatically at user login", and now after three consecutive reboot->login attempts the OSArmorDevSvc starts as intended. It seems there is a conflict between the two programs only after bootup->login. Once I start WFC after login and after OSArmor has already started, all is fine - no conflicts with OSArmor.
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Good job buddy;)
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Thanks but... 5 consecutive times the OSArmorDevSvc started fine with WFC startup disabled, so things were looking up, but then on the 6th try it failed to start :(
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Interesting! OSA just blocked SysHardener:
    Code:
    Date/Time: 25/01/2021 4:18:26 PM
    Process: [10828]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process MD5 Hash: 04029E121A0CFA5991749937DD22A1D9
    Parent: [5756]C:\Windows\System32\cmd.exe
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell.exe  -Command "Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks @Buddel. I recently switched Protections Profile from Basic (Default) to Medium.

    I excluded it with '*' for version and .tmp files as I am fairly sure it's benign in my particular case, but probably no different to just unticking that protection!
     
    Last edited: Jan 25, 2021
  6. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    611
    Location:
    US
    Macrium Reflect. No. Had the older non-paid version.

    Robert
     
  7. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    @novirusthanks maybe it is by design but I had a similar issue (also Macrium). After a restore the licence system seems to think there has been a change to the machine. I can't remember the message but the gist of it was that while the computer name was the same it did not recognise the configuration so was counting it as a separate activation. Deactivating on the cryptex site fixed it.

    Can you confirm that a licence needs to be deactivated for every uninstallation, not just when switching to a different machine? I had thought it was an activation per machine, not per install.

    Thanks
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I use Eset Internet Security. OSA .exe's excluded from HIPS processing. Also if Eset was detecting anything amiss w/OSA, I should have received an alert/log entry of the activity which I have not.
     
  9. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    I wouldn't untick that protection. Just add your process to your list of exceptions and see what happens. That way, you are still protected from real, malicious processes.
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    :thumb:
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Elwe Singollo

    The activation is per-machine, but on the previous OSA version there was an issue in the NVT License Manager (fixed in v1.5.3).

    There should be no issues with Macrium Reflect and our activation. I did this test on the same machine:

    1) Installed OSA v1.5.4 and activated it
    2) Then I used Macrium Free to create a full system image
    3) I rebooted the PC and I restored the previously created system image
    4) Then when PC powered on I activated an Internet connection and opened OSA GUI
    5) I clicked on Help -> License Status and noticed all is fine (product activated)

    So at least in this case there are no issues; if you find activation issues with the latest OSA version and a Macrium Reflect image, please let me know.

    As long as you don't change hardware components like RAM, motherboard, etc. (the HDD can be changed), there should be no activation issues.

    @Krusty

    Thanks for reporting it, it is an FP and will be fixed in the next version.

    @itman @wat0114

    Thanks for details, I'm investigating the issue to see if I can reproduce it.

    //Everyone

    We're discussing adding support for a Trusted Vendors List and adding new rules like:
    Block processes signed by vendors not on the Trusted Vendors List
     
  12. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    @novirusthanks

    Noticed 7 files present in AppData folder (NVT OSArmor 1.5.3)

    dhsnoyhs.ctm
    fqicoaaj.avl
    gtxtxtup.cru
    ibqnpsgs.ihi
    rtmeslt
    weewkkuq.wxc
    wlidgpun.kvg

    They are not present in, for example, NVT OSArmor 1.4.3.

    Could you please explain their purpose?
     
  13. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    I'm currently using NVT OSArmor 1.5.4. I tried to find these files here but I couldn't. I don't think they belong to OSA.
     
  14. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi @ Wilders

    I have a copy of NVT OSArmor v1.43. Can I continue to use this as a free version without any adverse effects?

    Thanks

    Terry
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Do you mean Program Data folder? I have nothing related to NoVirus Thanks folder-wise in either AppData Local or Roaming sub-directories. I do have these "mysterious" files in the Program Data root that were created all after the time OSArmor was installed on my device:

    [Attached screenshot: OSA_Files.png]

    -EDIT- Three of these files have the exact time and date OSA was originally installed. Therefore I'm confident these are OSA related. Also, two of these files were updated as recently as yesterday. Question is why?
     
    Last edited: Jan 29, 2021
  16. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    Same here. I also found these files in Program Data. Hm...
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Yes, as do I.
     
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Compu KTed

    Those files are created by the package we use to add the 30-day trial to the program.

    They are innocuous text files, nothing to worry about.

    //Everyone

    Here is a pre-release (not final) version of OSArmor v1.5.5:
    https://downloads.osarmor.com/osa-1.5.5-test1.exe

    The changelog so far is this:

    + Improved handling of licensing errors
    + The service is not terminated in case of licensing errors
    + Improved analysis of digitally signed processes
    + Improved detection of revoked certificates (network check)
    + Added Block processes signed with a revoked certificate
    + Added Block processes signed with an invalid certificate
    + Added Block processes signed with an expired certificate
    + Import a custom .ini settings file via setup.exe /IMPORTSETTINGS=
    + Added new internal rules to block suspicious behaviors
    + Fixed all reported false positives
    + Minor improvements

    We're working on adding Trusted Vendors.

    If you find issues or false positives please let me know.
     
  19. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Hmm... not finding these files in my Program Data root -
    [Attached screenshots: 1.5.4, 1.5.5-test1]
     
    Last edited: Jan 29, 2021
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Can they be deleted w/o issue on paid version?
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Hi @novirusthanks (Andreas),

    Could you possibly look into making it more efficient to add multiple, rapid-fire alerts to the Exclusions list? By this I mean I had two alerts at login at literally the same time, as seen below, and to add each of them to the Exclusions list I have to enter my credentials individually for each one I'm alerted to. Is it possible to make it so that once the Exclusions list is open, multiple entries can be added without having to enter credentials for each one? Or am I missing something, doing something wrong? Thanks if you can help.

    BTW, the OSArmorDevSvc has been starting flawlessly for more than three days now after bootup->login.

    Code:
    Date/Time: 1/29/2021 4:39:48 PM
    Process: [9896]C:\Windows\System32\sc.exe
    Process MD5 Hash: E46C638010C25479F66BACBE8596CA76
    Parent: [4244]C:\Windows\System32\ImController.InfInstaller.exe
    Rule: BlockScExecution
    Rule Name: Block execution of sc.exe
    Command Line: "C:\Windows\system32\sc.exe" start imcontrollerservice
    Signer: <NULL>
    Parent Signer: Lenovo
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    
    
    Date/Time: 1/29/2021 4:39:48 PM
    Process: [9720]C:\Windows\System32\schtasks.exe
    Process MD5 Hash: A50ADB3775DB1BF3BC77CC598F68B57D
    Parent: [4244]C:\Windows\System32\ImController.InfInstaller.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: "C:\Windows\system32\schtasks.exe" /create /xml "C:\ProgramData\Lenovo\ImController\ImControllerMonitorTask.xml" /tn "Lenovo\ImController\Lenovo iM Controller Monitor"
    Signer: <NULL>
    Parent Signer: Lenovo
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
     
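    The two alerts above share one parent (the Lenovo-signed ImController.InfInstaller.exe) and one timestamp, which is the unit an exclusion decision is really made on. The following is an added example, not OSArmor's code or anything from the post: a small parser for the OSArmor block-log format that groups rapid-fire alerts by parent PID, image and signer, so a pile of alerts can be reviewed per parent before anything is excluded. The record layout and field names are the ones shown in the logs in this thread; the sample input repeats the two records above with the hash, user and integrity fields omitted.

```python
import re
from collections import defaultdict
# Sample input: the two records from the post above (hash, user and
# integrity fields omitted; the parser accepts the full format unchanged).
SAMPLE_LOG = """\
Date/Time: 1/29/2021 4:39:48 PM
Process: [9896]C:\\Windows\\System32\\sc.exe
Parent: [4244]C:\\Windows\\System32\\ImController.InfInstaller.exe
Rule: BlockScExecution
Command Line: "C:\\Windows\\system32\\sc.exe" start imcontrollerservice
Signer: <NULL>
Parent Signer: Lenovo

Date/Time: 1/29/2021 4:39:48 PM
Process: [9720]C:\\Windows\\System32\\schtasks.exe
Parent: [4244]C:\\Windows\\System32\\ImController.InfInstaller.exe
Rule: BlockSuspiciousCmdlines
Signer: <NULL>
Parent Signer: Lenovo
"""
PID_RE = re.compile(r"^\[(\d+)\](.*)$")  # OSArmor writes "[pid]image path"

def parse_records(text):
    """Split an OSArmor log dump into one dict per 'Date/Time:' record."""
    records = []
    for line in text.splitlines():
        if ":" not in line:
            continue                       # blank separator between records
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "Date/Time":             # first field of every record
            records.append({})
        if records:                        # skip anything before the first record
            records[-1][key] = value
    return records

def split_pid(field):
    # '[9896]C:\...\sc.exe' -> (9896, 'C:\...\sc.exe'); unchanged if no prefix
    m = PID_RE.match(field)
    return (int(m.group(1)), m.group(2)) if m else (None, field)

def group_by_parent(records):
    """Collapse rapid-fire alerts onto the (PID, image, signer) of the parent
    that spawned them; an unsigned ('<NULL>') parent key is one to review."""
    groups = defaultdict(list)
    for r in records:
        pid, image = split_pid(r.get("Parent", ""))
        child = split_pid(r.get("Process", ""))[1].rsplit("\\", 1)[-1]
        groups[(pid, image, r.get("Parent Signer", "<NULL>"))].append(
            (r.get("Rule", "?"), child))
    return dict(groups)
```

    Paste a whole "Code:" block from the OSArmor log into `parse_records` and `group_by_parent` returns one entry per spawning parent, with the rules and child executables it tripped.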
  22. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Thanks for info.
     
  23. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    @Buddel
    @itman

    Windows will redirect any program that tries to write to C:\Users\All Users\ to the C:\ProgramData folder, too. Most programs use this as a caching location for data that should be available to all users, or to configure some basic settings. Your most important application data, if you want to back it up, will likely be stored under C:\Users\username\AppData\Roaming.

    These files are indeed installed by NVT OSArmor. Names and location may differ depending on OS version and free vs. paid versions of OSArmor.
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Yes, I also struggle with multiple alerts (not uncommon) piling up one behind the other, and with adding all of them to the exclusions list.
    I also wonder if that could be made easier or more intuitive. Maybe I am also doing something wrong, or there is some setting (I have 'Automatically close the notification window' unticked).
    Sometimes I actually re-run the 'offending' software to auto-add exclusions, rather than cutting and pasting from logs, in these cases.
     
    Last edited: Jan 30, 2021
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    What's the update frequency checking in OSA?

    I am seeing OSArmorDevSrv.exe outbound connections to IP address 212.47.232.234 as frequent as once an hour. This doesn't seem right to me for a product that is only updated via new release version.
     