NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    My "pet peeve" is the alert activity is already blocked even if the alert window doesn't auto close. It would be nice to not block for a certain period of time; e.g. 30 secs. or so. This would allow time for creation of the exclusion rule and allow the activity to proceed. That is HIPS ask rule capability.
     
  2. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    The audio of any WAV file in ProgramFiles/OSArmorDevScc stopped playing. All I'm getting is the block message without sound. My custom WAV is kaput. :'(

    I made a video clip and would be happy to post it somewhere if it helps. It's prob. something very simple. I rolled back to 1.5.4 and deleted all logs and settings--no sound. I cleanly installed 1.5.5, no import of settings-- and still no sound at all. This applies to the default "loon" sound as well. Nothing.
     
  3. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    I enabled the sound settings in OSA for testing purposes and did not encounter any problems. Hm...
     
  4. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Ah, poo, that setting got unchecked for some reason. Edit: Brought my custom WAV back in, made sure the Play custom sound..box was checked, restarted machine, and still no sound. This is mystifying. I'll keep working on it.

    Re-edit: It only plays the default "loon." If I click on my custom WAV in the DevSvc folder, Groove opens and plays it fine. But if I set my WAV as default and then block something, it's silent. Anyone else?
     
    Last edited: Jan 30, 2021
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    I just discovered "Passive Logging" today. Nice feature :thumb:
     
  6. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    Same here. It works with the default "loon" WAV, but it doesn't work with any other WAV file. Strange.
     
  7. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Oh good, you confirmed this, Buddel, appreciate it.

    Hopefully, then, it's a bug and not a feature. I hope this wasn't deprecated somehow by the developer in build 1.5.5. I get a kick out of my custom WAV, lol. :)
     
  8. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Can confirm also a custom WAV sound file does not work.

    Looks like Changelog could be updated to 2021.

    [18-Jan-2020] v1.5.4.0
    [14-Jan-2020] v1.5.3.0
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I have 'Play custom sound ...' unchecked but TBH I can't actually remember if it makes any sound when there is a block alert ...
     
  10. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    can always test
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new pre-release (not final) version of OSArmor Personal 1.5.5 test2:
    https://downloads.osarmor.com/osa-1.5.5-test2.exe

    We've completed Trusted Vendors, here are a few screenshots:

    osa-new1.png

    You can see a new option "Block signers not present in Trusted Vendors".

    This option should help in blocking unknown vendors, and thus also malware signed with unknown vendors with not yet revoked certificate, that generally target companies or employees. By default the file TrustedVendors.db contains a list of 200 popular and well-known vendors, if you are extremely paranoid you can empty the file, then in Configurator -> Trusted Vendors there is a button "Scan System" that you can use to scan your system for signers that will be auto-added to Trusted Vendors.

    Will make a video later where I'll test various signed malware with these new protection rules.

    @plat1098

    Playing a custom WAV sound works fine for me, just make sure to use a small WAV of no more than 3 seconds, example:
    https://soundbible.com/1542-Air-Horn.html

    @Compu KTed

    Changelog dates fixed in this new pre-release version, thanks for reporting.

    @itman

    OSArmorDevSvc checks for product update every hour, for now we'd like to keep it as is so users will get the new version quickly.

    Later we may allow user to specify frequency.

    @wat0114 @paulderdash

    We'll see what we can do about handling multiple exclusions, maybe when you click on "Exclude" button it will show a new window where there are shown the last N blocked events and you can simply right-click on one or more events and select "Add to Exclusions", just a quick idea but we'll have to discuss about it.
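
An added example, not part of the thread and not OSArmor code: a PowerShell audit that lists which Authenticode signers under a folder are missing from a vendor list, as a preview of what a "Block signers not present in Trusted Vendors" policy would affect. It assumes a plain-text list with one signer name per line and matching on the certificate's simple name; the thread does not describe the real TrustedVendors.db format or how OSArmor matches signers, and `vendors-sample.txt` is a hypothetical file name.

```powershell
# Added example (not OSArmor code). Assumptions: vendor list is plain text,
# one signer name per line, matched against the certificate's simple name.
param(
    [string]$ScanRoot   = $env:ProgramFiles,      # folder to audit
    [string]$VendorList = '.\vendors-sample.txt'  # hypothetical list file
)

# Constructed sample list, used only when $VendorList does not exist.
$sample = @('Microsoft Corporation', 'Microsoft Windows')

$trusted = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
$names = if (Test-Path -LiteralPath $VendorList) { Get-Content -LiteralPath $VendorList } else { $sample }
foreach ($n in $names) {
    if ($n.Trim()) { [void]$trusted.Add($n.Trim()) }
}

function Get-SignerName {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction SilentlyContinue
    # Only a signature that validates counts; a bad or missing one yields $null.
    if ($null -eq $sig -or $sig.Status -ne 'Valid' -or $null -eq $sig.SignerCertificate) {
        return $null
    }
    $type = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    return $sig.SignerCertificate.GetNameInfo($type, $false)
}

$report = Get-ChildItem -Path $ScanRoot -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $signer = Get-SignerName -Path $_.FullName
        if (-not $signer) {
            $verdict = 'unsigned-or-invalid'
        } elseif ($trusted.Contains($signer)) {
            $verdict = 'listed'
        } else {
            $verdict = 'signer-not-listed'
        }
        [pscustomobject]@{ Path = $_.FullName; Signer = $signer; Verdict = $verdict }
    }

# Signers the list would not cover, most frequent first.
$report | Where-Object Verdict -eq 'signer-not-listed' |
    Group-Object Signer | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Unsigned or invalidly signed files are reported under their own verdict because the thread does not say how the option treats them.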
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
  13. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    imo, this is much too short. I was getting it playing successfully at 9 sec duration before v. 1.5.5. I know I kvetched some time ago about the sound playing after the notification has gone back down but can't you compromise and make it a 5 or 6 sec limit? Pretty-please?!
     
  14. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    Agreed. Thanks a lot for this useful addition to the list of protections. :thumb:
     
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Please confirm > Export & Reset does not apply to Trusted Vendors List?
     
  16. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    You can export/import settings, protections or both combined in one file. As for the "Trusted Vendors list", you find the db file in the OSArmorDevSvc folder. Just copy it from there if needed.
     
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    I'm thinking = TrustedVendors.db is my edited List. Not OSA default Trusted Vendors List.
    I'm thinking = Export/Import & Reset does not apply to Trusted Vendors List.

    @Buddel
    Edit: I made copy of default list and my edited list.
    Thanks
     
    Last edited: Jan 31, 2021
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    After a quick look I didn't see Norton Lifelock. They are separate from Symantec these days.
     
  19. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    I C 'NortonLifeLock Inc' and 'Symantec Corporation' with my "Scan System" list after deleting default list.
     
    Last edited: Jan 31, 2021
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    I wanted to check this. It is the edited list, which includes the default entries plus anything added or removed by the user.
     
  21. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Yeah, I deleted the default list thinking that Reset n'or Import would bring back the default list. Then, realized Import & Reset does not apply to Trusted Vendors List.
    I've since copied default list and my edited list...just to have.
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Good idea :thumb:

    I wonder if it's also possible to place a ";" in front of an entry the user doesn't want to use, instead of deleting it?
     
  23. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Yes, nice feature. I scanned my machine, added 11 more to the now-edited list and backed the whole thing up. :thumb:

    Is this like Whitelist Cloud, which, I notice VoodooShield is included in this Trusted Vendor List?
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    I'm not sure how exactly this feature works. As an experiment I opened a command prompt as administrator and tried to execute:

    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

    OSArmor alerted and blocked it:

    *
    Code:
    Process: [10380]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Parent: [8620]C:\Windows\System32\cmd.exe
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

    * I removed additional fluff from the above code. Both cmd.exe and powershell.exe are Microsoft-signed processes, so my take, could be wrong, is that any Protection measure enabled takes precedence over the signed vendors option.
     
  25. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    I mean frankly, if u want the signed vendors to take precedence over this rule, you can simply disable it. And if you don't want to, then it already doesn't. So I don't see why the dev has to change it, for this rule.

    I mean if you want microsoft-signed processes to take precedence, then you can pretty much uncheck a **** ton of rules since many of em are just microsoft processes (duh)

    And well, if u wanna trust microsoft-signed processes, then simply disable the rules that use em. But that disables the protection. So i fail to see why u want that.

    And I fail to see why should signed vendors take precedence over rules. If u don't want a rule to work, u can simply disable it. Adding an entire trusted vendors for a rule doesn't accomplish anything, other than maybe saving u a few clicks of disabling rules with ur mouse.
     