NoVirusThanks OSArmor: An Additional Layer of Defense

Hey Krusty, I noted the same in post 3442. I used this exe to test TVL only.

 

Updating to Test 3 enabled that setting where in Test 2 I had it disabled by choosing Medium Protection Profile. After choosing Medium again that setting is now disabled.

I have scanned my system and added another 20 vendors to the list in case that setting gets re-enabled.

 

Thanks plat. As above, I didn't manually enable the TVL setting.

 

Thank you for your plans to keep OSA simple.

 

Agree too buddy

 

Because it's a Chinese company, right?

 

We've released a new version of OSArmor v1.5.5:
https://www.osarmor.com/download/

Final changelog:

[02-Feb-2021] v1.5.5.0

+ Improved handling of licensing errors
+ The service is not terminated in case of licensing errors
+ Improved analysis of digitally signed processes
+ Improved detection of revoked certificates (network check)
+ Added tab "Trusted Vendors" in Configurator
+ Added button to scan system for vendors (signers)
+ Added button to open TrustedVendors.db file
+ Added button to reset Trusted Vendors to default list
+ Added Block signers not present in Trusted Vendors
+ Added Block processes signed with a revoked certificate
+ Added Block processes signed with an invalid certificate
+ Added Block processes signed with an expired certificate
+ Import a custom .ini settings file via setup.exe /IMPORTSETTINGS=
+ Added new internal rules to block suspicious behaviors
+ Improved installer and uninstaller scripts
+ Fixed all reported false positives
+ Minor improvements

User notice:

* You can install over-the-top
* If you installed test builds you should update to this final version

Screenshot of Trusted Vendors:


Recent video uploaded:

Block malware signed with valid or revoked certs with OSArmor
https://www.youtube.com/watch?v=XUStga9CX1A

 

Chrome has blocked the download from the link because it may be dangerous. A few minutes later i got the auto update which worked.

 

Got it. Thanks for the new version, Andreas.

 

Same with FireFox. Ditto for the main OSA web site: https://www.osarmor.com/. I assume the OSA IP address is being blocked.

No way I am turning on auto updating till this is resolved.

Scratch this. Forgot I created an Eset firewall rule to block OSArmor IP Address.

 

Strage. I used FireFox to download the latest version without any problems. No popups. No warnings. Nothing. Hm...

 

@Dragon1952

Thanks for reporting it, I tried with Chrome and indeed it doesn't allow to download OSArmor setup file, strange.

Maybe it reacts like this because the file is new? All our setups and exes are digitally signed, I will have to investigate on this tomorrow.

@itman

Thanks for the update about the Eset details, no issues with FF here.

 

Just tried now to download OSArmor setup file with Chrome and no issues.

I guess it was showing the warning yesterday because the file was new and/or not popular.

@Dragon1952 Can you confirm?

Thank you

 

Yes i can download OSA with chrome now.

 

I always get a Win 10 SmartScreen alert on the installer download. So its not passing its cert. validation. It's a Win Store non-download alert.

 

Ive literally downloaded malware with chrome and never said anything, other than this file is exe and might harm ur pc are u sure bla bla bla

perhaps u have safe browsing enabled?

in any case no reason to trust false positives

 

@novirusthanks

downloaded using latest Chrome beta and no alerts form chrome or smartscreen.

 

@novirusthanks

The Homepage Internet shortcut has an insecure URL address.(HTTP)
The Changelog file lists same URL, but has secure (HTTPS) URL for novirusthanks.org

 

Appears OSA added a new process, NVTHelperProcess.exe, in ver. 1.5.5. Any reason why this should be "dialing out" shortly after Win logon with auto update disabled? Also Trusted Publisher feature is not enabled. As such, no need to check certificates or the like.

NVTHelperProcess.exe 6952 TCPV6 [2600:1700:64c0:XXXX] 56921 [2606:4700:0:0:0:0:6812:15e2] http ESTABLISHED

-EDIT- Add to this the following IPv4 addresses; 104.18.20.226 and 104.18.21.226.

All the above IP Address are associated with Cloudflare and GlobalSign. This would be indicative of Trusted Publisher cert. validations and the like. However if this feature is not enabled, this dial-out activity should not be occurring.

 

I got this while running PrivaZer and attempting to delete a restore point.

Code:

Date/Time: 7/02/2021 2:02:08 PM
Process: [13768]C:\Windows\System32\vssadmin.exe
Process MD5 Hash: B58073DB8892B67A672906C9358020EC
Parent: [7768]C:\Windows\System32\cmd.exe
Rule: PreventImportantSystemModifications
Rule Name: Prevent important system modifications
Command Line: vssadmin  delete shadows /for=C: /QUIET
Signer: <NULL>
Parent Signer: <NULL>
User/Domain: Dave/DAVE-PC
System File: True
Parent System File: True
Integrity Level: High
Parent Integrity Level: High

 

Oh, I see I've reported this before.

#3300

 

Not quite.

The current detection you received originated from OSA Main Protections rule section. Assume this is a ransomware mitigation since it performs like activity.

The prior alert you received originated from Block Specific System processes optional rule for vssadmin. Assumed is you enabled this rule manually or via profile selection.

 

I am also questioning what PrivaZer is doing here.

To delete a specific restore point in Win 10, the specific Shadow Copy ID must be specified:

or, to delete the oldest restore point:

https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html

Using "vssadmin delete shadows /For=(drive letter): /quiet" that PrivaZer is doing appears to me to delete all restore points. This is most likely why OSA is alerting on this activity.

​

 

@itman

That connections are needed to validate if a certificate is revoked or invalid and for Trusted Vendors, they are performed by Windows APIs we use to verify a certificate.