NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Yes, I already deduced that in my posting. My point is there is no need to perform this activity unless Trusted Publisher feature is enabled. I also see no reason that NVTHelperProcess.exe should be running unless Trusted Publisher feature settings are enabled.
     
    Last edited: Feb 7, 2021
  2. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    I would buy the software but I am not happy with the GUI and rule editing process
     
  3. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Yes, but what about being terminated other than by Windows Task Manager and
    other 3rd-party task managers?
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Try it with Process Explorer and see what happens.
     
  5. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Already tried that. Process Explorer along with Process Hacker was
    able to disable OSArmor protection.
    Also 'autoruns' (Sysinternals) was able to disable OSArmorDevSvc
    from startup and if the service entry was deleted then I received
    popup window that OSArmorDevSvc was marked for deletion. Trying to
    restart the service or stop it resulted in removal of OSArmorDevSvc
    and therfore protection was disabled in OSArmor.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Not on my Win 10 installation. It could not be suspended or terminated when PE was run w/admin privileges:

    OSA_Terminate.png

    Verify that you have OSA self-protection enabled in its settings:

    OSA_Protection.png

    Also and noted in the screen shot, apparently OSA will allow Win Task Manager to terminate it. This also stops OSArmorDevSvc. It must be manually restarted via services.msc. What I don't like is no alert is shown in this status. Only OSA icon on desktop toolbar is dimmed.
     
    Last edited: Feb 11, 2021
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I also verified that OSArmorDevSvc registry startup setting can be modified via Autoruns. Worse, the same can be done via regedit.exe. So this is a problem in regards to self-protection.

    Of note is I cannot modify Eset's kernel service doing the above.

    What I believe the problem here in regards registry settings modification is OSArmor has no way to monitor select registry changes. It does not have HIPS capability where such restrictions can be applied. OSArmor just monitors program execution. I will add a rule in Eset HIPS to monitor for this activity.

    -EDIT- Far far worse, OSA self-protect service can be disabled via registry modification.
     
    Last edited: Feb 11, 2021
  8. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    OSArmor.PNG

    OSArmor protection was enabled when PE disabled the service.

    OSArmor 2.PNG

    The Result from PE disabling OSArmor protection.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Are you running PE with System privileges?

    Also are you either terminating or suspending OSArmorDevSvc.exe?

    -EDIT- OK. I forgot you can stop a service using PE. Doing that totally stopped OSA and wiped its icon from the desktop toolbar.

    A better way to duplicate this test would be using "sc stop OSArmorDevSvc."

    Or, "sc delete OSArmorDevSvc" which will delete the service from the registry. Make sure you export the entire reg. key prior to attempting this.
     
    Last edited: Feb 11, 2021
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    You can achieve this running with user or admin privileges?
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    For Autoruns, I was running as Win 10 default limited admin. Since it does auto elevate via UAC, I assume I was running as a standard user. No, it will ask to elevate to Admin level within Autoruns itself.

    Regedit by default elevates for Admin privileges.

    In any case, it is trivial for malware to acquire admin privileges.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Another test someone could try is to run OSA's uninstaller via msiexec.exe as hidden and quiet.
     
  13. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Running PE with Admin/System privileges. Was able to suspend or kill/del
    OSArmorDevSvc.exe process.

    WARNING: Be careful about using PE Suspend & then closing
    PE. You may end up lock/freeze your OS. Also you may not be able to
    launch PE again if you close it. Need to be able to select resume from PE
    to what you had suspended.

    When in PE if I select Kill/Del OSArmorDevSvc.exe process which
    disables OSArmor protection I could restart the OSArmor service and protection
    would then again be enabled.

    If using PE in a restricted user account then of course I wasn't able
    to suspend or delete OSArmorDevSvc.exe process.
     
    Last edited: Feb 11, 2021
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    To be able to edit OSArmorDevSvc service/registry keys (are in HKLM) or terminate the process, a malware would require Admin privileges. The focus of OSA is to block all malware delivery methods and the first stages of the infection chain, thus blocking the malware payload execution or making sure it cannot reach the point of being executed in the system. OSA is focused in prevention other than remediation, for this reason we have not (yet) added more aggressive self-protections like registry protection - that can be done with Registry Guard technology easily - or more advanced process termination protection. We will evaluate these additions/self-protections with time, but at least for now they are not a priority.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    As a follow up to what @novirusthanks just posted, I created a .bat script to run this:

    sc stop OSArmorDevSvc
    and ran it with Admin privileges.This is a reasonable approximation on how malware would attempt to disable OSA; i.e. via script.

    OSA did stop it via self-protection detection:
    My assumption as to why OSA doesn't detect like activity via PE or PH is they are performing this via like Win API interface call. Again, OSA is not a HIPS and does not have the capability to do this type of monitoring.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I repeated the same, again, in PE running as Admin and got the same result:

    OSA_Kill_2.png

    Verify that OSArmorDevSvc.exe is running w/System privileges.
     
  17. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Did you have .bat script rule checked in OSArmor? I didn't check that rule and instead
    tested directly via Command Prompt.

    Result: An Sc stop command for OSArmorDevSvc will trigger
    OSArmor self-defense and block it.

    Result: An Sc delete command for OSArmorDevSvc will trigger
    OSArmor self-defense and block it.
     
  18. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Could you show me your admin/system permissions for OSArmorDevSvc.exe?
    Are they the same in PE and Windows OS itself?
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    No.
    As posted, I ran a .bat script as Admin. But the net effect is the same; cmd.exe runs.
     
    Last edited: Feb 12, 2021
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    As far as permissions shown for OSArmoDevSvc.exe in Programs Folder, Admin has full control.

    As far as what goes on via PE, it shows Admin permissions when process is running. It has special permissions. However, one of those is terminate:

    OSA_PE.png

    As far as testing OSA self-protection via PE and I assume the same for PH, forget using it.

    I created an Eset HIPS rule to monitor terminate and suspend attempts of OSArmoDevSvc.exe. I couldn't even start PE w/o getting an alert that PE was attempting to do one of these activities. Allowing the activity didn't help. Constant same alerts. In a few minutes of testing, I ended up with this same alert logged over 100 times.

    Bottom line - OSArmoDevSvc.exe using using packed binary code for self-protection activities. The unpacking of this code during execution appears to be screwing up normal PE monitoring of it.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I modified my .bat script to use taskill instead:

    taskkill /IM executablename OSArmorDevSvc
    Same result. OSA self-defense blocked it:
    I would say at this point, OSA is pretty well protected against being disabled excluding via registry modification.

    -EDIT- Also tried using WMIC. Same result; OSA self-defense block it.
     
    Last edited: Feb 13, 2021
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  23. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Interesting how you were denied access when terminating OSArmorDevSvc.exe in PE.
    My screenshot would show same thing. PE running as administrator on top heading
    indicated by your screenshot. No problem terminating or suspending OSArmor service.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    It also appears this above behavior in regards to my HIPS rule is not unique to OSArmoDevSvc.exe as far as PE goes. When I used notepad.exe as a test, it opened fine. But when tried to terminate it via PE, I got the same behavior from the HIPS rule. Appears to me that PE does something to a process when terminate or suspend is attempted. The HIPS log entries tell me it is being triggered upon access to the process. It's as if PE was preventing the HIPS monitoring process activity in any way; perhaps it actually locks the process prior to actually terminating it.
     
    Last edited: Feb 14, 2021
  25. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Thank you for testing this feature. It's a pretty important one.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.