NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    This was the other point I was going to mention. I use a DVI versus HDMI connection to the monitor. So everything shows in SD mode.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I have no idea what you mean with that. Because this would mean that you don't use the 1920x1080 resolution. And I still think it's weird that you don't seem to think your screenshot looks blurry. But I'm also not sure who to blame for this issue, apparently M$ is aware of the problem so why they didn't make a global "Override high DPI scaling behavior" setting is still a mystery to me.
     
  3. itman

    Errr.......... I was referring to a device's external monitor connections via device installed graphics card or present on motherboard's w/integrated graphics chip. These are some combination of the following connectors; VGA, DVI, or HDMI.

    Also most graphics adapters auto sense connected monitor's native resolution; e.g. 1920x1080, and will set by default their like resolution to the same. Changing the graphics adapter resolution from the monitor's native one can also be a factor in Win desktop display issues.
     
  4. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    I have a DisplayPort connection to my monitor.
     
  5. itman

    Yeah, I forgot about that connector. I always use nVidia graphics cards and its use of the connector is relatively new. I also buy cheaper lower end cards that never include the connector.
     
  6. Dragon1952

    I have a used Nvidia 2000 Quadro card that the computer repair store put in 6 months ago. They said it was out of a CAD workstation and only charged me $25.00 parts and labor.
     
  7. itman

    The problem with that card is it is EOL with no further driver updates: https://nvidia.custhelp.com/app/ans...ol-windows-driver-support-for-legacy-products .

    This is why I recently updated my old GeForce GTS450 card. There are just too many vulnerabilities being discovered in nVidia drivers.
     
  8. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    I take it then one would have 3 processes running in the background with versions 1.5.5+?
    OSArmorDevSvc.exe
    OSArmorDevUI.exe
    NVTHelperProcess.exe

    NVTHelperProcess only connects out at Win logon?
    Where is the Trusted Publisher setting to enable/disable it?

    NOTE: CCleaner can also uninstall OSArmor through its app using unins000.exe
    from NVT OSArmor.
     
  9. itman

    Correct - plus NVTLicenseManager.exe.
    Correct. However, so does OSArmorDevSvc.exe even if auto updating is disabled.
    It along with various cert. blacklist checking are disabled by default. They all exist in section titled, "Digital Code Signature," in Protections tab.

    Also, there is the question as to why NVTHelperProcess.exe is dialing out when all Digital Code Signature settings are disabled?
     
    Last edited: Feb 28, 2021
  10. Dragon1952

    What if I enable the TP setting and I can't boot because a signer was not there in trusted vendors?
     
  11. itman

    The only processes critical to a successful boot are Microsoft related. OSA by default includes Microsoft as a Trusted Publisher. Perhaps you are referring to Secure Boot option which checks driver signature status? I believe all OSA checks is process signature status.
     
  12. Dragon1952

    I see the name Microsoft in there 5 times as trusted. What if Microsoft has a new 6th name and it is not known by OSA yet?
     
  13. SRT

    SRT Registered Member

    Joined:
    Feb 28, 2021
    Posts:
    70
    Location:
    USA

    Do you block all 3 with firewall?
     
  14. Compu KTed

    Tested 2 apps not on OSA Trusted Vendors list. They were blocked by OSArmor when trying to
    execute them.
    When I added the 2 executables to Exclusions and then tried to run them again OSArmor
    allowed them both.
     
  15. Compu KTed

    Think itman is correct. OSArmor is checking process signatures status and MS is trusted.

    If not present in Trusted Vendors list then I would assume you would get a notification
    if you have this rule checked: Block signers not present in Trusted Vendors.
     
  16. Dragon1952

    The Trusted Pub setting might be off by default because the dev wants you to do a scan first before trusted pub is enabled.
     
  17. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    I was intrigued by that so I re-downloaded PrivacyEraser. When I clicked on the .exe, OSA blocked it with the Trusted Vendor rule (PE's not on it). When I went to Exclude, I got an access violation. :cautious: It was repeatable.

    ...sorry for initially deleting my post, I had to edit the screen-snip.

    osa access violation.PNG
     
  18. itman

    The 5 listed should cover all critical system startup processes.
     
  19. itman

    I monitored the connections for a while.

    NVTHelperProcess.exe just connects to Globalsign via Cloudflare which would be expected. I did see a few connections from OSArmorDevSvc.exe that were questionable. Again, this process should not be doing Internet activity when auto updating is disabled.
     
  20. itman

    The scan is a "double edged sword" in my opinion. If you happen to have resident signed malware on your device, it will also be added to the list.:eek:
     
  21. Dragon1952

    Microsoft could change a word or rename any of those 5 listed as Trusted. OSA would then block the new names.
     
  22. itman

    If they did this, Microsoft would have to replace all their existing certificates. That isn't going to happen "till hell freezes over."
     
  23. itman

    Since we are current on the topic of Digital Code Signature mitigations, appears NVT either needs to clarify mitigations in that section; or there are a few bugs in it.

    I enabled all the mitigations except for "Block signers not present in Trusted Vendors." In other words, all the certificate validations. My thinking here was I would use OSA to check process signature status only. I then ran a Seagate HDD utility I have that has an expired cert. Not a peep from OSA. o_O I then found another old utility process with an expired cert. OSA blocked it, but not with the alert I expected:
    First up is I didn't activate "Block signers not present in Trusted Vendors," so why am I getting a block on this rather than a block for an expired cert. which applied in this instance?

    Next, it appears that all these cert. validations only apply to publishers not listed in Trusted Vendors list. Note that Seagate is listed in the Trusted Vendors list, yet OSA didn't flag its expired cert. However, A. & M. Neuber Software is not listed in the Trusted Vendors list and OSA blocked it; but for the wrong reason. Finally, activating one or more of the cert. mitigations is equivalent to activating Block signers not present in Trusted Vendors mitigation.

    Really appears to me NVT needs to do some further work with this feature or post detailed documentation on what it's supposed to do and how it's supposed to work.

    -EDIT- It turns out that neither of the above .exe's had expired certs. So it appears that enabling any of the cert. status; expired, revoked, etc., mitigations is equivalent to enabling the Block signers not present in Trusted Vendors mitigation.
     
    Last edited: Mar 2, 2021
  24. Compu KTed

    (Testing OSArmor Trusted Vendors List)

    NVT OSArmor rule "Block signers not present in Trusted Vendors" is checked.
    Piriform Ltd removed from the Trusted Vendors list.
    Tried to install CCleaner executable on system & OSArmor blocked it.
    Added Piriform Ltd to Trusted Vendor list.
    Tried to install CCleaner executable and OSArmor blocked it.
    Removed Piriform Ltd from list and substituted Piriform Software Ltd
    OSArmor then allowed CCleaner to install.

    Looks like exact names do make a difference in OSArmor Trusted Vendors list.
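
Posts 23 and 24 above both depend on what a signed file actually reports: the exact publisher name in its certificate and the certificate's validity dates. The PowerShell function below is an added example (not part of the thread and not NoVirusThanks code) that reads both with Get-AuthenticodeSignature; the function name, the -TrustedVendors parameter and the case-sensitive exact comparison are assumptions made for illustration, not OSArmor's documented matching logic.

```powershell
# Added example, not OSArmor code. Reports the signer name exactly as it is
# written in a file's Authenticode certificate, plus the certificate validity.
function Get-SignerReport {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        # Hypothetical stand-in for the names entered in a Trusted Vendors list.
        [string[]] $TrustedVendors = @()
    )
    foreach ($file in $Path) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $file
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) {
            # Unsigned file or unsupported format: there is no signer to compare.
            [pscustomobject]@{
                File = $file; Status = $sig.Status; Signer = $null
                NotAfter = $null; Expired = $null
                Timestamped = $false; ExactMatch = $false
            }
            continue
        }
        # Common name of the signing certificate, e.g. the publisher string.
        $signer = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
            $false)
        [pscustomobject]@{
            File        = $file
            Status      = $sig.Status        # Valid, NotSigned, HashMismatch, ...
            Signer      = $signer
            NotAfter    = $cert.NotAfter
            Expired     = $cert.NotAfter -lt (Get-Date)
            # A signature timestamped while the certificate was valid can still
            # verify as Valid after NotAfter has passed.
            Timestamped = $null -ne $sig.TimeStamperCertificate
            # Case-sensitive, whole-string comparison (assumed for illustration).
            ExactMatch  = $TrustedVendors -ccontains $signer
        }
    }
}

# Usage (placeholder path; the two vendor strings are the ones tried in post 24):
# Get-SignerReport -Path 'C:\Path\To\installer.exe' `
#     -TrustedVendors 'Piriform Ltd', 'Piriform Software Ltd' | Format-List
```

The Signer column gives the string to copy into an allow list character for character, and Status together with NotAfter shows whether a certificate is really expired before a missing alert is treated as a bug.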
     
  25. Rasheed187

    What I meant is that when I say "full HD", I mean monitors with a 1920x1080 resolution. I don't see how you can run a full HD screen in SD mode. But anyway, that hasn't got anything to do with this problem. It's very simple, if you set your screen to a scale of 100%, OSArmor's GUI will look sharp but smaller. If you set it to a scale of 125% it will look blurry and you can fix it via the "Change high DPI settings" options. Did you try this and does it look sharper?

    I can't download the latest version, nothing happens when I click on the download button. Also, I have tested a couple of your other tools and all of them looked blurry on a 1920x1080 resolution with a scale of 150%. I suggest you read the article in my last post. In order to fix the problem, apps need to be DPI aware, if I understood correctly. I wonder if this is easy to fix?

     