NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    New build test 5 can be downloaded here:

    Code:
    https://downloads.osarmor.com/osarmor_personal_1.5.9_test5.exe
    
    @plat1098 @bjm_

    The problem related to the message dialog that is displayed also if you don't click the "Save" button in the Configurator is fixed now.

    The user still needs to type a custom file name when exporting their settings.

    About the loon.wav file, nothing was changed and I can't reproduce the issue here.

    I remember you sent me your custom WAV file some time ago, and here it worked fine (it played when something got blocked).

    Will try to dig more, but it seems a very strange behavior.
     
  2. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Thanks for the new build, NVT; installed cleanly, mainly for trying to get my WAV to work. Since it works fine for you and probably others, I will have to figure out what the deal is. That message box no longer appears after canceling the Export "operation," which is nice.

    Thanks for giving the WAV thing some acknowledgement even though it's not something universal. I'm sure it'll work out one way or another eventually. :)
     
  3. Influenza

    Influenza Registered Member

    Joined:
    May 7, 2016
    Posts:
    60
    Thanks @novirusthanks for the explanations.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    I get none of these results on these tests.
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Didn’t see that @bjm_ , thanks!
     
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We've released OSArmor v1.5.9:
    https://www.osarmor.com/

    This is the changelog:

    If you find issues or FPs please let me know.

    * You can install over-the-top of a previous version (reboot is not needed).
    * If you have auto-update option enabled you should get the update automatically.

    Thanks guys!
     
  8. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Thanks Andrea for your hard work :)
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Thanks so much, Andreas!

    This utility just gets better and better with each new release.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Gggrrrreeeeeat!

    Booting back into Windows right now just for the update. :)
     
    Last edited: Aug 7, 2021
  11. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    Thanks a lot for the update. Works great, as always. I still hope SysHardener will also be updated one day.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    +1 :thumb:
     
  13. Influenza

    Influenza Registered Member

    Joined:
    May 7, 2016
    Posts:
    60
    Automatically updated :thumb:
     
  14. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    I saw the Twitter notification about the new build but I have to ask: is OSA officially supported for Windows 11 or is this still in the evaluation phase? In the announcement, it's Vista through Windows 10. Or does one have to wait until the Windows release is official?

    No problems so far running on Windows 11 but nothing too in-depth. :)
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Congrats, I will soon give it a test drive. :thumb:
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    I'm not sure if this was technically a false positive or not.

    Date/Time: 9/08/2021 8:00:00 AM
    Process: [14620]C:\Windows\System32\cmd.exe
    Process MD5 Hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
    Parent: [1456]C:\Windows\System32\svchost.exe
    Rule: BlockPowerShellMalformedCommands
    Rule Name: Block encoded and malformed PowerShell commands
    Command Line: C:\WINDOWS\system32\cmd.EXE /c start hpdiags://SmartCheckTest
    Signer: <NULL>
    Parent Signer: Microsoft Windows Publisher
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: System
     
  17. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    If you look at that command, it's an attempt to execute

    start hpdiags://SmartCheckTest

    If I try to do that here, Windows complains that (on my non-HP system) there is no application installed to process that sort of link. That is, it's interpreting the "hpdiags://" part in the same basic fashion as it would interpret something starting "http://" or "ftp://" etc. That implies that the HP diagnostics software has installed a protocol handler for their invented "hpdiags:" protocol. On your system that might well be legitimate, but on anyone else's it's easy to see (in my opinion anyway) why it looks like a malformed command.
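As an added example (not code from this thread or from OSArmor): a PowerShell check that resolves which program, if any, Windows has registered for a custom scheme such as hpdiags: and reports that program's Authenticode signature, so the blocked command can be matched against the expected vendor binary instead of being whitelisted blind. The function name is mine; the registry layout it reads (HKEY_CLASSES_ROOT\<scheme> carrying a "URL Protocol" value and a shell\open\command subkey) is the standard Windows one.

```powershell
function Get-UrlProtocolHandler {
    param([Parameter(Mandatory)][string]$Scheme)
    $scheme = $Scheme -replace '[:/]+$', ''          # accept "hpdiags", "hpdiags:" or "hpdiags://"
    $key = "Registry::HKEY_CLASSES_ROOT\$scheme"
    if (-not (Test-Path -LiteralPath $key)) {
        # This is the state JNicoll23 describes on a non-HP machine: no handler at all
        return [pscustomobject]@{ Scheme = $scheme; Registered = $false }
    }
    # Windows only treats the key as a URL scheme when it carries the (empty) "URL Protocol" value
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $isProtocol = $null -ne $props.PSObject.Properties['URL Protocol']
    $cmdKey = "$key\shell\open\command"
    $command = $null
    if (Test-Path -LiteralPath $cmdKey) { $command = (Get-ItemProperty -LiteralPath $cmdKey).'(default)' }
    # Pull the executable out of either  "C:\dir\app.exe" "%1"  or  C:\dir\app.exe %1
    $exe = $null
    if ($command -match '^\s*"([^"]+)"|^\s*(\S+)') { $exe = if ($matches[1]) { $matches[1] } else { $matches[2] } }
    $status = 'n/a'; $signer = $null
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{
        Scheme = $scheme; Registered = $true; IsUrlProtocol = $isProtocol
        Command = $command; Executable = $exe; SignatureStatus = $status; Signer = $signer
    }
}
# The scheme from the blocked command line quoted above, plus http: as a known-registered comparison
'hpdiags', 'http' | ForEach-Object { Get-UrlProtocolHandler -Scheme $_ } | Format-List
```

A handler whose SignatureStatus is anything but Valid, or whose executable lives outside the vendor's install folder, is worth resolving before the rule is relaxed for it.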
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Got this flashing my Lenovo BIOS, with Medium Protection Profile ... but 'Prevent unsigned processes in user space from starting system processes' is not ticked? (under Lockdown & Experimental).
    Code:
    Date/Time: 8/9/2021 10:50:37 AM
    Process: [14012]C:\Windows\TempInst\ExtactTemp\SctWinFlash64.exe
    Process MD5 Hash: 5ED5158DEE32426640B151716BEE5360
    Parent: [6864]C:\Drivers\Flash\20210908.10500715\CQCN34WW.exe
    Rule: PreventUnsignedProcsInUserSpaceStartSystemProcs
    Rule Name: Prevent unsigned processes in user space from starting system processes
    Command Line: "c:\windows\TempInst\ExtactTemp\SctWinFlash64.exe"
    Signer: Phoenix Technologies Ltd.
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    
    
    Date/Time: 8/9/2021 10:44:31 AM
    Process: [1368]C:\Drivers\Flash\20210908.10435955\CQCN34WW.exe
    Process MD5 Hash: 6CBA94E34474777D2A0C17C22E79D00A
    Parent: [6236]C:\Windows\TempInst\is-RV52M.tmp\cqcn34ww.tmp
    Rule: BlockUnsignedProcsWithSystemIL
    Rule Name: Block unsigned processes executed with system privileges
    Command Line: "C:\Drivers\Flash\20210908.10435955\CQCN34WW.exe"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    It must be HP's dodgy coding as I just got this one:

    Date/Time: 10/08/2021 8:00:02 AM
    Process: [3384]C:\Windows\System32\cmd.exe
    Process MD5 Hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
    Parent: [1480]C:\Windows\System32\svchost.exe
    Rule: BlockPowerShellMalformedCommands
    Rule Name: Block encoded and malformed PowerShell commands
    Command Line: C:\WINDOWS\system32\cmd.EXE /c start hpdiags://BatteryStatusTest
    Signer: <NULL>
    Parent Signer: Microsoft Windows Publisher
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: System

    It is interesting because my desktop PC doesn't have a battery.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    FYI:
    https://www.file.net/process/hpdiags.exe.html

    Looks like HP telemetry activity to me. On the other hand, anything that runs a PowerShell script as a child process from cmd.exe that can establish a remote connection... well, I would view it with suspicion.
     
    Last edited: Aug 9, 2021
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    BTW, a technical question about the "Block Remote Scripts" and "Block Bitsadmin.exe" rules: does this mean that OSArmor will block outbound connections via the Win Firewall, or perhaps its own firewall?
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Is it possible to get a license key purely for testing? I keep getting that my license has expired, but I never actually completed the trial.
     
  24. Influenza

    Influenza Registered Member

    Joined:
    May 7, 2016
    Posts:
    60
    Hello,
    I'm not sure, but I think these are false positives?
    ____________________________________________________________________________________________________
    Date/Time: 12/08/2021 16:01:39
    Process: [11700]C:\Windows\SysWOW64\regedit.exe
    Process MD5 Hash: BD63D72DB4FA96A1E0250B1D36B7A827
    Parent: [11360]C:\Users\Robert\Downloads\euc_win_1_06_022.exe
    Rule: PreventUnsignedProcsInUserSpaceStartSystemProcs
    Rule Name: Prevent unsigned processes in user space from starting system processes
    Command Line: regedit.exe /s bin\etn_ca.reg
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: ................................
    System File: True
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High
    ________________________________________________________________________________________________________

    Date/Time: 14/08/2021 09:52:39
    Process: [11800]C:\Windows\System32\reg.exe
    Process MD5 Hash: 227F63E1D9008B36BDBCC4B397780BE4
    Parent: [11784]C:\Windows\System32\cmd.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: C:\WINDOWS\System32\reg.exe QUERY HKEY_USERS\S-1-5-21-1669281036-1562460724-2316969650-1001_Classes\Software\ESRV\ids
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: Système/AUTORITE NT
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System


    Date/Time: 14/08/2021 09:52:39
    Process: [11772]C:\Windows\System32\reg.exe
    Process MD5 Hash: 227F63E1D9008B36BDBCC4B397780BE4
    Parent: [11756]C:\Windows\System32\cmd.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: C:\WINDOWS\System32\reg.exe QUERY HKEY_USERS\S-1-5-21-1669281036-1562460724-2316969650-1001_Classes\Software\ESRV
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: Système/AUTORITE NT
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System


    Date/Time: 14/08/2021 09:52:37
    Process: [11272]C:\Windows\System32\reg.exe
    Process MD5 Hash: 227F63E1D9008B36BDBCC4B397780BE4
    Parent: [7304]C:\Windows\System32\cmd.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: C:\WINDOWS\System32\reg.exe QUERY HKEY_USERS\S-1-5-21-1669281036-1562460724-2316969650-1001_Classes\Software\ESRV\ids
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: Système/AUTORITE NT
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    In my case I would consider that OSA is working as intended and simply add those alerts to exceptions. Actually the last three are identical. Based on the Rule Names, the alerts are legitimate.
     
    Last edited: Aug 14, 2021
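An added example, not code from this thread or from OSArmor: a PowerShell parser for the block records pasted in Krusty's, paulderdash's and Influenza's posts above. It turns each record into an object so that repeated firings of one rule on one command line collapse to a single count, and any record whose parent is unsigned and runs from a user-writable folder is listed for a closer look before an exception is added. The function name and the "user-writable" heuristic are mine; the sample records are abbreviated copies of those quoted in the thread.

```powershell
function ConvertFrom-OSArmorLog {
    param([Parameter(Mandatory)][string]$Text)
    # One record per paragraph; posters sometimes put underscore rulers between records
    foreach ($block in ($Text -split '(?:\r?\n){2,}|_{10,}')) {
        $rec = @{}
        foreach ($line in ($block -split '\r?\n')) {
            if ($line -match '^\s*([^:]+?):\s*(.*)$') { $rec[$matches[1]] = $matches[2].Trim() }
        }
        if (-not $rec.ContainsKey('Rule')) { continue }   # separator or stray text, not a record
        $parent = $rec['Parent'] -replace '^\[\d+\]', ''  # drop the "[pid]" prefix
        [pscustomobject]@{
            Time         = $rec['Date/Time']
            Rule         = $rec['Rule']
            Process      = $rec['Process'] -replace '^\[\d+\]', ''
            Parent       = $parent
            CommandLine  = $rec['Command Line']
            ParentSigned = $rec['Parent Signer'] -ne '<NULL>'
            # Heuristic (mine, not OSArmor's): an unsigned parent under a profile or temp folder
            ParentUserWritable = $parent -match '\\Users\\|\\Temp'
        }
    }
}
# Constructed sample: three records abbreviated from those pasted in this thread
$SampleLog = @'
Date/Time: 12/08/2021 16:01:39
Process: [11700]C:\Windows\SysWOW64\regedit.exe
Parent: [11360]C:\Users\Robert\Downloads\euc_win_1_06_022.exe
Rule: PreventUnsignedProcsInUserSpaceStartSystemProcs
Command Line: regedit.exe /s bin\etn_ca.reg
Parent Signer: <NULL>

Date/Time: 14/08/2021 09:52:39
Process: [11800]C:\Windows\System32\reg.exe
Parent: [11784]C:\Windows\System32\cmd.exe
Rule: BlockSuspiciousCmdlines
Command Line: C:\WINDOWS\System32\reg.exe QUERY HKEY_USERS\S-1-5-21-1669281036-1562460724-2316969650-1001_Classes\Software\ESRV\ids
Parent Signer: <NULL>

Date/Time: 14/08/2021 09:52:37
Process: [11272]C:\Windows\System32\reg.exe
Parent: [7304]C:\Windows\System32\cmd.exe
Rule: BlockSuspiciousCmdlines
Command Line: C:\WINDOWS\System32\reg.exe QUERY HKEY_USERS\S-1-5-21-1669281036-1562460724-2316969650-1001_Classes\Software\ESRV\ids
Parent Signer: <NULL>
'@
$records = ConvertFrom-OSArmorLog -Text $SampleLog
# Repeats of one (Rule, CommandLine) pair are the same event firing again, not separate findings
$records | Group-Object Rule, CommandLine | Select-Object Count, Name
# What to look at before adding an exception: an unsigned parent running from a user-writable path
$records | Where-Object { -not $_.ParentSigned -and $_.ParentUserWritable } | Format-Table Time, Parent, CommandLine
```

Piping a whole exported OSArmor log file through `Get-Content -Raw` into `ConvertFrom-OSArmorLog` works the same way, since the function only relies on the "Key: value" lines and blank-line separation shown in the thread.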