NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
I have only had the standard account for 2 days. When I see high CPU I end it in Task Manager and then start OSA protection again, only to see it go right back to high CPU. I also get high CPU in Kaspersky App Loader in the standard account. Unless both problems go away I can't use my standard account anymore.
     
  2. Richard981

    Richard981 Suspended Member

    Joined:
    Aug 21, 2020
    Posts:
    14
    Location:
    Canada
I have had similar problems. I mean, one avenue could be to uninstall both, then install Kaspersky first again, do two restarts, and then NVT, and the same thing. Now, with that said, Kaspersky and NVT shouldn't conflict, as in my case, but things can go south with Kaspersky sometimes. That's what I can think of again.

Or you can just uninstall Kaspersky, do a restart and see how NVT is doing. If still high CPU, something else in the system is causing this behavior.
     
  3. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
I don't have high CPU problems with those 2 apps in my admin account.
     
  4. Richard981

    Richard981 Suspended Member

    Joined:
    Aug 21, 2020
    Posts:
    14
    Location:
    Canada
    I totally agree. But I don't think it is a drastically wrong testing step to do what I suggested but I get your point though completely, i guess we can wait for anyone else to help..
     
  5. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
Well here's a nice example of OSArmor doing what I want it to do, and that's block things I specifically don't want running on here. This morning I had a Windows cumulative update along with another Razer one. I cancelled the Razer Synapse installation (and that script seems to confirm that but...:cautious:) however, OSA showed this notice a few minutes later.

(attached image: osarazer log.png)

    Searched in File Explorer and my goodness, look at all the junk that got on here despite my cancellation of the process. :mad:

(attached image: razer junk.png)

    So, thought I would mention that it's worth it to have software like this at times. :)
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
Agreed, that’s why I run OSA along with Andy Ful's H_C.

    BTW, it looks like OSA might have blocked the vbs script responsible for the removal of all the Razer files?
     
  7. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    It looked like OSA blocked the script for additional installation of Razer junkware, I'm not sure. It definitely alerted me to some unwanted shenanigans after all indications were that the Razer install had been blocked already. :cautious:

    I may look around the OSA menu to see if there are additional rules that would be appropriate. Hesitating a little because false-positives are extremely low and it's nice to keep it that way. :)

    Edit: I see Razer is not on the Trusted Vendors list either.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
Okay, I was just curious, since maybe when it was blocked, the .vbs script, which going by its name ("RzInstallerDeletionS3.vbs") appears it could be a cleanup script, attempted to run but OSA blocked it, and that could maybe be the reason for all those Razer file leftovers. I'm just speculating, of course, based on the attachments from your previous post ;)
     
  9. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Possibly you're right. Funny, this block never came up during other attempts by Razer to install its unwanted software on this machine. I have to admit: some of those remnants were from prev. attempts to clean up this mess. HiBit doesn't recognize it as an installed program, dang it.

    Blocked it w/wushowhide. Hope it works. :doubt:
     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test build of OSArmor Personal 1.6.1:

    Code:
    https://downloads.osarmor.com/osarmor-personal-setup-1.6.1-test2.exe
    
    Changelog so far:

    We will no longer sign our apps with SHA1 code signing certificate.

    If you use an old version of Windows OS, we recommend to read the following pages:
    https://www.sevenforums.com/news/42...gning-support-update-windows-7-sept-10-a.html
    https://docs.microsoft.com/en-us/archive/blogs/pki/sha2-and-windows

    Let me know if you find any issues.

    Thanks guys!
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    I must have missed Test1. :)

    Downloaded and over-installed here without issue.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
No issues so far, and no complaints from SmartScreen this time :) Thanks Andreas!
     
  13. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
    SmartScreen blocks new files with a low reputation, prevalence, etc. so, e.g. if you wait a few days it will normally be allowed.
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Yes, I know. My post was an explanation to an earlier post.
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Interesting. I was running an older version of Process Explorer, v16.23, and it was reporting the service utilizing ~ 0.90% CPU, then after installing the latest PE, v16.43, it now reports a paltry <0.01%. In both cases from my SUA. Are you using PE by any chance?
     
  16. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
No, I don't have the PE app.
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
Running PrivaZer 4.0.34 results in a constant barrage of pop-ups. Hopefully they can be whitelisted internally without having to whitelist each alert. Otherwise I shall consider uninstalling OSA, as I find it becoming far too annoying of late anyway.

If and/or when PrivaZer finishes on my laptop I shall attach the log just from today.
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Woops! I uninstalled OSA including logs. I guess either someone else will have to upload the logs after running PrivaZer, or @novirusthanks might have to run it himself.
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Krusty

I tried PrivaZer and I got the following notifications from OSA with the Extreme Protection profile set:

The above command uses powershell.exe and wevtutil to clean Windows event logs. However, ransomware also uses this technique to remove its traces:

    "In the Clop ransomware sample that was used in the Software AG case, there is something that if remember right, wasn't before: it uses wevtutil.exe to clear event logs..."
    https://twitter.com/malwrhunterteam/status/1314960487507951617

    "To remove its(or its component’s) execution traces from the infected system, KillDisk uses the Windows event utility (wevtutil)"
    https://www.mcafee.com/blogs/other-...zing-killdisk-ransomware-part-1-whitelisting/

    "The adversary used PsExec to invoke the "wevtutil.exe" utility. This utility cleared the contents of local security event logs on systems."
    https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html

    Would be better in my personal opinion if PrivaZer could use Windows APIs to do the job:
    https://docs.microsoft.com/en-us/windows/win32/wes/windows-event-log-functions?redirectedfrom=MSDN
    https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging-functions?redirectedfrom=MSDN

    The above command uses system process cacls.exe to gain access to "System Volume Information", but unfortunately this technique is also used by malware.

    cacls.exe and xcacls.exe are other system processes commonly abused by malware and ransomware.

The above command uses system process taskkill.exe to kill/terminate the scserver.exe process. Malware also uses taskkill.exe to kill antivirus processes and other processes like MSSQL server, etc.

    The same can be done via Windows APIs, that would be better in my personal opinion since taskkill.exe is yet another system process abused by malware.

From my personal point of view, the execution of system processes should be drastically limited (if possible, of course) since malware and ransomware are known to abuse them heavily (see certutil.exe, powershell.exe, etc). Many companies tend to block/restrict the execution of many system processes to block infection chains of malware/ransomware/exploits. This is unfortunate, because yes, we have system processes that can help do amazing things and automate things easily via command line, but at the same time this is true also for malware, ransomware, etc.

    A possible workaround for PrivaZer (and any other program) would be to directly execute the specific system processes so we know PrivaZer.exe is the parent process, example:

    Instead of using PrivaZer.exe -> cmd.exe -> taskkill.exe, it can be PrivaZer.exe -> taskkill.exe, same is for PrivaZer.exe -> cmd.exe -> cacls.exe that can be PrivaZer.exe -> cacls.exe

    Regarding wevtutil.exe, it can be done in the same way with PrivaZer.exe as parent process and executed for each system events log section.

    PrivaZer.exe -> taskkill.exe /F /IM SCserver.exe
    PrivaZer.exe -> cacls.exe "C:\System Volume Information\Chkdsk" /E /G Dev:F
    PrivaZer.exe -> wevtutil.exe clear-log application
    PrivaZer.exe -> wevtutil.exe clear-log security
    PrivaZer.exe -> wevtutil.exe clear-log setup
    PrivaZer.exe -> wevtutil.exe clear-log system

    In the above cases we can better write safe whitelist/exclusion rules by matching parent process PrivaZer.exe, parent signer Goversoft LLC, process and command-line.
     
    Last edited: Nov 12, 2021
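The matching that post #19 describes (flag wevtutil/cacls/taskkill launches, then exempt them only when the direct parent is PrivaZer.exe signed by Goversoft LLC with the exact command line), worked through as an added example. This is illustrative Python written for this thread, not OSArmor's engine or its rule syntax, and not PrivaZer's code. The event records, the "Microsoft Windows" signer string on cmd.exe and the "SomeAV.exe" target name are constructed for the example from the command lines quoted in the post.

```python
"""Added example: parent/signer/command-line matching for LOLBin launches.

Illustrative code for this thread, not OSArmor's engine or rule format.
The event records at the bottom are constructed by hand from the command
lines quoted in post #19.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    process: str        # image name of the process being created
    cmdline: str        # its full command line
    parent: str         # image name of the direct parent process
    parent_signer: str  # Authenticode signer of the parent ("" if unsigned)


# Behaviour rules: (label, process-name regex, command-line regex).
# These cover the three behaviours OSArmor flagged in post #19.
BLOCK_RULES = [
    ("wevtutil clears an event log", r"^wevtutil\.exe$", r"\s(cl|clear-log)(\s|$)"),
    ("cacls touches System Volume Information", r"^x?cacls\.exe$", r"system volume information"),
    ("taskkill force-terminates a process", r"^taskkill\.exe$", r"\s/f(\s|$)"),
]

_PRIVAZER_PARENT = {"parent": r"^privazer\.exe$", "parent_signer": r"^goversoft llc$"}

# Exclusions: every field must match. Pinning the direct parent, its signer and
# the exact command line is what stops a cmd.exe-launched copy, an unsigned
# look-alike named PrivaZer.exe, or a different taskkill target from riding them.
EXCLUSIONS = [
    {**_PRIVAZER_PARENT, "process": r"^wevtutil\.exe$",
     "cmdline": r"^wevtutil\.exe clear-log (application|security|setup|system)$"},
    {**_PRIVAZER_PARENT, "process": r"^taskkill\.exe$",
     "cmdline": r"^taskkill\.exe /f /im scserver\.exe$"},
    {**_PRIVAZER_PARENT, "process": r"^cacls\.exe$",
     "cmdline": r'^cacls\.exe "c:\\system volume information\\chkdsk" /e /g dev:f$'},
]


def _hit(pattern, text):
    """Case-insensitive regex search; Windows image names and switches vary in case."""
    return re.search(pattern, text, re.IGNORECASE) is not None


def block_reason(ev):
    """Label of the first behaviour rule the event triggers, else None."""
    for label, proc_re, cmd_re in BLOCK_RULES:
        if _hit(proc_re, ev.process) and _hit(cmd_re, ev.cmdline):
            return label
    return None


def exclusion_index(ev):
    """Index of the first exclusion whose four fields all match, else None."""
    fields = ("parent", "parent_signer", "process", "cmdline")
    for i, rule in enumerate(EXCLUSIONS):
        if all(_hit(rule[f], getattr(ev, f)) for f in fields):
            return i
    return None


def decide(ev):
    """Return ("allow", ""), ("excluded", "rule N") or ("block", reason)."""
    reason = block_reason(ev)
    if reason is None:
        return ("allow", "")
    idx = exclusion_index(ev)
    if idx is not None:
        return ("excluded", f"rule {idx}")
    return ("block", reason)


# Constructed sample events (not real OSArmor log output).
SAMPLE_EVENTS = [
    # What was observed: PrivaZer.exe -> cmd.exe -> wevtutil.exe, so the direct parent is cmd.exe
    ProcEvent("wevtutil.exe", "wevtutil.exe clear-log security", "cmd.exe", "Microsoft Windows"),
    # The layout proposed in post #19: PrivaZer.exe is the direct parent
    ProcEvent("wevtutil.exe", "wevtutil.exe clear-log security", "PrivaZer.exe", "Goversoft LLC"),
    ProcEvent("taskkill.exe", "taskkill.exe /F /IM SCserver.exe", "PrivaZer.exe", "Goversoft LLC"),
    ProcEvent("cacls.exe", 'cacls.exe "C:\\System Volume Information\\Chkdsk" /E /G Dev:F',
              "PrivaZer.exe", "Goversoft LLC"),
    # An unsigned binary renamed PrivaZer.exe, using wevtutil's short "cl" alias
    ProcEvent("wevtutil.exe", "wevtutil.exe cl security", "PrivaZer.exe", ""),
    # Right parent and signer, but a different kill target (hypothetical AV process name)
    ProcEvent("taskkill.exe", "taskkill.exe /F /IM SomeAV.exe", "PrivaZer.exe", "Goversoft LLC"),
    # Unrelated launch: no behaviour rule fires at all
    ProcEvent("notepad.exe", "notepad.exe readme.txt", "explorer.exe", "Microsoft Windows"),
]


def decide_all(events):
    return [decide(ev) for ev in events]


if __name__ == "__main__":
    for ev, (verdict, detail) in zip(SAMPLE_EVENTS, decide_all(SAMPLE_EVENTS)):
        print(f"{verdict:8} {detail:40} {ev.parent} -> {ev.cmdline}")
```

Only the three direct-parent launches with the exact command lines from the post are excluded; the cmd.exe-mediated launch, the unsigned look-alike and the taskkill against another target all still block, which is the reason the post asks for PrivaZer.exe to be the parent rather than cmd.exe.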
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Hi NVT,

    Oh, I see. I only had OSA Medium Protection enabled but your post explains the issue pretty well that even I get the gist. I'm one of the slower members of class. :(

    As this is way above my pay grade, if it's OK with you I will invite @The_PrivaZer_Team to visit this thread, and your post, with hopes that a suitable alternative method can be found.

    I sincerely appreciate your time investigating this issue. :thumb:

    Thank you!
     
    Last edited: Nov 12, 2021
  21. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    1,077
    Location:
    France
    Hello here,
    We will try to find a way.
    We keep you posted.
     
  22. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
Where are the protection profile settings in OSA?
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Code:
    C:\Program Files\NoVirusThanks\OSArmorDevSvc\Profiles
     
  24. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
Right-click the Main Protections view.
(attached image: png_12544.png)
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    bjm_'s makes more sense. I just posted where the settings profiles are stored.
     