NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    It still happens for me with latest v1.7.1
     
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We've released OSArmor v1.7.1:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you find false positives or issues please let me know.

    Mainly, we've improved Follina detection; the AE module was missing the .DOC/DOCX variant that used msdt.exe without InvokeExpression.

    Even if that variant was not detected by the AE module, the final payload should have been blocked by other rules depending on the payload type.

    Here is the video where I tested OSA 1.7.1 with Follina and some other custom variants like .CHM/LNK/CMD files:
    https://www.youtube.com/watch?v=hNdQSH2y2JM

    @plat1098

    Yes, I added the search issue to the to-do list. Thanks for reporting it, and thanks to @Buddel for catching the issue in more detail.

    We're discussing potentially making the Configurator UI rules management more modern and easier, so it may not get fixed immediately.
     
  3. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Fantastic, thanks for acknowledging, and looking forward to the UI changes. :thumb:
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    If you guys can do that it will be well worth the wait :thumb:
     
  5. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    808
    @novirusthanks

    May I know what is OSArmorDevSvc.exe in C:\Program Files\NoVirusThanks\OSArmorDevSvc?

    Is the version 1.0.0.0 the latest?

    SUMo Software Update Monitor keeps detecting v1.1.0.0 is available (although I am already on the latest OSArmor v1.7.1).

    https://i.ibb.co/HFWW7GX/1.jpg

    Thank you!
     
    Last edited: Jun 12, 2022
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Yes, same here.
     
  7. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    +1
    OSA_SUMo.png
     
    Last edited: Jun 13, 2022
  8. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    808
    Actually noticed it in SUMo before the release of OSArmor v1.7.1.
     
  9. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    I had to reinstall OSA due to circumstances beyond my control, and had problems with activation.

    OSArmor_Activate_The license has reached its allowed activations limit_01.JPG

    "* If you don't want to reboot the system, run cmd.exe as Administrator and enter in order:"

    Code:
    sc stop osarmordevsvc
    sc start osarmordevsvc

    "And you'll be prompted to enter the key." - https://www.wilderssecurity.com/thr...layer-of-defense.398859/page-132#post-2982645

    It didn't work as per:

    "Date/Time: 15/06/2022 8:46:47 PM
    Process: [13364]C:\Windows\System32\sc.exe
    Process Size: 70.5 KB (72,192 bytes)
    Process MD5 Hash: 3FB5CF71F7E7EB49790CB0E663434D80
    Parent: [16484]C:\Windows\System32\cmd.exe
    Parent Process Size: 283 KB (289,792 bytes)
    Rule: EnableOSArmorSelfDefense
    Rule Name: Enable OSArmor self defense (basic)
    Command Line: sc start osarmordevsvc
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: YYYYYYY/DESKTOP-XXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High"


    "Date/Time: 15/06/2022 8:45:13 PM
    Process: [14568]C:\Windows\System32\sc.exe
    Process Size: 70.5 KB (72,192 bytes)
    Process MD5 Hash: 3FB5CF71F7E7EB49790CB0E663434D80
    Parent: [16484]C:\Windows\System32\cmd.exe
    Parent Process Size: 283 KB (289,792 bytes)
    Rule: EnableOSArmorSelfDefense
    Rule Name: Enable OSArmor self defense (basic)
    Command Line: sc stop osarmordevsvc
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: YYYYYYY/DESKTOP-XXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High"
     
  10. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    Disable OSArmor self-defense and, if necessary, protection, then try again.
     
  11. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    I just put OS Armor back on after a long break, now my memory may not be as good as it used to be but was there not an option for different levels of security without individually selecting boxes? Not sure of the exact wording but something like low, med, high and it would select the appropriate boxes for each level.
     
  12. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    808
    Laptop not with me right now.

    If I remember correctly, click or right click on any blank space in 'Main protections', the options will appear.

    Also took me awhile to figure out, was using default before changing to extreme
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Right click in Configurator > Select Protection Profile.
     
  14. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
  15. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Now that you mention it, it would be nice if the Protection Modes were somehow placed into the main body of the Configurator--maybe under a tab or something. That way, it's way more easy to find and change according to what you want.

    Just saying as it was mentioned earlier that the UI was under consideration to be revamped anyway. :)
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Yes, please do -- doing so would make the GUI more user friendly.
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    :thumb:
     
  18. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    I fixed my activation issue described above, by going to the "Customer Portal web page" and deactivating my license on other device, and then activating on the new laptop. Success!!!!

    OSArmor_Activate_The license has reached its allowed activations limit_02.JPG
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I decided to up protection from Medium to Advanced. I'm not sure if this is a FP or if OSA is just doing its job but I'm posting here anyway.
    Date/Time: 17/06/2022 7:39:51 AM
    Process: [13504]C:\Program Files\Malwarebytes\Anti-Malware\MbamBgNativeMsg.exe
    Process Size: 2.85 MB (2,991,864 bytes)
    Process MD5 Hash: 2048C10C0E461B137DD8625676D68E15
    Parent: [6924]C:\Program Files\Mozilla Firefox\firefox.exe
    Parent Process Size: 613.44 KB (628,160 bytes)
    Rule: BlockAnyProcessExecutedFromWebBrowsers
    Rule Name: Block any process executed from web browsers
    Command Line: "C:\Program Files\Malwarebytes\Anti-Malware\mbambgnativemsg.exe" "C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbam.firefox.manifest.json" {242af0bb-db11-4734-b7a0-61cb8a9b20fb}
    Signer: Malwarebytes Inc.
    Parent Signer: Mozilla Corporation
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
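
A parser for the block-event layout that appears in the log entries quoted in this thread, added here as an example; it is not part of any post and is not NoVirusThanks code. The sample input is constructed, and the `triage` labels are an assumed heuristic for sorting expected self-defense blocks from blocks worth reporting as possible false positives.

```python
import re

# Constructed sample in the block-event layout quoted in this thread (all values made up).
SAMPLE = r'''
Date/Time: 01/01/2022 9:00:00 AM
Process: [1111]C:\Windows\System32\sc.exe
Rule: EnableOSArmorSelfDefense
Command Line: sc stop osarmordevsvc
Signer: <NULL>
Parent Signer: <NULL>

Date/Time: 01/01/2022 9:05:00 AM
Process: [3333]C:\Program Files\Example Vendor\helper.exe
Parent: [4444]C:\Program Files\Mozilla Firefox\firefox.exe
Rule: BlockAnyProcessExecutedFromWebBrowsers
Command Line: "C:\Program Files\Example Vendor\helper.exe" "C:\manifest.json"
Signer: Example Vendor Inc.
Parent Signer: Mozilla Corporation
'''

PID_PATH = re.compile(r"^\[(\d+)\](.+)$")  # e.g. [1111]C:\...\sc.exe

def parse_events(text):
    """Split a pasted log into one dict per block event."""
    events = []
    for raw in text.splitlines():
        line = raw.strip().lstrip('"')  # forum pastes may open with a quote
        key, sep, value = line.partition(": ")
        if not sep:
            continue  # blank line or not a "Key: Value" field
        if key == "Date/Time":
            events.append({})  # every event starts with its Date/Time field
        if events:
            events[-1][key] = value
    for ev in events:
        for field in ("Process", "Parent"):
            m = PID_PATH.match(ev.get(field, ""))
            if m:
                ev[field + " PID"], ev[field + " Path"] = int(m.group(1)), m.group(2)
    return events

def triage(ev):
    """Assumed heuristic, not OSArmor logic: label an event for follow-up."""
    if ev.get("Rule") == "EnableOSArmorSelfDefense":
        return "self-defense"  # the product protecting its own service
    signed = all(ev.get(k, "<NULL>") != "<NULL>" for k in ("Signer", "Parent Signer"))
    return "possible-fp" if signed else "review"

def report(text):
    return [(ev.get("Rule"), ev.get("Process Path"), triage(ev)) for ev in parse_events(text)]
```
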
     
  20. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 1 version of OSArmor PERSONAL v1.7.2:

    Code:
    https://downloads.osarmor.com/osarmor-personal-1.7.2-setup-test1.exe
    
    Here is the changelog so far:

    Let me know if you find any issue or FP.

    @plat1098 @LoneWolf

    Good point, added the button "Protection Options" in the "Protections" tab that should make things easier to select protection profiles:

    osa-configurator.png

    @smith2006

    The OSA service (OSArmorDevSvc.exe) now has the same version as the OSA GUI (in this case v1.7.2.0).

    We used to update the version only on OSA GUI for easier maintenance.

    @Krusty

    Thanks for reporting that FP, it should be fixed now.
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 2 version of OSArmor PERSONAL v1.7.2:

    Code:
    https://downloads.osarmor.com/osarmor-personal-1.7.2-setup-test2.exe
    
    Just added some minor improvements on internal rules.

    Let me know if you find issues or FPs.
     
  22. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
  23. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I installed PERSONAL v1.7.2 on my aging laptop Win7 computer --- smooth sailing, calm seas, & a following wind.

    Only potential issue for me, so far...
    I have not used OSA's Protection Options button at all. I did all the Protection settings manually. The main OSA GUI says I am using "basic protection" even though I manually put an "X" by every black-text rule (or left the X's that were already there) and by all but 9 red-text rules --- e.g., I don't want OSA to block popular web browsers. In fact, the mere presence of that rule confounds me.

    Are my "all black & all but 9 red" rule selections no more than "basic"? If so, I wonder what "medium" protection would involve, not to mention advanced or extreme protection? Ergo, it's probably still "basic" on the main GUI just because I haven't used the Protection Options button ----- right?
     
    Last edited: Jun 23, 2022
  24. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Feedback from support. Hope this helps out!!!

    support@osarmor.com

    https://osarmor.com

    There should be no issues with Avast One, Sandboxie, Hitman Pro or Malwarebytes (other users are using that combo).

    You can test OSArmor for 30 days to see if it works within your programs and regular PC usage, but there should be no issues.

    We provide a volume discount based on devices, for 4 licenses there is a -35% discount on the final price, so each device will cost $12.99 USD /year.

    You can check the pricing page here (change the quantity to get the updated pricing):
    https://osarmor.onfastspring.com/osarmor-personal

    Please let me know if that sounds good for you.

    For any questions don't hesitate to ask.

    Best regards,
    Roberto


    From: Moose look over and watch, see in action.
    https://youtu.be/g90-lqBXNKM
     
    Last edited: Jun 23, 2022
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 4 version of OSArmor PERSONAL v1.7.2:

    Code:
    https://downloads.osarmor.com/osarmor-personal-1.7.2-setup-test4.exe
    
    Let me know if you find issues or FPs.

    @bellgamin

    You are correct, the OSA GUI doesn't show if you changed the protections checkboxes (and thus you're using a custom protection profile), it just shows the last selected protection profile.

    It was added mainly to remind the user of the last selected protection profile.

    I will see if we can improve that.

    @Moose World

    Thanks for sharing it.
     