NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    that wp you've got there is wonderful, plat. :thumb:
     
  2. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Thank you. :) What is "wp"? :oops:
     
  3. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    sorry, my bad. wallpaper. :)
     
  4. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    1.7.9
     
    Last edited: Aug 26, 2022
  5. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    OK @novirusthanks --here ya go!

    https://www.youtube.com/watch?v=5SKe3F1FyYM

    Oh, and this is the latest build 1.7.9. :)
     
  6. ghysler

    ghysler Registered Member

    Joined:
    May 17, 2018
    Posts:
    3
    Location:
    Netherlands
    Hi @novirusthanks !
    I was a long time happy user of NVT ERP, until recently I started running into issues with some apps (most noticeably Electron apps) being tremendously slow to start-up. As soon as I figured out ERP caused these issues, I decided to finally get rid of it and look for alternatives. ERP has not been updated for several years and officially has no Windows 10 support, so that was to be expected. Unfortunately there aren't any worthy alternatives, in my opinion. I just want a simple allow/deny prompt for every new process launched and ERP did an excellent job at that!

    Now, OSA got my attention as a "workaround" for an additional layer of protection, to at least block suspicious process activity. I'm curious though: why doesn't OSA use the same approach for blocking processes? Why can't we get a prompt to allow/deny the action and put the process on hold, instead of a default block action with an option to create an exclude rule?
    Now it involves three steps every time: running a process, creating an exclusion rule, restart the process. And since there is no "Install" option as with ERP, I have to disable OSA every time I install/update software (on higher protection levels). Forgive me though, if this already has been discussed earlier in this thread :)

    I am also running into issues with exclusions that seem to be ignored. I added several rules using the "Add to Exclusions" option, but OSA keeps blocking the processes on the next run. If I choose to exclude it again, nothing gets changed in the exclude file. This seems to happen with all processes that start with additional parameters.

    About this video: it seems to me this video is a little misleading. It starts off by showing the Basic Protection profile is used (which is the default), only to manually enable options that are part of the Extreme Protection profile (like blocking signers that are not in the Trusted Vendor list). That implies the Basic Protection profile is not sufficient enough to block certain malware activity. Shouldn't the default profile be updated to reflect these changes?
     
    Last edited: Aug 20, 2022
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @acid king

    Thanks for reporting that FP, it will be fixed on the next build.

    @Krusty

    Can't reproduce it here: if I disable (uncheck) that option, then close/restart OSA and reopen OSA Configurator, I see the option is still unchecked.

    Tried also a few reboots but after I open OSA Configurator it is still unchecked.

    Will run more tests in the next days, but it seems to work fine so far.

    @plat1098

    Thanks for the video, sent you a PM.

    @ghysler

    We want to keep OSA simple without allow/deny dialogs if possible.

    Yes, that can happen if the command-line parameter changes; you may need to use a wildcard like * on the part that changes.

    Can you send me via PM or email the .log file of blocked processes and the Exclusions.db file?

    So I can see what is happening.

    In the video I enabled the 4 additional protection options because I also tested direct execution of .exe malware samples and wanted to show how those additional options can cover .exe malware executions (signed and unsigned).

    OSA Basic Protection profile is perfect for home users and it blocks common malware delivery methods and first stages of an infection.

    For example, malware/ransomware are commonly delivered by weaponized maldocs, scripts (vbs/js/hta/etc), ISO/IMG/LNK (more recently) and the payloads of these delivery methods are blocked by OSA Basic Protection profile.

    Direct .exe malware/ransomware files are not commonly delivered directly to the end user, except in the case of cracked software or fake installers/updates downloaded from unofficial websites.

    But don't forget that you should have AV software installed alongside OSA.

    If you want OSA to also block direct .exe malware execution then you should enable the option to block unsigned processes on user space.
    *** This implies that you use applications that are all digitally signed, else they are blocked.

    And if you want to block signed malware (commonly a problem of businesses/enterprises, not so much for home users, since once the certificate is identified it is revoked) then you should enable the option to block signers not present in Trusted Vendors.
    *** This implies that if you use an application whose signer is not present in OSA's Trusted Vendors, you add it to the list, else it is blocked.

    Recently OSA was tested by Shadowra on MT:
    https://malwaretips.com/threads/novirusthanks-osarmor-demonstration-tests.115056/

    As you see from the video, OSA on Basic Protection profile blocked the malware delivery methods and first stages of infection (maldocs payloads), but it didn't block the direct execution of the .exe malware sample. Then when in Extreme Protection profile it blocked all .exe malware samples and the system was clean. As written by Shadowra, Basic Protection profile is recommended if you have an antivirus on the side.

    We created 4 protection profiles (Basic/Medium/Advanced/Extreme) trying to balance protection level and false positives.

    With Basic Protection profile you have a strong additional protection layer that blocks malware delivery methods, scripts and first stages of an infection with a very low number of false positives.
    While on Extreme Protection you have an increased protection level but you may have more false positives.
     
    Last edited: Aug 21, 2022
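    Added illustration of the wildcard point above (not OSArmor's code; the thread does not show OSA's real exclusion format or matching semantics, so the rule syntax and the log entries here are a constructed, hypothetical stand-in): an exclusion written against one exact command line stops matching as soon as a parameter changes, a * on only the changing part matches every run, and keeping the wildcard that narrow means a run with unexpected parameters is still blocked.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Constructed stand-in for one blocked-process log entry (hypothetical format)."""
    path: str
    cmdline: str


def rule_matches(rule: str, event: ProcessEvent) -> bool:
    """Case-insensitive glob match of one exclusion rule against 'path cmdline'.

    fnmatch treats * as 'any run of characters' (spaces included), so a rule may
    wildcard only the fragment that really changes between runs.
    """
    observed = f"{event.path} {event.cmdline}".lower()
    return fnmatch.fnmatchcase(observed, rule.lower())


def is_excluded(rules, event: ProcessEvent) -> bool:
    """True when any rule in the exclusion list matches the event."""
    return any(rule_matches(rule, event) for rule in rules)


# Constructed sample: the same updater launched three times; the session id
# differs on every run, and the third run carries a flag the rule never allowed.
RUN_1 = ProcessEvent(r"C:\Tools\App\updater.exe", "--session 8f31a2 --check")
RUN_2 = ProcessEvent(r"C:\Tools\App\updater.exe", "--session c07b19 --check")
RUN_3 = ProcessEvent(r"C:\Tools\App\updater.exe", "--session 4d9e00 --uninstall")

# Rule as an "exclude this exact event" button would write it vs. a narrowed one.
EXACT_RULE = r"c:\tools\app\updater.exe --session 8f31a2 --check"
WILDCARD_RULE = r"c:\tools\app\updater.exe --session * --check"


def demo() -> dict:
    """Outcome of each rule against each run (True = excluded, False = still blocked)."""
    return {
        "exact_run1": is_excluded([EXACT_RULE], RUN_1),     # True
        "exact_run2": is_excluded([EXACT_RULE], RUN_2),     # False: session id changed
        "wild_run1": is_excluded([WILDCARD_RULE], RUN_1),   # True
        "wild_run2": is_excluded([WILDCARD_RULE], RUN_2),   # True
        "wild_run3": is_excluded([WILDCARD_RULE], RUN_3),   # False: --uninstall not covered
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'excluded' if outcome else 'blocked'}")
```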
  8. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Hmm.. I feel a little left out because latest OSA runs smooth as silk (notifications & all) on Elizabeth (my aging-but-beautiful HP laptop)
     
  9. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    lol :)

    Working fine for me too right now.
     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 1 version of OSArmor PERSONAL v1.8.0:

    Code:
    https://downloads.osarmor.com/osa-1-8-0-personal-setup-test1.exe
    
    You can install it "over-the-top" of the installed version, reboot is not needed.

    Let me know if you find issues or FPs.

    Here is what's new:

    //Everyone

    There is one issue that is related to the "Reminder: Protection Disabled" notification window that unfortunately I can't reproduce:

    #4379 and #4335 and #4358

    If possible, it would be very useful if you can try this:

    1) Install this new build v1.8.0 test 1
    2) Then disable OSArmor protection via right-click on tray icon -> Protection -> Disable Protection
    3) Now wait around 10/12 minutes (do not open applications in full-screen mode meanwhile)
    4) And then you should get the "Protection Disabled" notification on the bottom-right area

    If you get the notification on the top-left area (that is wrong) please let me know, and then check if this file exists:

    C:\Users\<USER>\AppData\Local\Temp\OSArmorDevUI_Debug.log

    If it is present, please send it to me via email.

    Thank you everyone!
     
    Last edited: Aug 22, 2022
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    Updated to pre-release test 1 version of OSArmor PERSONAL v1.8.0, and ran the test as instructed:

    No problem.

    OSArmor_Reminder Protection Disabled is working fine for me.JPG
     
  12. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    I installed build v1.8.0 test 1, then disabled OSA protection. I waited for about ten minutes and did get the "Protection Disabled" notification at the upper left hand side. :(
    The file OSArmorDevUI_Debug.log does not exist here.

    EDIT: Just tried again. No problems this time. I found the notification at the lower right hand side, as expected. Hm....
     
    Last edited: Aug 22, 2022
  13. ghysler

    ghysler Registered Member

    Joined:
    May 17, 2018
    Posts:
    3
    Location:
    Netherlands
    @novirusthanks

    Thank you for the detailed explanation on the protection options used in the video and the purpose of the different protection profiles. That clears it all up for me!

    From my point of view, the current situation also shows a dialog when an action is blocked. The only difference is the options are limited.
    Perhaps it could be made into an advanced setting for users who want to have more control, like "Use advanced notification dialog", which could instead put the process on hold and show a pull down menu in place of the Exclude button with options for:

    Allow Once
    Allow Always (create exclude)
    Deny Once
    Deny Always (add to blacklist)

    That sort of could combine the functions of ERP and OSA together! Oh well, I'm just brainstorming at this point. I just need to be patient for a new ERP release, I guess :)

    One last question: after installing a license, do we still need to keep the License Manager installed and running? Or does it suffice to run the License Manager just before the license expires? It seems a bit much to have two processes running in the background just for the licensing checks (NVTHelperProcess.exe and NVTLicenseManager.exe).

    I will send you an e-mail with the log file and exclusions. Thanks again.
     
    Last edited: Aug 22, 2022
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    It only happened once on one machine. Perhaps it was operator error. ;)
     
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    As a Behavior Blocker, OSA is default/deny, which is exactly the needed protection whenever an app manifests actions similar to those actions done by malware.

    After OSA blocks an app, that app CANNOT resume installing on its own, even if an exclusion is made by the user. A user's impatient or careless "Allow" click cannot bring disaster. In effect, the user is forced to think a bit before acting. IMO, that is exactly what is needed when a default/deny Behavior Blocker is doing its job.

    The situation between OSA (a Behavior Blocker) and ERP (an Anti-EXE) is quite different. To illustrate, suppose a shop owner has 2 security guards. One is ERP. The other is OSA. One day, a guy enters the shop...
    >ERP says, "That guy is a stranger. Shall I let him in?"
    >OSA says, "That guy was trying to open the cash register so I kicked him out!"
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Great analogy, @bellgamin ! :thumb:
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 2 version of OSArmor PERSONAL v1.8.0:

    Code:
    https://downloads.osarmor.com/osa-1-8-0-personal-setup-test2-tk.exe
    
    You can install it "over-the-top" of the installed version, reboot is not needed.

    I've mainly changed one parameter related to how the notification dialog is displayed on bottom right.

    If possible, it would be very useful if you can try this again:

    1) Install this new build v1.8.0 test 2
    2) Then disable OSArmor protection via right-click on tray icon -> Protection -> Disable Protection
    3) Now wait around 10/12 minutes (do not open applications in full-screen mode meanwhile)
    4) And then you should get the "Protection Disabled" notification on the bottom-right area

    If you get the notification on the top-left area (that is wrong) please let me know.

    I'm particularly interested in @Buddel @plat1098 and @bjm_ results since you could reproduce the issue.

    @ghysler

    Yes it needs to be installed and running in the system.

    It is used also by our other commercial applications like USB Radar, Win Update Stop, Appsvoid, etc.

    The process NVTHelperProcess.exe is part of OSArmor, it is used to check if an application certificate is revoked.

    @bellgamin

    Great explanation =)
     
  18. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    808
    Tested, it is in order
     
  19. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Well, I think this notification phenomenon is a sentient being as I'm doing this over and over and it's not happening. Only when I least expect it.

    1.8.0 test 2 Works great, no issues (so far) but who knows, this could be premature as it was earlier. Will def. report if it should ever pop up again. (Well of course I will).
     
  20. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    Same here. I installed test build 2 and disabled protection. OSA works as expected and shows the notification at the bottom right of the screen, right where it belongs. I will try again later...

    Edit: I have disabled protection three times since I installed test build 2 a couple of hours ago. The notification was always displayed at the bottom right of the screen. Maybe the latest build has fixed the notification issue. Who knows.
     
    Last edited: Aug 23, 2022
  21. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    me too - 1.8.0 test 2
     
    Last edited: Aug 23, 2022
  22. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    It's late for me to say this but, inwardly, I never agreed that OSA should report disabled protection after 10 minutes. Why? Because I have long believed that the option to Disable Permanently should, itself, be deleted.

    OSA already has a Disable Temporarily that can go on as long as 1 hour. One hour should be sufficient to complete anything that needs doing with OSA disabled, shouldn't it?
     
  23. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Whaaat? :eek:

    How will extremely lazy people like me cope? Or people that don't want to be boxed into a time frame?
     
  24. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    Just tried again to disable protection. This time, however, the notification was displayed at the upper left hand side. Again, I could not find the file OSArmorDevUI_Debug.log in my Temp folder.

    Edit: Disabled protection again; ten minutes later the notification was properly displayed at the bottom of the screen. So far, the notification was NOT displayed correctly after disabling OSA for the first time after booting my machine. Second, third, fourth attempts could not reproduce this issue.
     
    Last edited: Aug 24, 2022
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    It makes some sense to me. Other NVT programs, some that I still use on 8.1, implement that feature, which helps if for example there are safe programs or some maintenance the user wants to do. Or if you keep a squeaky clean problem-free setup or offline but running, it's an added bonus to turn off protection and it's simple and easy to reinitiate it again. In the case of OSA the Notify Prompt is another useful addition just in case someone forgets to turn it back on while doing other things.
     