NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Already added all requested applications (except two of them) on "Anti-Exploit" tab, will upload the new build tomorrow.

    Thanks all for the suggestions and feedback!

    @n8chavez

    JRiver Media Center is not digitally signed, I prefer to support only digitally signed applications.

    A program needs Admin rights to terminate OSA service, so it is not that easy.

    However, we'll add self-defense in next versions.

    @bjm_

    Thanks for the screenshot!

    @liba

    Epic Privacy Browser is not digitally signed, I prefer to support only digitally signed applications.

    @rethink

    I fixed the second FP, but about the first one, do you get any errors on Internet Explorer when csc.exe is blocked?

    @cruelsister

    Some users may need to run some .vbs scripts, so I am going to discuss if we can enable the option "Block execution of .vbs scripts" by default.

    We have the option "Block any process executed from wscript.exe" enabled by default, and it would protect from malicious .vbs (the payload is blocked).

    Have prepared a new option "Block suspicious processes executed from Rundll32", will add it tomorrow.
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    +1
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Bummers. I installed test 13 . When I did a reboot, the task bar again was missing. Tried again with NO firewall & ER set to Disabled. Again, no task bar. I checked task management. OSA was loaded & running.

    IMO, there has to be some aspect of OSA that is causing this. The only security app that I haven't killed is Zemana AntiMalware. I might try that tomorrow but it's getting tiresome. When the task bar doesn't load, I have no choice except to restore a functioning image. I have already done this 8 times, trying to figure what is causing the problem. As reported earlier, there was just one time when I got the task bar with OSA loaded, but I have been unable to repeat that.
     
  4. rethink

    rethink Registered Member

    Joined:
    Jan 13, 2015
    Posts:
    75
    Hi Andreas,

    I test this in a virtual machine so I will need to test how Internet Explorer reacts.
    About the flexnet agent it should come directly from the application which requires the flexnet licensing module. I am not sure why it runs through svchost, I will investigate more.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Here are a few parent/child command lines I think should be blocked from rundll32.exe. I think vulnerable parent processes should never be allowed to spawn the child processes listed below. This would cover Office Applications, PDF Viewers, Media Players (this includes Flash), Browsers, Browser containers & Plugins, P2P Applications (File Sharing Apps, Instant Messengers), and Java.

    I actually block vulnerable applications from spawning any .exe except for the ones that the application uses. I doubt you're trying to be that aggressive though.

    rundll32 ----> cmd.exe
    rundll32 ----> powershell.exe
    rundll32 ----> powershell_ise.exe
    rundll32 ----> regsvr32.exe
    rundll32 ----> wscript.exe
    rundll32 ----> cscript.exe
    rundll32 ----> vbs.exe
    rundll32 ----> java.exe
    rundll32 ----> javaw.exe
    rundll32 ----> lsass.exe (I'm not sure this can be done safely)
    rundll32 ----> presentationhost.exe
    rundll32 ----> mshta.exe
    rundll32 ----> msra.exe
    rundll32 ----> mstsc.exe
    rundll32 ----> bitsadmin.exe
    rundll32 ----> runonce.exe
    rundll32 ----> bcdedit.exe
    rundll32 ----> msiexec.exe
    rundll32 ----> schtask.exe
    rundll32 ----> regedit.exe
    rundll32 ----> netsh.exe
    rundll32 ----> at.exe
    rundll32 ----> reg.exe
    rundll32 ----> reset.exe
    rundll32 ----> sc.exe
    rundll32 ----> taskkill.exe
    rundll32 ----> IEExec.exe
    rundll32 ----> diskpart.exe
    rundll32 ----> debug.exe
    rundll32 ----> .tmp

    Also, rundll32 should be blocked from being spawned by any vulnerable application. This will block the attack at an earlier stage, so that a malicious instance of rundll32 is never spawned at all.
     
    Last edited: Jan 6, 2018
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    BINGOOOOOO !!!

    I also have ZAM, but in the portable version.
    I did not think about it. :rolleyes:

    @novirusthanks

    You can then check if the suspect number 1 is ZAM portable.
    :thumb:

     
    Last edited: Jan 6, 2018
  7. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    NVT- The default rule "Block any process executed from wscript.exe" would be inadequate for many worms (e.g. something like the later Dunihi worm variants). These will drop a payload somewhere on the drive and at the same time set themselves up for persistence. The spread would be through wscript itself without any further payload. On reboot, even after an initial alert from OSA that wscript was blocked, the worm re-propagates and will connect out.

    M
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Holy crap, this OSArmor tool keeps getting better and better! When it comes to anti-exploit, I suppose not all child processes are blocked? But you didn't answer my question about the ability to block processes from running browsers (Chrome, Opera, Firefox, Vivaldi) as a child process. You should also be able to block processes from running explorer.exe and svchost.exe, this will block process hollowing attacks. And what about EXE Radar, when can we expect a new stable version?
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think vulnerable parent processes should never be allowed to spawn the child processes listed below. This includes Office Applications, PDF Viewers, Media Players (this includes Flash), Browsers, Browser Containers & Plugins, P2P File Sharing Applications, Instant Messengers, Notepad, Wordpad, Archive software, and Java.

    cmd ----> powershell.exe
    cmd ----> powershell_ise.exe
    cmd ----> rundll32.exe
    cmd ----> regsvr32.exe
    cmd ----> all the same processes listed below.

    vulnerable app ----> cmd.exe
    vulnerable app ----> powershell.exe
    vulnerable app ----> powershell_ise.exe
    vulnerable app ----> rundll32.exe
    vulnerable app ----> regsvr32.exe
    vulnerable app ----> wscript.exe
    vulnerable app ----> cscript.exe
    vulnerable app ----> vbs.exe
    vulnerable app ----> java.exe
    vulnerable app ----> javaw.exe
    vulnerable app ----> presentationhost.exe
    vulnerable app ----> mshta.exe
    vulnerable app ----> msra.exe
    vulnerable app ----> mstsc.exe
    vulnerable app ----> bitsadmin.exe
    vulnerable app ----> lsass.exe
    vulnerable app ----> runonce.exe
    vulnerable app ----> bcdedit.exe
    vulnerable app ----> msiexec.exe
    vulnerable app ----> schtask.exe
    vulnerable app ----> regedit.exe
    vulnerable app ----> netsh.exe
    vulnerable app ----> at.exe
    vulnerable app ----> reg.exe
    vulnerable app ----> reset.exe
    vulnerable app ----> sc.exe
    vulnerable app ----> taskkill.exe
    vulnerable app ----> IEExec.exe
    vulnerable app ----> diskpart.exe
    vulnerable app ----> debug.exe
    vulnerable app ----> .tmp

    Also some rules need to be created to block vulnerable apps from injecting into explorer.exe, and browsers as Rasheed pointed out above.
     
    Last edited: Jan 6, 2018
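    The parent/child rules proposed in the two posts above (rundll32 and cmd restricted as parents, "vulnerable" document/browser/media apps never spawning the listed LOLBins or a .tmp child), expressed as a small rule matcher run over constructed process-creation events. This is an added illustration for readers, not OSArmor's code or rule format; the parent set, the child subset and the sample paths are assumptions chosen for the example, and the scheduler binary is spelled schtasks.exe as Windows ships it.

```python
import ntpath

# Parents the posts call "vulnerable" (document, media, browser and Java hosts).
# Constructed subset for this example; extend it to match your own environment.
VULNERABLE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "wmplayer.exe",
    "chrome.exe", "firefox.exe", "iexplore.exe", "javaw.exe", "notepad.exe",
}
# Interpreters the posts also restrict as parents (cmd -> same list, rundll32 -> same list).
INTERMEDIATE_PARENTS = {"cmd.exe", "rundll32.exe"}
# Children that neither group should spawn (subset of the posted lists).
BLOCKED_CHILDREN = {
    "cmd.exe", "powershell.exe", "powershell_ise.exe", "rundll32.exe",
    "regsvr32.exe", "wscript.exe", "cscript.exe", "mshta.exe", "bitsadmin.exe",
    "schtasks.exe", "regedit.exe", "netsh.exe", "reg.exe", "sc.exe",
    "taskkill.exe", "bcdedit.exe", "msiexec.exe", "diskpart.exe", "at.exe",
}

def image_name(path):
    """Normalise a full Windows image path to a lower-case file name."""
    return ntpath.basename(path).lower()

def evaluate(parent_path, child_path):
    """Return the matching rule as 'parent -> child', or None if the pair is allowed."""
    parent, child = image_name(parent_path), image_name(child_path)
    if parent not in VULNERABLE_PARENTS and parent not in INTERMEDIATE_PARENTS:
        return None                     # rules are scoped to these parents only
    if child in BLOCKED_CHILDREN:
        return f"{parent} -> {child}"
    if child.endswith(".tmp"):          # the posts' "vulnerable app ----> .tmp" rule
        return f"{parent} -> *.tmp"
    return None

# Constructed process-creation events (parent image, child image); not real logs.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"C:\Windows\System32\cmd.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Users\u\AppData\Local\Temp\upd.tmp"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),        # shell launching cmd: allowed
    (r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"),   # app spawning itself: allowed
]

def scan(events):
    """Return the rule hit (or None) for each event, in input order."""
    return [evaluate(parent, child) for parent, child in events]

if __name__ == "__main__":
    for (parent, child), hit in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print("BLOCK" if hit else "allow", image_name(parent), "->", image_name(child))
```

Note that explorer.exe launching cmd.exe is allowed because the rules are parent-scoped, which is what keeps such a list usable on a real desktop; a false positive like the FLEXNET case in this thread is handled by adding the pair to an exclusion list before the parent check.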
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    What processes are used to operate SMB? I'm not getting a clear answer when doing a Google Search. We need to create rules to block vulnerable apps from using SMB maliciously.
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    It's a protocol. I doubt that you can control it on the process level without breaking networking altogether.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yeah, I know. I was hoping maybe blocking access to certain processes might help keep it from being abused. I think process injection mitigation may help, but that's something different as well.
     
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test14):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test14.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Block execution of C Sharp compiler (csc.exe) (unchecked by default)
    + Block execution of Visual Basic compiler (vbc.exe) (unchecked by default)
    + Block suspicious processes executed from Rundll32 (unchecked by default)
    + On "Exclusions Helper" GUI do not add the exclusion rule if it is already present
    + Added LibreOffice and Kingsoft WPS Office on "Anti-Exploit" tab
    + Block processes executed from C Sharp compiler (csc.exe) (unchecked by default)
    + Block processes executed from Visual Basic compiler (vbc.exe) (unchecked by default)
    + Fixed some false positives

    To install this pre-release, first uninstall the old one.

    Here is a new video of OSArmor protecting Kingsoft WPS Office:

    Block WPS Office Exploit Payloads with OSArmor
    https://www.youtube.com/watch?v=-r-bp3WKM3A

    @bellgamin

    I will try to reproduce the issue you and @Sampei Nihira have.

    Will update here asap.

    @rethink

    The issue about FLEXNET should be fixed now.

    @Sampei Nihira

    Thanks for the video on PM and for the details.

    Will install ZAM setup + portable on Monday in the XP VM and will check what happens :)

    @cruelsister

    I will enable "Block execution of .vbs scripts" by default in the next build.

    Will need to make sure there are no FPs on regular systems.

    @Rasheed187

    OSA can monitor child processes also of running processes, can't say much about internal rules.
    ERP dev is a little slow now (due to OSA) but is on track.

    @Cutting_Edgetech @Rasheed187

    Yes, we already take care of vulnerable apps in a smart way (take a look at the recent videos).
     
  14. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Thanks @novirusthanks for the new build.

    I have a quick question: in the "Advanced" section of the configurator, which processes would you recommend blocking to start with?
    Thanks
     
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I disabled ZAM. I did NOT disable anything else but ZAM. Did 3 reboots. All of them worked perfectly WITH OSA test 13 installed. Go figure.
     
  16. plat1098

    plat1098 Guest

    @novirusthanks: OK, after installing test 14, I needed to open the Configurator and tried to launch it via OSArmor on docker. No, it will not open from there. From tray and from taskbar: yes. Docker: no, it is only a decoration there. The Configurator itself functions on the dock but the shortcut is um..rather flat and bumps against the others. This is rather frivolous, so maybe when it's convenient to answer. Also, very pleased to be able to save my very few rules in Advanced settings, thank you. :)

     
  17. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    @novirusthanks If I want to exclude a folder like I do in ERP (C:\Program Files (x86)\Zemana AntiMalware\*) do I use the "Process Path" option?

    Can OSA protect chrome while sandboxed in sbie?
    Can you add uninstaller in start menu?
     
    Last edited: Jan 6, 2018
  18. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Last I heard using "OpenPipePath=*\mailslot\NVTInj\*" works o_O
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Sure does with ERP, but don't know for sure if it does with OSArmor
     
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    maybe, see .... message & message.
     
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    Removing ZAM, also in the portable version, leaves 2 drivers in the Windows folder:

    ZAM.krnl.trace
    ZAM_Guard.krnl.trace

    These can only be deleted by removing the corresponding registry keys.
    There are also other traces to delete before the software can be considered uninstalled.
     
  22. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I monitor every install with an uninstaller program. I uninstall in 2 steps: (1) first I use control panel's program remover, then (2) I use uninstall program. This method has never failed to do a total clean up.

    After I uninstalled Zam, I installed Malware Hunter (MH). But MH also caused my task bar not to load. So I dumped MH and switched to Stinger. Stinger is totally portable and 100% self contained. My task bar now loads just fine and OSA test 14 is running smooth as a baby's booty.
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Is why I will never ever use ZAM again.
     
  24. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    ... can we expect a video test from this "fine" lady soon? :shifty:
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    She'd be smart until the product is finished.
     