NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,366
    Location:
    Italy
    W.10 x64 + WDEG - On + OSA (test 24)
    Exploit Test Tool (HPA3) renamed Opera.exe - WDEG (18 Mitigations - On).

    There is only one test where both Anti-Exploits intervene:


    ROP - system() in msvcrt

    [Attachment: Immagine.jpg]
     
  2. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,657
    Can OSArmor be used with ESET (NOD32, ESET Internet Security, etc.)?
    Found two postings at the ESET forum indicating some problem(s):
    https://forum.eset.com/topic/12757-hips-and-some-problems/?page=6
    1st post (last Sunday) by member persian-boy:
    (PS, note by me: I guess a little typo; I suppose persian-boy meant Marcos)

    2nd post (last Sunday) by member itman:
     
  3. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I've not had any problems at all with OSArmor, and Eset HIPS. I'm using Eset Internet Security 11 with the HIPS in Smart Mode. I can see how Interactive Mode could be problematic though.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    What happened to me was when I was using the Eset GUI to add/modify HIPS rules and the like, OSArmor was locking up ESET. Now I did not specifically exclude ekrn.exe and equi.exe from monitoring by OSArmor.

    My opinion is that Eset IS/SS has excellent exploit protection, if that is the reason one is using OSArmor in the first place. Add to this that anyone running Win 10 1709 has WDEG running.

    -EDIT- If one wants to score 100% on the Surfright/Sophos HMP-A test tool for their browser, just create a HIPS "ask" rule for it to prevent any app performing "process modification" against it. Of course, you will also have to create corresponding "allow" rules for legit apps doing like activity.
     
    Last edited: Jan 15, 2018
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,366
    Location:
    Italy
    https://malwaretips.com/threads/novirusthanks-osarmor.78195/page-25#post-704287


    :thumb:;)
     
  7. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,657
    Thank you Azure Phoenix, Cutting_Edgetech and itman!
    I really appreciate your posts!
    I wasn't aware that the "issue" with OSArmor and ESET was also discussed at Malwaretips. I admit that I hardly go there.
    Thank you all again.
     
  8. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,951
    I spoke too soon. I have just booted my computer, and the issue with the CPU usage is back (test build 24, Windows 10 Home Premium 32-bit).:(

    PS: Booting time has also slightly increased since test build 23, but there is nothing in the log file. Hm...

    PPS: I have also found some error messages related to OSArmorDevSvc in my Windows event viewer:
    "The time limit (30000 ms) was reached while waiting for a transaction response from service OSArmorDevSvc." It means that the service OSArmorDevSvc reached a certain time limit (30000 ms). I found five or six of these error messages in my event viewer shortly after booting my machine. Something's not quite right here.

    Just one more thing: Maybe I should add that I have enabled all OSA options, but the OSArmor log file is always empty, nothing has so far been blocked by OSA.
     
    Last edited: Jan 15, 2018
  9. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA

    Can't wait!

    Add quotes as this was written by someone else Pete
     
  10. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,881
    Lockdown has said OSA is a rules-based SRP. It's a lot like AppGuard: it hardens the system and locks it down. Whether one calls it a BB is a matter of preference.

    That will become clear by the time version 1.5 comes out.
     
  11. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA

    Thanks Andreas, it keeps getting better and stronger
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    I'm curious because [%PARENTSIGNER%: NoVirusThanks Company Srl] also excludes processes started by Exe Radar Pro.
    e.g., [Action: Allowed [Started by EXE Radar Pro]] [Bitness: 64] [Process: [7668]C:\WINDOWS\system32\mmc.exe] [MD5 Hash: C75224D3741563FBD526BB7813488A4A] [Publisher: Microsoft Corporation] [Parent: [3832]C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe] [Command-Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\Services.msc" ]
    Note: I have all rules checked (for testing test builds) including "Block execution of .msc scripts".

    Do parent exclusions, e.g. [%PARENTFILEPATH%: C:\Program Files\Sandboxie\*] or [%PARENTSIGNER%: Invincea, Inc.], carry the exclusion over to processes started by (run in) my sandboxes?
    Meaning, can I exclude the Sandboxie parent and not exclude sandboxed files?
     
    Last edited: Jan 15, 2018
  13. guest

    guest Guest

    If you start a program with "Run Sandboxed", the [%PARENTFILEPATH%] for this file is "C:\Program Files\Sandboxie\*", so it will be excluded.
    If a sandboxed program wants to start another program, the [%PARENTFILEPATH%] is different (and will not be excluded).
     
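    An added example (not OSArmor's code, and not part of any post in this thread) that parses the bracketed log-line format quoted above and applies %PARENTFILEPATH% / %PARENTSIGNER% exclusions the way the reply describes: only the immediate parent of the logged process is tested, so a program launched through an excluded parent is itself an ordinary, inspected parent for anything it spawns. Only the mmc.exe line is taken from the thread; the Sandboxie Start.exe launcher path, the firefox.exe/cmd.exe events and the signer map (a stand-in for the Authenticode lookup OSArmor does on the parent image) are constructed assumptions, marked as such in the code.

```python
import fnmatch
import re

# The mmc.exe line is quoted from bjm_'s post above; the two Sandboxie events
# are constructed for this example (Start.exe as the "Run Sandboxed" launcher
# is an assumption about Sandboxie's layout, not something the thread states).
THREAD_LINE = (
    r'[Action: Allowed [Started by EXE Radar Pro]] [Bitness: 64] '
    r'[Process: [7668]C:\WINDOWS\system32\mmc.exe] '
    r'[MD5 Hash: C75224D3741563FBD526BB7813488A4A] [Publisher: Microsoft Corporation] '
    r'[Parent: [3832]C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe] '
    r'[Command-Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\Services.msc" ]'
)
SANDBOXED_LAUNCH = (
    r'[Action: Allowed] [Bitness: 64] [Process: [4100]C:\Program Files\Mozilla Firefox\firefox.exe] '
    r'[Parent: [2200]C:\Program Files\Sandboxie\Start.exe] '
    r'[Command-Line: "C:\Program Files\Mozilla Firefox\firefox.exe" ]'
)
CHILD_OF_SANDBOXED = (
    r'[Action: Blocked] [Bitness: 64] [Process: [4312]C:\WINDOWS\system32\cmd.exe] '
    r'[Parent: [4100]C:\Program Files\Mozilla Firefox\firefox.exe] '
    r'[Command-Line: "C:\WINDOWS\system32\cmd.exe" /c whoami ]'
)

# Exclusions as written in the thread: a wildcard on the parent's path and
# two parent-signer names.
RULES = [
    ("%PARENTFILEPATH%", r"C:\Program Files\Sandboxie\*"),
    ("%PARENTSIGNER%", "Invincea, Inc."),
    ("%PARENTSIGNER%", "NoVirusThanks Company Srl"),
]

# Constructed stand-in for the Authenticode signer lookup on the parent image;
# the log line itself only carries the child's Publisher.
SIGNER_BY_PATH = {
    r"C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe": "NoVirusThanks Company Srl",
    r"C:\Program Files\Sandboxie\Start.exe": "Invincea, Inc.",
}

_PID_PATH = re.compile(r"^\[(\d+)\](.*)$")


def parse_log_line(line):
    """Split '[Key: value] [Key: value]' into a dict, tolerating one level of
    nested brackets such as '[Process: [7668]C:\\WINDOWS\\system32\\mmc.exe]'."""
    fields, depth, start = {}, 0, None
    for i, ch in enumerate(line):
        if ch == "[":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "]" and depth > 0:
            depth -= 1
            if depth == 0:
                key, _, value = line[start:i].partition(": ")
                fields[key.strip()] = value.strip()
    return fields


def split_pid_path(value):
    """'[3832]C:\\...\\EXERadar.exe' -> (3832, 'C:\\...\\EXERadar.exe')."""
    m = _PID_PATH.match(value)
    return (int(m.group(1)), m.group(2)) if m else (None, value)


def parent_excluded(fields, rules, signer_by_path=SIGNER_BY_PATH):
    """True if any rule matches the *immediate* parent of the logged process.
    Nothing further up the process tree is consulted."""
    _, parent_path = split_pid_path(fields.get("Parent", ""))
    signers = {p.lower(): s for p, s in signer_by_path.items()}
    attrs = {
        "%PARENTFILEPATH%": parent_path.lower(),
        "%PARENTSIGNER%": signers.get(parent_path.lower(), "").lower(),
    }
    for var, pattern in rules:
        value = attrs.get(var, "")
        # Windows paths and signer names compare case-insensitively; '*' in
        # the pattern also spans subdirectories, like OSArmor's wildcard.
        if value and fnmatch.fnmatchcase(value, pattern.lower()):
            return True
    return False


def evaluate(line, rules=RULES):
    """Return (child path, parent path, excluded?) for one log line."""
    fields = parse_log_line(line)
    _, child = split_pid_path(fields.get("Process", ""))
    _, parent = split_pid_path(fields.get("Parent", ""))
    return child, parent, parent_excluded(fields, rules)


if __name__ == "__main__":
    for line in (THREAD_LINE, SANDBOXED_LAUNCH, CHILD_OF_SANDBOXED):
        child, parent, excluded = evaluate(line)
        print(f"{'EXCLUDED' if excluded else 'CHECKED '}  {child}  <- parent {parent}")
```

    Run as a script it prints the three decisions: the mmc.exe launch and the firefox.exe launched via Start.exe are excluded, while cmd.exe spawned by the sandboxed firefox.exe is still checked because its immediate parent is firefox.exe, not Sandboxie. The same one-hop logic is why the exclusion does not extend to whatever a sandboxed program starts.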
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Okay, so with Sandboxie parent exclusion my Run Sandboxed programs and my forced programs would not be subject to OSA rules (will be excluded).
    Thanks
     
    Last edited: Jan 15, 2018
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    That is also my understanding, rather than a BB ...
     
  16. AeroFit

    AeroFit Registered Member

    Joined:
    Jan 16, 2018
    Posts:
    6
    Location:
    Russia
    @novirusthanks
    WinXP SP3
    On startup there is an error #7009 in system log:
    "Timeout (30000 ms) waiting for service connection NoVirusThanks OSArmorDevSvc."
    After logon In Services.msc OSArmorDevSvc service is not running but when I manually start it up it's ok and running.

    Also, when a non-admin user opens any OSA config window (main config or exclusions) from OSA's tray icon, no settings can be saved because of a lack of the necessary permissions. So obviously it's necessary to call OSA's windows in the tray icon through UAC (in WinXP through "run as") so the user could enter admin credentials and save config changes successfully.
     
    Last edited: Jan 16, 2018
  17. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    @novirusthanks
    Had another occurrence of OSArmor Configurator (OSArmorDevCfg.exe) not starting properly. Checked Task Manager and analysed the wait chain for the process. This process, OfficeC2RClient.exe, was preventing the GUI window from opening. This is the Office Click-to-Run Client which is part of Office 365.
     
  18. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,951
    I also see this error message on startup (Windows 10 Home Premium 32-bit), but I do not have to start it manually. However, there must be something wrong here because CPU usage of OSArmorDevSvc is rather high (first observed in test build 23, and now also in build 24). I do hope this can be fixed.
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @FanJ

    OSArmor should work fine with ESET; I'll install it on a VM in the next few days and check it.

    I think it will be necessary to exclude OSArmor in the ESET HIPS, but I will have to check.

    @Buddel @AeroFit

    I could reproduce the CPU usage spikes (10-20%) and the error in the Event Viewer "Timeout (30000 ms) waiting for..."

    Should be fixed in the next build.

    @askmark

    Will install Office 365 and try to reproduce the issue.

    Question 1: Can you reproduce it always? I mean if you first open OfficeC2RClient.exe and then open OSArmorDevCfg, it is always blocked from running by OfficeC2RClient.exe?

    Question 2: Was VS installed and active when OSArmorDevCfg could not start?

    @j9ksf

    Can you try to uninstall VS, reboot, then open the OSA Configurator several times to see if it works fine.

    Then re-install VS and try to open again OSA Configurator.

    Probably you may try to exclude folder C:\Program Files\NoVirusThanks\* in VS.
     
  20. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,951
    Good news! Thank you.:thumb:
     
  21. j9ksf

    j9ksf Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    35
    Thanks for your reply.
    Today Dan has issued 4.16 which enables configurator to be opened.
     
  22. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    SRP -- what?
     
  23. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Software restriction policy
     
  24. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,881
    Yup. But it doesn't lock down critical processes that could leave you locked out of Windows.

    Applocker is dangerous if you don't know what you're doing. OSA has all that preconfigured
    without one needing to be an expert on Windows rules enforcement.
     
  25. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    Do we have a list of acronyms? If not (I have not found it), we need one. :)
     