NoVirusThanks OSArmor: An Additional Layer of Defense

Test build 30 cannot be properly installed here (Win10, 32bit). Only the Service exe is to be found in my startup list, but the program just won't launch, not even after a reboot.

PS: I've just removed test build 30 from my computer and reinstalled build 28, which works as expected.

 

@novirusthanks

Unfortunately I went back to a clean system on Win10 X64 Home FCU 1709 (Secure Boot) so no logs. Only from I seen was the service would stop and could not be restarted.

Test 30 works fine and "Protection is Enabled"

Regards.

 

try mouse hover ! ! > Can create false positives.

 

It's all about the likelihood that enabling the setting will cause issues/false positives.
white means it probably won't, orange means it might, and red means...

 

Right, the orange one was saying that as of a number of builds ago. But, the red one says the same thing, so was wondering about the color difference and significance--you can hazard a guess but...

@shmu26: tried installing Alert w/OSArmor (no Sandboxie) and got a system slowdown, with a big-time delay at startup, with and without OSArmor. This secondary machine has several group policy rules in effect plus several exploit guards so something isn't quite meshing on here. True, though, Alert and OSArmor together didn't create any System errors for that short period. Couldn't make an exclusion for OSArmor in Alert either, Alert didn't take it. SurfRight will have to keep working on it, they were aware of some problems but these apparently were affecting only a minority of users.

 

Yeah, it started to do that to me, too. And the slowdown continued even after startup. On top of that, the known issue with HMPA and Windows start button started to plague me. So I simply said goodbye to HMPA.

 

Ahh, okay. For me, red means stronger than orange.
Orange means: caution FPs & Red means: caution++ FPs.
Just me?

 

Yes, 1) and 3) are fixed now with build 30 and the notification window appears much smoother now.

Regarding 2) (Nirsoft utilities are not blocked):
Anyone who doesn't want to read the complete post, only need to read the quote (summary):

Spoiler: More Details

I have noticed that some other rules has also no effect (i have ticked all options)
For example:
[X] Block execution of unsigned processes on Temp Folder
[X] Block execution of unsigned processes on Windows Temp
[X] Block execution of .cmd scripts
[...]
Then i have executed files (via filemanager Total Commander) for example on the Desktop folder, Public, and i was also able to execute unsigned files (.cmd-files, ...)

I have tried both custom rules below (CustomBlock.db) and they work perfectly:

Code:

[%PROCESS%: c:\Users\*\Downloads\*.exe] [%FILESIGNER%: Nir Sofer]
[%FILESIGNER%: Nir Sofer]

Ok, i guess i have found the source of the issue (why rules are simply failing)

Spoiler: 4 Tests

a)
I have executed cmd.exe via startmenu = blocked (=expected behaviour)
I have executed cmd.exe via filemanager = NOT blocked
b)
I have executed unsigned files via explorer = blocked (=expected behaviour)
I have executed unsigned files via filemanager = NOT blocked
c)
I have executed .cmd-files via explorer = blocked (=expected behaviour)
I have executed .cmd-files via filemanager = NOT blocked
d)
Launching of NirSoft Utilties via explorer = blocked (=expected behaviour)
Launching of NirSoft Utilties via filemanager = NOT blocked

Is the filemanager ("c:\Program Files\totalcmd\TOTALCMD64.EXE") internally whitelisted by OS Armor?

Custom rules always work even if i launch files via filemanager (for example: [%FILESIGNER%: Nir Sofer]) which is correct behaviour.

Edit: This is expected behaviour. Total Commander is a safe program and is allowed to run other processes:

 

Thanks mood, good to know...much obliged for the heads up.

Regards, Baldrick

 

Test 30 fine on 7x64.

 

"What is the name of the 16-bit process you need to run?"
@novirusthanks
It is called NEWSOED.exe and is in folder C:\Program Files\NewSOED\

 

I have noticed that the rule for block processes in suspicious locations prevents the installation and updating of a lot of software.
Maybe this is a necessary evil, but I just thought I would mention it.

 

Win7 x86 SP1
When launching Test30 installation there is an alert from HPA that there is a malware in setup file )))
Test29 didn't have such an alert, but when installed it couldn't start protection

UPD: Test30 protection was enabled successfully right after installation

 

@ to All

You can check if using the OSA internal uninstaller get the corresponding OSA pop-up:

http://sendvid.com/3vhr01in

You can check if a correct uninstallation also eliminates the driver and your service.
TH.


I cleaned all this and also the software folder for a new installation of the next version.

 

V.30 solved my problems

 

Including OS Armor itself
(launching of the setup and also the uninstallation):

Code:

Installer of OS Armor:
Process: [9492]C:\Users\****\AppData\Local\Temp\is-8QOH7.tmp\osarmor_setup_1.4_test30.tmp
Parent: [5804]C:\Users\****\Downloads\osarmor_setup_1.4_test30.exe
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders

Uninstallation of OS Armor:
Process: [11100]C:\Users\***\AppData\Local\Temp\_iu14D2N.tmp
Parent: [5208]C:\Program Files\NoVirusThanks\OSArmorDevSvc\unins000.exe
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders

As OS Armor is affected, all other installer which are based on NSIS (Nullsoft Scriptable Install System) are affected too.
The installer is extracting a process to a temporary folder and part of the folder name is randomized with each execution of the installer:
"...\AppData\Local\Temp\is-?????.tmp\[...].tmp"

Perhaps the developer can add some internal rules to mitigate this.

 

Does OS Armor browser exploit rules protect against phony, malicious extensions?

 

Here is a new v1.4 (pre-release) (test31):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test31.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block processes executed from Shared Folder
+ Improved detection of malformed PowerShell commands
+ Improved detection of suspicious processes
+ Improved detection of suspicious scripts
+ Hint text for red icon (on Configurator) is changed to "Can create many false positives"
+ Block ShellExecute\Start-Process in PowerShell cmdline
+ Fixed false positive on "Block processes located in suspicious folders" related to SUA users
+ Prevent schtasks.exe from creating tasks

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

Question to users that had the issue "Can't enable protection":

Did you try to install OSA from a SUA account?

@mood @Sampei Nihira @shmu26

The FP about "Block processes located in suspicious folders" related to installers\uninstallers is fixed now, thanks for the details.

@Charyb

No, OSA doesn't monitor for browser extensions.

@mood

About NirSoft, yes you are right.

We use some internal whitelists and we allow safe programs on Program Files to run other processes.

You can disable our internal whitelists from Configurator -> Uncheck "Enable internal rules to allow safe behaviors".

However I would recommend to keep it enabled, it handles rules for Windows Updates, etc.

Alternatively you may add a custom block rule to block all processes signed by Nir Sofer (bypassing our internal whitelist rules):

Code:

[%FILESIGNER%: Nir Sofer]

@bjm_

Now the red icon has a hint like "Can create many false positives", and for the orange icon is "Can create false positives".

 

I used an Admin account to uninstall build 28 and install build 30. Test build 30 did not install properly. I tried to launch it manually (with admin priviliges) but this didn't help, either. Back to build 28, which works here.
I will give build 31 a try when I'm back home. Maybe I will be able to install it.

 

many = simple, yet elegant.
Um, perhaps rule numbers...e.g., M1, M2, .. A1, A2, ..

 

With each new update, how do I know when a new rule has been added? Can it be identified by date added?

 

@novirusthanks

Windows Defender views the download as a trojan. This is a first.

When I click on Learn More, after OS Armor was installed, I am blocked by OS Armor and when I search for the rule to uncheck it is difficult to find. The rule list is getting very long in the Advanced tab and needs a better way of organizing. I did forget that you added the option to temporarily disable protection which I should have used.

Date/Time: 2/2/2018 10:34:03 AM
Process: [7880]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent: [8664]C:\Windows\System32\RuntimeBroker.exe
Rule: BlockProcessesFromRuntimeBroker
Rule Name: Block processes executed from RuntimeBroker
Command Line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "https://go.microsoft.com/fwlink/?linkid=142185&name=<Trojan:Win32/Fuerboos.B!cl>&threatid=<2147723653>"
Signer: Google Inc
Parent Signer: Microsoft Windows

 

Here is a new v1.4 (pre-release) (test31):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test31.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block processes executed from Shared Folder
+ Improved detection of malformed PowerShell commands
+ Improved detection of suspicious processes
+ Improved detection of suspicious scripts
+ Hint text for red icon (on Configurator) is changed to "Can create many false positives"
+ Block ShellExecute\Start-Process in PowerShell cmdline
+ Fixed false positive on "Block processes located in suspicious folders" related to SUA users
+ Prevent schtasks.exe from creating tasks

 

Same issue with build 31, back to build 28.

 

FP-Webroot OSA build 31

Date/Time: 2/2/2018 9:21:08 AM
Process: [3204]C:\Users\Jim\OneDrive\wsainstall.exe
Parent: [3764]C:\Windows\explorer.exe
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders
Command Line: "C:\Users\Jim\OneDrive\wsainstall.exe"
Signer: Webroot Inc.
Parent Signer:

Also does OSA protect the UEFI against ransomware?