NoVirusThanks OSArmor: An Additional Layer of Defense

@novirusthanks

Net command is not monitored.
Do you think to add a rule?

 

Installed here with custom settings and no problem.

 

Any chance to put a build # in the about section with the updates, also a auto update feature or something to check for updates would be useful.

 

It is working flawlessly - no false positives. I haven't been through a major Windows Update yet though, so we'll see.

I block cmd.exe, and I use cmd.exe sometimes. Therefore I just have to disable protection temporarily when using the cmd.exe. But that's it.

 

Solid piece of work for a test build beta/pre-release.

 

Planning to add these new rules to completely block other commonly abused system processes:

+ Block execution of sc.exe
+ Block execution of net\net1.exe
+ Block execution of wmic.exe
+ Block execution of netsh.exe
+ Block execution of bitsadmin.exe
+ Block execution of reg.exe



@Sampei Nihira

We don't have specific rules for net.exe yet.

Do you have any example of rules to add related to net.exe?

@fatex

We plan to add check for update on next version (v1.5)

 

@novirusthanks

Examples

net user accountname /delete

The Net command will also delete the contents of the folders Documents, Images, Downloads, Music, Video, ...

___________________________________________

net user accountname /add
net localgroup administrators account name /add

The Net commands will create an account with administrative rights.

___________________________________________

net user accountname *

choice of password

___________________________________________

For more info enter the command below:

net help user

___________________________________________

P.S.

What happens if an attacker set the Integrity Level to "Untrusted" for every file in the OSArmorDevSvc folder?
Usually the exe files stop working.
With CHML this is easily possible:

 

@novirusthanks

Please add PotPlayer on Anti-Exploit tab.

 

I already asked for it two times...

+1

 

Does it have a digital signature? See: https://www.wilderssecurity.com/thr...-layer-of-defense.398859/page-38#post-2736211

 

Yes, PotPlayer is digitally signed.

 

If you launch cmd.exe the same way every time, all you have to do is make one exception rule when you get the block prompt, and you are good to go. You can launch cmd.exe, but malware can't.

 

Thanks! Something like this then?

[%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: "C:\WINDOWS\system32\cmd.exe"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTSIGNER%: Microsoft Windows]

I reckon malware could not mimic that in any way. Parent process needs to be signed 'Microsoft Windows' and namned 'explorer.exe' in order to abuse my exclusion for cmd.exe now?

 

Well it depends on how paranoid you want to be about it. You see, explorer.exe is sometimes attacked by malware, so explorer>cmd is potentially abusable.

It would be safer, I think, to make an allow rule for an alternative search tool, such as Everything or Ultra Search, or maybe someone else has an even better and more paranoid idea...

 

True, but the exclusion doesn't whitelist any command lines. Wouldn't malware typically start cmd.exe with a command line?

 

Good point. I think you are right.

 

Build 40 running well with no issues for three days. Default with one additional setting.

 

@Sampei Nihira

We'll add the option "Block execution of net\net1.exe"

The processes net\net1.exe are rarely executed in general, and that rule would block net\net1.exe entirely (easiest choice).

Sys admins that need net.exe will need to exclude specific command-lines to use net\net1.exe

@Azazal

Will check it later and will see if will be added on this v1.4 or on next version.

@shadek

That exclusion for cmd.exe is correct because you included also the parent process and the command-line.

It would just allow explorer.exe to launch cmd.exe (with no parameters) and is totally safe.

@Peter2150

No, it should keep these 8 options (on Advanced tab) checked after you click on "Reset to Default" button:

 

Hmm. Just encountered problem too installing test40 - installed but was disabled, with no ability to change it.

Disabled EAM, installed successfully and I was able to set it to Passive Logging mode.

 

"The time comes when you have to choose between what is easy and what is right."

(Harry Potter)

 

Indeed, I have edited my post.

 

After a few days of running the latest build, same problem. Protection is disabled. Any way to fix this? What info do you need from me? I ended up just uninstalling it for now.