NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    849
    Same here.
     
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Question for anyone that reported these "protection is disabled at reboot" issues:

    - Are you using a Limited User Account (LUA)?
    - Do you have other security software (AVs\HIPS\BB) installed?
     
  3. guest

    guest Guest

    @novirusthanks I'm on SUA with OSA on 3 Win10 live systems and never had this issue; so I guess having an HIPS/BB which may not be properly configured to handle OSA is more than probable.
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I agree. Not using LUA, but I am using Emsisoft AM which has a BB (though NVT OSA program files folder is excluded from scanning and monitoring).
     
  5. sun88

    sun88 Registered Member

    Joined:
    Aug 27, 2009
    Posts:
    69
    No problems here.
    Win 10 Pro 1709 x64
    Emsisoft Anti Malware
    HitmanPro.Alert
    NoVirusThanks SysHardener
    NoVirusThanks OSArmor (test 40)
    Windows Defender
    Windows Firewall
     
  6. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    I am not using a Limited User Account. I only use Windows Defender and Windows Firewall Control by Binisoft. Windows Defender does have app and browser control and exploit protection with all settings at default.
     
  7. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    1,271
    Location:
    sweden
    Trying to run the program - Configure Defender - but OSA stops and warns over and over again even though I make an exclusion over and over again. This is not the first time or program that I have experienced it with OSA.
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @pb1

    Can you share details about what has been blocked?

    Please post the content of the OSArmor log file so I can see what has been blocked and why.

    @guest

    Yeah, I too think there is a third-party program (HIPS\BB\AV\etc) that is interfering with OSA somehow.

    Unfortunately I can't reproduce that issue here (W7\W10 Pro x64 live systems).

    Will prepare a new test version with additional debug details for users that reported the issue.
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    ConfigureDefender has multiple PS scripts; if you are getting a block for each PS script, that is correct OSA behavior. I think you should just disable OSA when running ConfigureDefender.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well, if anyone wonders if OSA works, it does. Was playing with some malware tonight and had an Excel spreadsheet. Turned on the macro in it and wowser. OSA blocked it and the log file indicated a PowerShell attack. Well done Andreas.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    :thumb:

    Yepser. It's been running pretty solid all along on this end in spite of needing this and that which will be added in time.

    Reminds me of the last ERP version. Set it and forget it.

    Exclusions only rear up occasionally since my PCs are dotted with Saflashplayer files and love the way OSA puts on the brakes!
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Except for one suspected FP I don't even notice OSA is on my machines.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well, if I know it's a false positive, report it to Andreas and/or set an exclusion. He has made that painless.
     
  14. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Assume you got my PM Andreas. Looking forward to the next build. Cheers!!!
     
  15. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    Yup, "set it and forget it" and I've recently tested it against a couple of Trojans which it blocked no problem, so it definitely works.

    Regards Eck:)
     
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    It could be interesting to open a debate on the rules to be enabled in the "Advanced" section.

    Example.

    In "Block Specific Location" the rules for unsigned processes are interesting.
    In my PC W.10, however, I prefer to use the "Validate Admin Code Signatures" registry key trick.
    So the "unsigned" rules are disabled, only the rule below is enabled:


    "Block unsigned processes located on root folder"

    With XP, I have to do things differently.
     
    Last edited: Mar 11, 2018
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I see no reason for a "debate". I enabled all but 2 and am watching what happens. Nothing to debate.
     
  18. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Not sure what you are saying. Did you mean you enabled all protection except for two? I _enabled everything_ and it works fine. Hope it does for you too!
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I didn't check block shutdown. Why would you want to do that?
     
  20. guest

    guest Guest

    "Validate Admin Code Signatures" (or: "User Account Control: Only elevate executable files that are signed and validated")
    is only blocking the elevation of unsigned executables. Unsigned executables can still be launched normally.
    "Block Specific Location" in OS Armor will block launching of unsigned executables in any case.
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    I did.
     
  22. ronald739

    ronald739 Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    130
    Location:
    Australia
    novirusthanks,

    Downloading and installing "Discord" on the latest version, which I did exclude.

    Code:
    Date/Time: 11/03/2018 2:44:14 PM
    Process: [9120]C:\Windows\SysWOW64\reg.exe
    Parent: [7768]C:\Users\ronal\AppData\Local\Discord\app-0.0.300\Discord.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d C:\Users\ronal\AppData\Local\Discord\app-0.0.300\Discord.exe /f
    Signer:
    Parent Signer: Hammer & Chisel Inc.
    
    Also an older one which I have not tried in the latest version which may have been fixed.

    These were at "OSArmor default setting", Win10X64, latest updates.

    Code:
    Date/Time: 28/02/2018 12:12:42 AM
    Process: [12644]C:\Windows\Temp\74967ca7-3655-40fd-8999-79d41595a72f\svchost.exe
    Parent: [12604]C:\Windows\System32\consent.exe
    Rule: BlockFakeSystemProcesses
    Rule Name: Block fake system processes
    Command Line: "C:\Windows\TEMP\74967ca7-3655-40fd-8999-79d41595a72f\svchost.exe"
    Signer: AVAST Software a.s.
    Parent Signer: Microsoft Windows
    
    Regards.
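
Added example, not part of the post above and not OSArmor code: a Python parser for the block-event log format ronald739 quoted, useful when collecting entries for a false-positive report. The function names and the triage hints are assumptions made for illustration; they do not reproduce OSArmor's rule logic.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any host OS
# The two block events quoted in the post above, verbatim.
SAMPLE = r"""Date/Time: 11/03/2018 2:44:14 PM
Process: [9120]C:\Windows\SysWOW64\reg.exe
Parent: [7768]C:\Users\ronal\AppData\Local\Discord\app-0.0.300\Discord.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d C:\Users\ronal\AppData\Local\Discord\app-0.0.300\Discord.exe /f
Signer:
Parent Signer: Hammer & Chisel Inc.

Date/Time: 28/02/2018 12:12:42 AM
Process: [12644]C:\Windows\Temp\74967ca7-3655-40fd-8999-79d41595a72f\svchost.exe
Parent: [12604]C:\Windows\System32\consent.exe
Rule: BlockFakeSystemProcesses
Rule Name: Block fake system processes
Command Line: "C:\Windows\TEMP\74967ca7-3655-40fd-8999-79d41595a72f\svchost.exe"
Signer: AVAST Software a.s.
Parent Signer: Microsoft Windows
"""

def parse_entries(text):
    """Return one dict per event; a 'Date/Time' line starts a new event."""
    entries = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Date/Time":
            entries.append({})
        if not sep or not entries:
            continue
        m = re.match(r"\[(\d+)\](.+)$", value) if key in ("Process", "Parent") else None
        if m:  # "[9120]C:\..." -> PID and image path
            entries[-1][key + " PID"], value = int(m.group(1)), m.group(2)
        entries[-1][key] = value
    return entries

def triage(e):
    """Hints for an FP report. Added heuristics, not OSArmor's rule logic."""
    notes = []
    if not e.get("Signer"):
        notes.append("process signer empty")
    if re.search(r"\\CurrentVersion\\Run\b", e.get("Command Line", ""), re.I):
        notes.append("command line references a Run autostart key")
    image, folder = basename(e["Process"]).lower(), dirname(e["Process"]).lower()
    if image == "svchost.exe" and folder not in (r"c:\windows\system32", r"c:\windows\syswow64"):
        notes.append("svchost.exe image outside System32")
    return notes
```

Calling `triage()` on each dict from `parse_entries(SAMPLE)` gives the short list of facts worth stating alongside the raw entry when reporting it to the developer.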
     
  23. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
    I went ahead and enabled everything in Advanced Tab except those with orange or red info dots. Let's see how it goes...
     
  24. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    Did the same thing a couple of days ago and no problem so far. :thumb:
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) test41:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test41.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved OSArmor self defense (basic)
    + Improved detection of suspicious processes
    + Improved detection of fake system processes
    + Added Event Log Service on "Prevent important Windows Services from being disabled"
    + Improved Block processes named like *keygen* or *crack*
    + Block execution of sc.exe
    + Block execution of net\net1.exe
    + Block execution of wmic.exe
    + Block execution of netsh.exe
    + Block execution of bitsadmin.exe
    + Block execution of reg.exe
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @Krusty @ronald739

    All reported FPs should be fixed.
     