NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
    Andreas awesome work!

I have the latest build 41 installed and never saw the disabled problem. I also went ahead and enabled most of the orange entries, but not any of the reds yet.
     
  2. plat1098

    plat1098 Guest

    To add: for me over two times, changing startup to Auto-Delayed--the yellow icon doesn't show up for at least one minute. There's no service running in task manager. How delayed is it? So I keep it at Automatic but a notice sure would be helpful in these times.
     
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I think that delayed for two minutes is normal. It is just for testing purposes, it is not meant to be a permanent setting or anything.
     
  4. plat1098

    plat1098 Guest

    OK but I don't want the protection "off" for even one minute. :) It may be still in development but I still consider this a working part of my security.
     
  5. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
I am one of those that have the problem of the protection being disabled at startup. I have been testing, since last night, a special version that Andreas sent me in private. I have done over 25 reboots so far and the problem seems to be fixed. :)

I must say a big thank you to Andreas; there are so many different configurations possible, but he never gave up. He deserves a big :thumb:

    Thank you Andreas for your hard work.:)
     
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,342
    Location:
    Italy
    @novirusthanks

    It might be useful:

    http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html


P.S. Lots of info on the Net command.
     
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) test42:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test42.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved detection of PowerShell malformed commands
    + Change Registry value ServicesPipeTimeout to 180000 via setup file
    + Modified the service to fix a rare crash on session change
    + Improved detection of fake system processes
    + Improved Block command-lines that match *\Start Menu\Programs\Startup\*
    + Added BitLocker Service on "Prevent important Windows Services from being disabled"
    + Improved Block unknown processes on Windows folder
    + Improved Block execution of .reg scripts
    + Block execution of xcopy\robocopy.exe
    + Block execution of diskpart.exe
    + Block execution of format.com
    + Block execution of tasklist.exe
    + Block execution of systeminfo.exe
    + Block execution of whoami.exe
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @shadek @Antarctica @Trooper @Dark Star 72 @Charyb @IvoShoen

    Please test this new version and let me know if the issue "protection is disabled at reboot" is fixed.

    * No need to set OSArmorDevSvc to "Automatic (Delayed Start)" *

    @Lorina

    The two alerts (false positives aka FPs) should be fixed.

    @Azure Phoenix

Those netsh.exe alerts are probably related to Heimdal Pro and I may not fix them internally.

    You can whitelist them via the Exclusions Manager, make sure to include Process, Parent and Command Line (no wildcard needed).

    @Sampei Nihira

    Thanks, have added a few more system processes to the list.
     
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,342
    Location:
    Italy
I have seen. :thumb: ;)
    The Whoami command is not available for Windows XP.

    P.S.

The Flash FP (rundll32.exe) is not solved:


    Date/Time: 14/03/2018 19.00.09

    Process: [3176]C:\WINDOWS\system32\FlashPlayerApp.exe
    Parent: [1524]C:\WINDOWS\system32\rundll32.exe
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: "C:\WINDOWS\system32\FlashPlayerApp.exe"
    Signer:
    Parent Signer:
     
    Last edited: Mar 14, 2018
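As an added example, not OSArmor's code and not from anyone in this thread: a small Python triage script that parses alerts in the layout quoted above (Process/Parent with bracketed PIDs, Rule, Command Line, Signer) and buckets each one against the test42 changelog, so the FlashPlayerApp.exe hit shows up as an unsigned-image alert to review rather than a blocked LOLBin. The sample alerts are constructed (the second block has placeholder PIDs and no rule id), and the function names are mine.

```python
import fnmatch
import re
from pathlib import PureWindowsPath
# Constructed sample in the alert layout shown in this thread: the FlashPlayerApp.exe FP
# quoted above, then a made-up whoami.exe alert (placeholder PIDs, no real rule id).
SAMPLE_ALERTS = r"""
Date/Time: 14/03/2018 19.00.09
Process: [3176]C:\WINDOWS\system32\FlashPlayerApp.exe
Parent: [1524]C:\WINDOWS\system32\rundll32.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "C:\WINDOWS\system32\FlashPlayerApp.exe"
Signer:
Parent Signer:

Date/Time: 14/03/2018 19.05.31
Process: [4100]C:\WINDOWS\system32\whoami.exe
Parent: [3900]C:\WINDOWS\system32\cmd.exe
Command Line: "C:\WINDOWS\system32\whoami.exe" /all
Signer: Microsoft Windows
"""
# Binaries the test42 changelog blocks, plus its Startup-folder command-line pattern.
BLOCKED_BINARIES = {"xcopy.exe", "robocopy.exe", "diskpart.exe", "format.com",
                    "tasklist.exe", "systeminfo.exe", "whoami.exe"}
STARTUP_GLOB = r"*\start menu\programs\startup\*"
PROC_RE = re.compile(r"\[(\d+)\](.+)")

def parse_alerts(text):
    """One dict per alert; Process and Parent become (pid, path) tuples."""
    alerts = []
    for chunk in filter(str.strip, re.split(r"(?=^Date/Time:)", text, flags=re.M)):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first ':' only, so C:\ paths survive
            if sep:
                fields[key.strip()] = value.strip()
        for key in ("Process", "Parent"):
            m = PROC_RE.fullmatch(fields.get(key, ""))
            fields[key] = (int(m.group(1)), m.group(2)) if m else (None, fields.get(key, ""))
        alerts.append(fields)
    return alerts

def triage(alert):
    """Bucket an alert: changelog-blocked image, Startup-folder command line, unsigned, other."""
    name = PureWindowsPath(alert["Process"][1]).name.lower()
    if name in BLOCKED_BINARIES:
        return "changelog-blocked"
    if fnmatch.fnmatchcase(alert.get("Command Line", "").lower(), STARTUP_GLOB):
        return "startup-folder"
    if not alert.get("Signer"):
        return "unsigned"
    return "other"
```

Run it over an exported alert list and sort by bucket: "unsigned" entries with a signed parent like rundll32.exe are the ones to check against the Exclusions Manager before reporting them as FPs.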
  9. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    It's working perfectly Andreas. Thank you:thumb::)
     
  10. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    @novirusthanks

    No problem. I already excluded them. Just wanted to report it just in case.
     
  11. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
Has anyone seen OSA Anti-Exploit work Sandboxie'd?
    Thanks
     
  12. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    @novirusthanks

    I have rebooted with the new version about 15 times - OSA started as enabled every time. No problems so far with the new version! If OSA works like this by tomorrow night I'd say the issue has been resolved on my computer for sure.
     
  13. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    No problems with the new version Andreas. Will report if I do get any.
     
  14. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    Latest build looks good here. Thanks, Andreas.
     
  15. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    @novirusthanks
    So far, so good with 1.4 test42 and 42-b1. I'm going to continue monitoring the startup and will let you know if anything changes.
    Thank you.
     
  16. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,156
    Location:
    Canada
Test 42 is running well here; I tried installing without rebooting this time, no problems.
     
  17. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,156
    Location:
    Canada
Tried running in Sandboxie, the OSArmor GUI popped up saying "Protection Disabled".
     
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
Sorry, I meant: has anyone seen OSA Anti-Exploit work in, for example, a Sandboxie'd browser?
     
  19. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,156
    Location:
    Canada
    ok.
     
  20. guest

    guest Guest

    I have no issue with OSA and Sandboxie
     
  21. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    228
    Location:
    UK
    Test 42 seems to have resolved the non-starting of the UI and has survived several restart cycles. Good job!
     
  22. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    228
    Location:
    UK
    Uh! Spoke too soon, after a shutdown and restart the service is running but the UI or tray icon isn't. This may not be OSA's fault because my network adapter is slow to start and I know in the past that progs like VoodooShield complained about this.
     
  23. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    I have no issue with OSA and Sandboxie.
Have you seen OSA Anti-Exploit work in, for example, a Sandboxie'd browser?
     
  24. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,342
    Location:
    Italy
    @novirusthanks

    Vssadmin Command is not monitored.
    Abused by ransomware.
     
  25. guest

    guest Guest

I don't leave any chance of being exploited, so no.
     