NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. EASTER

    EASTER Registered Member

    Good catch.

    That one is in my own rules from ERP 3 in Vulnerable Process List.

    Nice additions, and OSA is running swell on this side too.
     
  2. askmark

    askmark Registered Member

    Have you tested this? The very first post of this thread states:

    ...This security application analyzes parent processes and prevents, for example, MS Word from running cmd.exe or powershell.exe, it prevents ransomware from deleting shadow copies of files via vssadmin.exe, it blocks processes with double file extensions...
     
  3. bjm_

    bjm_ Registered Member

    good for u.
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    :thumb::);)
     
  5. Sampei Nihira

    Sampei Nihira Registered Member

    The generic vssadmin command is executable:

    13.JPG

    It is necessary to know whether the developer has inserted a (hidden) specific rule.
     
    Last edited: Mar 15, 2018
  6. guest

    guest Guest

    Try to delete shadow copies with vssadmin.exe.
    OS Armor should prevent it ("it prevents ransomware from deleting shadow copies of files via vssadmin.exe").
     
  7. Sampei Nihira

    Sampei Nihira Registered Member

    It is not necessary, because there is no specific rule (VSSADMIN) in the list of rules.
    The only rule I find monitored is wbadmin.exe.
     
  8. EASTER

    EASTER Registered Member

    Tested and just confirmed on this end.

    yy.jpg
     
  9. itman

    itman Registered Member

    The commands used by ransomware to delete shadow volume copies are:

    C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet

    -or-

    C:\Windows\SysWOW64\vssadmin.exe Delete Shadows /All /Quiet
     
  10. EASTER

    EASTER Registered Member

    :thumb:

    You beat me to posting that, itman. OSA has got the goods and the drop on a ton of sets.
     
  11. Bob D

    Bob D Registered Member

    If I may ask: What Rule Name (in log file) blocked the vssadmin.exe?
     
  12. novirusthanks

    novirusthanks Developer

    Here it is (enabled by default in Main Protections tab):

    vssadmin.png

    Rule: BlockDeletionOfShadowCopies
    Rule Name: Block system processes from deleting shadow copies
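    As an added illustration, not OSArmor's own code (its rule logic is not shown in this thread), here is a Python sketch of the distinction the last few posts draw: a generic vssadmin invocation such as listing shadows runs normally, while the "Delete Shadows" command lines itman quotes, from either the System32 or the SysWOW64 copy, are flagged under the rule name the developer gives. The event format, the sample events and the helper names are assumptions made for this example.

```python
import shlex
from pathlib import PureWindowsPath

# Rule identifier as quoted by the developer in this thread.
RULE_ID = "BlockDeletionOfShadowCopies"

# Constructed sample process-creation events (image path + command line).
# These are not real logs; they only exercise the matching logic below.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin list shadows"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": r"C:\Windows\SysWOW64\vssadmin.exe delete shadows /for=C: /oldest"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe delete shadows.txt"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" DELETE SHADOWS /all /quiet'},
]


def split_windows_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.

    posix=False keeps backslashes literal (they are path separators here,
    not escapes) and returns quoted tokens with their quotes, which we strip.
    """
    return [tok.strip('"').lower() for tok in shlex.split(cmdline, posix=False)]


def is_shadow_copy_deletion(event):
    """True when the event is vssadmin.exe being asked to delete shadows.

    The check is on the image basename (so both System32 and SysWOW64 copies
    match) plus the first two arguments after argv[0]; any other vssadmin
    verb, e.g. 'list shadows', is deliberately left alone.
    """
    image = PureWindowsPath(event["image"]).name.lower()
    if image != "vssadmin.exe":
        return False
    args = split_windows_cmdline(event["cmdline"])[1:]  # drop argv[0]
    return len(args) >= 2 and args[0] == "delete" and args[1] == "shadows"


def flagged_events(events):
    """Return one verdict record per event the rule would block."""
    return [{"rule": RULE_ID, "cmdline": ev["cmdline"]}
            for ev in events if is_shadow_copy_deletion(ev)]


if __name__ == "__main__":
    for hit in flagged_events(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] blocked: {hit['cmdline']}")
```

    Of the five constructed events, three are flagged: the two quoted command lines and the lowercase /for= variant; the plain listing and the unrelated notepad.exe command line pass through, which is the behaviour Sampei Nihira's screenshot and the developer's reply together describe.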
     
  13. Sampei Nihira

    Sampei Nihira Registered Member

  14. EASTER

    EASTER Registered Member

    Whew. Are there any sets that haven't been covered yet?

    Frankly, like most of you I'm blown away by all the defensive measures implemented in this latest OSA build, and the resource usage is virtually non-existent. It's running in tandem with the last build of ERP 4, of which I expect another release is due any time.

    Still trying to dig up any issues that could be considered a bug, but nothing yet. Then again, there's a long list of settings and testing them one by one is quite a chore.

    Compatibility with other security apps is picture perfect too. No friction detected whatsoever. Amazing.
     
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Dism.exe

    https://research.checkpoint.com/beware-bashware-new-method-malware-bypass-security-solutions/

     
    Last edited: Mar 16, 2018
  16. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    NoVirusThanks OSArmor test42 prevents Outlook 2016 from opening when I have G Data Antivirus installed.
    I don't see anything in the logs but Outlook doesn't start with both enabled.
    Edit: excluded OSArmorDevUI.exe, OSArmorDevSvc.exe and OSArmorDevCfg.exe from being guarded by G Data antivirus, and now Outlook opens like before.
    Edit2: The second time it doesn't work anymore :(
     
    Last edited: Mar 16, 2018
  17. novirusthanks

    novirusthanks Developer

    @Sampei Nihira

    I'll take a look at that Bashware; we may probably just block bash.exe and other related processes.

    Will also add an option on SysHardener to "Disable Windows Subsystem for Linux".

    @EASTER

    Thanks for the good feedback :thumb::D

    We tried to include all needed rules to add a good additional layer of defense.

    I think we are missing only a very few rules, and then it should be quite complete.

    The next build will improve protection against UAC bypasses (I will post a video soon).

    @Gandalf_The_Grey

    That looks strange; if nothing is blocked by OSA, it should not be the cause.

    I see you already excluded/allowed OSA's processes in G Data AV; that is good.

    Do you have the W10 OS up-to-date? I read on a forum that Outlook 2016 had an issue with a not-up-to-date W10 OS.

    Anyway, I will take a look at it ASAP.
     
  18. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Windows 10 is up to date version 1709 build 16299.309
    I saw that G Data is the only one flagging build 42 on VirusTotal: ~ Removed VirusTotal Results as per Policy ~
    Did a full scan on my computer and submitted the file osarmor_setup_1.4_test42.exe to G Data as a false positive. No response back yet...
    Reinstalled OSArmor and this time excluded all 5 exes in C:\Program Files\NoVirusThanks\OSArmorDevSvc from G Data.
    No problems anymore with opening Outlook 2016 :thumb:
     
    Last edited by a moderator: Mar 17, 2018
  19. fatex

    fatex Registered Member

    Is there a way to reset the statistics?
     
  20. bjm_

    bjm_ Registered Member

    Exit GUI
     
  21. fatex

    fatex Registered Member

    Thanks!
     
  22. dja2k

    dja2k Registered Member

    Everything is working fine so far; the only things I had to disable were the following, because they would not let my VPN connect normally.
     

    Attached Files:

  23. shadek

    shadek Registered Member

    Just out of curiosity, as I use a VPN myself. Is your VPN-connection using OpenVPN?
     
  24. rollers

    rollers Registered Member

    Weird, it seems to have stopped working for me, and I have uninstalled, rebooted and installed the latest version. Now I can rename any file and it does not block it, even though the program is active.
    Any other suggestions?
     
  25. dja2k

    dja2k Registered Member

    Yes and there is an OpenVPN.exe running also.
     