NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    How did you launch it?
    I only see this behavior when I launch from Search Everywhere. If I launch from Explorer, i.e., the standard Windows way to launch things, cmd is successfully blocked.

    I have seen this behavior repeatedly on my system, and not just with cmd.exe. Also with wscript.
     
  2. guest

    guest Guest

    There is an internal whitelist and some programs are allowed to launch it (for example XYPlorer/Total Commander/etc.) and perhaps Everything is on the whitelist too:
    ... I have tested it and it is indeed "on the whitelist". Try to untick temporarily "Enable internal rules for allowing safe behaviors" and you'll see that it will be blocked now:
    Code:
    Process: [9588]C:\Windows\System32\cmd.exe
    Process MD5 Hash: E08FE2DE3DDD22123247D49A11B4F53D
    Parent: [2820]C:\Program Files\Everything\Everything.exe
    Rule: BlockCmdExeExecution
    Rule Name: Block execution of Windows Command Prompt (cmd.exe)
    Command Line: "C:\Windows\System32\cmd.exe"
    Signer: 
    Parent Signer: David Carpenter
    User/Domain: XXX/XXX
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Hi @shmu26.

    I launched DIRECT from the Everything list just as indicated from the screenshot.

    Also in reference, and if it can be of any help, I also have "Enable internal rules for allowing safe behaviors" checked as it is default.

    I would try @mood's suggestion to uncheck and run again.
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Thanks, @mood. That explains everything.
    I wonder why the internal whitelist is not working the same for @EASTER?
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Good question. I get a toast alert every time, even when I copy the Everything Search executable to a different folder.

    OK for me though since it shows that the particular Rule is indeed blocking where/when checked.
     
  6. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) test57:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test57.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved Block download of remote URLs via command-lines
    + Block unsigned processes outside system partition (e.g. C:\)
    + Block ALL processes outside system partition (e.g. C:\)
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive or issue please let me know.

    With the new rules you can now block any (or only unsigned) processes executed outside system partition (e.g. C:\).

    So a process executed, e.g., from F:\ or G:\ will be blocked, see this screenshot:

    osa3.png

    @Krusty

    Should add it asap, sorry for the delay =)

    @aldist

    I personally prefer the double-click on the tray icon, noticed most programs use this behavior.

    That's very strange, can you check OSA's log file to see if something got blocked?

    If nothing is present in the log file then OSA should not have blocked it.

    Will try to reproduce that behavior here in case.

    @loungehake

    Strange, using it on 3 W7 VMs and no issues here.

    Will check if I noticed any similar issue.

    @Sampei Nihira

    Thanks for sharing!

    OSA should already protect from all of those obfuscation techniques.

    @shmu26

    Yes, as @mood said, Everything is a safe process and is allowed to run processes (if the internal whitelisting option is checked).
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    This thing just keeps getting better. Nice work as always Andreas. :thumb:

    56.jpg
    On a different matter, could or would it be useful to have the Log list actions-timestamp reading from top to bottom in place of the reverse so that the most recent will show up first/top and scrolling down the previous logged events?
     
  8. guest

    guest Guest

    +1
     
  9. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    -1
    Please keep it the way it is. Chronological order makes more sense to me.
     
  10. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,114
    Location:
    Lunar module
    Problem is resolved. The C:\Windows\System32\gpscript.exe process was locked by the user-defined rule [%PROCESS%: *script.exe]
     
  11. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,114
    Location:
    Lunar module
    It would be nice if the log were automatically scrolled down to the last record.
     
  12. guest

    guest Guest

    not sure it is possible, those are text files.
    Anyway, not a big deal; scrolling won't kill us.
     
  13. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Running smooth here still. Thanks!
     
  14. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    @novirusthanks

    Hi Andreas.
    I propose to insert a specific rule to prevent the disabling of UAC from the command line:


    C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

    Few will enable the "block execution of reg.exe" rule because of the FP warning.
     
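    As an added illustration of the behaviour discussed in these posts (the internal safe-parent whitelist that lets Everything launch cmd.exe, the [%PROCESS%: *script.exe] user rule that also caught gpscript.exe, and the proposed rule for the reg.exe EnableLUA command line), here is a small Python model of that rule evaluation. It is not OSArmor's code: the safe-parent list and the rule set are assumptions, and the sample event is the log entry quoted earlier in the thread.

```python
import fnmatch
import ntpath
import re

# Constructed sample: the block-log entry quoted earlier in the thread.
SAMPLE_EVENT = """\
Process: [9588]C:\\Windows\\System32\\cmd.exe
Process MD5 Hash: E08FE2DE3DDD22123247D49A11B4F53D
Parent: [2820]C:\\Program Files\\Everything\\Everything.exe
Rule: BlockCmdExeExecution
Rule Name: Block execution of Windows Command Prompt (cmd.exe)
Command Line: "C:\\Windows\\System32\\cmd.exe"
Signer:
Parent Signer: David Carpenter
User/Domain: XXX/XXX
Integrity Level: Medium
Parent Integrity Level: Medium
"""

# Hypothetical stand-in for OSA's internal safe-launcher list (the thread names
# Everything, XYPlorer and Total Commander; the real list is not published).
SAFE_PARENTS = {"everything.exe", "xyplorer.exe", "totalcmd.exe"}
# Hypothetical rules: (name, process-name glob, optional command-line regex);
# "*script.exe" is the user rule that caught gpscript.exe, the last one the UAC line.
RULES = [
    ("BlockCmdExeExecution", "cmd.exe", None),
    ("BlockScriptHosts", "*script.exe", None),
    ("BlockUacDisableViaReg", "*",
     re.compile(r"EnableLUA\s+/t\s+REG_DWORD\s+/d\s+0\b", re.IGNORECASE)),
]

def parse_event(text):
    """Turn 'Key: value' lines into a dict and split '[pid]path' fields."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    for key in ("Process", "Parent"):
        m = re.match(r"\[(\d+)\](.*)", fields.get(key, ""))
        if m:
            fields[key + " PID"], fields[key] = int(m.group(1)), m.group(2)
    return fields

def evaluate(event, rules=RULES, internal_rules_enabled=True):
    """Return the names of all rules that would block this event."""
    if internal_rules_enabled and ntpath.basename(event["Parent"]).lower() in SAFE_PARENTS:
        return []  # safe launcher: block rules are skipped, as observed in the thread
    name = ntpath.basename(event["Process"]).lower()
    return [rule for rule, glob, cmd_re in rules
            if fnmatch.fnmatch(name, glob.lower())
            and (cmd_re is None or cmd_re.search(event.get("Command Line", "")))]
```

    The gpscript.exe case shows why a glob like *script.exe is wider than the wscript.exe/cscript.exe hosts a user usually has in mind; listing those names explicitly avoids that false positive.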
  15. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    @novirusthanks
    Just updated without uninstalling the previous version first.
    Everything went smooth without any problems :thumb:
    Just a small request: is it possible to avoid the creation of a desktop shortcut if it wasn't there before?
     
  16. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    No problems here with test build 57 (standard settings). Thanks, Andreas.
     
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    FWIW ~ observation:
    When my resident AV detects and quarantines files, my UAC 'Never notify' preference toggles to 'Always notify'.
    UAC toggle is expected, known behavior pre-OSA.
    I think? Around the UAC toggle event, OSA Service drops out. OSA tray icon goes gray with Protection Disabled.
    2649.png
    Start returns OSA Protection Enabled.
    test57 with all rules checked
     
    Last edited: Apr 13, 2018
  18. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    Just funnin' .... I've been in since the beginning of this wonderful tool.

    I have NEVER Uninstalled the SAME piece of Software so many times. :isay::thumb:

    TY Andreas
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) test58:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test58.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Show System File: True\False on log file
    + Show Parent System File: True\False on log file
    + Improved detection of parent processes
    + Improved detection of UAC-bypass attempts
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive or issue please let me know.

    @Sampei Nihira

    Rule is already present:

    :D:thumb:

    @bjm_

    Can you make a small video to show the issue in action?

    Or provide exact steps to reproduce the issue (including resident AV you have installed).

    Can't seem to reproduce it here (W10 VM).

    @imuade

    Will check it.

    @EASTER

    Will discuss it, but personally I prefer it as it is now (last blocked event is at the bottom of the .log file).
     
  20. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    Lovely. Thank you. :thumb: Really hope you can add Chromium and PotPlayer. I've even considered moving to Chrome just because I like my security software to work in unison, if you know what I mean. I've moved full-time to OSArmor (everything ticked) to protect my system, along with Windows 10 inbuilt exploit mitigations (replaced Excubits Bouncer), MemProtect to cage my browser and Windows Firewall Control (Binisoft). Can't really get a lighter setup, but it's very secure. Great tool, really happy with it. :thumb:
     
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    Damn......you beat me to it every time!! :D:confused:
    Have a nice weekend.:thumb:

     
  22. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,114
    Location:
    Lunar module
    @novirusthanks
    Feature request
    1/ When looking for problems in the operating system, it may be necessary to disable all protections permanently - antivirus, SRPPrevent, Firewall etc.
    How to disable OSA protection so that it does not turn on after rebooting the machine? Is it really only by uninstalling OSA?
    Is it possible to add a "Protection - Disable Permanently" option in the system tray?
    2/ This option turns on/off the internal rules of Main Protection, Anti-Exploit, Advanced, but does not affect Custom Block-Rules?
    ScreenShot_73.png
    3/ Perhaps you need an option to disable Custom Block-Rules, possibly in the system tray.
    4/ "Exit GUI" disables internal rules and Custom Block-Rules?
     
    Last edited: Apr 14, 2018
  23. guest

    guest Guest

    OSA is still active if the GUI is closed:
     
  24. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello @aldist,
    Use "Passive Logging" (right click tray icon > Protection > Passive Logging)...
    From @novirusthanks post # 870
    and
    From @novirusthanks post # 962
    I hope this helps...
     
    Last edited: Apr 14, 2018
  25. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    1. You can permanently disable it in Services. It would be nice to be able to permanently disable it using the tray icon.
     
    Last edited: Apr 15, 2018