NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. loungehake, Registered Member
    I have been happily using OSArmor with Windows XP SP3 since the beginning of 2018 and now running OSArmor Test 61. The host computers both date back to 2002 and they both run well. These installations of Windows XP date back to 2004 and have been running well with many changes, including three service packs and POSReady security updates after April 2014. All the main, anti-exploit and advanced protections are enabled, excepting the Main Protection's 'Block execution of 16-bit NTVDM processes'. I am delighted at the ease with which I can manage exclusions.

    Paradoxically, Windows 7 x64 has been very troublesome when OSArmor is installed. The system hanging behaviour continues, the slower of the two (AMD Sempron 3000+ 1.8GHz) being particularly reluctant to work for more than a few minutes before going into a coma. The other hardware, an Intel Pentium 4 Prescott (3.2GHz twin core) runs OK for much longer but inevitably also becomes comatose.

    My only thought about the Windows 7 problem is that there is a timing problem which is much worse on very slow hardware (Sempron) but the Intel Pentium 4 Prescott is also slow enough to create a timing problem, albeit much less severe. When it happens the system slows up progressively and within a few seconds becomes terminally unresponsive, unless a hardware restart is initiated.

    In view of Windows XP being soon to be totally 'security update free', I am very grateful to the author of OSArmor for providing enormously increased security for my classic Windows PCs. The virtual battlefield defences provided by OSArmor (which reinforce Panda Dome Free 18.05, MBAE, Outpost Firewall Pro 9.3 and CryptoPrevent) are very reassuring to have on board.
     
    Last edited: May 3, 2018
  2. loungehake, Registered Member
    I wish to offer a suggestion which is to add the option for a one-off bypassing of blocking a process (without adding it to the Exclusions.db file). I would like that option to be available through the Exclusions dialog box. It seems to me that it would enhance OSArmor's protections if one-off permissions for a process to run or to continue to run leave the protections intact so that a similar subsequent event can also be automatically brought to the user's attention. The creation of permanent exclusions weakens protection against unforeseen exploits because permission is effectively granted for any subsequent process which conforms to an exclusion rule to proceed without drawing attention to itself.

    Edit Note: I worded this request badly and the phrase 'blocking a process' replaces my initial unsatisfactory wording. I also added additional justifications for my request commencing with the words 'It seems to me that it would enhance OSArmor's protections ... '
     
    Last edited: May 3, 2018
  3. loungehake, Registered Member
    I am deeply disappointed to have to say that one of my Windows XP systems has got glued up in a similar way to my Windows 7 systems. XP became almost unresponsive but pulled itself round after a few minutes. OSArmor had to go. Sorry.
     
  4. mekelek, Registered Member
    One would hope that last action was done on the operating system.
     
  5. Sampei Nihira, Registered Member
    Last edited: May 4, 2018
  6. novirusthanks, Developer
    Here is a new v1.4 (pre-release) test62:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test62.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved Block suspicious command-lines
    + Minor fixes and optimizations
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive or issue please let me know.

    * The option "Block suspicious command-lines" contains an experimental rule, if you notice a FP let me know *

    @Sampei Nihira @loungehake

    I'll try to reproduce the issues on a XP VM tomorrow and will update here.

    @Sampei Nihira

    The FP about cipher.exe is fixed; can you post the log of the FP about IObit Uninstaller Portable and wmic.exe?

    @shmu26

    That feature is in the todo list for v1.5
     
  7. Sampei Nihira, Registered Member
    Date/Time: 04/05/2018 17:02:57
    Process: [8284]C:\Windows\System32\wbem\WMIC.exe
    Process MD5 Hash: EC80E603E0090B3AC3C1234C2BA43A0F
    Parent: [7444]C:\Windows\System32\cmd.exe
    Rule: BlockWmicExecution
    Rule Name: Block execution of wmic.exe
    Command Line: WMIC QFE GET /format:list
    Signer:
    Parent Signer:
    User/Domain: ********************
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
     
  8. novirusthanks, Developer
  9. Sampei Nihira, Registered Member
    Date/Time: 04/05/2018 16:21:29
    Process: [216]C:\Windows\System32\reg.exe
    Process MD5 Hash: E3DACF0B31841FA02064B4457D44B357
    Parent: [2148]C:\Windows\System32\cmd.exe
    Rule: BlockRegExeHijackingRegistryStartupEntries
    Rule Name: Block reg.exe from hijacking Registry startup entries
    Command Line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /V "Windows10UpgraderApp.exe" /t REG_SZ /F /D "C:\Windows10Upgrade\Windows10UpgraderApp.exe /SkipSelfUpdate"
    Signer:
    Parent Signer:
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System

    _____________________________________

    @novirusthanks

    Q: Better to disable the rule?


    Block reg.exe from hijacking Registry startup entries
     
    Last edited: May 5, 2018
  10. askmark, Registered Member
    If blocking of wmic is enabled, doesn't this just require a custom exclusion rule, or am I missing something?
     
  11. Gandalf_The_Grey, Registered Member
    An update for my Epson printers software updater gave this:

    Date/Time: 4-5-2018 19:51:48
    Process: [2808]C:\Program Files (x86)\Epson Software\Download Navigator\EPSDNAVI.EXE
    Process MD5 Hash: 384C3887FC581754B1F8C3C821B501C8
    Parent: [8652]C:\Users\xxxxx\AppData\Local\Temp\EPSDNAVI_Temp\Download Navigator\Setup.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: "C:\Program Files (x86)\Epson Software\Download Navigator\EPSDNAVI.EXE" /P "XP-820 Series(Netwerk)"
    Signer: SEIKO EPSON CORPORATION
    Parent Signer:
    User/Domain:
    System File: False
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: Unknown
     
  12. EASTER, Registered Member
    Nothing of any real consequence to air out or bring attention to regarding FPs or other possible issues.

    Will watch suggestions here though. A lot of excellent ones showing up and many already added. :thumb:
     
  13. guest, Guest

    Basically yes, but if it is internally whitelisted, an exclusion rule isn't needed anymore (and users of "IObit Uninstaller Portable" don't see this blocking anymore).
    The idea behind it is that OS Armor interferes as little as possible with "normal program activity" ("safe behaviours") and that the user doesn't get bombarded with blockings.
     
  14. askmark, Registered Member
    Thanks @mood for the explanation.
     
  15. guest, Guest

    :thumb:

    Btw.: no problems with "v1.4 (pre-release) test62" encountered. It is running smooth.
     
  16. Krusty, Registered Member
    I just got this while running PrivaZer. OSA in default settings.
    Code:
    Date/Time: 5/05/2018 10:16:30 AM
    Process: [1756]C:\Windows\SysWOW64\wbem\WMIC.exe
    Process MD5 Hash: 2CB843EBCA0BCD8095F0A78D8F3CA117
    Parent: [8380]C:\Windows\SysWOW64\cmd.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: wmic.exe   process where caption="dllhost.exe" get Processid, commandline
    Signer:
    Parent Signer:
    User/Domain: Krusty/KRUSTY-PC
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    
    
    Date/Time: 5/05/2018 10:16:29 AM
    Process: [2200]C:\Windows\SysWOW64\wbem\WMIC.exe
    Process MD5 Hash: 2CB843EBCA0BCD8095F0A78D8F3CA117
    Parent: [7308]C:\Windows\SysWOW64\cmd.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: wmic.exe   process where caption="dllhost.exe" get Processid, commandline
    Signer: 
    Win10 x64 1709
    OSA Test 62
     
    Last edited: May 5, 2018
  17. loungehake, Registered Member
    Regarding my previous comments on OSArmor seeming to cause the OS to appear to hang, I have noticed that the OSArmor SVC and UI processes have a high context switch Delta (c.1100 and 160 respectively in comparison with other processes, apart from the System Idle Process (range c.1700<->2000) and Interrupt process (range c.2500<->3000). These figures are stated by Process Explorer on Windows 7 x64 with an Intel Pentium4 Prescott 3.2GHz 2 core processor.

    Just wondered if this was of any significance, especially when using slower CPUs with single or twin cores.

    Additional: -
    Using the default advanced settings substantially reduces the context switch Deltas for the OSArmor SVC and UI processes. The host systems are also livelier with so few advanced blocking rules set.
    I run the Garmin SATNAV support software and for the tiny amount of work it does most of the time it don't 'arf context switch a lot. I started to use this coincidentally with OSArmor. I now start Garmin manually. I have a hunch that the presence of running Garmin software might not be convivial for OSArmor on low powered systems.

    A long time ago (c. 35 years), Pr1me minicomputers used hardware context switching. This was so effective that a Pr1me 750 (8MB !!! ) could support more than a dozen CAD work stations in our design office. A DEC Vax 11/780 could only support about half that number. The Vax had software context switching and so, I guess, do Windows PCs. The moral of this little anecdote is that high levels of process context switching use more CPU power than the data shown by Process Explorer would suggest. Shame that the Pr1me computers had a floating point arithmetic flaw. End of history lesson for today.
     
    Last edited: May 7, 2018
  18. Sampei Nihira, Registered Member
    [Attachments: 11.jpg, Immagine.jpg]

    Date/Time: 05/05/2018 20:41:47
    Process: [8832]C:\Program Files\Bandizip\Bandizip.exe
    Process MD5 Hash: E7A52CFD55DE101EFC002E80051511CB
    Parent: [456]C:\Windows\explorer.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: "C:\Program Files\Bandizip\Bandizip.exe" bx -o:"C:\Users\*********\Documents\CPU-Z\" "C:\Users\***********\Documents\CPU-Z\cpu-z_1.85-en.zip"
    Signer: Bandisoft
    Parent Signer: Microsoft Windows
    User/Domain: *********************
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
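The wmic.exe, reg.exe and Bandizip reports quoted in this thread all use the same block-log layout, and the earlier question of whether to disable the "Block reg.exe from hijacking Registry startup entries" rule outright is really a per-report triage decision. The following Python script is an added example, not OSArmor's own code and not from any poster: it parses that layout (the three sample entries are copied from this thread, with user fields redacted as posted) and sorts each report into a bucket before any exclusion is written. The bucket rules and the function names (parse_entries, autorun_target, triage) are my own assumptions, not OSArmor logic.

```python
import re

# Three block entries copied from this thread (user fields redacted as posted)
# serve as offline sample input. Added example, not OSArmor's own code; the
# triage buckets below are my assumptions about how to handle such reports.
SAMPLE_LOG = r"""
Date/Time: 04/05/2018 17:02:57
Process: [8284]C:\Windows\System32\wbem\WMIC.exe
Process MD5 Hash: EC80E603E0090B3AC3C1234C2BA43A0F
Parent: [7444]C:\Windows\System32\cmd.exe
Rule: BlockWmicExecution
Rule Name: Block execution of wmic.exe
Command Line: WMIC QFE GET /format:list
Signer:
Parent Signer:
User/Domain: ********************
System File: True
Parent System File: True
Integrity Level: High
Parent Integrity Level: High

Date/Time: 04/05/2018 16:21:29
Process: [216]C:\Windows\System32\reg.exe
Process MD5 Hash: E3DACF0B31841FA02064B4457D44B357
Parent: [2148]C:\Windows\System32\cmd.exe
Rule: BlockRegExeHijackingRegistryStartupEntries
Rule Name: Block reg.exe from hijacking Registry startup entries
Command Line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /V "Windows10UpgraderApp.exe" /t REG_SZ /F /D "C:\Windows10Upgrade\Windows10UpgraderApp.exe /SkipSelfUpdate"
Signer:
Parent Signer:
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: True
Integrity Level: System
Parent Integrity Level: System

Date/Time: 05/05/2018 20:41:47
Process: [8832]C:\Program Files\Bandizip\Bandizip.exe
Process MD5 Hash: E7A52CFD55DE101EFC002E80051511CB
Parent: [456]C:\Windows\explorer.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: "C:\Program Files\Bandizip\Bandizip.exe" bx -o:"C:\Users\*********\Documents\CPU-Z\" "C:\Users\***********\Documents\CPU-Z\cpu-z_1.85-en.zip"
Signer: Bandisoft
Parent Signer: Microsoft Windows
User/Domain: *********************
System File: False
Parent System File: True
Integrity Level: Medium
Parent Integrity Level: Medium
"""

PROC_RE = re.compile(r"^\[(\d+)\](.*)$")
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\winlogon\\")
REG_ADD_RE = re.compile(r'reg\s+add\s+"([^"]+)"(?:.*?/v\s+"([^"]*)")?(?:.*?/d\s+"([^"]*)")?', re.I)


def parse_entries(text):
    """Split blank-line separated entries into dicts of 'Field: value';
    Process/Parent lines carry '[pid]path' and are split further."""
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip()] = value.strip()
        for fld in ("Process", "Parent"):
            m = PROC_RE.match(entry.get(fld, ""))
            if m:
                entry[fld + " PID"], entry[fld] = int(m.group(1)), m.group(2)
        entries.append(entry)
    return entries


def autorun_target(cmdline):
    """Return key/value/data of a 'reg add' aimed at a startup key, else None."""
    m = REG_ADD_RE.search(cmdline)
    if not m or not any(k in m.group(1).lower() for k in AUTORUN_KEYS):
        return None
    return {"key": m.group(1), "value": m.group(2) or "", "data": m.group(3) or ""}


def triage(entry):
    """Bucket a blocked event; decides what to look at before adding an exclusion."""
    if autorun_target(entry.get("Command Line", "")):
        return "autorun-write"     # persistence write: inspect key and data, keep the rule
    if entry.get("Signer") and entry.get("System File") == "False":
        return "signed-vendor"     # likely FP: exclude that vendor binary, not the rule
    if entry.get("System File") == "True" and entry.get("Parent", "").lower().endswith("\\cmd.exe"):
        return "lolbin-via-cmd"    # built-in tool spawned from a shell: read the command line
    return "review"


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print(triage(e), e["Process"], "<-", e["Parent"], "|", e["Command Line"][:60])
```

Running it prints one line per report. The reg.exe write to RunOnce lands in the autorun-write bucket regardless of who launched it, which is the argument for keeping that rule and excluding only the specific upgrader command line; a signed non-system binary such as Bandizip is the FP-candidate case where a vendor-specific exclusion is the narrower fix; wmic.exe spawned from cmd.exe is exactly the pattern the rule exists for, so the command line itself (here a harmless QFE query) decides.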
     
  19. mekelek, Registered Member
    can someone teach this individual how to click on the button "exclude"? it's driving me insane he posts every alert OSArmor makes.
     
  20. Sampei Nihira, Registered Member
    That is not the purpose, if you have not understood it yet.
    My advice is not to read what I write.
     
  21. shmu26, Registered Member
    Well, the dev did say that he wants to hardcode exclusions for FPs from popular applications, and he asked that FPs be reported. I think that is where @Sampei Nihira is coming from
     
  22. Charyb, Registered Member
    Keep up the good work @Sampei Nihira. You have done a great deal to help improve the usability of OS Armor by reporting bugs and false positives. This is exactly what we are supposed to do.
     
  23. guest, Guest

    WinXP has to go instead... :rolleyes:
     
  24. mekelek, Registered Member
    never mind then, keep it up!
     
  25. loungehake, Registered Member
    That's fine with me. I don't expect much new software so the existing rules are fine and dandy. OSArmor being better than nothing is an understatement.
     