NoVirusThanks OSArmor: An Additional Layer of Defense

Hello, bellgamin!

Thank you for your welcome greeting.

Have I done a WhoIs lookup on 64.6.64.6? Yes, I have. I mentioned this in my first post. The IP corresponds to VeriSign.
I quote myself: "URL: VeriSign Global Registry Services - which is my DNS."

I use a Firewall called "FortKnox". It is a nearly perfect clone of the "old" Sygate Personal Firewall PRO. And it works "like greased".

If the Firewall designed by the team of experts who worked for Sygate, is much better than the default Firewall included in Windows 7, by Microsoft, remains an open question. FortKnox is very sensitive. You can test it, if you wish, on your machine. It is compatible with Windows 7. Maybe it can "feel" things which W7 FW can not feel. You can also try GlassWire Firewall, if you don't like FortKnox. My FW can not be cheated so easily, even if it has nearly no HIPS capabilities.

I confess you that I replaced EVERY "accessory" program included in Windows XP Pro; with non-Microsoft programs; starting with the Firewall, and ending with Notepad and WMP9. On my OS, the only left Microsoft "program", is the Operating System.


The question is: WHY OSArmorDevSvc.exe wants Internet access?

 

Thank you, aldist, for your well documented reply. I appreciate your endeavor.

Here is my answer to your reply:

1. Indeed, I blocked the communication attempts of OSArmor. But, in my naivety, I am somehow worried because my Firewall's activity might be hampered by the repeated attempts of OSArmor to connect to the Internet; with any price. I never heard, yet, about a Firewall being "knocked-down" by an application who is "bombarding" it with repeated, stubbornly, attempts to connect to the Internet. The fact is that my FW consumes computing resources trying to deal with the task of blocking any network access of OSArmorDevSvc.exe. (Including writing countless data in the FW's Traffic Log) My Firewall is busy enough, even without these "unusual" connecting attempts.

2. You are right when you say that many users are upgrading without uninstalling. But, unless the author of OSArmor expressly states otherwise, I prefer the safe, "canonical" way of updating OSA. Therefore, if it is recommendable to update in this way - uninstall old version, install new version -, then, once more, I do not see why OSA needs to connect to the Internet [in order to download a new version].

Nevertheless, an auto-update mechanism would be convenient. It would save time. But in this case, I would like to see an encrypted connection, on, let's say, port 80; and TCP protocol.

Usually, the Port 53 is used for DNS queries (Domain Name Service)
There are recorded attacks that target vulnerabilities within DNS servers. Some trojans also use this port: ADM worm, li0n, MscanWorm, MuSka52, Trojan.Esteem.C (05.12.2005), W32.Spybot.ABDO (12.12.2005). Bonk (DoS) trojan horse also uses port 53 (TCP). Kerio Personal Firewall (KPF) 2.1.4 has a default rule to accept incoming packets from DNS (UDP port 53), which allows remote attackers to bypass the firewall filters via packets with a source port of 53. Etc., etc.

I wait an answer from the designer of the program: why OSArmorDevSvc.exe is soliciting Internet access?

3. I quote you: "The program is updated very rarely, and I absolutely do not need this option."

In the last years, the program was updated as it follows: [22-Dec-2017] v1.3.0.0, [20-Jun-2018] v1.4.0.0; [25-Oct-2018] v1.4.1.0; [11-Jan-2019] v1.4.2.0. The updating frequency has increased. Let's say that a new stable version started to appear at every 4 months. Is this "very rarely"? I let others to answer.

I noticed on this sub-forum that there are many users who accept to ß-test OSArmor. For these, new versions appear, if not weekly, at least monthly. Is this "very rarely"?

In one regard, my opinion coincides with yours: me too, I do not need an "Auto-update mechanism". I prefer to visit the developer's website, or, let's say, Softpedia, and to download the new version from there.

I do not like the fact that OSArmor connects to the Internet.
But you and I, we should not be selfish. Perhaps other users would want to see something like "Check for Updates".
The final decision does not belong to us. The author of the program decides.

4. Yes, Windows XP is at the end of its life cycle. This year will reach the age of 18. In IT, 18 years mean "many geological ages". But XP is still supported (see 'Windows Embedded POSReady'). There are people (and devices) in such areas as retail, manufacturing, healthcare, ... who still use Windows XP.

Windows XP is old; but not totally obsolete. We are talking about Software, not about perishable food. Windows XP will still be supported - but only for clients with deep pockets. Agencies are still paying Microsoft millions to support old systems. A discussion about the new versions of Windows would be off-topic.

Every new version of Windows brings its own security problems. And has inside large pieces of Code from the old versions. Windows XP had (initially) approximately 45 millions Lines of Source Code. The installer was stored on a CD-ROM. Starting with Windows Vista, Microsoft already needed a DVD-ROM to store the almost double amount of SLOCs. The more Lines of code, the bigger the failure probability - due to bugs, programming errors, security vulnerabilities, a.s.o. If you really think that NT 6 is "safer" and "more reliable", than NT 5, dream on. Windows Vista was a failure. After its rejection, Steven Ballmer has resigned. Windows XP was the last version of Windows which contains lines of code written by Mr. Bill Gates himself. Starting with [Hasta la] Vista, his influence, his vision, vanished. Also, after Vista, IBM decided to sell its PC business. Since 2005, they started to invest money in Linux. Serious money: over one Billion Dollars.

Saying that one Windows version is better than the other, and mocking users of older Windows versions, is tragicomic. Solaris, FreeBSD, Irix, OS/2, even the small and mighty Amiga OS, are better than Windows. They are real Operating Systems. Windows is a [bad] joke. A huge Spyware. Basically, Windows 10 makes the same things as Windows 3.1. But it uses twenty times more computing resources. Windows contains lines of code "borrowed" from the BSDs. And who knows from what other sources. Who can inspect their code?

Maybe, in Windows 10, the memory management is better than in Windows XP. But the designer of OSArmor should optimize the program for every Windows version. Or, if it is a too difficult task, he should make OSArmor available only for Windows 7-10 users. Note: OSArmor is installed as a service. I have not bothered to check how many Megabytes of RAM are taken by NoVirusThanks OSArmorDevSvc. This data is missing from both of our screenshots (mine and yours). In Win10 the amount of [hidden] RAM might be bigger.

5. I quote you: "For beauty. Does it bother you much?".

Well, the answer is "Yes" and "No".

"Yes", from aesthetic and logical point of view. Their place is really not there. Facebook and Twitter have nothing in common with NVT OSArmor. The links to FB and TWT, placed on the Help -> About small window, are enough. On the main window, the yellow-green shield should be placed on the right side, exactly where the FB and TWT hiperlinks are now.

"No", because I have nothing against Facebook or Twitter. I just don't use them. I do not have accounts on any of them. I prefer other "social networks".
Almost everybody uses Gillette shaving blades. I use Wilkinson Sword. But I have nothing against those who use Gillette...


I am glad that you have exposed your point of view. Now I would like to hear what the author of OSArmor has to say.


P.S. I apologize for the length of my comment.-

 

@Wolfram

Perhaps, you might consider sending an email of your questions. Don't know how fast you might get a reply though.

https://www.novirusthanks.org/contacts/

 

Ah so -- you have set your FW to block OSA out-calls. Ergo, OSA is denied before it can even reach your DNS. If it were me, I would allow OSA to connect out so that I could see its final destination & do a look-up on THAT. (I'm a curious cat.)

Perhaps the reason OSA keeps hammering your firewall is that it's programmed to "keep trying." Per my firewall, OSA rarely connects out. It doesn't need to "keep trying" because I set OSA free to rock & roll. I have used OSA from just about the very instant it was born. I trust it totally & let it do anything it wants to do. My ONLY real-time security is OSA & Private FW. Nada mas.

You have awakened my interest in FtKnox FW. I shall give it a ride anon.

Hey Wolfram -- live long & prosper!

 

Thank you for your reply.

Sending a message to NVT, throuh E-mail, is not at all a bad idea. Initially, I wanted to do this. But, right before writing to NVT, I discovered this forum. And I noticed that the author of the program posts here. From time to time he answers the questions which are addressed to him.

In my opinion it is a public matter. Every reader of this forum, every user of OSArmor has the right to read his explanations.

Note: the anomalies which I discovered have nothing to do with the capabilities of OSArmor. It is far from me the intention to disregard the programmer's work. I just need some clarification. That's all.-

 

I'm glad my post has raised your interest.

In what concerns "the opening" of my Firewall, I have not your courage. I am curios, too. But I don't want to risk. The golden rule in Security is "Trust no one".

Moreover, you know what they say: curiosity killed the cat...

 

I gave a reply in the https://www.wilderssecurity.com/threads/fortknox-firewall.392974/page-2
I do not want to hijack this thread.

Never had a outbound request by OSA.
Has to be the Firewall "Fortknox". It couldn't be a pop-up I get none.

 

Same here. Never had one since the first beta.

 

Thank you, Circuit, for sharing with us the experience you had with the FortKnox Firewall.

You can read my answer to your post about FK FW, here:
https://www.wilderssecurity.com/threads/fortknox-firewall.392974/page-2#post-2806069


On your system - Windows 7 64-bit -, you said that "Never had a outbound request by OSA".
guest said the same thing. (By the way: I like guest. We all have a lot to learn from him.)

On belgamin's System - which is also based on Windows 7 - OSArmor connects to the Internet.
I quote from his post - #2380: "Per my firewall, OSA rarely connects out. It doesn't need to "keep trying" because I set OSA free to rock & roll. (...)"

Even under Windows 7, OSArmor connects to the Internet. Less frequently, yes; but it still does. And I don''t think it has to do with W7 version - 32-bit / 64-bit -, or edition: Home Basic, Home Premium, Professional, Enterprise, Ultimate. Or does it?

The question is, once again, why?
Why OSArmorDevSvc.exe is soliciting Internet access?

 

Warning: it follows a rather long post...

Cute belgamin:
I would like to ask you a favor.
In your comment - #2380 - you told us that, on your system, OSArmor can connect to the Internet without restrictions.

Please, can you tell us where it connects? Perhaps you have a list of IPs, or URLs associated with them, a list which you would like to share with us. Is there any "mother ship" where OSArmor sends data? A "Command Center"? An obscure Mailbox? A "Reserved domain"? A big company? Or, OSArmor it only connects (periodically) at the NVT headquarters - supposedly, to check for a new version?


In another train of thoughts: your system's protection / armor is well thought. Refined. It is the result of many hours spent testing various "security solutions for PCs".

As someone said, people can experience three security phases: FEAR -> EXPERIMENT -> SIMPLICITY + KNOWLEDGE. It seems that you have reached the final phase.

In fact, no Security expert uses Antivirus programs.

In what concerns me, I centered the PC Security concept around the notion of Firewall. Give me a good Firewall, and a specialist in Networking, able to properly configure it, and I will give you a well secured PC.

Such a good Firewall is (was) Online Armor. Unfortunately, now it can no longer be activated. All the support functions that were needed for it have been shut down.


For the moment I added to my Firewall (FortKnox) two programs: the "ancient" Script Sentry, and another one called Simple Software-Restriction Policy.

"In essence, a Software Policy lays down rules about where on disk programs can be run from. Thus, programs in 'Program Files' will be given the OK, but programs in 'Downloads' will not. Since this defensive mechanism does not rely on identifying a given program as malicious, it is in principle effective against ALL strains of malware."
https://iwrconsultancy.co.uk/softwarepolicy

SSRP allows to run [new] EXEs placed ONLY in the Program Files folder (besides the Windows folder). An executable trying to run in any other location will be instantly blocked.

SSRP is a simpler [free] alternative to AppGuard. And it never connects to the Internet.
It also allows the users to run certain programs with restricted rights. (But not Internet Explorer, or Chrome.)

I still hesitate to adopt OSArmor. In principle, SSRP + FK might be enough. I am still studying the behavior of OSArmor. Let's say that I am not that bothered by the fact that OSA tries to connect to the Internet. I can prevent this. What I really do not like is its "slowness" in reactions. Compared to OSArmor, Script Sentry and SSRP react lightning fast.

Supplementary, I run a monthly scan of my system with KVRT; just in case.
You can download the latest version of Kaspersky Virus Removal Tool, from here:
https://www.softpedia.com/get/Antivirus/Kaspersky-Virus-Removal-Tool.shtml
Why Kaspersky? Because it is quite fast; and, by default, it is not scanning what it shouldn't (i.e., data placed in My Documents folder).

Tip.: when KVRT runs, do not allow it to connect to the Internet.


And because Ransomware has become the most dangerous computer threat of the moment, and because certain common PC users can not deal with a program like OSArmor, or SSRP, after I tested some free anti-RW apps, I recommend Kaspersky Anti-Ransomware Tool for Business, as a mean of protection. But only for those who trust the Russian software company. (I do not trust them. Protected you will be, by Kasperky; but with the price of losing your Privacy. Read carefully the EULA of any Security program, before installing it! See the cases of Avast, AVG, and other companies accused of spying on customers. Including Kasperky. There is no smoke without fire...)
https://www.kaspersky.com/anti-ransomware-tool

Unfortunately, the last version of KART does not run on Windows XP systems.

I added to my arsenal the good old Phoenix FirstWare Recover Pro - an innovative system restoration utility.
Those with newer systems can use a product like Deep Freeze Standard. Excellent software. Vital, in certain circumstances.
https://www.faronics.com/en-uk/products/deep-freeze/standard

"Deep Freeze preserves your computer configuration. Any changes – either malicious or unintentional – are reversed on reboot. This is called Reboot-to-Restore where each reboot restores the computer to its desired configuration."

In summary, this is what I installed on my system: FortKnox Firewall, Simple Software-Restriction Policy (anti-exe), Recover Pro, and, experimentally, as a supplement, OSArmor, with its plethora of very useful protections.

Nota Bene: above all, nothing can replace the periodic rescue of data. Save, save, save - at least daily. Be it online, or offline. For archiving I recommend M-DISC.

"M-DISC's design is intended to provide greater archival media longevity. Millenniata claims that properly stored M-DISC DVD recordings will last 1000 years [!]."
https://en.wikipedia.org/wiki/M-DISC

For online saving ("Cloud Backup") you can opt for a company like BACKBLAZE. They offer unlimited storage space, on their servers, for only 50 USD per year (Personal Backup). BackBlaze is practically the only one company who offers data about the reliability of various HDD models produced by Seagate, Western Digital, and Hitachi.

You can test OSArmor to see if it is really able to protect your system against Ransomware. How? Use RanSim!
https://www.knowbe4.com/ransomware-simulator

"RanSim will simulate 13 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable."

Note: RanSim is compatible only with Windows 7-10.

On a system provided with a comprehensive anti-exe, in theory, Ransomware can not run.
But on a system like the one used by belgamin, a system which has on it only OSArmor, it would be useful to find out if OSA can certainly provide the expected protection against Ransomware. Do you accept the challenge, belgamin?


In what concerns a so-called "safe browser", an interesting alternative to the browsers offered by Avast, Avira, or Comodo, is Puffin browser.
https://www.puffin.com/secure-browser/

"Browser Isolation in the local sandbox is insufficient. All major browsers fell to white-hat hackers at Pwn2Own browser hacking competition every year. The most secure sandboxes from the most talented browser companies are simply not good enough. Puffin implements Browser Isolation in the cloud sandbox. The cloud sandbox cannot isolate viruses 100% just like the local sandbox, but Puffin’s network protocol can isolate viruses 100%. The extreme robustness comes from the extreme simplicity. Puffin’s network protocol and data exchange is too lightweight to carry viruses from the cloud servers to the client devices."


I have already proposed "The Final Solution" against ANY possible computer threat, present or future. But no IT company wants to put it into practice. Because it will mean the end of ALL the Security solutions providers.

I posted my solution here:
https://www.techsupportalert.com/fr...3723-effectiveness-of-antivirus-programs.html

I am not a Security expert. My field of expertise is Digital Electronics.

I wish an instructive reading to all those interested.


And, one final thought, directed primarily to belgamin: we, all the "hobbysts" who posted on this group of discussions, we will all live long and prosper! God will not let us perish.

 

Yes, I guess that's the cool part, no alerts.

 

@Wolfram
more humility please...you are talking to guy who is on Wilders since 17 years and his participation to build content of Wilders is priceless

OK...back to the topic - some features/actions of OSArmor are to controll and block suspicious/danger activity with connection to system processes and services - I mean svchost.exe. It's possible thtat OSA is listening ports to filter in-/outbound connections. On my Vista Bussines I've used 4 tools to register some internet activity of OSA - NVT Connection Viewer, Process Hacker, System Explorer, Anvir Task Manager and additionaly I've checked log file in my FW (SpyShelter) - I didn't find such activity of OSArmorDevSvc.exe (it was on Vista).
I noticed only one access to the internet but it was using Firefox (opening NVT page just after installing of OSA) so we can omit such action.

 

Exactly, the only thing that will pop are the blocks and then you can whitelist them on the fly (a window will open).

thank you

And for the sake of it, i just reinstalled OSA v1.4.2, still no FW alerts (im on win10 Enterprise, using Windows Firewall with Binisoft WFC for outbound alerts), and no OSA's processes listening or connecting (checked with TCPview and NVT Connection Viewer).

I cant disable the damn Windows' Core Isolation so i cant test it with Spyshelter FW...

 

Disable Virtualization in your BIOS/UEFI.

 

i dont have the option...basic BIOS on a laptop... but thanks for the tip.

 

Why are you on enterprise?

 

for the built-in security: GP, SRP, Applocker, device Guard, etc...
and im bored with Home lol, i have to test stuff to be happy

 

I have read and thanks.
Have switch back and forward from one firewall to another (trying to find the right one).
Used ZoneAlarmPro, WFC, WFC10, and none of them have produced an alert with OSA, or anything mention in the logs.

By the way guest is well informed.

 

RanSim is probably a pretty cool test. I've got OSarmor on this machine, so thought I'd give it a try. I forgot I had Comodo Firewall (CS settings). Comodo immediately contained all in the sandbox and nothing can run. Guess that says Comodo at least is on the job.

 

Curiosity can be a first step toward learning. IMO, there is no overwhelming risk in venturing into security's "dark waters." Why? Because Imaging Software can cure just about any software ailment.

I image daily to a separate drive. I retain image files for a very long time -- huge storage capacity is dirt cheap nowadays. So, if I get infected (or have to replace a hard drive, or whatever), I simply install a clean image and Poof! -- the sun shines brightly again.

Imaging is a VERY powerful security device that enables me to run only only 2 real-time security apps (OSA & FW) for *prevention* of infections. Instead, I have several on-demand security apps (such as a file integrity checker, Hitman, & EEK) for *detection* of infections. Thus, my somewhat outdated computers are quite peppy for their age & my rare infections are quickly remedied.

 

So true.

 

Thank you, ichito, for your involvement in clarification of OSArmorDevSvc.exe behavior. What you have discovered, while you were monitoring OSArmor, is useful for all of us.

Some time ago, when I had installed Emsisoft Online Armor, on one of my systems, this Firewall always warned me about programs trying to suspiciously use svchost.exe (usually, immediately after installation). But Online Armor was a Firewall. Even if NVT OSArmor has a broad spectrum of defensive actions, it is not a Firewall. OSArmor should work even on PCs without LAN-Internet access.

As I said in my first post, a certain component of OSArmor [v. 1.4.2] is asking my Firewall to open Port #53, in order to connect to my DNS, using UDP protocol.

If the author of OSArmor will not give us the required explanations about his program, I will make my own research.-


P. S.: in the case of people, truth is often the fruit of the dispute, not of the concord. I do not question anyone's merits.

 

Give him time.

+1

 

Hello, Belgamin!

I confess that I like your "anti-Malware arsenal". It is well chosen.

Indeed, it's a great idea to use Disk Imaging Software. Instead of spending time managing complex computer backups, disk imaging allows you to quickly and easily make a perfect copy of your computer’s hard drive.

Every HDD eventually fails. When that happens, your valuable data is only as safe as your current backup.

But, before creating an image of your HDD, you need to be as surely as possible that your system is "clean".

Your option for EEK is an inspired one. From what I heard, the Austrian company Emsi Software GmbH has a very good reputation in terms of respecting consumer privacy.

Unfortunately, Emsisoft Emergency Kit no longer runs on Windows XP. That is why I proposed the scanner offered by Kaspersky.

An observation: EEK needs to periodically update its database. Depending on location and the moment of the day, the update process takes around five minutes. Of course, the operation requires you to allow EEK to connect to the Internet.

KVRT.exe can be downloaded, from Softpedia, in less than one minute (if you have a wide-band Internet connection). KVRT is "already updated"; it is always "the latest version"; it contains the latest Malware definitions. Using your Firewall, you can block kvrt.exe to access the Internet. Thus, opting for Kasperky, you will be even safer; especially if you start having some "doubts" about Emsisoft's integrity; or their capacity to guard, against hacker attacks, the data collected from their clients; such as: Services Metadata, Log data, Device information, Location information, a.s.o.

The fundamental question is: who has the most comprehensive collection of "Malware" samples?: Emsisoft, or Kaspersky? Which scanner will detect most computer threats on your system? I do not know the answer. (Maybe... Avira?)


Next week I will allow OSArmor to connect to the Internet. I'll track where the program connects. And I'll post what I've found. Let's hope that OSArmor does not ex-filtrate "sensitive" data.


I notice that the author of OSArmor prefers "epistolary silence". He avoids answering the questions I have asked him. No answer is an answer. Maybe he's on vacation. Besides, he is not obliged to answer. OSArmor is a free program. Technical support is optional.-

 

He is often busy, dozen of project at same time; you will get an answer when he will log in Wilders, as you can see in his previous posts, he replies to all inquiries at same time on one post.
Stop being paranoid, even if OSA would connect? so what are you afraid of? Data leaks, then don't use Windows.

And to be honest, i wont trust much obsolete firewalls on obsolete OS, but that is just me.