NoVirusThanks OSArmor: An Additional Layer of Defense

As a super qualified professional developer (rare breed), where dependable and dare say some super reliable security programs are so thoughtfully well designed (which long now rest comfortably within billions of PC user's machines), I wouldn't take much exception that your efforts haven't been above board & incredibly appreciated for the absolute unfailing support you and your team have so generously added to each release-upgrade etc.

Thank You

 

@Wolfram in regards to security issues you should be concerned about, the first priority would be to get some decent AV software.

In regards to the hxxps://imx.to screen shot links you posted in reply #2412, I clicked on:

1. hxxps://imx.to/i/1yizxj which Eset immediately detected a redirect to hxxps://afeuvqrsswz.com and blocked it.

2. I then proceeded to click on hxxps://imx.to/i/1yj02x and Eset again detected a redirect to hxxps://afeuvqrsswz.com and blocked it. At this point I should have exited the web site. Instead I clicked on the Continue link shown and was immediately greeted with a locked browser flashing screen with a siren blaring and a voice telling me my PC was infected. Well, I recovered from that without incident.

So you need to immediately delink all postings with hxxps://imx.to in them and find a different upload site.

 

@ wolfram -- constructive criticism is 1 thing, but your long-winded comments have gone far beyond being helpful. Your latest comments border on harassment, & are almost becoming troll-like.

 

I am sorry, but on my Windows XP system I do not use ANY [active] Antivirus software. I have other means of protection. I do not intend to install on it a AV program.

In what concerns the links, you are the only person who complained about "redirection". If someone else will tell me the same thing, then I will post the pictures on another image hosting website. Till then, please copy and paste the problematic links on a proxy server of your choice. I hope this solution will help you to see the images, without being hindered by ESET.

 

Yes. 13 imx links work okay with my content blocker. Sans content blocker. OMG. Scared the poop out of me.
Sandbox'd... so okay....albeit, need new shorts.

 

Hi, Peter2150!

Here is what I said in my post #2412 (I quote myself):

"I consider that we have a mutual understanding between gentlemen. If you gave your word that OSArmor does not do "espionage", for me it is enough."

Are these the words of a man "who do not trust" Mr. Andreas?

 

Ha Ha. I tried a different link of his out of curiosity. ESET popped up with a warning, but not before I found myself looking at some very explicit porn!

 

Yes, porn + with my speakers at 100 ... "malware alert" was a jolt.

 

As far as the ChinaNet baloney goes, it is located in the U.S.

CHINA TELECOM (AMERICAS) CORPORATION - more info here: https://www.ctamericas.com/

https://rdpguard.com/free-whois.aspx?ip=104.192.109.105

My guess is its an Internet backbone provider as are many others. I know I have personally seen its IP address range show up in other Internet traffic and I don't use OSArmor.

 

@itman all this is just basic paranoia, all based from datas delivered by a 3rd party home user firewall on an obsolete OS.
If i was you, I won't waste much time dissecting the subject.

At least if the datas came from a corporate-level firewall/UTM on a modern OS, it would maybe trigger my curiosity...

 

Thank you for taking the time and effort in writing this reply.

Despite the fact that I was categorized as "paranoid", by some of the good people who post here, I, in my turn, I did not accuse them of being "careless", or "overly confident". Let's say that I am not a "superficial" guy.

I do not like when someone, instead of offering proofs that he is right, and has nothing to hide, advises me "to not use the software, if I do not trust the developer".

I also do not like when others try to speak in your name. As if they were lawyers, or expert programmers, not only "sympathizers".

Its is not ME the one who accuses here. On the contrary, I try to preserve your reputation. But you are not willing to help me. You are deliberately avoiding to provide punctual answers to my legitimate questions.

Filseclab is "accusing" OSArmor / NVT !
FortKnox is "accusing" OSArmor / NVT !
Hybris-Analysis is "accusing" OSArmor / NVT !

I just made you aware of the accusations / anomalies. Why do you shoot in the courier? I am just a simple messenger.

If OPSWAT-Filseclab "accused" OSArmor, and they gave some sort of evidence, then you should present counter-evidence [to them, primarily]. Telling me to "shut-up", will not stop OPSWAT and H-A to "shout" against OSArmor.

OSArmor is a free program. I did not know that you offer technical assistance for your free programs. You should clearly state this on your website. Now I know.

But there are many things that I do not know - about the [main] developer of OSArmor. For example, I do not know if he works as an independent software developer. And his work is then taken by NVT S.r.l., and slightly modified; "adapted" to certain, unknown, commercial purposes.

I quote you: "We developed them, ask us if you have questions, simple."

I asked NVT many questions. Not directly, but on this forum. For example:

- I wanted to know why OSArmor is not using certain components of Windows to check the Digital Signatures of the installed programs. I received no answer.
- I asked the developer how often these checks are made, by default. But, again, I received no answer.
- I asked the developer where is supposed to connect, OSArmor, in order to verify a program. But I received no answer.

Instead, it has been suggested that "I harass" the developer.
How am I doing this?: Am I threatening him? Am I following him, on the streets, in Perugia? Am I bombarding him with countless messages on Facebook, Twitter, and NVT's contact form? I defamed him, I accused him of incompetence, I offended him? Was I rude, uncivilized, impolite?

Is this a free discussion Forum, or a Forum where only "the politically correct" opinions are allowed?

For me, wilderssecurity is a place where you can ask questions. And this is EXACTLY what I have done, till now.

NVT has no obligation to answer; even when faced with constructive criticism. But when it does reply, I expect it to do it only after a mature thought. Not at a few hours after I made the last post. Why so much haste?

I was expecting you to contact OPSWAT-Filseclab, first. And then to talk to the guys from Hybrid-Analysis. Instead, you presented us only your soothing point of view. Their opinion does not matter at all?

In any case, if NVT does not consider necessary to respond to the classification given, to OSArmor, by a particular *obscure* AV program producer, it's fine. This does not affect me at all. I have absolutely nothing to lose.

What Filseclab "said", about OSArmor, means NOTHING to me, in the absence of any valid evidence.
But, also, your attitude of bantering OPSWAT-Filseclab, means nothing to me, as long as no one can do a program audit.

It is "a false positive"? Very well: then let THEM tell us that they were wrong. Force them to publicly acknowledge their error.

Its is something between NVT and OPSWAT, not something between NVT and Wolfram.
My position is neutral. I do not hold the part of any company.
If it were not a demonetized term, I would say I stand on the side of the truth.
Unfortunately, most of the time, people prefer to hear "warm stories", instead of the cold drizzle of reality.

Indeed ReversingLabs does not work for free. But, when it comes to your reputation...
As you well know, there are audit programs which offer free trials, or even free versions; like ADAudit Plus, for example.


One last question: if you are offering OSArmor for free, if you do not get any profit from the program, and if you claim that OSArmor is "perfectly clean" - and I never stated it isn't! -, then why aren't you making it Open Source?

 

@Wolfram the problem is that only you see it.
Install a modern OS, use another firewall, tell us if you can replicate your findings.

Until then, people won't take you seriously and will consider you more a paranoid basher than anything else.

 

Honestly, this is getting downright ridiculous.

One of 40 scanners on OPSWAT named Filsclab which I never heard of before detected Adware.CsdiMonetize.AI.twym.

Per Fortinet:

https://fortiguard.com/encyclopedia/virus/6988664

OK - anyone getting ads displayed by OSArmor? Its a false positive. End of discussion.

 

Check their website, "super-sandbox", "Anti-BSOD". Loooool.

And we should take them seriously?

 

Yeah, constantly. Oh wait, I mean no never.

FWIW there is no firewall rule for OSA on my machines running Norton.

 

Filesclab/Twister has major issues with false positives. Years ago it was a very good antivirus and recommended here, but those days are long gone.

 

guest, please, do not take it like a challenge: it is something I do not understand. Maybe you can enlighten me.

In your post, #2384, you wrote this:

"[Circuit said: Never had a outbound request by OSA.]
guest said: Same here. Never had one since the first beta."

The author of OSArmor told us that his program connects to the Internet; because it has to verify the Digital Signatures of the running programs.

Win 10's Firewall detects nothing: no OSArmor connection.
Win XP's [installed] Firewall correctly detects OSArmor's connection attempts to the Internet.
NVT's developer stated that OSArmor has to connect to the Internet.

Considering only the above facts, why should I follow your advice to install "a modern OS"?
At least in one respect, Win XP proved superior to Win 10. I see no reason to replace it. Anyway, not with a Smartphone-type OS.
And if Mr Andreas admitted that OSArmor wants online, why should I install another Firewall?: to confirm me what the developer already told us?!


If I am not wrong, in the newer versions of Windows, Win API is quite similar (up to a point) with Win API of the older versions. Changing the OS (and the Firewall) will not change the behavior of OSArmor.


Since 2008 I decided to follow The Leader: IBM Corporation. I switched to Linux.

I still use a system with Windows XP, on it, for various reasons: software tests, certain [old] accounting programs, a set of special scanners and printers - which have no drivers for Win 7-10 -, old (and captivating) DOS games; and, mainly, to be able to help other people who still use Windows XP. Besides, this OS is still supported: for Windows Embedded POSReady 2009, Extended support will end on April 9, 2019. Microsoft ditto.

You have NO IDEA how many people are still using Windows XP, in Eastern Europe; and in China. I have always refrained from proselytizing: I never advised others to replace Windows with Linux, or FreeBSD.

OSArmor is compatible with Windows XP. It is NVT's duty to make "tests", on their systems, in order to replicate the issues I encountered.

Otherwise, no one can prevent you (and others), to boycott Windows XP. I do not mind if you propose, to Mr. Andreas, something like this:
"Starting with OSArmor v. 1.5, the program will not run on Windows XP systems."

One of the effects will be that I will no longer have reasons to post comments on this forum.

Please tell us what you you think about my proposal. Let's initiate a voting procedure. Who is "for", and who is "against".

 

When I click on the links I posted, I see no "explicit content", whatever. Nothing. Nada. Niente. I will not ask you "proofs" under the form of screen-captures. The discussion has already degenerated. Like many other photo sharing websites, IMX is universal. People are allowed store on it all kind of photos. If you don't like what you see, by accident, on some pop-up web-page, you can simply close it. Or, instead of complaining, you might replace your Adblocker. Or disable your web-page rating mechanism. Or use a Parental Filter, if you are under the age of 18.

I can no longer edit my initial post, available here: https://www.wilderssecurity.com/thr...-layer-of-defense.398859/page-97#post-2807007

So, for all those who had problems with IMX, I decided to re-upload the images - on Free Image Host.

Here are the new links:

01. https://freeimage.host/i/1-osarmor-service-requests-internet-access.qDgYG
02. https://freeimage.host/i/2-osarmor-allowed-connect-internet.qDrvf
03. https://freeimage.host/i/3-osarmor-connects-internet-between-223038-and-223052.qD4p4
04. https://freeimage.host/i/4-first-destination.qDPTl
05. https://freeimage.host/i/5-first-destination-detalied-record.qDij2
06. https://freeimage.host/i/6-second-destination.qDQC7
07. https://freeimage.host/i/7-third-connection-established.qDZG9
08. https://freeimage.host/i/8-third-connection-identified-1.qDt4e
09. https://freeimage.host/i/9-third-connection-identified-2.qDb3u
10. https://freeimage.host/i/10-subsequent-internet-traffic.qDmYb
11. https://freeimage.host/i/11-new-connection-right-after-i-started-palemoon-web-browser.qDpvj
12. https://freeimage.host/i/12-identification-ip-made-arin.qDyyx
13. https://freeimage.host/i/13-very-talkative-osa.qbHTQ


I hope that now the discussion will move from "gossip" to the content of the photos I uploaded.-

 

i thought you knew that WinXP firewall is trash in term of security, reason why you use a 3rd party one.

because i have more trust on serious corporate firewall/UTM like Symantec EP or Sophos than the one you are using. (also see my quote at the end.)

nothing to do with the actual discussion, i use Linux too so what?

Good for you. I won't, i prefer ditch obsolete and vulnerable softs/OS.

This version is not supposed to be used by home users. even MS doesn't recommend it. WinXP is full of vulnerability, no way i would use an OS that requires me to add tons of software just to have the bare minimum of security.

i live in south east Asia, so i know it very well, XP is part responsible of why the region is one of the most infected in the world...luckily modern computers are shipped with Win10 and people get decent security "out-of-the-box".

not a duty, i worked for a couple of well known security vendors, if only one person report it, it is not worth the time and resource spent on it, especially when the subject is something the dev can refute right away.
All you did is to blindly rely on your 3rd party FW to state something only you observed so far, it is why i told you try with another OS and Firewall, if you can reproduce this behavior then maybe people and the dev will take your observations seriously.

not saying:
- maybe your OSA process was compromised by a malware?
- maybe you are attempting to discredit NVT OSA for some reasons?

You see i can say many thing without any concrete evidences, if you know a bit about Q&A, you would know that when a behavior is observed, your first move is to reproduce it on several similar and different systems, so you have a base to prove your point.

I have no reason to propose such thing to him, he knows better on what system he will develop OSA.

 

I see things are still going strong this morning.

Today's words of wisdom. Feed a troll and he will misguide, misdirect, and monopolize the discussion to the point where truth cannot be distinguished from falsehood. Ignore the troll and he will crawl back into the hole where he came from.

 

You can not judge a company only after the looks of its website.
The question is: why OPSWAT takes them seriously?

 

Following along from the cheap seats.
I found my WFC did not have Rule for OSArmor Service.
I've added OSArmorDevSvc.exe = Allow Out

 

@guest

Ref.: your reply #2470


... The built-in Windows 10 Firewall has the additional "feature" that it allows all the Windows 10 Spyware executables, that Microsoft built into the OS, to totally bypass its own Firewall, for anytime online access, sending to the Mother-ship every bit of personal info it can hoover off your PC...

A good router - usually, not the one given to you by the ISP -, can offer a powerful layer of protection against online attacks. It uses Network Address Translation to assign each device an IP address in a range that's only visible within the local network. That alone is enough to block many direct attacks. Some routers have additional security layers built-in. Problems appear when you are on the road; because you can no longer get the benefits from the router you use in your home, or in your office. You can not carry it with you. In this case, the traveler should use a VPN, in addition to Firewall.

This is not the proper place for a discussion about Hardware Firewalls vs Software Firewalls.
For me, FortKnox + my carefully configured [quite expensive] router, means sufficient protection.

What surprised me is the fact that even with one of your favorite Firewalls, installed on your Win 10 system, you had no idea that OSArmor connects to the Internet!
I quote you once again: "Never had one [connection] since the first beta."

It seems that your Firewall allows every digitally signed *trusted* program to connect to the Internet, without informing you. (OSArmor included)

If it was not me, with my initial post, if it was not Mr. Andreas to confirm the fact that his programs connects to the Internet, then you (and many others) would have lived convinced that there is no such a "phantasmagorical" thing as "OSA silencieux online access". I think this is somehow funny, for a security vendor ex-employee.


P. S.

1. I told you about Linux because I wanted you to know that I can not install FortKnox on a Win 10 system. I do not have one. Except a Win XP system, and a Win 7 System (for my guests), all my other PCs are running Linux.
2. I do not intend to discredit OSArmor. I am using it! The only thing I don't like is that it connects to the Internet. In our days, the Digital Signatures can be counterfeited. In my vision, OSArmor should not base its protection on online checks of the installed programs. This is its main weakness. In this respect, AppGuard is superior: it never connects to the Internet to verify Digital Signatures. It doesn't have to. It works on other principles.-

 

Here's a link to the Hybrid-Analysis sandbox analysis for OSArmorDevSvc.exe performed on Win 7 x(64): https://www.hybrid-analysis.com/sam...f3e329b01015aae49fee61b2a1a?environmentId=120

Of note: