NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Thanks, digmor crusher. I'll wait for more answers and likely will use both since there is a slight difference in when they detect trouble, or so I've read here someplace in this hundred-page thread.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    I've been running OSA + MB without issue. OSA does show a pop-up which you can use to make exclusions if required.

    No idea about "LOLbins", sorry.
     
  3. waking

    waking Registered Member

    Joined:
    Jan 25, 2016
    Posts:
    176
    "Attackers have learned to use the legitimate tools built into Windows operating
    systems for malicious purposes. Living off the land binaries, or LOLBins, are
    native Windows tools that can be used maliciously to make an attack harder to
    catch through traditional security measures. Even after they are discovered,
    stopping them remains a challenge."


    https://www.cybereason.com/blog/ado...mic-techniques-to-deliver-customized-payloads"

    For more reading do a Web search for

    malware living off the land
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks, but so far I haven't actually had to make any changes to any settings in both ERP and OSA, they don't seem to interfere. In fact, because of OSA I have now white-listed certain folders which reduces alerts from ERP. However, I have currently disabled OSA to check if Vivaldi now runs a bit more smoothly.
     
  5. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Windows 10, maybe?
    Or all versions?
     
  6. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Thank you, waking.
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    I gather you use Malwarebytes AV which now includes anti-exploit. But I don't know if what they include is identical to MBAE, which is what I want to know if I'm to use it with OSA.
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Your welcome, act8192. :rolleyes:
    Malwarebytes is not an AV. Even they will tell you that.
    The stand-alone MBAE beta is tested before it gets incorporated into MB, so the latest MBAE will be newer than what is in MB.
     
  9. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Krusty, my error. I wasn't watching what i type :(, I know MB is not AV!
    I forgot MBAE is beta for MB. It works so well for so long now I don't think about it as beta.
     
  10. waking

    waking Registered Member

    Joined:
    Jan 25, 2016
    Posts:
    176
    If you're asking if the term LOLbin applies only to Win10 then AFAIK the answer
    is "no".

    Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
    https://github.com/LOLBAS-Project/LOLBAS

    Living Off The Land Binaries and Scripts (and also Libraries)
    https://lolbas-project.github.io/

    See for example the entry for Wab.exe:

    https://lolbas-project.github.io/lolbas/Binaries/Wab/

    "OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10"
     
  11. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Beginer's questions:
    1. Please, confirm that I installed it correctly by first login in admin account instead of me. Or should I have installed under my account but RunAs admin?
    2. There are 4 windows, each has the Save button on it. It appears to me that it's a "global" save, i.e. all rules in all tabs regardless of where you selected to save rules. Correct?
    3. I see that SeaMonkey is not in the anti-exploit list. I'd like it to be watched even though MBAE watches it. How to add it? Should I? And when it shows Opera does it mean the newest or is the old v12.18 included? Firefox is included so SeaMonkey should not be too hard.
    4. I don't want to install any malware, but would love to see a block popup in action. Is there a safe test file I could use?
     
  12. guest

    guest Guest

    you did the best way possible, both were valid anyway


    yep.

    OSA anti-exploit is not real anti-exploit, it is anti-(post-)exploitation; nothing like MBAE or HMPA, who are real Anti-Exploit and protect the memory space of apps; so keep MBAE active.
    OSA's "Anti-Exploit" mechanism is more like apps in the Anti-Exploit tab can't be executed by other (malicious) processes, etc...
    Anyway the "anti-exploit" rules are hardcoded so nothing you can do nor nothing you can add.
    You may simulate it by creating Custom Block rules that prevent Seamonkey to be executed by or execute other processes but it is an hassle you may avoid.

    create a simple Custom Block rule, like block execution from a specified folder.
     
  13. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Basic user, me, but as a test example, I have the rule "block unsigned processes running with high privileges." Trying to download a trusted software from the official site like CPUID should and does result in OSA's blocking the download. Testing by ticking "block Microsoft Edge" in Advanced tab only works if Edge is disabled from running in the background, but Internet Explorer rule works without any Settings tweak. Good lesson, Krusty. :) I tried to test one time.using fake AMTSO exe but SmartScreen always responded first and I didn't want to disable it. As a local Administrator, I expect the UAC prompt when opening Configurator and I make sure the self-protection rule is enabled in Settings.

    Not to go off-topic but ERP 4.0 beta build 32 works well for me in Windows 1903. I don't use it right now as there's a little shutdown delay when it's installed. But that's purely a subjective thing.
     
  14. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    guest, many, many thanks for your super-clear answers :). I will do what you suggest to make some custom blocking rule just to learn how it's done.
    I won't fiddle with SeaMonkey. I looked through several ERP version3 logs I saved when I uninstalled it and confirmed that SeaMonkey hasn't started any programs and was always started by explorer in about a month of logs.
    I think I'm going to like this OSA.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  16. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    Is OSA being developed anymore?
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I don't know, but it's already pretty good. I haven't had any issues so far, and I combine it with EXE Radar.
     
  18. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    OSA's proponent (NVT aka Andre) is still functioning. As a behavior blocker, OSA doesn't need frequent updates. Moreover, OSA allows you to write your own Custom Block Rules so users are free to "develop" OSA on their own, as they see fit. Shazam! :thumb:
     
  19. guest

    guest Guest

    The only things updates would bring is bug fixes, the mechanism is simple and efficient and doesn't need frequent updates.
     
  20. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    I wish it had a build in updater when new versions come out.
     
  21. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    That and 'Select All' in the Configurator. Tedious to check every one; easier to deselect what affects one's system.

    Robert
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I doubt Andreas is going to do much more with it. It works beautifully and it's a free product.
     
  23. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
  24. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    237
    Is OSArmor compatible with Smart Object Blocker rules (rule sets)? When I was digging around and looking at how to configure OSArmor I noticed that it may be possible to insert (paste) a set of Smart Object Blocker rules into OSArmor.

    Phil
     
  25. guest

    guest Guest

    The syntaxes is very similar between all NVT products so it should be possible to transfer the rules, and with probably with some minor changes in the command lines.

    I tried the updated version of SOB on 1803 but it was not SUA friendly, so I recommend to stick with OSA until @novirusthanks optimize it for 1903
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.