NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Yes, OSA hasn't been updated for a while, but its current block list is still valid. Also, you can Manage Exclusions and/or add Custom Block Rules to it at your discretion.
     
  2. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    Is it possible in OSA to prohibit a specific program from opening a page in a browser or launching a browser? If possible, please give an example of the rule.
     
  3. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,346
    Location:
    Italy
    You can create a rule in the registry to prevent starting specific software:

    200.JPG

    My rule prevents ProcDump.exe from starting.
    Unfortunately it does not prevent you from launching the software via prompt.
     
  4. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    Not certainly in that way. Another example: we have RegOrganizer Portable, launch it, Help -> Open Home Page. Or "renew the license" -> refuse - anyway, the page in the default browser will be forced to open.
    The goal is to prevent RegOrg from opening a page or launching a browser.
     
  5. guest

    guest Guest

    Example: We want to block a filemanager (Total Commander) from launching of Firefox:
    Code:
    Location of Firefox, for example: "c:\Program Files\Mozilla Firefox\firefox.exe"
    Location of Total Commander: "c:\Program Files\totalcmd\TOTALCMD64.EXE"
    
    If the filemanager launches Firefox, it will be the parent process (%PARENTPROCESS%) of Firefox (%PROCESS)
    
    This would block Firefox completely:
    [%PROCESS%: c:\Program Files\Mozilla Firefox\firefox.exe]
    = we need to add %PARENTPROCESS% to the rule.
    
    The final rule:
    [%PROCESS%: c:\Program Files\Mozilla Firefox\firefox.exe] [%PARENTPROCESS%: c:\Program Files\totalcmd\TOTALCMD64.EXE]
    or
    [%PROCESS%: *\firefox.exe] [%PARENTPROCESS%: c:\Program Files\totalcmd\TOTALCMD64.EXE]
    = Doubleclick on a .html file within the filemanager: TOTALCMD64.exe wants to launch Firefox.exe = Blocked
    
    More:
    I want to block "Process Y" from launching of "Process Z"
    = "Process Y" will be %PARENTPROCESS%, "Process Z" will be %PROCESS%
    
    Executables in C:\Windows\Temp\ shouldn't be allowed to launch anything located in C:\Program Files\ and subdirectories.
    =
    [%PROCESS%: C:\Program Files\*] [%PARENTPROCESS%: C:\Windows\Temp\*]
    
     
  6. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    Super and Great! Thank!
     
  7. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    OSArmor utilises built in windows features, its not heuristics based protection which is why updates dont matter.
     
  8. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    513
    Location:
    Bulgaria
    But updates are needed (if) when some rules are broken. You can bypass the problem by creating custom rules of course but it will be good to have them fixed by default. Also missing updates often means less added features and security fixes/improvements (if needed). So no, updates are not useless at all.
     
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    It would be GREAT if everyone would share their custom rules whenever such rules might have value to more than a few others.
     
  10. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    I don't have many rules. And they are fairly simple so I doubt it will interest anyone here.

    [%PROCESS%: C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe] [%PARENTPROCESS%: C:*]


    [%PROCESS%: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] [%PARENTPROCESS%: C:*]
     
    Last edited: Feb 6, 2020
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @Azure Phoenix -- Great, & thanks. I suggest you also give the purpose of each rule. I *think* your 2 rules are designed to block all (*) processes in drive C from launching browsers Brave and Edge. If so, why?
     
  12. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    There are some programs that annoyingly like to open browsers. This prevent that from happening.

    In addition, brave isn't protected by the OSarmor anti-exploit (yeah, I know this isn't a true anti-exploit.), so I wanted to make rule that could emulate such protection as close as possible.

    After testing the custom rule with Hitmanpro.alert test tool, it appeared to work really well.
     
  13. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    A) I have a puzzling *situation* with OSArmor (OSA). It's NOT a problem, for reasons I'll explain in paragraph "C" below, but it is very puzzling. Namely, the GUI of OSA on my computer now looks like this:
    ScreenHunter_01 Feb. 08 21.48.gif

    B) I tried to fix the shrunken GUI as follows:
    1) I reinstalled OSA. The GUI was normal again, until I shut the computer down & did a cold start. Then it shrunk again.
    2) I reinstalled OSA a second time & the GUI was fully normal size again. I then did a SHA-256 of each of the exe files in OSA's file folder. I shut down & did a cold start. The GUI again shrunk. So I then did a SHA-256 of all OSA's exe files. They were unchanged!!! The GUI shrunk, but the SHA 256-s were exactly the same as they were when the GUI was fully normal size.
    3) I then downloaded OSA from novirusthanks.com. The downloaded OSA has the exact same SHA-256 as the one I already had installed, but I installed the newly downloaded OSA anyhow. Result: the GUI still shrinks after a cold start.
    4) I checked every OSA file with VirusTotal, HitmanPro, SecureAPlus, & Emsisoft AV. All clean. Scans of my entire computer are also clean.

    C) It's a *mystery* and NOT a problem because OSA's tray icon will still load perfect GUIs for OSA's three main functions (1) "Open Configurator," (2) "Manage Exclusions," and "(3) Custom Block Rules". OSA itself still functions perfectly -- yes, OSA's main GUI is shrunk, but it really isn't really needed because the other 3 GUIs do the full job, & they are quite okay.

    D) I'm sure that this situation is unique to my computer so I'm posting this only in the highly unlikely possibility that someone might have a theory as to what the heck is going on. :cautious:
     
  14. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,346
    Location:
    Italy
    Reboot the PC.
    After the restart do not open the GUI immediately, wait at least 10 '
    Open and see if the view is normal.
     
  15. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,940
    Location:
    UK
    @bellgamin
    Does the same thing happen if you open the GUI from Program Files after a cold start ? (OSArmorDevUI.exe)
     
  16. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
    I see the shrunken GUI too but only on Windows 7. It happens from time to time. I have yet to see it occur on Windows XP, 8.1 or 10.
     
  17. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @Sampei Nihira -- Thanks. It didn't work.
    @stapp -- Yes. Thanks for asking.
    @loungehake -- Thanks, that's a great clue. I'm on Win7, too.

    @ all -- I just now let Kerish Doctor (KD) do its full list of 21 diagnostics. After KD did its clean-up job, OSA's GUI now loads full size. Post hoc ergo propter hoc? Anyhow, it looks like *something* got fixed -- for now? or for good? -- time will tell. :doubt:
     
  18. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
    I have run a ransomware simulation created by knowbe4 (version 2.0.0.56). The only thing which was capable of blocking the simulator was OSArmor 1.4.3 (using default settings).
     
  19. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,157
    Location:
    Canada
    Thanks, would be even more interesting to know what didn't block it.
     
  20. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    VoodooShield, EAM and Eset stop it.
     
  21. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
    I would rather not comment on that yet. One AV firm concerned says that it would treat such a simulator as a PUP and will not recognise a ransomware simulator as actual ransomware. Along with another, it is evaluating the performance of the simulator so I will wait a while because I want to be sure of my facts.
     
  22. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    The first one sounds like ESET. It's no secret that they don't consider the simulator as actual ransomware.

    https://forum.eset.com/topic/10792-ransomware-simulators-a-detailed-analysis/
     
  23. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Yes, but ESET knows the simulator in advance. The cat's out of the bag. I for one am a little relieved OSArmor reportedly blocked it. It's reassuring for one, and a "correct" detection. Anything that behaves out of the ordinary range and whitelisted (simulated or not) on one's machine should be flagged.
     
  24. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    > The cat's out of the bag
    What do you mean?

    ESET and the entire AV industry already knows about that simulator. That in itself doesn't affect the accuracy of the product.
     
  25. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    This is the detection from ESET
    Capture#12.JPG
    Not a signature detection
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.