NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  2. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    40
    Location:
    New Zealand
    Does it verify digital signatures only during installation or when running installed programs as well? I have a program that has an expired certificate and NoVirus is not detecting it.

    https://www.mediafire.com/view/ksju418t2vy5175/ASRock_BETA__4.0.10_Digital_Sig.png/file
     
  3. Richard981

    Richard981 Suspended Member

    Joined:
    Aug 21, 2020
    Posts:
    14
    Location:
    Canada
    Hi, I am going to throw in a more amateur question here: I was doing a bunch of tests on my computer and disabled OSArmor, but one of the OSArmor processes still used a bit of CPU from time to time despite the program being disabled. Is this normal behavior, and why?
     
  4. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Code:
    Process: [2428]C:\Windows\System32\cmd.exe
    Process MD5 Hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
    Parent: [2592]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Rule: BlockCmdExeExecution
    Rule Name: Block execution of Windows Command Prompt (cmd.exe)
    Command Line: C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files\Malwarebytes\Anti-Malware\mbambgnativemsg.exe" chrome-extension://ihcjicgdanjaechkgeegckofjjedodee/ --parent-window=0 < \\.\pipe\LOCAL\edge.nativeMessaging.in.1f0b89407bac3856 > \\.\pipe\LOCAL\edge.nativeMessaging.out.1f0b89407bac3856
    Signer: <NULL>
    Parent Signer: Microsoft Corporation
    User/Domain: bjm/DESKTOP-DELL
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Exclusion with wildcards.
    Code:
    [%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files\Malwarebytes\Anti-Malware\mbambgnativemsg.exe" chrome-extension://*/ --parent-window=0 < \\.\pipe\LOCAL\edge.nativeMessaging.in.* > \\.\pipe\LOCAL\edge.nativeMessaging.out.*] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] [%PARENTSIGNER%: Microsoft Corporation]
    I'm thinking OSA event is related to 'Hide duplicate warnings' On in Malwarebytes Browser Guard extension. OSA is quiet without Exclusion + 'Hide duplicate warnings' Off.
    Edit:
    My Sandboxie Edge box is happier with 'Hide duplicate warnings' Off.
    I'll run 'Hide duplicate warnings' Off. Thanks anyway.
     
    Last edited: Oct 1, 2021
  5. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    40
    Location:
    New Zealand
    NoVirus Malware scanner picked up threats on my machine. Can anyone interpret these?

    Log:

    NoVirusThanks Malware Remover Free 3.1.0.0
    DB version: 594 (28.04.2011)
    Report created on 9/10/2021 at 9:18:50 pm
    Windows 10 Enterprise 6.3 64-bit


    Scan type: Quick Scan
    Time elapsed: 00:26:27
    Objects scanned: 192890
    Threats detected: 4

    Files Infected:


    Folders Infected:


    Registry Values Infected:


    Registry Keys Infected:


    System Hijacks Found:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit -> -> No action taken

    IE Hijacks Found:


    Hosts File Hijack Found:


    Traces Found:

    c:\users\m-rog-admin\appdata\local\temp\hwinfo64a_163.sys -> No action taken
    c:\users\m-rog-admin\appdata\local\temp\hwinfo64a_164.sys -> No action taken
    c:\windows\temp\cpuz152\cpuz152_x64.sys -> No action taken

    End.
     


  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Maybe update to DB version 688 (21.02.2012) and re-scan.
    As a test: Version 3.1, last updated April 30, 2011.
    NoVirusThanks Malware Remover Free 3.1.0.0
    DB version: 688 (21.02.2012)
    Report created on 10/9/2021 at 1:30:37 PM
    Windows 10 Home 6.3 64-bit
    DESKTOP-DELL - bjm
    Scan type: Quick Scan
    Time elapsed: 00:39:48
    Objects scanned: 70441
    Threats detected: 0
    End.
    -
    NoVirusThanks Malware Remover Free 3.1.0.0
    DB version: 688 (21.02.2012)
    Report created on 10/9/2021 at 2:15:22 PM
    Windows 10 Home 6.3 64-bit
    DESKTOP-DELL - bjm
    Scan type: Full Scan
    Time elapsed: 00:35:10
    Objects scanned: 77276
    Threats detected: 0
    End.
     
    Last edited: Oct 9, 2021
  7. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Scan them with VT; if there's nothing, then probably OSArmor is a FP.
     
  8. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,944
    It doesn't have anything to do with OSA. The "threats" were picked up by an NVT app that was last updated more than ten years ago.
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Exactly! In security software time that might as well be a lifetime.
     
  10. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Oh, I thought it was because you posted in the OSArmor thread. Maybe you should make a thread about that product instead.
     
  11. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    40
    Location:
    New Zealand
    For some reason I'm not receiving automatic updates to OSArmor. I discovered I'm still on 1.5.9. Is there any reason why Windows Defender Smartscreen blocks the OSArmor 1.6 installer?
     
  12. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,881
    Did you try "Run anyway" when you got the SmartScreen popup?
     
  13. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    40
    Location:
    New Zealand
    No, I wanted to find out why SmartScreen blocks it.
     
  14. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,881
    It could be a FP. Annoying when your security software blocks a legitimate program for no reason.
     
  15. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    40
    Location:
    New Zealand
    It seems that unblocking the setup.exe (right click, properties) no longer generates the SmartScreen warning.
     
  16. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    40
    Location:
    New Zealand
    Does anyone know anything more about the security blocks Windows puts on certain downloaded files like it has with OSArmor?
     


  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I believe SmartScreen is sort of like a white-list, so for whatever reason it didn't recognize OSA 1.6, perhaps something with the digital signature? But if Win Defender says the file is clean it should not be a problem. You can also scan it with VirusTotal of course.
     
  18. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    Every executable file I've ever downloaded from anywhere gets marked that way. It's only warning you that you might have no reason to trust it. I "unblock" every file I download, but use my anti-malware software's opinion to decide whether it's safe to use.

    Incidentally, the blocking flag is stored in what Windows calls an "Alternate Data Stream". All files on your computer can have more than one set of data associated with them, though the vast majority only have one. "Unblocking" removes the flag (which was added during download) from a specific ADS associated with a file. In general, legitimate use of ADSs is rare. Sometimes malware hides in ADSs: "hides" because if you examine such a file with any normal utility (text editor, image viewer etc.) you'll only see the contents of the main/primary data stream.

    Another instance when I see creation of ADS data is if I move a file out of my Dropbox folder; it gains an ADS which contains Dropbox flags, so (I guess) if I ever put it back into Dropbox maybe it can have the same flags.

    There are utilities that let you see an ADS's existence and contents, e.g. the Microsoft Sysinternals "streams.exe"; NirSoft have one (see: https://www.nirsoft.net/utils/alternate_data_streams.html ), and even "dir" can tell you which files have them if you use the "/R" switch. You can also read about them at: https://docs.microsoft.com/en-gb/archive/blogs/askcore/alternate-data-streams-in-ntfs
     
  19. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    And with "Run anyway"... no Security dialog.
    Edit: pics
     
    Last edited: Oct 16, 2021
  20. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,881
    That's funny! I've never seen OSA flagged as a FP before.
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    OSA gets blocked by Smart Screen on Win10. Something to do with the signature.
     
  22. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    40
    Location:
    New Zealand
    Thanks for explaining this. Do the blocking flags come from the Windows Attachment Manager? When we see the option to unblock a file, what security zone is this flagged under?

    https://support.microsoft.com/en-us...-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
     
  23. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    I don't know. I /do/ know that I download mainly with Firefox. If it uses Windows APIs to handle the download then maybe it also uses the Attachment Manager, but if it uses its own fetching code I doubt it would. All I know is that /executable/ files tend to be blocked. That said, that matches the description of how the AM grades files, as described in the "More Information" section of the text at that URL.

    One can programmatically remove the flag; it involves writing an empty string (ie just a string terminator) to the ADS that contains the flag. See https://stackoverflow.com/questions/15263523/batch-file-to-unblock-files-copied-from-internet
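    As an added illustration of the Zone.Identifier stream discussed in the two posts above (my own example, not code from the thread, OSArmor or NoVirusThanks), the script below reads a file's `Zone.Identifier` ADS on Windows through the `path:stream` syntax and parses the `ZoneTransfer` section that Attachment Manager and browsers write. The `ZoneId` numbering (0 Local Machine to 4 Restricted Sites) and the `ReferrerUrl`/`HostUrl` keys are the documented Windows format; the sample stream content is constructed so the parser can be exercised on any OS.

    ```python
    """Inspect the Mark-of-the-Web (Zone.Identifier) alternate data stream.

    Reading a real stream only works on Windows/NTFS; the parser is portable
    and is demonstrated on a constructed sample at the bottom.
    """
    import sys

    # URL security zone IDs as used by Attachment Manager (documented values).
    ZONE_NAMES = {
        0: "Local Machine",
        1: "Local Intranet",
        2: "Trusted Sites",
        3: "Internet",
        4: "Restricted Sites",
    }


    def parse_zone_identifier(text):
        """Parse the INI-style body of a Zone.Identifier stream.

        Only keys inside the [ZoneTransfer] section count; anything else is ignored.
        """
        fields, section = {}, None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(";"):
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "ZoneTransfer" and "=" in line:
                key, _, value = line.partition("=")
                fields[key.strip()] = value.strip()
        zone = fields.get("ZoneId")
        zone_id = int(zone) if zone is not None and zone.isdigit() else None
        return {
            "zone_id": zone_id,
            "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
            "referrer": fields.get("ReferrerUrl"),
            "host": fields.get("HostUrl"),
        }


    def read_zone_identifier(path):
        """Return the parsed ADS for <path>, or None if it is absent (or not on Windows)."""
        if sys.platform != "win32":
            return None
        try:
            with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
                return parse_zone_identifier(f.read())
        except OSError:
            return None  # no stream: never marked, or already unblocked


    # Constructed sample (hypothetical host) of what a browser writes for an Internet download.
    SAMPLE = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/dl\r\nHostUrl=https://example.invalid/setup.exe\r\n"

    if __name__ == "__main__":
        print(read_zone_identifier(sys.argv[1]) if len(sys.argv) > 1 else parse_zone_identifier(SAMPLE))
    ```

    Run with a downloaded file as the argument on Windows to see which zone it was flagged under; a `None` result means the stream is gone, which is exactly what "Unblock" produces.
    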
     
  24. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I get high CPU in the OSArmor service on a standard user account. No problem with an admin account.
     
  25. Richard981

    Richard981 Suspended Member

    Joined:
    Aug 21, 2020
    Posts:
    14
    Location:
    Canada
    Do you mean generally around the clock? I don't seem to have the same problem myself with a standard user account.
     