NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Oh, OK, and you know, I seem to remember this little issue coming up before somewhere. Maybe I should've searched first. OK, thanks for the info, stapp and novirusthanks. :)
     
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We've released OSArmor v1.6.8:
    https://www.osarmor.com/download/

    Here is the changelog:

    Code:
    + Fixed all reported false positives
    + Fixed some false positives on Windows Server 2016
    + Added more signers to Trusted Vendors list
    + Added Block execution of any process related to Python
    + Added Block any process related to Jernej Simončič (wget & netcat signed)
    + Added Block execution of wget.exe
    + Include process and parent process file size in blocked-process events
    + Improved monitoring of processes with large file size (e.g. 50+ MB)
    + Improved internal rules to block suspicious behaviors
    + Improved detection of malformed/obfuscated command-lines
    + Improved installer and uninstaller scripts
    + Minor improvements
    
    If you find false positives or issues please let me know.

    @plat1098

    The issue you reported was new, thanks for reporting it :)

    Should be fixed on this new version.

    // Everyone

    If you are running the test builds please update to this final version.
     
  3. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    OK, then. I reinstalled the BCU and although it's now showing https for NVT OSA, the highlight color is still saying "unverified."

    I have an acct. at GitHub but am unsure whether this would rise to the occasion of notifying the developer "Klocman" about it. Anyone with advice? Surely this change-over happens now and then so I'll see in a few days maybe.

    2osacert.png
     
  4. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    1. When OSA pops up an alert, it provides VERY little information. I use the example of an update of the Kaspersky Virus Removal Tool (KVRT). When KVRT updates, it puts a temporary file in the Registry startup. OSA pops up an alert because a command is issued to change Registry's startup content. In the KVRT example, the OSA pop-up alert showed only the following information:

    Suspicious Process Blocked
    C:\Windows\System32\reg.exe
    Block reg.exe from hijacking Registry startup en

    2. The only two options offered by OSA's pop-ups are "Exclude" & "Open Logs". If you choose "Exclude," you are presented with a format like the following:
    Exclude Processes.gif

    3. On the Exclude Processes format shown above, notice that:
    => The full command line cannot be seen because there is no word wrap.
    => Despite the lack of word wrap, this format does not offer a full-screen option.
    => Nowhere does the format give any indication of the executable that issued the command line. It can be "figured out" by the user, but there is no obvious disclosure by OSA to assist the user in doing that.

    4. As for the Open Logs option, it produces a format like the following:
    Open.Log.gif

    5. On the Open Logs information shown above, notice that:
    =>There is still no readily seen identification of the "calling" app -- namely Kaspersky's KVRT. (IMO, awareness of the "calling" app for a command line is an important piece of information for determining whether to Exclude it or not.)
    =>The log offers very little information that is not on the Exclude Process format.
    =>OSA has chosen to give the user unformatted, plain text data using Microsoft's simplex Notepad -- IMO, that log is not a user-friendly tool.

    6. I feel that OSA, as a paid, mature security app, should provide clear & informative alerts so as to enable users to make good Exclude/Block decisions. Concerning this, I call attention to the alert popped-up by "Another App" (a freebie, by the way), for the same exact KVRT action as was shown for OSA:
    Another.App.gif

    7. On the above alert by Another App, please notice the extensive information & options provided to the user to assist in making an Allow/Block decision:
    => The top line & third line of the alert clearly identify it as coming from Kaspersky, & also give the exact KVRT executable that did the "calling."
    => Notice that word wrap is used throughout so that the content of all entries is fully visible.
    => Three options are offered: Allow, Block, Terminate -- with a check block for one-time or permanent (as "Remember"). The drop down menu at the bottom offers several options for the user's selection as to the exact items to be allowed or blocked.

    8. I request that OSA's alerts be upgraded to show more information and provide better quality formats & options to enable users to make and enter decisions.
     
    Last edited: Feb 15, 2022
  5. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    When I tried to run Kaspersky's KVRT I got a popup that I had to exclude every time I ran it. I tried to pin it to the sys tray but could not do it.
     
    Last edited: Feb 15, 2022
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    That occurs because KVRT changes the name of its temporary startup file each time that KVRT updates.

    If OSA had an "Exclude Once" option, it wouldn't make me load up the Exclude list with dead KVRT command lines. As it stands now, I just stop OSA's protection while I update KVRT. It's a bit risky to do that. However, since I don't want to keep cleaning out deadwood from the Exclude list, OSA's present alert process forces *some* sort of work-around.
     
  7. majorpain

    majorpain Registered Member

    Joined:
    Jul 22, 2016
    Posts:
    40
    Location:
    tennessee
  8. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
    Many people use OSArmor as a supplement to an AV, as a secondary level of protection; it's another program from the novirusthanks gang.

    https://www.osarmor.com/
     
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @majorpain -- Neither OSArmor, nor the app that your post links to, is an "antivirus" in the usual sense of how that word is used here at Wilders.

    As used here, an "antivirus" (AV) is a security app that runs real-time within your computer. Each time you download a new file, or use an existing file on your computer, the AV will check it so as to alert you to any file that can possibly cause an infection.

    If you are running Windows 10 or Windows 11 on your computer, you already have an AV installed. Its name is Windows Defender. If you are unfamiliar with Windows Defender, I suggest you visit THIS Wilders forum & start a new topic titled something like "I need help using Windows Defender" -- I'm sure that you will get lots of friendly suggestions.

    However, if you are using an Operating System OTHER than Windows 10 or 11, please post that fact here so that we can steer you to the right place for help.
     
  10. Chaoskong

    Chaoskong Registered Member

    Joined:
    Mar 1, 2022
    Posts:
    2
    Location:
    Brazil
    I'm a new user here.
    Sorry if this is a noob question, but I'm not tech savvy.

    I'm looking forward to a free (yet good) configuration for my computer.
    I am actually using OSArmor free version, which is now 3 years old (not updated).

    The user bellgamin advertised a FREE alternative solution to PAID OSArmor. Yet he didn't mention the name. :doubt:

    I would be glad if someone could tell me which is this application, and if it actually can be a GOOD and FREE alternative to OSArmor. :rolleyes:

    I tried to reach the user, but I believe I'm blocked to some functions like PM.
     
  11. waking

    waking Registered Member

    Joined:
    Jan 25, 2016
    Posts:
    176
    Just a footnote about the naming of the malware protection which
    is part of Windows. In short, "Windows Defender" has basically
    been renamed "Microsoft Defender" and that may be how it appears
    in the Win settings dialogs. The renaming has metamorphosed over
    several Win releases, so exactly what name a user may see
    depends to some extent on the version of Windows installed.

    See:

    Microsoft Defender
    https://en.wikipedia.org/wiki/Microsoft_Defender


    Especially:

    Name changes
    https://en.wikipedia.org/wiki/Microsoft_Defender#Name_changes
     
  12. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @Chaoskong -- Since you already are using the old/free version of OSArmor (OSA), you might want to upgrade to the current/paid version. It is much more powerful than the old version. Get a free 30-day trial HERE. If you later decide to use the current version, it only costs $19.99/year. OSA is a VERY powerful adjunct to any AntiVirus (AV). AVs guard your computer's "front door" so as to block bad guys and only admit nice guys. OSA is a Rottweiler that lunches on anything that gets in through a "back door" or sneaks past the AV guarding the front door.

    By the way, the producers of OSA have acknowledged the need to expand the info provided by OSA's alerts & they are working on fixing that.

    I took pains NOT to promote any other security app here. That's why I never mentioned its name. I am a long-time user and fan of OSA. However, I also use some other fine security apps. I suggest you visit THIS Wilders forum and ask the friendly folks there for help. That forum is dedicated to the "another app" that I mentioned in my prior posts here. Umm... it's a freebie, by the way. :)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    P.S. In your post #4035 you wrote, "I tried to reach the user, but I believe I'm blocked to some functions like PM." Inter-personal contacts within this forum are not called PM (Personal Messages). They are called "Conversations". Go to the top line of any forum page and click on your own user name. That will get you a drop-down menu. In right-side column, 2nd item down, you will see the word "Conversation". Click on that and you can start a conversation with any Wilders member. A VERY small minority of members do not accept conversations. I am not one of those few.

    Oh -- if for some weird reason "Conversation" is blocked for you, you need to report it to a forum Moderator. One way to do that is to go to one of your own posts. At the very bottom of your post, on left side, there is a "Report" button. Click that & you get a box where you can write about a problem. Write something like this: "Moderator: I am new here and it seems I am blocked from starting any conversation. Please help."

    Hang in there, companheiro, and WELCOME aboard Wilders! :thumb::thumb::thumb:
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    I think you need a minimum number of posts before you can send PMs / Conversations.
     
  14. Chaoskong

    Chaoskong Registered Member

    Joined:
    Mar 1, 2022
    Posts:
    2
    Location:
    Brazil
    Thanks @bellgamin for your kind answer! My post was meant to be a separate thread, but it seems a moderator decided to merge it with the current discussion.
    Even if OSArmor isn't really expensive (and of course its devs should be paid for their job), I like to try free alternatives. If all software we daily use had to be paid it would be hard to keep up. Especially for home users.

    I think @Krusty has a point on why I couldn't start a conversation.

    Thanks for help! :thumb:
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 1 for OSArmor Personal v1.6.9:

    Code:
    https://downloads.osarmor.com/osa-personal-1-6-9-setup-pre1.exe
    
    This is the changelog so far:

    Code:
    + Fixed all reported false positives
    + Added new internal rules to block suspicious behaviors
    + Improved the pre-filled text of exclusion rule when button "Exclude" is clicked
    + Updated NVT License Manager with latest version
    + Added more signers to Trusted Vendors list
    + Minor improvements
    
    Please let me know if you find issues or FPs.

    Thanks guys!
     
  16. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Yes, the License Manager was flagged by HitmanPro scanner. Requested the engineers to have a look in the HitmanPro thread.

    hmpm scan.PNG

    Edit: Monday, March 21st: it seems this false positive was taken care of earlier this morning. All clear. :thumb:
     
    Last edited: Mar 21, 2022
  17. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Got it. Runs great -- fair winds and a following sea! BUT - I have nothing to trigger an alert so I can see the revised "Exclude" pop-up. :oops:

    ==>REQUEST: If anyone gets an "Exclude" pop-up alert, please post a screen shot.
     
    Last edited: Mar 20, 2022
  18. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    Are there any valid discounts right now? I stupidly let my license expire.
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 2 for OSArmor Personal v1.6.9:

    Code:
    https://downloads.osarmor.com/osa-personal-1-6-9-setup-pre2.exe
    
    I updated the notification window when a process is blocked, here is a screenshot:

    osa-new-alert-window.png


    Please let me know if you find issues or FPs.

    @plat1098

    Thanks for reporting that, hope the FP will be fixed soon.

    @bellgamin

    Now you can see also the parent process of the blocked process on the "process blocked" notification window.

    Have not yet updated the Exclusion Helper GUI, will see if I can make it simpler.

    @n8chavez

    Replied on PM.
     
  20. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    I'm going to repeat a request I made a long time ago: can we please get a dark theme? If users have a dark Windows theme OSA looks even worse than it used to. For whatever reason, OSA seems to have doubled down on the bright white in its UI evolution and it makes it very literally unreadable when using a dark theme. OSA is a great product but it's not free, and because of that NoVirusThanks can take some criticism. Give us a dark theme for OSA. As good as it is, if users cannot read it to use it effectively, what's the point without that?

    OSA.png
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    I wouldn't mind a dark theme if possible. :thumb:
     
  22. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,720
    Location:
    USA
    Another dark theme fan here.
     
  23. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Hmm, I could go along with that. Even though I don't have the UI open hardly at all, it would be more interesting to have a choice.
     
  24. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    For me, it's not just the main UI. The exclusion popup is also hard to read, even on 1.6.9 pre test2. If I can't read what it says I'm afraid of allowing something I shouldn't.
     
  25. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @novirusthanks -- That is a MUCH improved notification! However, an additional improvement is needed -- namely, the "Reason" entry on the notification needs to be much more explanatory.

    In the screenshot example that you provided, the "Reason" entry merely states "Protect Office applications with anti-exploit module." That doesn't sound like an actual "reason" for blocking. Instead, it merely sounds like the name of the Rule that caused the block -- not very helpful at all.

    In the example notification that you provided, I believe a more helpful REASON for blocking the example's mshta.exe would be something like this: "mshta.exe is a Windows process that has been used or faked by malware in order to execute malicious code on a user's computer."

    REQUEST: I request that the notification window's "Reason" for blocking be improved so as to be of increased value for user decisions.
     
    Last edited: Mar 21, 2022