NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @novirusthanks -- OSArmor's license manager constantly uses cpu. AFAIK, none of my other security apps have a separate, real-time license manager using cpu.

    Is the license manager's constant use of cpu performing any function that enhances OSArmor's protective capabilities?
     
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    That's strange, it should always use 0% CPU, can you take a screenshot of Task Manager showing the CPU and memory usage?

    We separated the license manager because we can call it from all our other commercial applications (no need to build a license manager inside every application).

    Also, what is your OS?
     
  3. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Of course it helps. Thank you very, very much.
     
  4. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    ScreenHunter_02 Apr. 08 15.38.gif ScreenHunter_01 Apr. 08 15.38.gif

    @novirusthanks -- Win7 Pro is my OS. The column heads didn't quite line up with the data (2 separate screenshots used so as to avoid an over-large image). Just mentally shift the column heads a bit to the left & you've got it.
     
  5. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    40
    Location:
    New Zealand

    Attached Files:

  6. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Graphite85

    They are false positives, you can exclude them by clicking on Exclude on the alert window.

    This is an example exclusion rule that doesn't match the command-line string (since it can change frequently):

    Code:
    [%PROCESS%: C:\Windows\SysWOW64\cmd.exe] [%PARENTPROCESS%: F:\SteamLibrary\steamapps\common\3DMark\bin\x64\jre\bin\javaw.exe] [%PARENTSIGNER%: Azul Systems, Inc.]
    
    I will see if we can internally fix it on the next version.

    Thanks for reporting it.

    @bellgamin

    Generally NVTLicenseManager.exe should always use 0% of CPU, in your case it is possible it was checking the license or similar.

    Does it always use 0.11% of CPU or does it go back to 0% occasionally?
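
The exclusion rule quoted in the post above, parsed and evaluated against constructed process events, as an added example that is not part of the thread and not OSArmor's own code. The matching semantics (exact, case-insensitive comparison of each field the rule names) and the event key `CMDLINE` are assumptions; the point is which launches such a rule covers once the command line is left out.

```python
import re

# One [%FIELD%: value] group, in the syntax of the rule quoted in the post.
GROUP = re.compile(r"\[%([A-Z]+)%:\s*([^\]]*?)\s*\]")

def parse_rule(line):
    """Split a rule line into {field: value}; reject empty or repeated fields."""
    rule = {}
    for field, value in GROUP.findall(line):
        if field in rule:
            raise ValueError(f"duplicate field: {field}")
        rule[field] = value
    if not rule:
        raise ValueError("no [%FIELD%: value] groups found")
    return rule

def rule_matches(rule, event):
    """Assumed semantics: every field named in the rule must equal the event's
    value, case-insensitively; anything the rule does not name is ignored."""
    return all(event.get(f, "").casefold() == v.casefold() for f, v in rule.items())

RULE = parse_rule(
    r"[%PROCESS%: C:\Windows\SysWOW64\cmd.exe] "
    r"[%PARENTPROCESS%: F:\SteamLibrary\steamapps\common\3DMark\bin\x64\jre\bin\javaw.exe] "
    r"[%PARENTSIGNER%: Azul Systems, Inc.]"
)

# Constructed process events; "CMDLINE" is a hypothetical key the rule never names.
BASE = {
    "PROCESS": r"C:\Windows\SysWOW64\cmd.exe",
    "PARENTPROCESS": r"F:\SteamLibrary\steamapps\common\3DMark\bin\x64\jre\bin\javaw.exe",
    "PARENTSIGNER": "Azul Systems, Inc.",
    "CMDLINE": "cmd.exe /c ver",
}
EVENTS = {
    "same as alert": BASE,
    "different command line": {**BASE, "CMDLINE": "cmd.exe /c dir"},
    "lower-case paths": {**BASE, "PROCESS": BASE["PROCESS"].lower()},
    "javaw.exe copied elsewhere": {**BASE, "PARENTPROCESS": r"C:\Users\Public\javaw.exe"},
    "unsigned parent": {**BASE, "PARENTSIGNER": ""},
}

def evaluate():
    """Return {event name: True if the exclusion would apply}."""
    return {name: rule_matches(RULE, ev) for name, ev in EVENTS.items()}

if __name__ == "__main__":
    for name, excluded in evaluate().items():
        print(f"{'excluded' if excluded else 'still checked':13}  {name}")
```

Under these assumptions the exclusion covers any cmd.exe command line started by that one signed javaw.exe, while the parent path and signer fields keep it from applying to a copy of the binary elsewhere or to an unsigned parent.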
     
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I put Sysinternals Process Explorer on maximum speed update & let it run for about 15 minutes. Every time I glanced at it, & watched each time for 30 seconds or so, NVT License Manager was steadily using 0.11% to 0.13% of cpu. It might sometimes drop to 0% but it didn't do so while I was watching.

    Moreover, License Manager's cumulative cpu is still increasing. It is increasing very slowly, but it is increasing. Every other process that should be at a normal 0% IS at 0%, but not NVT License Manager. I downloaded a portable version of Process Hacker -- to use as a temporary cross-check. Process Hacker showed the same data for License Manager as did Sysinternals Process Explorer.
     
    Last edited: Apr 11, 2022
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I installed BC Uninstaller v5.1, and updated to v5.2 a few hours later.

    I was too slow to ignore the popups, that would have allowed me to exclude these two popups as follows:

     
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I *think* you meant to say that you were "slow to act on the popups" because you apparently did ignore them. :)

    By the way, I am very satisfied that OSA does "Block execution of suspicious processes" -- I wouldn't use OSA if it lacked that particular protection. Any app that can uninstall other apps is potentially a malware that wants to eliminate my computer's protection. OSA's re-designed pop-ups make it easy to do an informed "Exclude", as needed. I easily excluded the specific uninstaller I am using.

    Uhhh... I had never heard of BC Uninstaller (Bulk Crap Uninstaller) until you mentioned it. I checked on it. Looks VERY interesting so I downloaded the portable & shall give it a spin. Thanks for mentioning it. :thumb:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    @novirusthanks -- does OSA have a place to configure how long pop-up alerts will stay up, before they automatically go away?
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    You can disable the automatic closing but I can't see anywhere you can alter the duration of the pop up.

    Right click the tray icon > Open Configurator > Settings > uncheck Automatically close the notification window.

    I do that in case something is blocked while I'm away from my PC.
     
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Me, too. However, most security apps have the option to specify durations rather than just (in effect) "Too FAST!" & "Dead STOP".
     
  12. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I should have said, that I was slow to respond. Apparently, one can't control the duration of said "popups" :)

     
  13. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    Thank you for that advice. :thumb:
     
  14. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    True: variable duration cannot be controlled. However, see Krusty's post #4110 above. By the method Krusty suggested, you can make the pop-up come to a dead stop until you make it go away.
     
  15. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Hi, probably this was answered in the past but I am currently running Windows 10 on one drive and Windows 11 on a backup drive to evaluate it as it goes along.

    Today after updating 11 to build 22598.1 (Insiders beta), I find that the Dev Service no longer starts and no protection is enabled. Is the license tied to the Windows drive? If so, pls. inform so I can make alternative arrangements for my security. Thanks.

    Edit: I've installed my main drive with Windows 10 and OSArmor is running and protection is enabled for this drive. So, I presume that the License Manager had de-activated OSA for my Windows 11 drive.

    If the License Manager has determined that OSArmor is not permitted to run on another drive, it would be nice if there was some kind of notification--something like: "sorry, this drive is not registered with OSA" or something like that.
     
    Last edited: Apr 13, 2022
  16. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    If you read my reply to Krusty, you will see that I have taken his advice, and consequently I have made the change in the OSA configurator. :)
     
  17. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    40
    Location:
    New Zealand
    No problem. :)
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    @novirusthanks , there is an issue with OSA blocking of obfuscated PowerShell scripts.

    When I tested a .bat script with embedded obfuscated PowerShell code within it, OSA did generate a block alert:
    Problem is the PowerShell code ran before OSA blocked and terminated it. A command prompt window briefly appeared with text code within it before disappearing.

    The PowerShell code is benign and just performs what is stated above. Also, I run Eset so that might be a factor here but don't believe that is the cause.
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @itman

    That should be cmd.exe that executed powershell.exe (that got correctly blocked by OSA according to its rule).

    When you run a .bat script it always shows a black window that disappears within 1 or 2 seconds if there is no "pause" command.

    If you create a .bat script with this content:

    Code:
    start notepad.exe
    
    When you run it, you will see the black window of cmd.exe for a few seconds before notepad.exe window appears.

    If you add "pause" command like this:

    Code:
    start notepad.exe
    pause
    
    The black window of cmd.exe will remain visible until you press a key (any) to close it.

    All is normal, made a quick test here with a .bat script and powershell.exe was correctly blocked.
     
    Last edited: Apr 16, 2022
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I added a pause command at the end of the .bat script. Upon execution of the script, what was displayed in the command window was the source obfuscated PowerShell code prior to execution. Then PowerShell is executed by the command processor. Interesting. I didn't realize PowerShell running from a script did such behavior.
     
  21. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,102
    Location:
    Lunar module
    How can I use a custom rule to completely block Google Chrome from opening mailto links: from Chrome itself and from third-party apps?
     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 1 for OSArmor Personal v1.7.0:

    Code:
    https://downloads.osarmor.com/osarmor-1-7-0-personal-setup-test1.exe
    
    This is the changelog so far:

    Let me know if you find issues or FPs.

    @aldist

    I think it is not possible to block "mailto:" link via OSA because the web browser should not use command-line to handle the mailto link.

    Will run some tests later and if I find something will update here.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Working smooth as silk again. Thank you, Andreas!
     
  24. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    what happens if you stop re-buying the programme after subscription ends, it stops working?

    it should be you buy u get permanent license but support updates for 1 year, not that the programme stops working, then it will be fine to buy to me
     
  25. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Yes, it stops working completely. That's one of the functions of the NVT License Manager, which is a separate service from the other three OSA ones.
     