NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Perhaps you underestimate some reptiles? ;)
     
  2. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    :)

    maybe there will be more BBs active (intelligent) or all BBs are passive dumb and will b
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Yes, you are quite correct. Computers are data processors, not actual minds. Computer "learning" in mass-market security apps is primarily based on human-coded programs that cause the computer to create databases for processing by analytic routines from the "if-then-else" family and its ilk.

    In colloquial use, "dumb" is often used to describe a very low-performing student, or someone who speaks very slowly & stammers a lot, or a person with a vacant stare and a hang-dog look, or a lawyer or plumber (etc) who did a disgustingly poor job for you.

    In other words, "dumb" is a derogatory term. When applied to a product, "dumb" implies that the product is of poor quality & unable to adequately perform the job it was designed to do.

    If you have any instance where OSA has failed to do the job it was designed to do, by all means PLEASE report it to this forum & to NVT. Otherwise, please be aware that calling ANY security app "dumb" is an appellation that can unfairly impair that app's reputation & marketability.
     
  4. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    There are already some BBs that are "active" -- that is, they use invisible-to-user rules and have algorithms to reduce FPs, make if-then-else type decisions, & reduce user alerts.

    I *think* WiseVector StopX has a built-in BB in "active" category. AFAIK, just about every "top-tier" AV does, too (MS Defender, Avast, BitDefender, Kaspersky, etc.) As I recall, ESET has an excellent HIPS-type component (first cousin to a BB) that is user-configurable but also fairly effective at default settings.
     
  5. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
    I wouldn't call this program smart. Doesn't it just react to the rules that have been pre-programmed? Isn't it just that simple?
     
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    The answer to your 2 questions, IMO, is YES.

    Let me put it this way, using WiseVector SX (WVSX) as an over-simplified example. To wit: WVSX's BB is active because it has databases & algorithms designed to minimize the need for user decisions.

    OSA is interactive because (a) OSA alerts user on suspicious behavior, and then (b) USER decides whether to allow the block or not, and then (c) OSA "learns" from those exclusions NOT to pop future alerts on that specific exception, plus (d) USER is enabled by OSA to develop his/her own BB rules, to be enforced by OSA, whereas apps like WVSX do not enable this user capability.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    =>AT ALL -- I do not know if OSA "harvests" any info about the exclusions & rules made by users, for NVT's consideration in developing future updates to OSA. Does anyone have any info on this? (BTW, I would not object if OSA did harvest this info, now or in the future. Would you?)
     
    Last edited: May 13, 2022
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    You will get backlash from some for stating OSA "learns", even though it's in quotes and we know what you mean, but as stated above OSA is certainly NOT smart, and simply reacts based on pre-programmed and enabled rules, as per a basic example:

    [image: Locky Ransomware.png]

    Of course if the action (or Behaviour) is blocked, the user is given the option to create an Exclusion rule for the specific action so it is not blocked in the future. Hopefully the end user will not create an Exclusion for Locky Ransomware :D
     
  8. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I agree. Computer apps do not learn. Apps build databases and apply "if-then-else" and similar decision coding, as illustrated by the excellent logic diagram you have included.
    ~~~~~~~~~~~~~~~~~~~~~~~
     
    Last edited: May 14, 2022
  9. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    we're not using colloquial terms, then dumb is fine, used in scientific, nobody got offended, there are a lot of weird terms in scientific literature like adversarial networks and so on, a lot of them are overly dramatic
    then propose something else in return
    passive vs active is fine by me, I can drop the dumb (although I think it makes stuff more clear)

    active BB systems reduce strain on the user by taking some of the decisions from him or at least suggesting right decisions, using some form of statistics (e.g. regression models), ml or dl
    rules can change on the fly so the system is active, machine learns from new samples

    passive are based on decisions made by the owner/creator and are based on experts' knowledge, rules and filtering lists without live implementation of statistics, ml or dl
    if they are not updated by the owner/creator they stay the same, they don't update on their own using ml or dl, hence the BB system is passive

    you could also say AI-based vs non-AI based, as if learning vs not learning, but we can make inferences by leveraging statistics without AI, AI (ml+dl) just brought it up another level

    best
     
    Last edited: May 18, 2022
  10. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Well, for me personally, regardless of the context in which you use the word "dumb"--the first reaction I would have is a negative connotation. "Dumb"--stupid, slow, not with it.

    The second impression I would get would be that the one calling things "dumb" has some sort of grudge or resentment toward the product. That's just my interpretation. "Dumb" is a negative sort of description, regardless of context. OSArmor wasn't created to be labeled "smart" or "dumb" imo. It's a process blocker, modified by the user by enabling or disabling from a menu of rules.

    It's good for my purposes. Who needs "smart" when I, the end-user, am already so brilliant? :isay::)
     
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Yuuuuuuuuuuu betcha!!! :thumb::thumb::thumb:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    I am still running OSA version 1.7 test 1. It is running fast & true with a following wind -- BUT I wonder when test 2 or the release version will be offered. I'm hoping for NVT to visit here in the near future.
     
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 10 for OSArmor Personal v1.7.0:

    Code:
    https://downloads.osarmor.com/osarmor-1-7-0-personal-setup-test10.exe
    
    This is the changelog so far:

    Let me know if you find any issues.

    This rule "Block system processes on user space" is mostly oriented to companies and blocks system processes found in user space (i.e. WerFault.exe copied to a user-writable folder and used to load a malicious wer.dll in the same folder).

    In my tests it didn't generate any alerts on legitimate behaviors, but it may depend on how you utilize the PC.

    The rule needs to be enabled manually, it is not enabled in any protection profile at the moment.

    @Buddel

    We'll start working on SysHardener this week.

    Currently SH works fine on W10 and W11, we're going to make it simpler and add new OS hardening tweaks.

    @bellgamin

    You've summarized and described OSA in a perfect way!

    @wat0114

    In your image OSA would have blocked both cases with its anti-exploit module, I already showed it in many videos, for example:
    https://www.youtube.com/watch?v=fr9YhtlFUC4
    https://www.youtube.com/watch?v=g90-lqBXNKM
     
    Last edited: May 22, 2022
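Both the rule described in this post (a system binary such as WerFault.exe started from a user-writable folder, with a malicious DLL dropped beside it) and the alert-then-exclude flow that bellgamin and wat0114 describe earlier in the thread can be sketched as a small path-based check. The block below is an added example written for this page, not OSArmor's code or NVT's rule engine; the "system space" roots, the list of system binary names, the exclusion handling and the sample events are all assumptions constructed for illustration.

```python
"""
Added example (not OSArmor's code): a toy version of the two behaviours
discussed above.
  1. Block a known system binary name when its image path lies outside
     "system space" (i.e. it was copied to a user-writable folder).
  2. Stay silent for an image path the user has excluded after a block.
The roots, the binary list and the sample events are assumptions.
"""
from pathlib import PureWindowsPath

# Assumption: these roots are treated as "system space"; anything else is user space.
SYSTEM_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

# Assumption: a handful of Windows binaries that legitimately live only under C:\Windows.
SYSTEM_BINARIES = {
    "werfault.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
    "svchost.exe", "dllhost.exe", "explorer.exe", "lsass.exe",
}


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: backslashes, case-folded, no trailing slash."""
    return path.replace("/", "\\").casefold().rstrip("\\")


def in_system_space(path: str) -> bool:
    """True when the path sits under one of SYSTEM_ROOTS (prefix match on a directory boundary)."""
    p = _norm(path)
    for root in SYSTEM_ROOTS:
        r = _norm(root)
        if p == r or p.startswith(r + "\\"):
            return True
    return False


def classify(event: dict, exclusions: frozenset = frozenset()) -> dict:
    """
    event: {"image": full path of the process image,
            "siblings": file names in the same directory (constructed for the example)}
    Returns a verdict with block=True when a system-binary name starts outside
    system space and the image path is not on the user's exclusion list.
    """
    image = event["image"]
    name = PureWindowsPath(image).name.casefold()
    verdict = {"image": image, "block": False, "reasons": []}

    if name not in SYSTEM_BINARIES or in_system_space(image):
        return verdict                      # not the pattern this rule targets

    if _norm(image) in {_norm(x) for x in exclusions}:
        verdict["reasons"].append("matched user exclusion")
        return verdict                      # the user chose to allow it: no alert

    verdict["block"] = True
    verdict["reasons"].append("system binary name running outside system space")
    # The classic side-loading layout: a DLL dropped next to the relocated binary.
    dlls = [s for s in event.get("siblings", []) if s.casefold().endswith(".dll")]
    if dlls:
        verdict["reasons"].append("DLL(s) beside it: " + ", ".join(sorted(dlls)))
    return verdict


def run(events, exclusions=frozenset()):
    """Classify every event; returns the verdicts in input order."""
    return [classify(e, frozenset(exclusions)) for e in events]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WerFault.exe", "siblings": []},
    {"image": r"C:\Users\alice\AppData\Local\Temp\WerFault.exe",
     "siblings": ["wer.dll", "WerFault.exe"]},
    {"image": r"C:\Users\alice\Downloads\report.exe", "siblings": []},
    {"image": r"C:\Program Files\Vendor\rundll32.exe", "siblings": []},
]

if __name__ == "__main__":
    for v in run(SAMPLE_EVENTS):
        print("BLOCK " if v["block"] else "allow ", v["image"], "; ".join(v["reasons"]))
    # After the user excludes the Temp copy, the same event is no longer blocked:
    v = run(SAMPLE_EVENTS, {r"C:\Users\alice\AppData\Local\Temp\WerFault.exe"})[1]
    print("after exclusion:", "BLOCK" if v["block"] else "allow", v["reasons"])
```

The check is deliberately about the path, not the signature: a WerFault.exe copied to %TEMP% still carries Microsoft's valid Authenticode signature, so a "trusted vendor" allow-list on its own would let it run, which is exactly why a location rule is needed for this pattern. The obvious limit is the name match: an attacker who renames the relocated binary sidesteps this toy rule, so a real engine would key on something sturdier than the file name.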
  13. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,951
    Thanks a lot for the new test build.:)

    This is good news indeed. Thank you very much for the info.:thumb:
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We've released OSArmor v1.7.0:
    https://www.osarmor.com/download/

    Here is the changelog:

    Code:
    + Fixed all reported false positives
    + Added Block system processes on user space
    + Added new internal rules to block suspicious behaviors
    + Added more signers to Trusted Vendors list
    + Allow to use wildcards on IgnoredNotifications.db
    + Added Copy to Clipboard popup option on Manage Ignored Notifications
    + Improved installer and uninstaller scripts
    + Minor improvements
    
    If you find false positives or issues please let me know.

    // Everyone

    If you are running the test builds please update to this final version.
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Does OSA internal updater pull 1.7.0 (final) over 1.7.0 (test build)?
     
    Last edited: May 26, 2022
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @bjm_

    No, the internal updater doesn't handle test builds, you should update manually to final v1.7.0.

    Installing over-the-top is fine.
     
  18. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,951
    Installed. Thank you.:thumb:
     
  19. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Too much for Emsisoft. It choked on scanning the exe.

    Emsisoft Anti-Malware Home - Version 2022.5
    Last update: 27/05/2022 2:12:44 AM
    Initiated by: LAPTOP-YYYYYYY\XXXXXXX
    Computer name: LAPTOP-YYYYYY
    OS version: Windows 10x64
    Scan settings:
    Scan type: Custom Scan
    Objects: C:\Users\MyName\Desktop\osarmor-personal-setup.exe
    Detect PUPs: On
    Scan archives: On
    Scan mail archives: Off
    ADS Scan: On
    Direct disk access: Off
    Scan start: 27/05/2022 2:16:31 AM
    Scanned 0
    Found 0
    Scan end: 27/05/2022 2:29:54 AM
    Scan time: 0:13:23
    *** Scan aborted by user ***
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Thank you again, Andreas!
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Auto-updated silently in the background and is running fine so far.

    Thanks @novirusthanks for the continued development. :thumb:
     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
  23. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    :thumb:
     
  25. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,951
    Cool. Thanks for the info.:thumb:
     