NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 6 version of OSArmor PERSONAL v1.7.8:

    Code:
    https://downloads.osarmor.com/osarmor-personal-1-7-8-setup-test6.exe
    
    You can install it "over-the-top" of the installed version, reboot is not needed.

    Let me know if you find issues or FPs.

    This is the changelog so far:

    Some details:

    - The option "Block processes executed from Microsoft Virtual DVD-ROM":

Will block any process started from an ISO/IMG mounted as a virtual drive; it is auto-enabled on Extreme protection.

    test1.png

    - The option "Automatically delete ANY file on Startup folder of ANY user"

    Will automatically delete any file located in the StartUp folder of ANY user, e.g:

    Code:
    C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    
    * This is a sort of "system hardening" rule and doesn't involve blocking of processes.

    - The option "Protect original Registry Startup folder locations"

    Will protect Registry locations of StartUp folder, e.g:

    Code:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
    
    * This is a sort of "system hardening" rule and doesn't involve blocking of processes.

With the above two additional protection options we wanted to provide a simple way to protect the Windows StartUp folder. So for example, if a maldoc or an application drops a file in the user StartUp folder, it is automatically deleted. We wanted to specifically provide these options to keep the StartUp folder "clean" and empty.

    @bellgamin

    Yes I confirm that any license (with or without a coupon code) takes effect when it is purchased.

    A license is valid for 1 year from the date of purchase.
     
    Last edited: Aug 9, 2022
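As an added example (not OSArmor's own code), here is a read-only PowerShell audit of the two locations those options cover: it lists any file sitting in each user's Startup folder (plus the all-users one) and flags a per-user "Startup" shell-folder registry value that no longer points at the default path. The default path and the `C:\Users` profile root are assumptions based on standard Windows layout; the script only reports and deletes nothing.

```powershell
# Added audit script, not part of OSArmor. Run as an administrator so all
# profile folders and loaded user hives under HKEY_USERS are readable.
$defaultStartup = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
$relStartup     = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($User, $Kind, $Detail) {
    $findings.Add([pscustomobject]@{ User = $User; Finding = $Kind; Detail = $Detail })
}

# 1. Per-user Startup folders (the location the "delete ANY file" rule keeps empty).
foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $startup = Join-Path $profile.FullName $relStartup
    if (Test-Path -LiteralPath $startup) {
        Get-ChildItem -LiteralPath $startup -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding $profile.Name 'FileInStartup' $_.FullName }
    }
}

# 2. Common (all users) Startup folder under ProgramData.
$common = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'
Get-ChildItem -LiteralPath $common -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'AllUsers' 'FileInStartup' $_.FullName }

# 3. Registry: the "Startup" value under User Shell Folders for every loaded user hive.
#    Read it unexpanded so the comparison is against the literal %USERPROFILE% default.
$null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue
Get-ChildItem 'HKU:\' | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object {
        $sid = $_.PSChildName
        $key = Get-Item "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -ErrorAction SilentlyContinue
        if ($key) {
            $value = $key.GetValue('Startup', $null, 'DoNotExpandEnvironmentNames')
            if ($value -and $value -ne $defaultStartup) {
                Add-Finding $sid 'StartupRedirected' $value
            }
        }
    }

if ($findings.Count -eq 0) { 'No Startup folder files or redirected Startup registry values found.' }
else { $findings | Format-Table -AutoSize }
```

A redirected Startup value is worth investigating even when the default folder is empty, because Windows runs whatever folder the registry value points to.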
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Does deleted file go to Recycle Bin?
     
  3. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @bjm_

    The file is deleted directly via Windows APIs.

We're discussing whether to add the event to the .log file (and to the Windows Events), such as:

    Code:
    Date/Time: 06/08/2022 19:56:58
    File Deleted: C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malware.lnk
    Rule: AutoDeleteFilesOnStartupFolder
    Rule Name: Automatically delete ANY file on Startup folder of ANY user
    
    So the user knows a file was deleted in the StartUp folder.
     
  4. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    808
    Using Extreme protection here, it seems like it is not auto-enabled.
     
  5. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @smith2006

    You need to re-apply Extreme Protection profile (I forgot to write it in the previous post).

    The option is auto-enabled when you apply Extreme Protection profile.
     
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    btw ~ options are not auto-enabled when I apply Extreme Protection Profile. 1.7.8 test 6
    png_15628.png png_15627.png
     
    Last edited: Aug 9, 2022
  7. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    344
    Location:
    Finland
    @novirusthanks
    Does this work FULLY with Enterprise LTSC, any limitations?
Does it run as a service/kernel level? Protecting, for example, instant Image File Execution Options registry key changes (disable task manager etc...)
Which means, no matter what registry "monitor" software you're using, one fresh sample of WinLock wrote some reg entries and then instantly rebooted. System infected.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I recommend you do so. There might be a legit app that adds something to this directory.

Also, most malware will drop a malicious .lnk file to this directory. You might consider just monitoring for .lnk file creation.

    BTW - I thought OSA already monitored for this activity (.lnk file creation) given that it has been used by malware for a very long time?
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 8 version of OSArmor PERSONAL v1.7.8:

    Code:
    https://downloads.osarmor.com/osarmor-personal-1-7-8-setup-test8.exe
    
    Only added logging to file of Startup folder rules:

    @bjm_

    The two options are not auto-enabled on Extreme protection.

    They need to be enabled manually.

    @moredhelfinland

    We have users that use OSA on Enterprise LTSC and reported no issues so far.

    OSA uses a kernel-mode driver to monitor processes executions and OSArmorDevSvc is a Windows Service.

    OSA doesn't monitor registry keys or such, it monitors and blocks suspicious processes.

For malware to be able to edit the registry or perform other tasks it needs to be executed on the system; if the process is blocked or the infection chain is stopped then the system is not altered.

    That is the point of OSA: prevent malware/ransomware infection by blocking malware delivery methods and suspicious processes.

    With Extreme protection you can "lockdown" the system (it blocks unsigned processes and processes signed by unknown vendors).

    Here is OSA in action with recent malware samples and file types (LNK/ISO/IMG/etc):
    https://www.youtube.com/watch?v=kdtHxUqDNMc

    @itman

OSA protects from suspicious processes started from LNK shortcuts, here is the chapter where we test malicious LNK files:
    https://www.youtube.com/watch?v=kdtHxUqDNMc&t=954s

    A malware could drop any file there, such as vbs/js/vbe/wsf/hta/exe/scr/pif/com/bat/lnk/url/etc.

    Better to delete any file type since if a file is dropped here it is done with the objective to execute the file when the PC starts.

    OSA already blocks malware delivery methods so the Startup folder is not an issue (if the process/infection chain is stopped no file will be dropped there).

    Additionally, OSA starts before Windows runs the files on Startup folder, so again no issues here:

    example.png

    But we wanted to add options to keep the Startup folder empty (we don't allow for exclusions there).
     
    Last edited: Aug 9, 2022
  10. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    344
    Location:
    Finland
    "OSA doesn't monitor registry keys or such, it monitors and blocks suspicious processes."
    Thanks, that's all needed to know.
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Thank you again, @novirusthanks!

    EDIT

    Hi @novirusthanks

    I just installed this Test version and I noticed for the first time - and maybe this has happened in previous versions - after scanning for new trusted vendors, OSA found and added four new entries. However, I have no idea what the entries are, as there is no pop-up alert and nothing in the logs. Other than comparing a previous saved settings to the latest settings, is there a way to maybe have OSA log newly added Trusted vendors or even produce some sort of pop-up message? Otherwise no issues so far. Thanks!
     
    Last edited: Aug 9, 2022
  12. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Win7.
    Test 8 running great! (a rhyme every time.)
     
    Last edited: Aug 9, 2022
  13. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    808
    Thanks @novirusthanks
     
  14. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Salutations/Greetings,
    @novirusthanks
    #4305
    #4306
Will the Extreme Protection Profile need to be re-applied each time you start
OSArmor PERSONAL v1.7.8 on your PC :)?
Or is this a one time input....
     
  15. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    344
    Location:
    Finland
    @novirusthanks
So does it protect registry keys like image file options like I said before? That registry key/hive is one of the most used by malware.
Something like variants of Winlocker(s), which drop a file, then write to image file options registry to disable task manager etc, many things on that registry key.
Gdata and Hibit startup monitor detect the modification of it, but the god damn malware shuts down the puter really fast so it's too late.
That's why I'm asking if OSA can protect, or even if a user can make their own custom registry keys protected by OSA.
Dr.Web "KATANA" is a very, very good HIPS-like protector against these kinds of malware abuse, and it works at the kernel level (blocked instantly winlocker variant registry modifications and prevented "force shutdown")
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Moose World

    When we add new protection options on Protections tab of OSArmor Configurator (this is not frequent) then you may need to re-apply the Extreme Protection profile or enable the new protection option(s) manually.

    In OSArmor PERSONAL v1.7.8 (test 8 build) we added new protection options and in this case yes you need to re-apply Extreme Protection or enable them manually.

    From now on I will write in the post when this is needed.

    @wat0114

    Good point, and yes we can add a new window where OSA will show you which new vendors have been added.

    @moredhelfinland

Ransomware is commonly delivered via keygen/crack-like exe files and phishing emails with maldocs and scripts/iso/img/lnk/etc attachment files.

    A recent article suggests that 87% of ransomware has been delivered via malicious maldocs to infect targeted systems:

    Code:
    https://www.infosecurity-magazine.com/news/87-ransomware-brands-exploit-macros/
    
    OSA blocks malware/ransomware delivery methods and with Extreme Protection you can "lockdown" the system, example:

    winlock.png

    In the image above OSA blocked winlock.exe ransomware because it is unsigned.

OSA's objective is to prevent execution of ransomware and malware on the system, thus there is no need to protect registry keys or such: if the malware can't run then it can't alter the system.
     
    Last edited: Aug 10, 2022
  17. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    [%PROCESS%: C:\Windows\System32\msiexec.exe] [%PROCESSCMDLINE%: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Geno\Documents\WindowsPCHealthCheckSetup.msi"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Program Files\Google\Chrome\Application\chrome.exe] [%PARENTSIGNER%: Google LLC]
    [%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: C:\Windows\system32\cmd.exe /d /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud ??.?\plugins_nms.exe" chrome-extension://*/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.* > \\.\pipe\chrome.nativeMessaging.out.*] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Program Files\Google\Chrome\Application\chrome.exe] [%PARENTSIGNER%: Google LLC]
     
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Dragon1952

    Thank you for reporting the FPs, will be fixed on the next build.
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 10 version of OSArmor PERSONAL v1.7.8:

    Code:
    https://downloads.osarmor.com/osarmor-personal-1-7-8-setup-test10.exe
    
    @wat0114

    Now when new signers are found while scanning for Trusted Vendors, the Configurator will show a new window showing which are the new signers added:

    Immagine.png

    FP reported by @Dragon1952 is also fixed.
     
  20. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Wow, nice new build. :thumb:

    This little window for any new Trusted Vendor is a welcome addition. Not to mention, kind of cute. :)

    tvlist.PNG
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
Thank you @novirusthanks! You guys are the best :thumb:
     
  22. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    [%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: C:\Windows\system32\cmd.exe /d /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud ??.?\plugins_nms.exe" chrome-extension://*/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.* > \\.\pipe\chrome.nativeMessaging.out.*] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Program Files\Comodo\Dragon\dragon.exe] [%PARENTSIGNER%: Comodo Security Solutions]
     
  23. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
Feature request: I'd turned off Protection completely (didn't use the choices for temporarily disabling). Then naturally forgot all about it. Is there a discreet little popup that can remind you the protection is off--maybe after an amt. of time like 15 or 20 min?

    I know VoodooShield has this feature--but does it fall under any kind of patent-related thing?
     
  24. Jan Willy

    Jan Willy Registered Member

    Joined:
    Jan 29, 2021
    Posts:
    226
    Location:
    Netherlands
    It's not an eye-catcher but the color of the icon on the taskbar changes when you disable OSArmor.
     
  25. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Yes, that's right--it turns white or something but the thing is: the taskbar is set to hide, it's not locked. So it's in the system icon tray and then that's hidden. Out of sight, out of mind, in this case at least.
     