NoVirusThanks OSArmor: An Additional Layer of Defense

No.
#3894

 

I've read the post you pointed to. From what I understand, the OSA-editor wrote what I tried to say:
"In the above cases we can better write safe whitelist/exclusion rules by matching parent process PrivaZer.exe, parent signer Goversoft LLC, process and command-line."
But perhaps the problem is too complicated for me and didn't I figure out everything.
Edit:
I also saw that you opted for Extreme Protection. Isn't it a little bit strange that you want optimal protection, but if this leads to problems you are willing to turn off all protection for somewhile.

 

The notification did not work for me when i disable protection.

 

Where did I mention selecting Extreme Protection??

 

I thought that next quote was from you. Now I see that's from the developer. Sorry.
"I tried PrivaZer and I got the following notifications from OSA with Extreme Protection profile set:"

 

I have just tried it - it works here as expected.

 

@Krusty

Will release tomorrow a new build that has the option to disable "Show a notification if protection is disabled for 10 minutes"

@Dragon1952

Should work fine, just right-click on OSA tray icon and click on Protection -> Disable Protection

Then wait 10 minutes and you should see the notification window.

 

Me too. Wonder why upper left corner--opposite from the screenshot.

Edit: next test: lower right corner--same as screenshot.

 

Hi @novirusthanks ,

It isn't a deal breaker and I'm certainly in no hurry. I only run PrivaZer once or twice a week anyway.

Thanks.

 

Can't help but wonder why the folks at Privazer aren't fixing this issue. In any event OSA 1.7.8 is running beautifully on my aging laptop. After 16 test builds, I had hoped things might settle down for a while.

 

You can't look a gifthorse in the mouth. NVT andreas is all hands on deck and it can only get better all the more.
Soon as I get my new 10/11 system this is one of the first security programs that's found a place in the defensive lineup.

 

This block twice in a row (v 1.7.8, medium protection) ...

Date/Time: 8/18/2022 9:36:07 AM
Process: [22640]C:\Windows\System32\wbem\WMIC.exe
Process Size: 562.5 KB (576,000 bytes)
Process MD5 Hash: C37F2F4F4B3CD128BDABCAEB2266A785
Parent: [9884]C:\Windows\System32\cmd.exe
Parent Process Size: 283 KB (289,792 bytes)
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: C:\WINDOWS\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value
Signer: <NULL>
Parent Signer: <NULL>
User/Domain: pauld/LAPTOP-BFQLL77F
System File: True
Parent System File: True
Integrity Level: Medium
Parent Integrity Level: Medium

Not sure what caused it - maybe O&O Deskinfo(?) but haven't seen it before - so should I leave it, or could I exclude?

 

@bjm_ @plat1098

Where do you have the taskbar positioned? On bottom?

Also, is the issue happening also on alert notifications when a process is blocked? To test this just rename an exe file into invoice.pdf.exe and run it, it will be blocked by OSA and should show the alert notification on bottom-right of the screen.

The notifications should be always displayed at bottom-right.

@paulderdash

Yes it could be O&O Diskinfo (not tested), that WMIC command is only used to get details about the system.

I will fix it in the next release, meanwhile you can exclude it if it happens again.

 

Taskbar is kept hidden on the right side. That's one of the main reasons I don't go to Windows 11 full-time.

But anyway, like bjm_ first reported, the second time OSA was shut off, the notification appeared correctly on the lower right side. I tried it again just now: same. Strange how this was done automatically, without any input from me. All block-notif. have always appeared in the lower-right regardless of taskbar position, don't worry.

Edit: tried again w/taskbar positioned at top of screen. The notification appeared normally on the lower right but became enabled when I pressed the Space bar on keyboard. (Bandicam's designated hot key). Also enabled OSA with pressing Space bar without Bandicam active. Anyone else?

Not sure if that's an intended result. Shouldn't it just be via the Enable Protection button?

 

Here is a pre-release test 1 version of OSArmor PERSONAL v1.7.9:

Code:

https://downloads.osarmor.com/osarmor-personal-1-7-9-setup-test1.exe

You can install it "over-the-top" of the installed version, reboot is not needed.

Let me know if you find issues or FPs.

Here is the changelog so far:

+ Added option to disable the notification when protection is disabled
+ Improved auto-resize of GUI windows on small screen resolutions
+ Improved display of notifications on bottom-right area
+ Various improvements on notification windows
+ Fixed all reported false positives
+ Minor improvements

@plat1098

Should be fixed now, please confirm if possible.

@bjm_ @plat1098

I could not reproduce the issue of the notification showed on the top-left area (it is always displayed on bottom-right area, I tried also to change taskbar position on top/bottom/right/left/hidden).

Can you confirm that the "Protection Disabled" notification is displayed on bottom-right?

Thank you.

 

Taskbar = bottom. I cannot reproduce Reminder: Protection Disabled...top-left, at this time. 1.7.8

Confirming > Reminder: Protection Disabled = bottom-right. 1.7.8

 

OK, had to post the video at MalwareTips b/c I could not break the link to my video here for some stupid reason.

--removed link to MalwareTips to post video here without link.

Edit: The position of the Notification is OK now. Honest!

Re-edit: OK, great, appreciate this JRViejo.

https://www.youtube.com/watch?v=gPhMT3KvaZk

 

Installed the test build 1.7.9 and it seems good so far. The "disabled" notification shows correctly in the lower right side (with taskbar hidden and positioned on the right side as usual.). Hitting the Space bar on the keyboard didn't do anything, so that's fine.

@Krusty This build here 1.7.9 came with the Notifications display enabled. It's in Settings in Configurator if you want to turn it off (in case it's already on).

Spoiler

 

We've released OSArmor v1.7.9:
https://www.osarmor.com/download/

Here is the changelog:

If you have automatic updates enabled then OSArmor should auto-update in the next hours.

Else you can install it "over-the-top" of the installed version, reboot is not needed.

* If you used test builds you should manually update to this final version (install over-the-top is fine).

If you find false positives or issues please let me know.

@bjm_ @plat1098

Thanks for confirming.

 

Update automagically applied



Thank you again for your top-tier technical wizardry and support

 

false positive
[%PROCESS%: C:\Program Files (x86)\Adguard\Adguard.BrowserExtensionHost.exe]
[%PROCESSCMDLINE%: "C:\Program Files (x86)\Adguard\Adguard.BrowserExtensionHost.exe" C:\ProgramData\Adguard\HostManifests\com.adguard.browser_extension_host.nm-firefox-manifest.json browserassistant@adguard.com]
[%SIGNER%: Adguard Software Limited]
[%PARENTPROCESS%: C:\Program Files\Mozilla Firefox\firefox.exe]
[%PARENTSIGNER%: Mozilla Corporation]

from "block any process executed from web browser"
with adguard assistant add-on from adguard home

 

"Added option to disable the notification when protection is disabled"

I disabled that notification but it somehow became re-enabled.

 

Hmmm. Disabled OSA in order to install latest Sandboxie and neglected to enable protection. Come to find the reminder is once again at the upper left hand side; plus, hitting the Space bar to take a snapshot via Bandicam re-enabled OSA and made it go back into the system icon tray. I'll see if I can repeat it and make a video of it--very odd.

Spoiler

Edit: Tried again but the notification appeared correctly in the lower right side. I tried the Space bar thing again to see if OSA would re-enable but it wasn't successful (OSA stayed disabled and the notification remained on desktop). So it seems this anomaly only happens when the notification is displayed on the upper left hand side. If/when it happens again, I will be sure to capture it fully.

If it's meaningful, Bandicam also opens its UI in the upper left hand side of the screen, in the same spot as the OSA notification. Also wondering what exactly triggers the notif. to appear on the left rather than the lower right. What determines how an app's UI is positioned when it's opened for the first time (Bandicam)?