NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Yes, agree totally. I would be happy if NVT ignored all requests for cosmetics & other bells & whistles. Ideally, NVT should use its valuable time to concentrate primarily on enhancing OSA to deal with ever-changing malware shenanigans.

    NOTE: I deleted my "additional logging" comment. My thanks to Paul & Krusty, for giving me a friendly nudge.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
You have every single one of the Protections enabled, yet you see almost no alerts!? o_O You know that many of those Protections are supposed to result in a High number of alerts and many others in Medium alerts. Doesn't it beg the question for you "why" you are not seeing more alerts?

    @Buddel

    I have just blanked my Trusted Vendors list while maintaining Extreme Protection, rebooted and resumed as normal, and I so far experience no difference. No alerts yet whatsoever.

    @novirusthanks

Does OSA utilize the scanned Vendors list created by the user, or does it utilize the TrustedVendors.db file under the C:\Program Files\NoVirusThanks\OSArmorDevSvc directory in its decision-making process against those enabled Protections that relate to Signed vendors?
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    No, not at all.

    AFAIK, the 3 *gates* for nasties to board my darlin' computer are downloads, email, & internet surfing.
    =>I don't download a lot of new apps. When I do download something, I always use a download site that carefully screens the apps it offers.
    =>I use PopPeeper as email client, and it's set so that all emails are received as headers only. Full messages only download when requested, and only in rich text. So an email's HTML doesn't happen unless specifically activated.
    =>As for internet, I seldom surf in shark-infested waters and, when I do surf there (rarely), I do so in virtual mode.

    IMO, after OSA has a few days for "getting to know" the apps populating a careful user's computer (and Exclusions are developed accordingly), OSA should rarely generate alerts until something potentially nasty (or really nasty) is taking place. That's my experience -- your mileage may differ.
     
    Last edited: Aug 28, 2022
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I mostly agree, your assessment stands to reason.

    Past versions on Windows 10 generated far more alerts for me on less than Extreme protection. As I mentioned previously, I had at least five Exclusions created many months ago for Edge and about the same number for Firefox, which I no longer use. However, I realize NVT has fixed numerous FP's reported by users, so that would definitely cut down on the frequency of alerts.

    That said, numerous of the Protections when enabled warn of medium or high alerts levels, so when extreme level is chosen and especially when you have enabled them all, it just seems odd to me we are seeing very few alerts.

    So on that note: why bother using only Basic or Medium protection when using Extreme or all enabled are going to generate very few alerts in typical daily usage? Why not just enable the stronger options, since they should provide far better protection than the former two.

    EDIT

    Okay I found this and disabled it. I'll see what happens.

    [Attached screenshot: enable internal....png]
     
    Last edited: Aug 28, 2022
  5. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    *this* means the option to "Enable internal rules for allowing safe behaviors."

    I found that Option on Configurator page under Settings and discovered that I had enabled it. Hmmm... perhaps that is why my decision to "Select ALL Protections" has produced very very few alerts. Like @wat0114 I just now disabled that option so --- let's see what happens.

    @novirusthanks -- I wonder if enabling those "rules for allowing safe behaviors" might reduce (however slightly) the level of OSA's "Extreme" protection. More specifically, I wonder if {"Medium" protection + DISabled rules} might be nearly equal to {"Extreme" protection + ENabled rules}. No big deal -- just wondering.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Hi bellgamin,

    I think those internal rules are mostly FP's reported by users over the past couple years.

    Anyways, since I disabled it, I've had three alerts:

    Code:
    Process: [6228]C:\Windows\System32\sc.exe
    Parent: [1480]C:\Windows\System32\svchost.exe
    Rule: BlockScExecution
    Rule Name: Block execution of sc.exe
    Command Line: C:\WINDOWS\system32\sc.exe start wuauserv
    Signer: <NULL>
    Parent Signer: Microsoft Windows Publisher
    
    Process: [7900]C:\Windows\System32\mmc.exe
    Parent: [1832]C:\Windows\System32\eventvwr.exe)
    Rule: AntiExploitProtectSpecificSystemProcesses
    Rule Name: Protect specific system processes with anti-exploit module
    Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\eventvwr.msc"
    Signer: <NULL>
    Parent Signer: <NULL>
    
    Process: [10168]C:\Windows\System32\sc.exe
    Parent: [1480]C:\Windows\System32\svchost.exe
    Rule: BlockScExecution
    Rule Name: Block execution of sc.exe
    Command Line: C:\WINDOWS\system32\sc.exe start pushtoinstall registration
    Signer: <NULL>
    Parent Signer: Microsoft Windows Publisher
    
    For clarity, I deleted a lot of the text such as date/time, file size, user... Obviously they are all legitimate file actions within the Windows System directory. The second one with mmc.exe was when I went to open Event Viewer as Admin. I'm going to re-enable the option. It is recommended anyway because all those rules are legitimate for required inter-process activity. I was just curious to see if I would get bombarded by alerts, which I wasn't.

    BTW, I had completely blanked my Signed Vendors list again for a while, with Extreme protection kept enabled, and it still did not result in more alerts.
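    The alert records quoted in the post above follow a fixed "Key: Value" layout, which makes them easy to review in bulk rather than one popup at a time. The script below is an added example and is not OSArmor's or NoVirusThanks' own code: it parses records in that layout, groups them by rule, and separates out the alerts where neither the process nor its parent reports an embedded signer. The text in $sampleLog is constructed from the three alerts quoted in the post; the function names are my own.

```powershell
# Added example (not OSArmor code): parse OSArmor alert records of the form
# posted in this thread and summarise them by rule and by signer.
# $sampleLog is constructed from the alerts quoted above.

$sampleLog = @'
Process: [6228]C:\Windows\System32\sc.exe
Parent: [1480]C:\Windows\System32\svchost.exe
Rule: BlockScExecution
Rule Name: Block execution of sc.exe
Command Line: C:\WINDOWS\system32\sc.exe start wuauserv
Signer: <NULL>
Parent Signer: Microsoft Windows Publisher

Process: [7900]C:\Windows\System32\mmc.exe
Parent: [1832]C:\Windows\System32\eventvwr.exe
Rule: AntiExploitProtectSpecificSystemProcesses
Rule Name: Protect specific system processes with anti-exploit module
Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\eventvwr.msc"
Signer: <NULL>
Parent Signer: <NULL>

Process: [10168]C:\Windows\System32\sc.exe
Parent: [1480]C:\Windows\System32\svchost.exe
Rule: BlockScExecution
Rule Name: Block execution of sc.exe
Command Line: C:\WINDOWS\system32\sc.exe start pushtoinstall registration
Signer: <NULL>
Parent Signer: Microsoft Windows Publisher
'@

function ConvertFrom-OsaAlert {
    param([Parameter(Mandatory)][string]$Text)

    # Records are separated by blank lines; each line is "Key: Value".
    foreach ($block in ($Text -split '(?:\r?\n){2,}')) {
        $fields = @{}
        foreach ($line in ($block -split '\r?\n')) {
            if ($line -match '^(?<k>[^:]+):\s*(?<v>.*)$') {
                $fields[$Matches.k.Trim()] = $Matches.v.Trim()
            }
        }
        if (-not $fields.ContainsKey('Rule')) { continue }

        # "Process: [6228]C:\...\sc.exe" -> strip the "[pid]" prefix to get the path
        $procPath   = $fields['Process'] -replace '^\[\d+\]', ''
        $parentPath = $fields['Parent']  -replace '^\[\d+\]', ''

        [pscustomobject]@{
            Rule         = $fields['Rule']
            Process      = $procPath
            Parent       = $parentPath
            CommandLine  = $fields['Command Line']
            Signer       = $fields['Signer']
            ParentSigner = $fields['Parent Signer']
            # Both sides under the Windows directory: consistent with the in-box
            # activity described in the post, but not proof of it on its own.
            InWindowsDir = ($procPath -like "$env:SystemRoot\*") -and
                           ($parentPath -like "$env:SystemRoot\*")
        }
    }
}

$alerts = ConvertFrom-OsaAlert -Text $sampleLog

# Which rules fire most often: these are the candidates for a rule-specific exclusion.
$alerts | Group-Object Rule | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Alerts where neither side reports an embedded signer deserve a second look
# before an exclusion is written, even when both paths sit under C:\Windows.
$alerts | Where-Object { $_.Signer -eq '<NULL>' -and $_.ParentSigner -eq '<NULL>' } |
    Format-List Rule, Process, Parent, CommandLine
```

    One caveat when reading the Signer column: a <NULL> signer on a binary in System32 is not by itself suspicious, because many in-box Windows binaries carry no embedded Authenticode signature and are instead signed through the system catalogs; whether OSArmor consults catalogs when it fills in that field is not stated in this thread. The developer also notes further down that logging of allowed (rather than blocked) processes is the job of the separate Process Logger tool, so a script like this only ever sees the blocked side.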
     
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    After disabling the OSA's option to use "internal rules for allowing safe behaviors" I've had 4 alerts. Each of them caused a delay of ~15 seconds to (1) create an Exclusion by clicking OSA's exclusion-maker & (2) restart the blocked app. No big deal. I shall leave it unchecked.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I thought I had the Internal rules option enabled but it wasn't, so it's enabled now and I deleted the Exclusions I created after startup a little while ago. I'll keep you posted of anything significant.

    Honestly bellgamin, I would just keep that option enabled, as they are all confirmed safe and necessary rules.
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @bellgamin @wat0114

    For logging of allowed processes there is Process Logger, I'd prefer to not add that feature to OSA since the focus is to keep it simple and with only one task: block suspicious processes activity.

    We have worked on OSA since 2017 and we continuously improve it to avoid FPs, so even with the Extreme Protection profile you may not get many alerts (or none at all) if you:

    1) Use only digitally signed applications
    2) Do not frequently install/uninstall applications
    3) Applications that you use do not execute commonly abused system processes (cmd/powershell/rundll32/regsvr32/etc)
    4) If you use new signed applications make sure the signer is present in the Trusted Vendors else they will be blocked
    5) You do not run .bat/.cmd scripts (or you put them in a safe -not user-writable- location like C:\WINDOWS\MyBatScripts\ and then you create specific exclusion rules to allow your .bat/.cmd scripts executed from that folder)
    6) You do not use powershell (or you create specific exclusion rules for your specific tasks)

    Extreme Protection is generally recommended for office/shops/business PCs and can be used to "lockdown" the system.

    But if you're a Home user and meet the above 6 points then you should have no issues.

    It all depends on how you use the PC.

    For extra safety you can edit/remove all vendors from the Trusted Vendors and add only the vendors present in your system and of the applications that you use.

    In this case make sure to disable the option "Merge TrustedVendors.db with updated list when product is upgraded"

    Extreme Protection profile can generate many alerts if the user doesn't meet the 6 points above, that is why we prefer to have Basic Protection profile as default.

    Basic Protection profile is the perfect balance between good additional protection (block malware delivery methods) and low false positives.

    The Extreme Protection profile is the best protection that OSA can provide, but it can generate more false positives.

    I would recommend keeping it enabled; it allows safe process behaviors and reduces FPs.
     
    Last edited: Aug 29, 2022
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    @novirusthanks

    Thank you so much for your thorough and detailed, perfect explanation. You must have added quite a number of rules to address FP's, which is great. It just really felt odd to me that with the Extreme profile enabled I was seeing next to no alerts at all, and especially odd when I cleared my Trusted Vendors list. Then when @bellgamin reported he had all the Protections enabled but was seeing very few alerts, that reinforced my concern. I thought maybe something was wrong, especially since I recently switched to Windows 11, thinking it may be interfering with OSA. However, your explanation eases my concerns. Thanks again.

    As for your recommendation to use Basic profile, I will stay with Extreme for the time being, since I am seeing very few alerts with it enabled, and any FP's I do get, I'll handle them easily enough with a custom made Exclusion rule. I may as well use the top tier protection level as the inconvenience of dealing with FP's is up to now insignificant. I can report any FP's to you as well.

    Take care!
     
  11. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    I have the Basic profile with a number of rules over and above--even in the Lockdown/Experimental section (which has grown by leaps and bounds over the past year or so). I also know which programs are habitually unsigned (HiBit, Sandboxie) so I'm vigilant like that. Can't expect OSArmor to do every little thing.

    So I add a rule or two at a time and evaluate for a week or more. Don't want to compromise security for the sake of reducing false positives if it can be helped. If it's good, I back up all settings immed.
     
  12. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    As for myself, I use the Basic protection profile and I keep "Enable internal rules for allowing safe behaviors". I feel safe that way as I never visit the dark web anyway :)
     
  13. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    OK well x-nay that. I d/l CPU-Z b/c I want to bench my cpu (sometimes I wonder if it's working like it did when it was new). I have the block rule: block unsigned processes with high system priv. Tried to exclude and it kept blocking it w/one rule after another. Finally I just disabled it and then forgot about it.

    Yes...that nice and friendly reminder to enable came up right on time. In the right spot too (lower right). Thanks again for implementing--very useful to me.
     
  14. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    Is this checked or unchecked in the default setting? Mine is unchecked now but I don't remember if I unchecked it.
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I'm 99% sure it's unchecked by default.
     
  16. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    It looks like the "Merge TrustedVendors.db with updated list when product is upgraded" option is unchecked by default. I guess that means that I never had that .db merge in my OSA app and all I ever had was the trusted vendors that were added after I ran the scan for trusted vendors.
     
    Last edited: Aug 30, 2022
  17. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Just curious- a Question for those using OSArmor (at whatever profile employed- when acquiring a file from the Net, from where do you execute the file- saved and run from Desktop, saved and run from Downloads folder, or something else entirely)?

    Just curious...
     
  18. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,951
    This is what I do. I use NoVirusThanks Signer Extractor to generate an up-to-date list of all the signers (vendors) that are present in my system. This helps me to build my own list of "Trusted Vendors".:)
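    Both the developer's advice earlier in the thread (strip the shipped Trusted Vendors list down to the vendors actually present on the machine) and the Signer Extractor workflow in the post above come down to the same task: enumerate the distinct Authenticode signers of the executables installed locally. The script below is an added example and is not Signer Extractor, OSArmor or any NoVirusThanks code; it uses the built-in Get-AuthenticodeSignature cmdlet to do that enumeration and writes the candidate vendor names to a text file for comparison with the OSA Trusted Vendors list. The search roots in $Roots, the output path, and the function names are assumptions; adjust them to where your applications live.

```powershell
# Added example (not NoVirusThanks code): list the distinct Authenticode signers
# of locally installed executables so a Trusted Vendors list can be built from
# what is actually on the machine instead of the shipped default list.
# $Roots and the output path are assumptions; change them for your system.

function Get-InstalledSigners {
    param(
        [string[]]$Roots = @("$env:ProgramFiles",
                             "${env:ProgramFiles(x86)}",
                             "$env:LOCALAPPDATA\Programs"),
        # *.exe only keeps the scan short; add '*.dll' if you want library signers too.
        [string[]]$Extensions = @('*.exe')
    )

    $files = foreach ($root in $Roots) {
        if ($root -and (Test-Path -LiteralPath $root)) {
            Get-ChildItem -LiteralPath $root -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue
        }
    }

    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # The CN of the signing certificate's subject is the "vendor" name as OSA shows it.
        # A quoted CN may itself contain commas, so match the quoted form first.
        $cn = if ($subject -match '(?:^|,\s*)CN=(?<cn>"[^"]+"|[^,]+)') {
            $Matches.cn.Trim('"')
        } else {
            '<unsigned>'
        }
        [pscustomobject]@{
            Signer = $cn
            Status = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Path   = $f.FullName
        }
    }
}

function Get-SignerSummary {
    param([Parameter(Mandatory)][object[]]$Signatures)
    $Signatures | Group-Object Signer | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Signer    = $_.Name
            Files     = $_.Count
            ValidSigs = @($_.Group | Where-Object { $_.Status -eq 'Valid' }).Count
            Example   = $_.Group[0].Path
        }
    }
}

$sigs    = Get-InstalledSigners
$summary = Get-SignerSummary -Signatures $sigs
$summary | Format-Table -AutoSize

# Only signers with at least one Valid signature are candidates for Trusted Vendors.
# Files listed as <unsigned>, or whose signature does not verify, need a path-specific
# exclusion (as the thread describes) rather than a vendor entry.
$outFile = Join-Path $env:USERPROFILE 'Desktop\local-signers.txt'   # assumed location
$summary |
    Where-Object { $_.Signer -ne '<unsigned>' -and $_.ValidSigs -gt 0 } |
    Select-Object -ExpandProperty Signer |
    Sort-Object -Unique |
    Set-Content -LiteralPath $outFile
```

    Two things to keep in mind when comparing the output with the OSA list. First, a signer whose signature status is anything other than Valid (a hash mismatch, a revoked or expired chain) should not be promoted to a trusted vendor just because the name looks familiar; the Status column is there for exactly that reason. Second, as the developer notes above, if you replace the shipped list with your own you also want the "Merge TrustedVendors.db with updated list when product is upgraded" option disabled, otherwise the next product update folds the default vendors back in.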
     
  19. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    saved and run from Desktop
    -
    all OSA Rules enabled - except Restrict Windows Programs
    add only Trusted Vendors on my system
    OSA Alerts are usually expected - e.g., for unsigned installer .tmp files.
    I have a few Exclusions - e.g., for trusted unsigned program - for launching trusted program from Documents.
     
    Last edited: Aug 30, 2022
  20. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Same as @bjm_ on my side:)
     
  21. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I guess I could delete my trusted vendors list and then run a scan to build a .db of trusted vendors on my computer.
     
  22. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @novirusthanks -- Grazie to the nth for the excellent information!!! I have followed all your suggestions except that I still have not enabled "Enable internal rules for allowing safe behaviors". Since I am still using Win7, I want to keep OSA at flank speed.

    @cruelsister In answer to your question, I save all downloads to C:\Holding -- a file that I have created on every Windows OS that I have used. I also execute all set-ups/installs from that Holding file. {In days of yore, I created Holding files on every computer I used -- Commodore 64, Apple//c, & Atari 800 -- so I still do it.}
     
    Last edited: Aug 30, 2022
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    @cruelsister almost exclusively from the Downloads folder.

    That's probably the most secure approach. That's what I and some others did.
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We've released OSArmor v1.8.0:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update in the next hours.

    Else you can install it "over-the-top" of the installed version, reboot is not needed.

    * If you used test builds you should manually update to this final version (install over-the-top is fine).

    If you find false positives or issues please let me know.

    If you want to enable the new option:

    "Block processes with uncommon chars (e.g ;#!@%[]) on file path"

    You need to do it from the Configurator manually.

    @wat0114

    You're very welcome :)

    And yes I could see your concerns about none/low alerts when in Extreme Protection profile, that is possible thanks to you and all users that have reported FPs during the past years.

    A quick generic test to check OSA protection is to rename a .exe file into invoice.pdf.exe and run it. If it is blocked then it means OSA is working fine.

    @plat1098

    Yeah, that can be very useful to many users.

    Thanks for suggesting it :)

    @Dragon1952

    It is checked by default, but only on fresh/new installations.

    @cruelsister

    Downloaded files from web browsers are saved in C:\Users\<user>\Downloads folder here.
     
  25. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,951
    Got it. Thank you.:thumb:
     