NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    @novirusthanks, Thank you Andreas. New option: « Block processes with uncommon chars (e.g ;#!@%[]) on file path » enabled.
     
    Last edited: Aug 31, 2022
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Thanks all for your responses to my query. Just trying to confirm if an issue could possibly exist.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    I just checked here and that option was already checked. Using Medium Protection.
     
  4. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    I had to manually enable the rule "block.....with uncommon chars"--on here it was in Lockdown/Experimental section near the bottom of the list. I have the Basic profile. Sounds like a good rule to have enabled.

    Edit: cruelsister: all from Downloads folder. If it seems iffy, I scan them with several things first before opening.
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Hi @novirusthanks ,

    Changed to Advanced Protection and got this with Firefox.
    Date/Time: 1/09/2022 7:26:00 AM
    Process: [3436]C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud 21.3 (1)\plugins_nms.exe
    Process Size: 1.88 MB (1,974,504 bytes)
    Process MD5 Hash: 75BA00560539058296EEF886AE17DC17
    Parent: [1928]C:\Program Files\Mozilla Firefox\firefox.exe
    Parent Process Size: 651.33 KB (666,960 bytes)
    Rule: BlockAnyProcessExecutedFromWebBrowsers
    Rule Name: Block any process executed from web browsers
    Command Line: "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud 21.3 (1)\plugins_nms.exe" "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud 21.3 (1)\plugins.firefox.manifest" light_plugin_7571494CE0B94E11BB762B659A4AD71F@kaspersky.com
    Signer: Kaspersky Lab JSC
    Parent Signer: Mozilla Corporation
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Thanks.
     
  6. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Yes. Same.
     
  7. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Did anyone notice the tooltip on the tray icon that says "Protection Enabled" or "Disabled" depending on what you did? I guess distinguishing white from yellow maybe wasn't in-your-face enough. Nice improvement--anything helps jar your memory when you disable OSA without a time frame and then don't re-enable it.
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    No, I hadn't @plat1098 . Thanks for the tip! :thumb:
     
  9. JOHNoff

    JOHNoff Registered Member

    Joined:
    Sep 10, 2021
    Posts:
    67
    Location:
    Europe
    Hi, @novirusthanks!
    It seems your program does nothing to block these files in BootExecute. I used Comodo Cleaning Essentials 64-bit Autorun Analyzer and RegRun Reanimator from Greatis to reveal those files. In RegRun I edited the BootExecute registry section, and before that I installed the Partizan driver. Then I refreshed Autorun Analyzer and those files appeared.
    It seems I can't block or disable those autoruns; I can only delete the entries.
    What am I supposed to do?? Is that specially crafted or digitally signed malware or what! Also I had to disable OSA to install the Greatis software.

    Thanks!
     


  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @JOHNoff

    What program did you use in your two screenshots to show that files/data?

    From a very quick look it seems a possible error in displaying files/data (see the bad characters displayed).

    Which is the exact executable file that is not blocked?

    Maybe the issue is that you edited the bootexecute registry section via regrun? Just guessing.

    Did you scan your entire system with Microsoft Defender and/or with another AV?

    @Krusty

    Thanks for reporting the FP, will be fixed on the next build.
     
  11. JOHNoff

    JOHNoff Registered Member

    Joined:
    Sep 10, 2021
    Posts:
    67
    Location:
    Europe
    Hi NoVirusThanks,
    I used Autoruns from Comodo. There were no alerts that any of these files were blocked. So, are these malware files or not, or something else?
    Yes, I edited the BootExecute registry section via RegRun.
    Can someone reproduce this behavior on their own test PC? I use Windows 11.
    I also have blackfog to protect my system.
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Halfway through the trial period and I just purchased a subscription to this software. Much to my surprise, the remaining couple of weeks was tacked onto the one year period. Very cool. Thank you, OSA.
     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Also bumped the Protection Profile from Medium to Advanced yesterday.
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Page42

    Much thanks for supporting us and glad you like OSA!

    @JOHNoff

    Made some tests on a W10 VM with the two apps you mentioned but I couldn't reproduce it.

    My guess is that the bad characters you see are caused by an issue in the program you use (but this is only a guess) or by the edits you did on bootexecute registry section via regrun.

    You may try to scan your system with one or two on-demand malware scanners (such as Norton Power Eraser, Emsisoft Emergency Kit, HitmanPro, etc.) and see what they show.

    Hope that helps.
     
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @JOHNoff -- Norton Power Eraser (NPE) is very aggressive & sometimes gives FPs that can cause problems if acted on. If you are a knowledgeable computer user, NPE is a really great choice for a deep scan. Otherwise.......
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Hi @novirusthanks

    I'd like to report a FP when trying to play back DRM protected content from a well known sports website tsn.ca:

    Code:
    Process: [8108]C:\Windows\System32\mfpmp.exe
    Process Size: 68.95 KB (70,600 bytes)
    Process MD5 Hash: CF2F034D15E1A970F39B1C831244EEFD
    Parent: [6504]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Parent Process Size: 3.62 MB (3,795,360 bytes)
    Rule: BlockAnyProcessExecutedFromWebBrowsers
    Rule Name: Block any process executed from web browsers
    Command Line: mfpmp.exe /fac6f80e663bbfa2_b3e38a40/PMPServer {FDCF7735-DB2B-4148-BA34-A29E945C51D8} 6504 131184 =C:\Users\myusername\AppData\Local\Packages\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\AC\Temp=C:\ProgramData
    Signer: Microsoft Windows
    Parent Signer: Microsoft Corporation
    User/Domain: myusername/DESKTOP-*
    System File: True
    Parent System File: False
    Integrity Level: Low
    Parent Integrity Level: Low
    I've edited my username and Desktop name.

    FWIW, the possibly too granular Exclusion rule I created:

    Code:
    [%PROCESS%: C:\Windows\System32\mfpmp.exe] [%PROCESSCMDLINE%: mfpmp.exe /*/PMPServer {*-*-*-*-*} * =C:\Users\*\AppData\Local\Packages\*\*\Temp=C:\ProgramData] [%SIGNER%: Microsoft Windows] [%PARENTPROCESS%: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] [%PARENTSIGNER%: Microsoft Corporation]
    I'm using "Extreme" protection profile.
     
    Last edited: Sep 7, 2022
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    I got this while updating Macrium Reflect:
    Date/Time: 9/09/2022 5:24:06 AM
    Process: [1888]C:\Users\Dave\AppData\Local\Temp\_ir_vp2_temp_0\vpatch.exe
    Process Size: 473.5 KB (484,864 bytes)
    Process MD5 Hash: 9F4CC70D5D29CC467C00F630D84FC585
    Parent: [12540]C:\Users\Dave\AppData\Local\Temp\reflectPatch.exe
    Parent Process Size: 77.17 MB (80,921,480 bytes)
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "__IRAFN:C:\Users\Dave\AppData\Local\Temp\reflectPatch.exe"
    Signer: <NULL>
    Parent Signer: PARAMOUNT SOFTWARE UK LIMITED
    User/Domain: Dave/DAVE-PC
    System File: False
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Three slightly different OSA FP Exclusions I've made for Macrium Reflect update routines:

    Code:
    [%PROCESS%: C:\Users\*\AppData\Local\Temp\*temp*\vpatch.exe] [%PROCESSCMDLINE%: "*:C:\Users\*\AppData\Local\Temp\reflectPatch.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\reflectPatch.exe] [%PARENTSIGNER%: PARAMOUNT SOFTWARE UK LIMITED]
    
    [%PROCESS%: C:\Users\*\AppData\Local\Temp\*temp*\map.exe] [%PROCESSCMDLINE%: C:\Users\*\AppData\Local\Temp\*temp*\map.exe] [%SIGNER%: Paramount Software UK Ltd] [%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\*temp*\vpatch.exe] [%PARENTSIGNER%: <NULL>]
    
    [%PROCESS%: C:\Users\*\AppData\Local\Temp\*temp*\BcdCheck.exe] [%PROCESSCMDLINE%: C:\Users\*\AppData\Local\Temp\*temp*\BcdCheck.exe] [%SIGNER%: Paramount Software UK Ltd] [%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\*temp*\vpatch.exe] [%PARENTSIGNER%: <NULL>]
     
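The exclusion rules posted in posts 16 and 18 pin not only the process path but also the command line, the signer, the parent and the parent's signer. To show why that matters, below is an added toy model of the rule/exclusion matching: it is not OSArmor code, and its semantics are assumptions (OSArmor's engine is closed-source and the page does not document how `*` or `<NULL>` are matched). The block events are copied, shortened, from posts 5, 16 and 17; the "dropper" event and the `BROAD_EXCLUSION` rule are constructed for comparison.

```python
"""Toy re-implementation of the OSArmor rule/exclusion matching seen in this thread.

Added example, not OSArmor code. ASSUMPTIONS: '*' matches any run of characters
(fnmatch-style, may span '\\'), comparisons are case-insensitive, every field
present in an exclusion must match, and the signer '<NULL>' means "unsigned".
"""
import fnmatch
import re

FIELD_RE = re.compile(r"\[%(\w+)%: (.*?)\]")   # one [%FIELD%: pattern] group
FIELD_KEYS = {                                   # exclusion field -> event key
    "PROCESS": "process", "PROCESSCMDLINE": "cmdline", "SIGNER": "signer",
    "PARENTPROCESS": "parent", "PARENTSIGNER": "parent_signer",
}
BROWSERS = {"firefox.exe", "msedge.exe", "chrome.exe"}   # assumed browser list
UNCOMMON = re.compile(r"[;#!@%\[\]]")            # char set quoted in post 1


def glob_eq(pattern: str, value: str) -> bool:
    """Case-insensitive glob compare; '*' may span backslashes."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def parse_exclusion(rule: str) -> dict:
    """Split an OSArmor-style exclusion line into {FIELD: pattern}."""
    fields = dict(FIELD_RE.findall(rule))
    unknown = set(fields) - set(FIELD_KEYS)
    if unknown or not fields:
        raise ValueError(f"bad exclusion rule {rule!r}: unknown={sorted(unknown)}")
    return fields


def exclusion_matches(fields: dict, ev: dict) -> bool:
    return all(glob_eq(pat, ev[FIELD_KEYS[name]]) for name, pat in fields.items())


def rule_hits(ev: dict) -> list:
    """Which of the three block rules discussed in the thread fire for ev."""
    hits = []
    if ev["parent"].rsplit("\\", 1)[-1].lower() in BROWSERS:
        hits.append("BlockAnyProcessExecutedFromWebBrowsers")
    if ev["signer"] == "<NULL>" and glob_eq(r"C:\Users\*\AppData\Local\*", ev["process"]):
        hits.append("BlockUnsignedProcessesAppDataLocal")
    if UNCOMMON.search(ev["process"]):
        hits.append("BlockProcessesWithUncommonCharsOnFilePath")
    return hits


def decide(ev: dict, exclusions: list) -> str:
    hits = rule_hits(ev)
    if not hits:
        return "allow"
    if any(exclusion_matches(x, ev) for x in exclusions):
        return "allow (excluded)"
    return "block: " + hits[0]


# Block events copied (shortened) from posts 5, 16 and 17, plus one CONSTRUCTED
# unsigned "dropper" in %LocalAppData%\Temp that was never posted in the thread.
EVENTS = {
    "kaspersky_nms": dict(
        process=r"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud 21.3 (1)\plugins_nms.exe",
        cmdline=r'"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud 21.3 (1)\plugins_nms.exe"',
        signer="Kaspersky Lab JSC",
        parent=r"C:\Program Files\Mozilla Firefox\firefox.exe", parent_signer="Mozilla Corporation"),
    "mfpmp": dict(
        process=r"C:\Windows\System32\mfpmp.exe",
        cmdline=r"mfpmp.exe /fac6f80e663bbfa2_b3e38a40/PMPServer {FDCF7735-DB2B-4148-BA34-A29E945C51D8} 6504 131184 "
                r"=C:\Users\myusername\AppData\Local\Packages\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\AC\Temp=C:\ProgramData",
        signer="Microsoft Windows",
        parent=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", parent_signer="Microsoft Corporation"),
    "vpatch": dict(
        process=r"C:\Users\Dave\AppData\Local\Temp\_ir_vp2_temp_0\vpatch.exe",
        cmdline=r'"__IRAFN:C:\Users\Dave\AppData\Local\Temp\reflectPatch.exe"',
        signer="<NULL>",
        parent=r"C:\Users\Dave\AppData\Local\Temp\reflectPatch.exe", parent_signer="PARAMOUNT SOFTWARE UK LIMITED"),
    "dropper": dict(  # constructed
        process=r"C:\Users\Dave\AppData\Local\Temp\setup.exe",
        cmdline=r'"C:\Users\Dave\AppData\Local\Temp\setup.exe"',
        signer="<NULL>",
        parent=r"C:\Windows\explorer.exe", parent_signer="Microsoft Windows"),
}

# The exclusions wat0114 posted (posts 16 and 18) ...
NARROW_EXCLUSIONS = [parse_exclusion(r) for r in (
    r"[%PROCESS%: C:\Windows\System32\mfpmp.exe] [%PROCESSCMDLINE%: mfpmp.exe /*/PMPServer {*-*-*-*-*} * "
    r"=C:\Users\*\AppData\Local\Packages\*\*\Temp=C:\ProgramData] [%SIGNER%: Microsoft Windows] "
    r"[%PARENTPROCESS%: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] [%PARENTSIGNER%: Microsoft Corporation]",
    r"[%PROCESS%: C:\Users\*\AppData\Local\Temp\*temp*\vpatch.exe] "
    r'[%PROCESSCMDLINE%: "*:C:\Users\*\AppData\Local\Temp\reflectPatch.exe"] [%SIGNER%: <NULL>] '
    r"[%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\reflectPatch.exe] [%PARENTSIGNER%: PARAMOUNT SOFTWARE UK LIMITED]",
)]
# ... and a constructed lazy one that drops the command-line and parent pins.
BROAD_EXCLUSION = parse_exclusion(r"[%PROCESS%: C:\Users\*\AppData\Local\Temp\*] [%SIGNER%: <NULL>]")


def evaluate(exclusions: list) -> dict:
    """Verdict per event under a given exclusion list."""
    return {name: decide(ev, exclusions) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for label, excl in (("narrow", NARROW_EXCLUSIONS), ("broad", NARROW_EXCLUSIONS + [BROAD_EXCLUSION])):
        print(label)
        for name, verdict in evaluate(excl).items():
            print(f"  {name:14} {verdict}")
```

Under the narrow rules the two false positives from posts 16 and 17 are let through while the unsigned file in Temp is still blocked; adding the broad rule lets the constructed unsigned file through as well, because nothing in it ties the exclusion to the Macrium updater. That is the reason to keep the parent and signer fields even when they look "too granular".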
  19. JOHNoff

    JOHNoff Registered Member

    Joined:
    Sep 10, 2021
    Posts:
    67
    Location:
    Europe
    Hi novirusthanks,
    It happened twice in a matter of days that the OSA icon did not start at startup of my Win 11 PC. The icon simply did not show up, and after a reboot it did!
    Can you find the cause?
     
  20. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Krusty @wat0114

    I have contacted Macrium asking them to also sign vpatch.exe.

    @JOHNoff

    Are you using the latest OSArmor v1.8.0?

    I suspect that a program you use is interfering somehow with OSA startup, no other users have reported this issue (this issue was present on old OSA versions).

    What other security software or HIPS do you use?

    You can try to exclude/allow/whitelist the following folders (and their .exe files) on the other security programs you use:

    C:\Program Files (x86)\NoVirusThanks\NVT License Manager\*
    C:\Program Files\NoVirusThanks\OSArmorDevSvc\*

    Let me know if that works.
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Nice! :thumb:

    Thanks as always, @novirusthanks !
     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 1 version of OSArmor PERSONAL v1.8.1:

    Code:
    https://downloads.osarmor.com/osa-personal-1-8-1-setup-test1.exe
    
    Here is what's new so far:

    ** The new protection options need to be enabled manually from the Configurator
    ** Blocking of .msp and .msu scripts may create issues with Windows updates (alert level is set to "High" and they are disabled in all profiles)

    You can install it "over-the-top" of the installed version, reboot is not needed.

    Let me know if you find issues or FPs.
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Downloaded and installed.
    These were automatically enabled here using Advanced Protection.
     
  24. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    10Q to the nth, NVT. No incidents whatsoever. I enabled ALL protections, as per usual.
     
  25. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Question... when changes are made to Protections in Configurator, is a reboot required for them to take effect? TY
     