NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    No.
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    This block when updating PowerToys (v1.80, Medium profile):

    Date/Time: 9/16/2022 9:42:56 AM
    Process: [34036]C:\Windows\SysWOW64\cmd.exe
    Process Size: 231 KB (236,544 bytes)
    Process MD5 Hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
    Parent: [19692]C:\Users\*****\AppData\Local\Temp\{D2E37A51-B924-4B45-A548-90532F515BEE}\.be\PowerToysSetup-0.62.1-x64.exe
    Parent Process Size: 648.49 KB (664,056 bytes)
    Rule: BlockCmdScripts
    Rule Name: Block execution of .cmd scripts
    Command Line: C:\WINDOWS\system32\cmd.exe /c "C:\ProgramData\Package Cache\CEEB2F4674AB44E9EBCE9175CE716612D979979C\terminate_powertoys.cmd"
    Signer: <NULL>
    Parent Signer: Microsoft Corporation
    User/Domain: *****/LAPTOP-BFQLL77F
    System File: True
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High
     
  3. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 4 version of OSArmor PERSONAL v1.8.1:

    Code:
    https://downloads.osarmor.com/osa-personal-1-8-1-setup-test4.exe
    
    Here is what's new compared to previous test build:

    + Added more signers to Trusted Vendors list
    + Added new internal rules to block suspicious behaviors
    + Fixed all reported false positives

    You can install it "over-the-top" of the installed version, reboot is not needed.

    Let me know if you find issues or FPs.

    @paulderdash

    The FP is fixed now, thanks for reporting it.
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Running great so far!
     
  5. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We've released OSArmor v1.8.1:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update in the next hours.

    Else you can install it "over-the-top" of the installed version, reboot is not needed.

    * If you used test builds you should manually update to this final version (install over-the-top is fine).

    If you find false positives or issues please let me know.
     
  6. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
@andrea, as usual thank you. Updated automatically without any problems.
     
  7. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    Got it via internal update a couple of minutes ago. Thanks, NVT.:thumb:
     
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Auto-updated to v1.8.1.0 not long ago. Running well. TY!
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
  10. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Keeps on getting better and better and... better. Shazam!!! :thumb:
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    FWIW Emsisoft warned re C:\Users\****\AppData\Local\Temp\is-RQFU0.tmp\osarmor_setup.tmp

    No biggie, I just allowed it.
     
  12. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    I have nearly all scripts blocked (exceptions: .msc, .bat, cmd, ps1, and msi installer) since the prev. build and I've been pleasantly surprised that I haven't had an fp yet. I find the script-blocking to be at the core of the purpose of keeping OSA around.

    No performance issues at all. Somewhere along the line, one is able to type in the Search box again. Very nice. :thumb:
     
  13. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Installed update over the top.
    Internal automatic update didn't kick in.
    I noticed that there is no button to check for updates manually.
    Be nice if there was one, it would be easier to check.
     
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Maybe, email notice for full release updates?
    ~ afaik, I'm registered for NoVirusThanks Newsletter.
    https://www.novirusthanks.org/newsletter/
    ~ afaik, I've not received email notice for full release 1.8.1.
    Maybe, email notice &or check for updates adds overhead. IDK
    Edit: I've received email notice for 1.8.1.
     
    Last edited: Sep 27, 2022
  15. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    @bjm
    What I meant was that there is no right click on the tray icon or button in the app itself to manually check for updates.
Most of the other programs I have offer one or the other, sometimes both.
     
  16. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    I think you have a point. There is no differentiation between test builds and release ones on the UI. I scanned the logs but didn't see any entry of an update, just blocked apps and stuff. I assumed it updated already b/c it said 1.8.1 on the UI. But did it really, lol? And no, there's nothing update-related in the right-click menu.

    Maybe this could be taken into consideration next time a build is under construction.
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
Thanks everyone for the feedback!

    @LoneWolf

    I can add an option "Check for Updates" on the right-click menu on system tray icon and/or on OSArmor GUI Help -> Check for Updates.

    @plat

    If you used the test build you should manually download and install the latest stable version (installing over the top is fine).

    Anyway yes I get your point, will see what can be done to differentiate the test builds with stable builds.

    @paulderdash

    Thanks for reporting it, strange because OSArmor setup .tmp file is digitally signed.

    Will try to reproduce it and see if the event can be reconsidered by them.
     
  18. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    That would be great, thanks.
     
  19. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    40
    Location:
    New Zealand
    @novirusthanks

    Is this FP?

    Date/Time: 29/09/2022 9:34:25 pm
    Process: [9812]F:\SteamLibrary\steamapps\common\Severed Steel Demo\ThankYouVeryCool\Binaries\Win64\ThankYouVeryCool-Win64-Shipping.exe
    Process Size: 91.63 MB (96,082,432 bytes)
    Process MD5 Hash: FF3C0AE6DE8CE0EC8639A4EDC7976E4E
    Parent: [2664]F:\SteamLibrary\steamapps\common\Severed Steel Demo\SeveredSteel.exe
    Parent Process Size: 443.5 KB (454,144 bytes)
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: "F:\SteamLibrary\steamapps\common\Severed Steel Demo\ThankYouVeryCool\Binaries\Win64\ThankYouVeryCool-Win64-Shipping.exe" ThankYouVeryCool
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain:
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  20. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Graphite85

    It looks like that yes it is a FP:
    https://www.reddit.com/r/SeveredSteel/comments/pq946m/thankyouverycool/

However it is definitely a strange name for a process.

    I can't whitelist it because it is unsigned and I don't have enough details to create a safe internal whitelist rule.

    You can exclude it by adding this to Exclusions rules:

    Code:
    [%PROCESS%: F:\SteamLibrary\steamapps\common\Severed Steel Demo\ThankYouVeryCool\Binaries\Win64\ThankYouVeryCool-Win64-Shipping.exe] [%PARENTPROCESS%: F:\SteamLibrary\steamapps\common\Severed Steel Demo\SeveredSteel.exe] [%PROCESSCMDLINE%: "F:\SteamLibrary\steamapps\common\Severed Steel Demo\ThankYouVeryCool\Binaries\Win64\ThankYouVeryCool-Win64-Shipping.exe" ThankYouVeryCool]
    
     
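The block event pasted above and the exclusion rule suggested for it share a simple text format: the event is a list of `Key: value` lines, and the rule is a sequence of `[%PLACEHOLDER%: value]` conditions. The following is an added example, not OSArmor's own code, that parses both and checks whether a rule would cover a given event before it is added to the Exclusions list. It assumes (none of this is documented on the page) that `%PROCESS%`, `%PARENTPROCESS%` and `%PROCESSCMDLINE%` map to the `Process`, `Parent` and `Command Line` fields, that every bracketed condition must hold (logical AND), that values are compared as exact, case-insensitive strings, and that an empty rule matches nothing. The sample event and rule are the ones from this thread; the second event is constructed to show a near miss.

```python
import re

# ASSUMPTION: which exclusion placeholder corresponds to which log field.
PLACEHOLDER_TO_FIELD = {
    "%PROCESS%": "Process",
    "%PARENTPROCESS%": "Parent",
    "%PROCESSCMDLINE%": "Command Line",
}

_PID_PREFIX = re.compile(r"^\[\d+\]")
# One "[%NAME%: value]" token, where the closing bracket is followed by
# optional whitespace and either the next token or the end of the rule.
_RULE_TOKEN = re.compile(r"\[(%[A-Z]+%):\s*(.*?)\]\s*(?=\[|$)", re.S)


def parse_event(text):
    """Parse a pasted OSArmor block event into a dict of field -> value.
    The leading [PID] on Process/Parent is split off into '<field> PID'."""
    event = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")   # split on the first colon only
        key, value = key.strip(), value.strip()
        if key in ("Process", "Parent"):
            m = _PID_PREFIX.match(value)
            if m:
                event[key + " PID"] = int(m.group(0)[1:-1])
                value = value[m.end():]
        event[key] = value
    return event


def parse_rule(rule):
    """Parse an exclusion rule string into {placeholder: expected value}."""
    return {ph: val for ph, val in _RULE_TOKEN.findall(rule)}


def rule_matches(conditions, event):
    """True only when every condition holds; an empty rule never matches
    (fail closed) and an unknown placeholder is treated as a non-match."""
    if not conditions:
        return False
    for placeholder, expected in conditions.items():
        field = PLACEHOLDER_TO_FIELD.get(placeholder)
        if field is None:
            return False
        if event.get(field, "").casefold() != expected.casefold():
            return False
    return True


def check_exclusion(rule_text, event_text):
    """Convenience wrapper: would this rule have excluded this event?"""
    return rule_matches(parse_rule(rule_text), parse_event(event_text))


# Event as reported in the thread (block on the Severed Steel demo).
SAMPLE_EVENT = r"""
Date/Time: 29/09/2022 9:34:25 pm
Process: [9812]F:\SteamLibrary\steamapps\common\Severed Steel Demo\ThankYouVeryCool\Binaries\Win64\ThankYouVeryCool-Win64-Shipping.exe
Process Size: 91.63 MB (96,082,432 bytes)
Process MD5 Hash: FF3C0AE6DE8CE0EC8639A4EDC7976E4E
Parent: [2664]F:\SteamLibrary\steamapps\common\Severed Steel Demo\SeveredSteel.exe
Parent Process Size: 443.5 KB (454,144 bytes)
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "F:\SteamLibrary\steamapps\common\Severed Steel Demo\ThankYouVeryCool\Binaries\Win64\ThankYouVeryCool-Win64-Shipping.exe" ThankYouVeryCool
Signer: <NULL>
Parent Signer: <NULL>
User/Domain:
System File: False
Parent System File: False
Integrity Level: Medium
Parent Integrity Level: Medium
"""

# Exclusion rule suggested in the thread for that event.
SAMPLE_RULE = r'''[%PROCESS%: F:\SteamLibrary\steamapps\common\Severed Steel Demo\ThankYouVeryCool\Binaries\Win64\ThankYouVeryCool-Win64-Shipping.exe] [%PARENTPROCESS%: F:\SteamLibrary\steamapps\common\Severed Steel Demo\SeveredSteel.exe] [%PROCESSCMDLINE%: "F:\SteamLibrary\steamapps\common\Severed Steel Demo\ThankYouVeryCool\Binaries\Win64\ThankYouVeryCool-Win64-Shipping.exe" ThankYouVeryCool]'''

# CONSTRUCTED near miss: same binary name launched from a Temp folder by a
# different parent. The three-field rule should not cover it.
NEAR_MISS_EVENT = r"""
Process: [4242]C:\Users\user\AppData\Local\Temp\ThankYouVeryCool-Win64-Shipping.exe
Parent: [1111]C:\Windows\explorer.exe
Command Line: "C:\Users\user\AppData\Local\Temp\ThankYouVeryCool-Win64-Shipping.exe" ThankYouVeryCool
Signer: <NULL>
"""

if __name__ == "__main__":
    print("thread event excluded:", check_exclusion(SAMPLE_RULE, SAMPLE_EVENT))
    print("near-miss event excluded:", check_exclusion(SAMPLE_RULE, NEAR_MISS_EVENT))
```

Pinning all three fields, as the suggested rule does, is what keeps the exclusion narrow: the near-miss event reuses the exact file name and command-line argument but fails on the process path and parent, so it is still blocked. A rule built from `%PROCESS%` alone would have covered it.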
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 1 version of OSArmor PERSONAL v1.8.2:

    Code:
    https://downloads.osarmor.com/osa-personal-1-8-2-setup-test1.exe
    
    Here is what's new so far:

    You can install it "over-the-top" of the installed version, reboot is not needed.

    Let me know if you find issues or FPs.

    @LoneWolf

    The "Check for Updates" option is on OSArmor UI top menu Help -> Check for Updates.

    check-for-updates-osa.png
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Did you already fix the problem reported by Cruelsister about OSA's protection not working when files are opened in third party file managers like XYplorer? I was a bit surprised that you missed this, to be honest.
     
  23. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Oh OK, you have to open the UI and click something in order to check for updates. I thought it would be in the little right-click context menu of the tray icon. Oh well.
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Where did she report this??
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I think she may have reported this privately, so not in this topic. But it's a pretty huge hole, that should be fixed ASAP. Seems like OSArmor's protection somehow only kicks in when files are being launched by explorer.exe which would surprise me since it's also supposed to block child processes run by browsers, this is meant to protect against browser exploits. Of course it also protects other tools like PDF readers, Office tools and media players.
     