NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. wat0114

    wat0114 Registered Member

    Oh okay that must be the case then because I searched thoroughly but couldn't find anything.

    Well maybe let's see if @novirusthanks has a response to this, and if it's actually still a security hole.
     
  2. pernu

    pernu Registered Member

    I am running OSArmor v1.8.1 with Extreme Protection on, but it blocks EmsisoftEmergencyKit. What can I do to open the block :thumbd:
     
  3. wat0114

    wat0114 Registered Member

    Hi pernu,

    if you right-click the OSA tray icon and select Open Logs Folder, the blocked event should be in there. Just copy the contents and paste in this thread, removing any personal information such as your name, and include @novirusthanks at the top of the post, and report it as a False positive.
     
  4. pernu

    pernu Registered Member

    Thank you so much :)
     
  5. wat0114

    wat0114 Registered Member

    You're welcome!

    If you get numerous FP's, you might want to consider reducing the Protection Profile to Advanced.
     
  6. pernu

    pernu Registered Member

  7. pernu

    pernu Registered Member

    :thumb:
     
  8. cruelsister

    cruelsister Registered Member

    Hi Guys! I would like to ask for those that employ OSA what protection level is being used? Response either here or via message would be appreciated!
     
  9. wat0114

    wat0114 Registered Member

    @pernu,

    to resolve the BlockSignerNotPresent roadblock, you could open the Configurator-> Trusted Vendors tab-> Edit Trusted Vendors List, and add these two for Trusted Vendors:

    Code:
    Emsisoft Limited
    Emsisoft Ltd

    Make sure to save the list. This will address both the Portable installer and normal installer.

    @cruelsister

    I have Advanced Level plus a few more Protections enabled, so I'm essentially somewhere between Advanced and Extreme Level.
     
  10. plat

    plat Registered Member

    Hi, I use the Default profile (basic, I think) with a number of rules over and above, particularly in the Scripts section. I'm on my Windows 11 drive at the moment so can't be more specific.

    Any more aggressive than what I have now gets me too much noise from block alerts.
     
  11. Antarctica

    Antarctica Registered Member

    As plat here above, I'm also using the default profile. I find it a good balance and not much noise. :)
     
  12. pernu

    pernu Registered Member

    That did the trick. Thank you very much :thumb:
     
  13. Page42

    Page42 Registered Member

    Advanced Protection plus an assortment of blocked extras, like all of the PUPs.
     
  14. wat0114

    wat0114 Registered Member

    :thumb:
     
  15. Krusty

    Krusty Registered Member

    Hi cruelsister,

    Advanced Protection +.
     
  16. paulderdash

    paulderdash Registered Member

    Protections profile: Medium (no other selections).
     
  17. Roberteyewhy

    Roberteyewhy Registered Member

    Protection profile: Extreme Protection with everything checked except 2 Protections (Alerts = Low). Never had a problem.
     
  18. LoneWolf

    LoneWolf Registered Member

    Extreme Protection.
    Zero issues here, very few alerts.
     
  19. cruelsister

    cruelsister Registered Member

    Thank you all for your responses! The reason why I asked is that as OSA has a number of protection levels, one would need to know the most probable OSA security configuration employed by the user in order to do some sort of review.

    Once again, thanks for being kind!
     
  20. itman

    itman Registered Member

    Review it at the default install level which is basic protection only.
     
  21. bellgamin

    bellgamin Registered Member

    @cruelsister -- I use Win7 with ALL rules of OSA checked. FPs are very VERY rare -- I guess I'm a clean liver. (My kidneys are also tres bien.)
     
  22. Rasheed187

    Rasheed187 Registered Member

    Have you already heard anything from OSA's developer, regarding the bug that you found? Or are you still testing stuff?
     
  23. novirusthanks

    novirusthanks Developer

    Here is a pre-release test 2 version of OSArmor PERSONAL v1.8.2:

    Code:
    https://downloads.osarmor.com/osa-personal-1-8-2-setup-test2.exe
    
    @Rasheed187

    The case related to XYplorer is that OSA considers third-party file managers and other programs that meet a specific internal trust score as "not critical" so they are not fully monitored if you have the option "Enable internal rules for allowing safe behaviors" checked, this is done to reduce FPs. With this new test 2 build also XYplorer is monitored but you may expect more FPs. In the next build we plan on adding an option like "Do not monitor specific programs that meet a high trust score" or similar so if checked, XYplorer and other "not critical" programs will not be fully monitored, and allows advanced users to disable this option if needed.

    @pernu

    Thanks for reporting it, have added Emsisoft Limited to Trusted Vendors list.
     
  24. bellgamin

    bellgamin Registered Member

    NOT me. I do not choose to neuter my Rottweiler.
     
  25. Krusty

    Krusty Registered Member

    Possible FP:

    Date/Time: 4/10/2022 10:07:42 AM
    Process: [2928]C:\Windows\System32\schtasks.exe
    Process Size: 229.5 KB (235,008 bytes)
    Process MD5 Hash: 76CD6626DD8834BD4A42E6A565104DC2
    Parent: [11428]C:\Program Files\AMD\CNext\CNext\RadeonSoftware.exe
    Parent Process Size: 23.94 MB (25,105,696 bytes)
    Rule: BlockSchtasksExe
    Rule Name: Block execution of schtasks.exe
    Command Line: schtasks /run /TN "AMDRyzenMasterSDKTask"
    Signer: <NULL>
    Parent Signer: Advanced Micro Devices, Inc.
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium

    Thanks!
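
Added example, not part of the thread and not NoVirusThanks code: a Python helper that parses a blocked-event entry in the field layout of the log posted above and masks the user and machine names before the entry is shared, as suggested earlier in the thread for false-positive reports. The sample entry and the function names are constructed for illustration.

```python
import re

# Constructed sample in the field layout of the blocked-event log quoted in
# this thread; every value below is made up.
SAMPLE = r"""Date/Time: 1/2/2022 3:04:05 PM
Process: [1234]C:\Windows\System32\schtasks.exe
Parent: [4321]C:\Users\alice\AppData\Local\ExampleApp\app.exe
Rule: BlockSchtasksExe
Command Line: schtasks /run /TN "ExampleTask"
Signer: <NULL>
Parent Signer: Example Vendor, Inc.
User/Domain: alice/ALICE-PC
"""


def parse_entry(text):
    """Split 'Key: Value' lines into a dict, cutting at the first ': ' only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            fields[key] = value
    return fields


def redact_entry(fields):
    """Return a copy with the user and machine names masked in every field."""
    user, _, machine = fields.get("User/Domain", "").partition("/")
    # Machine name first, since it may contain the user name.
    masks = [(machine, "<machine>"), (user, "<user>")]
    redacted = {}
    for key, value in fields.items():
        if key == "User/Domain":
            value = "<user>/<machine>"
        else:
            for secret, mask in masks:
                if secret:
                    # Whole-token, case-insensitive match so paths are covered too.
                    pattern = rf"(?<!\w){re.escape(secret)}(?!\w)"
                    value = re.sub(pattern, mask, value, flags=re.IGNORECASE)
        redacted[key] = value
    return redacted


def format_entry(fields):
    return "\n".join(f"{key}: {value}" for key, value in fields.items())


if __name__ == "__main__":
    print(format_entry(redact_entry(parse_entry(SAMPLE))))
```

The rule name, command line and signer fields pass through unchanged, so the report stays useful for triage while the account and host names are removed.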
     