NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Is this a new rule?

    Block processes with hidden file (+H) disk attribute

    Blocking both my games' launchers. Had to exclude both and reboot the machine but I find this to be a potentially valuable rule. Asking because this did not happen prior to this test build. Is there a changelog for this build?
     
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    [14-Dec-2021] v1.6.6.0
    + Fixed all reported false positives
    + On OSArmor UI you can view the last applied protection profile
    + Added button Contact Us on OSArmor UI on main menu Help
    + Small improvements on OSArmor UI design
    + Added more signers to Trusted Vendors list
    + Added Block unsigned processes with high privileges on user space
    + Added Block unsigned processes with system privileges on user space
    + Added Block unsigned processes modified less than 15 days ago
    + Added Block processes with hidden file (+H) disk attribute
    + Added new internal rules to block suspicious behaviors
    + Updated NVT License Manager with latest version
    + Minor improvements
    Program Files\NoVirusThanks\OSArmorDevSvc\Changelog.txt
    [03-Oct-2022] v1.8.2.0
    + Added option to manually check for updates
    + Added new internal rules to block suspicious behaviors
    + Added more signers to Trusted Vendors list
    + Fixed all reported false positives
    + Minor improvements
     
    Last edited: Oct 3, 2022
  3. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Whoa, thanks a LOT, bjm_. OK so the rule is nothing new. I will work it out insofar as false-positives go since there are other considerations involved.

    Wow, thanks again, very much appreciated. :thumb:
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    I don't think my exclusion works:
    Date/Time: 4/10/2022 2:24:17 PM
    Process: [15244]C:\Windows\System32\schtasks.exe
    Process Size: 229.5 KB (235,008 bytes)
    Process MD5 Hash: 76CD6626DD8834BD4A42E6A565104DC2
    Parent: [8508]C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe
    Parent Process Size: 1.63 MB (1,713,952 bytes)
    Rule: BlockSchtasksExe
    Rule Name: Block execution of schtasks.exe
    Command Line: schtasks /Create /TN "AMDLinkUpdate" /XML "C:\Program Files\AMD\CIM\Config\AMDLinkDriverUpdate.xml"
    Signer: <NULL>
    Parent Signer: Advanced Micro Devices, Inc.
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High


    Date/Time: 4/10/2022 2:24:17 PM
    Process: [6456]C:\Windows\System32\schtasks.exe
    Process Size: 229.5 KB (235,008 bytes)
    Process MD5 Hash: 76CD6626DD8834BD4A42E6A565104DC2
    Parent: [8508]C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe
    Parent Process Size: 1.63 MB (1,713,952 bytes)
    Rule: BlockSchtasksExe
    Rule Name: Block execution of schtasks.exe
    Command Line: schtasks /delete /TN "AMDLinkUpdate" /F
    Signer: <NULL>
    Parent Signer: Advanced Micro Devices, Inc.
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High


    Date/Time: 4/10/2022 12:17:17 PM
    Process: [1640]C:\Windows\System32\schtasks.exe
    Process Size: 229.5 KB (235,008 bytes)
    Process MD5 Hash: 76CD6626DD8834BD4A42E6A565104DC2
    Parent: [7372]C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe
    Parent Process Size: 1.63 MB (1,713,952 bytes)
    Rule: BlockSchtasksExe
    Rule Name: Block execution of schtasks.exe
    Command Line: schtasks /Create /TN "AMDLinkUpdate" /XML "C:\Program Files\AMD\CIM\Config\AMDLinkDriverUpdate.xml"
    Signer: <NULL>
    Parent Signer: Advanced Micro Devices, Inc.
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High


    Date/Time: 4/10/2022 12:17:17 PM
    Process: [10956]C:\Windows\System32\schtasks.exe
    Process Size: 229.5 KB (235,008 bytes)
    Process MD5 Hash: 76CD6626DD8834BD4A42E6A565104DC2
    Parent: [7372]C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe
    Parent Process Size: 1.63 MB (1,713,952 bytes)
    Rule: BlockSchtasksExe
    Rule Name: Block execution of schtasks.exe
    Command Line: schtasks /delete /TN "AMDLinkUpdate" /F
    Signer: <NULL>
    Parent Signer: Advanced Micro Devices, Inc.
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks for the info, but the most logical thing would be to monitor all third party file managers, since they are used to launch downloaded apps and files, so it's a huge hole if they aren't monitored. And why should it produce more false positives, I mean they are not different from Win Explorer right?
     
  6. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    I just did a bit of testing and can confirm that the Test2 version does indeed include specific blocks for Xyplorer and Xplorer2 at the Advanced Protection level. I also tried a few others including Directory Opus, and Salamander both of which also had specific block alerts when a dubious file was initiated through them.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Krusty,

    it's because your Parent Process and Command Lines from post #4525 differ from those of your post #4529.

    @novirusthanks will no doubt see this difference and address it accordingly.
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Thanks wat0114. I've added the extra exclusion and it seems to have done the trick.

    Cheers.
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 3 version of OSArmor PERSONAL v1.8.2:

    Code:
    https://downloads.osarmor.com/osa-personal-1-8-2-setup-test3.exe
    
    Mainly just fixed FPs and some minor internal improvements.

    You can install over-the-top, reboot is not needed.

    @Krusty @plat

    FPs should be fixed now, thanks for reporting.

    @Rasheed187

    Each third-party file manager can behave differently in many aspects when executing processes compared to the Windows built-in File Explorer, so supporting every third-party file manager in terms of FPs would not be that easy. Additionally, third-party file managers are generally used for better searching/renaming/copying/previewing of multimedia files (photos, videos, etc.) and less for specifically running applications.

    @cruelsister

    Thanks for confirming.
     
  10. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Thanks, works fine now (on here).
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Great! Thank you, @novirusthanks . :thumb:

    Another possible FP:
    Date/Time: 6/10/2022 9:25:23 AM
    Process: [10408]C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe
    Process Size: 1.1 MB (1,156,608 bytes)
    Process MD5 Hash: 09F26574ED73CA2DEA47B81D3D57E04F
    Parent: [10440]C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe
    Parent Process Size: 6.46 MB (6,775,432 bytes)
    Rule: BlockUnsignedProcessesAppDataRoaming
    Rule Name: Block execution of unsigned processes on Roaming AppData
    Command Line: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /checknow
    Signer: <NULL>
    Parent Signer: Firetrust Limited
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium


    Date/Time: 6/10/2022 9:25:23 AM
    Process: [1808]C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe
    Process Size: 1.1 MB (1,156,608 bytes)
    Process MD5 Hash: 09F26574ED73CA2DEA47B81D3D57E04F
    Parent: [10440]C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe
    Parent Process Size: 6.46 MB (6,775,432 bytes)
    Rule: BlockUnsignedProcessesAppDataRoaming
    Rule Name: Block execution of unsigned processes on Roaming AppData
    Command Line: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /justcheck
    Signer: <NULL>
    Parent Signer: Firetrust Limited
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: False
    Integrity Level: Medium
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Ok I see, so it's not that simple. I assumed that they wouldn't generate any more FPs than Windows Explorer. But people who use third party file managers as a replacement for Win Explorer will however use it to run app installers. So cool that you fixed this in at least the most popular ones.
     
  13. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Sadly my custom WAV loon was overwritten with this 3rd test build. I think I will stick to release builds for the time being, as this is still blocking Sandboxie from opening Firefox after a machine restart (rule is "Block unsigned processes with system privileges"). First time I've had to disable a rule altogether because trying to Exclude it wasn't successful.

    Edit: the Exclusion works in 1.8.1 so I've re-enabled this rule.
     
    Last edited: Oct 6, 2022
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    [05-Oct-2022] v1.8.2.0
    all rules enabled except Restrict Windows Programs
    Code:
    [%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\cmd.exe /d /s /c "reg query "HKCU\Control Panel\Desktop" /v PreferredUILanguages"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Users\bjm\AppData\Local\Programs\Tutanota Desktop\Tutanota Desktop.exe] [%PARENTSIGNER%: Tutao GmbH]
    [%PROCESS%: C:\Windows\System32\reg.exe] [%PROCESSCMDLINE%: reg  query "HKCU\Control Panel\Desktop" /v PreferredUILanguages] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe] [%PARENTSIGNER%: <NULL>]
    Code:
    Process: [2220]C:\Windows\System32\reg.exe
    Process Size: 75.5 KB (77,312 bytes)
    Process MD5 Hash: 227F63E1D9008B36BDBCC4B397780BE4
    Parent: [10592]C:\Windows\System32\cmd.exe
    Parent Process Size: 283 KB (289,792 bytes)
    Rule: BlockRegExecution
    Rule Name: Block execution of reg.exe
    Command Line: reg  query "HKCU\Control Panel\Desktop" /v PreferredUILanguages
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: bjm/DESKTOP-DELL
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    
    Process: [10140]C:\Windows\System32\cmd.exe
    Process Size: 283 KB (289,792 bytes)
    Process MD5 Hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
    Parent: [4012]C:\Users\bjm\AppData\Local\Programs\Tutanota Desktop\Tutanota Desktop.exe
    Parent Process Size: 142.02 MB (148,922,672 bytes)
    Rule: BlockCmdExeExecution
    Rule Name: Block execution of Windows Command Prompt (cmd.exe)
    Command Line: C:\WINDOWS\system32\cmd.exe /d /s /c "reg query "HKCU\Control Panel\Desktop" /v PreferredUILanguages"
    Signer: <NULL>
    Parent Signer: Tutao GmbH
    User/Domain: bjm/DESKTOP-DELL
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Last edited: Oct 7, 2022
  15. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Salutations and Greetings,

    youtube.com/watch?v=0HGEUiDhALM

    Opinions and Thoughts:)

    Looking forward to more videos.....
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 4 version of OSArmor PERSONAL v1.8.2:

    Code:
    https://downloads.osarmor.com/osa-personal-1-8-2-setup-test4.exe
    
    Fixed FPs and some minor internal improvements.

    You can install over-the-top, reboot is not needed.

    @Krusty

    I have contacted MailWasher and reported to them that their updater.exe file is not signed.

    Hope they will sign it on the next update.

    @bjm_

    Fixed, thanks for reporting them.

    @plat

    This should not happen since it is set to not be overwritten if it already exists, I will double check this.

    I guess it is because Sandboxie Plus is not signed:

    Code:
    Process: [6848]C:\Program Files\Sandboxie-Plus\SbieSvc.exe
    Process Size: 346.5 KB (354,816 bytes)
    Process MD5 Hash: CF2217BB1BE251770518E9B0CC6044A8
    Parent: [2600]C:\Program Files\Sandboxie-Plus\SbieSvc.exe
    Parent Process Size: 346.5 KB (354,816 bytes)
    Rule: BlockUnsignedProcsWithSystemIL
    Rule Name: Block unsigned processes with system privileges
    Command Line: "C:\Program Files\Sandboxie-Plus\SbieSvc.exe" Sandboxie_GuiProxy_00000001,2600
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    
    This will be fixed once Sandboxie Plus is signed, else you can add this exclusion rule:

    Code:
    [%PROCESS%: C:\Program Files\Sandboxie-Plus\SbieSvc.exe] [%PARENTPROCESS%: C:\Program Files\Sandboxie-Plus\SbieSvc.exe] [%PROCESSINTEGRITY%: System]
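
    Added example (not OSArmor's code and not posted by anyone in this thread): a small Python matcher that shows, in code, the point wat0114 made in post #7 and Krusty confirmed in post #8 (an exclusion keyed on the schtasks /Create command line cannot cover the /delete invocation, so a second exclusion is needed) and how the SbieSvc.exe exclusion rule above lines up against the block log it was written for. The rule syntax is taken from the thread; the matching semantics are assumptions on my part: every [%TOKEN%: value] in a rule must equal the corresponding block-log field, comparison is case-insensitive, and rule values contain no ']' character. The label-to-token mapping and the embedded log entries are constructed from what was pasted in the thread, trimmed to the fields a rule can reference.

```python
"""Match OSArmor-style block-log entries against exclusion rules.

Added example, not OSArmor's own code. Assumed semantics: every
[%TOKEN%: value] in a rule must equal its log field (AND), comparison is
case-insensitive (Windows paths), and rule values contain no ']'.
"""
import re
from typing import Dict, List, Tuple

# Block-log label -> rule token. Mapping inferred from the thread's examples.
FIELD_TO_TOKEN = {
    "Process": "PROCESS",
    "Command Line": "PROCESSCMDLINE",
    "Signer": "SIGNER",
    "Parent": "PARENTPROCESS",
    "Parent Signer": "PARENTSIGNER",
    "Integrity Level": "PROCESSINTEGRITY",
}
TOKEN_RE = re.compile(r"\[%([A-Z]+)%:\s*([^\]]*)\]")
PID_PREFIX_RE = re.compile(r"^\[\d+\]")  # "[15244]C:\..." -> "C:\..."


def parse_log_entry(text: str) -> Dict[str, str]:
    """Reduce a pasted block-log entry to the fields a rule can reference."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")  # first ':' ends the label
        token = FIELD_TO_TOKEN.get(label.strip()) if sep else None
        if token is None:
            continue
        value = value.strip()
        if token in ("PROCESS", "PARENTPROCESS"):
            value = PID_PREFIX_RE.sub("", value)  # drop the "[pid]" prefix
        fields[token] = value
    return fields


def parse_rule(rule: str) -> Dict[str, str]:
    """'[%PROCESS%: x] [%SIGNER%: y]' -> {'PROCESS': 'x', 'SIGNER': 'y'}."""
    return {name: value.strip() for name, value in TOKEN_RE.findall(rule)}


def mismatches(rule: str, entry: str) -> List[Tuple[str, str, str]]:
    """(token, rule value, log value) for every rule token that fails."""
    fields = parse_log_entry(entry)
    bad = []
    for token, wanted in parse_rule(rule).items():
        actual = fields.get(token, "")
        if wanted.casefold() != actual.casefold():
            bad.append((token, wanted, actual))
    return bad


def is_excluded(rules: List[str], entry: str) -> bool:
    """Excluded when at least one rule matches the entry on every token."""
    return any(not mismatches(rule, entry) for rule in rules)


# Constructed from the block logs pasted in the thread, trimmed to the
# fields above. Pids are kept to show the matcher ignores them.
SCHTASKS_CREATE = r"""
Process: [15244]C:\Windows\System32\schtasks.exe
Parent: [8508]C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe
Command Line: schtasks /Create /TN "AMDLinkUpdate" /XML "C:\Program Files\AMD\CIM\Config\AMDLinkDriverUpdate.xml"
Signer: <NULL>
Integrity Level: High
"""
SCHTASKS_DELETE = r"""
Process: [6456]C:\Windows\System32\schtasks.exe
Parent: [8508]C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe
Command Line: schtasks /delete /TN "AMDLinkUpdate" /F
Signer: <NULL>
Integrity Level: High
"""
SBIESVC = r"""
Process: [6848]C:\Program Files\Sandboxie-Plus\SbieSvc.exe
Parent: [2600]C:\Program Files\Sandboxie-Plus\SbieSvc.exe
Command Line: "C:\Program Files\Sandboxie-Plus\SbieSvc.exe" Sandboxie_GuiProxy_00000001,2600
Signer: <NULL>
Integrity Level: System
"""
# Exclusion rules in the thread's syntax. The two schtasks rules are the
# ones a user would write for the /Create and /delete invocations.
RULE_CREATE = (r"[%PROCESS%: C:\Windows\System32\schtasks.exe] "
               r"[%PARENTPROCESS%: C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe] "
               r'[%PROCESSCMDLINE%: schtasks /Create /TN "AMDLinkUpdate" /XML "C:\Program Files\AMD\CIM\Config\AMDLinkDriverUpdate.xml"]')
RULE_DELETE = (r"[%PROCESS%: C:\Windows\System32\schtasks.exe] "
               r"[%PARENTPROCESS%: C:\Program Files\AMD\CIM\Bin64\InstallManagerApp.exe] "
               r'[%PROCESSCMDLINE%: schtasks /delete /TN "AMDLinkUpdate" /F]')
RULE_SBIE = (r"[%PROCESS%: C:\Program Files\Sandboxie-Plus\SbieSvc.exe] "
             r"[%PARENTPROCESS%: C:\Program Files\Sandboxie-Plus\SbieSvc.exe] "
             r"[%PROCESSINTEGRITY%: System]")

if __name__ == "__main__":
    for name, entry in (("create", SCHTASKS_CREATE), ("delete", SCHTASKS_DELETE)):
        bad = mismatches(RULE_CREATE, entry)
        print(f"schtasks {name} vs RULE_CREATE:",
              "excluded" if not bad else f"still blocked, mismatch on {bad[0][0]}")
    print("schtasks delete vs both rules:",
          "excluded" if is_excluded([RULE_CREATE, RULE_DELETE], SCHTASKS_DELETE) else "blocked")
    print("SbieSvc vs RULE_SBIE:",
          "excluded" if is_excluded([RULE_SBIE], SBIESVC) else "blocked")
```

    Running it reports PROCESSCMDLINE as the only mismatch for the /delete entry against the /Create rule, which is exactly why the single exclusion in post #4 did not stop the second block, and shows the SbieSvc.exe rule matching once the process path, parent path and System integrity level all line up. When an exclusion "doesn't work", comparing the tokens this way against the actual block log is the quickest check.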
    
     
  17. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Yes, I knew this long ago. The problem was, the Exclusion wasn't working for it; it kept blocking SBIE despite the Exclusion. Only disabling that specific rule would allow SBIE to function and that is something I don't like to do.

    No big deal, just went back to 1.8.1 and will stay there until you release the latest build.
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    You are amazing, thank you!

    Did you ever hear back from Macrium?
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Yes, they said vpatch.exe will be signed for the next patch update :)
     
  20. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I only disable OSA for certain types of actions. When I do, after a while the large OSA pop-up appears & covers a sizeable corner of my laptop's small screen, often at just the wrong moment.

    Voodoo Shield's on-screen widget is MUCH smaller, MUCH less obtrusive, but it is still quite visible. Further, the change in color of OSA's icon gives quite enough notice that OSA is disabled. A visible change to the icon is the same type of notice used by most other security apps, none of which pop-up such large, obtrusive alerts.

    I've tried to endure this pop-up, but it just now covered part of the very document I was working on, & that piece of information went away before I could turn off OSA's pop-up. This has happened more than once.

    I request this pop-up be made optional in OSA's settings.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I have watched the latest Cruelsister video where she tested OSArmor against a couple of malware samples. Most of them were blocked by OSArmor, pretty cool. It wasn't able to block a certain ransomware sample, but we must not forget that OSArmor is not an AV but a behavior blocker. So as long as malware triggers certain behavior, then OSArmor should react to it. Of course it might fail against certain tricky or non-monitored behaviors.
     
  22. Jan Willy

    Jan Willy Registered Member

    Joined:
    Jan 29, 2021
    Posts:
    226
    Location:
    Netherlands
    Also interesting is the next message from Andreas, the developer:
    https://malwaretips.com/threads/an-osarmor-overview.117826/ post # 6
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK thanks, so OSArmor could have blocked these samples in Extreme Mode. Too bad that this type of stuff isn't being discussed on WSF, I'm not a fan of MT at all. But like I said, OSArmor can't block what it doesn't monitor. But I don't mean this as criticism towards Cruelsister, she clearly just wanted to see what OSArmor would block in practice.
     
  24. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
     
  25. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Using Advanced Protection Profile, just added "Block signers not present in Trusted Vendors" and "Block unsigned processes on user space". Will see how it goes.
     