NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,961
    I meant that if any malware tried to attack my comp, which was very rare, security suites always did their job, thus the apps in question didn't even have a chance to shine. That's why I'm questioning if they can enhance security over complete, good and proven AV solutions. But let's leave that rather unanswered.
     
  2. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Then I conclude that you are a lower-risk user, as is the great majority of computer users. Lower-risk users are less of a malware target than higher-risk users. Why? Because most of the "goodies" are sequestered on the computers of higher-risk users.

    Of course, phishers & zombie-seekers will go after just about ANY user's computer. Even so, I agree with pegas that top-tier AVs will offer adequate protection against a very high percentage of malware, including phishers & zombie seekers, for lower-risk users & even for a goodly number of low-medium-risk users. However, for risks above those levels, layered protection is necessary IMO.

    I'll have a go at answering it. I will use OSArmor (OSA) as an example of specialized security apps. Why? Because OSA is the topic of this thread. And away we go:

    A- Top-tier AVs are mass-market apps -- something for everybody.

    IMO, OSA is not mass-market; neither is it for everybody. Instead OSA is for a medium-risk to higher-risk market.

    B- Many top-tier AVs encompass several types of protection including (not necessarily limited to) the following: signature-based antivirus, firewalls, AI, HIPS, & Behavior Blocker (BB).

    OSA is solely and primarily a BB.

    C- A top-tier AV seeks to be very user-friendly, minimally intrusive, & as "set-it & forget-it" as possible.

    OSA certainly does not seek to be user-difficult & intrusive -- but it can be. || OSA offers 4 user-selectable levels of Protection: Basic, Medium, Advanced, Extreme. These levels enable user to decide how many security rules OSA may apply, based on user's tolerance for alerts & his confidence in making security decisions. || Further, OSA enables user to see exactly which protective rules his selected Protection level will & will not apply. || Further yet, OSA gives an estimate of how many alerts each rule might generate (low, medium, high) so as to aid user in making his choice of Protection level.

    D- To generate fewer alerts, it is obvious that there is a close correlation between degree of protection and degree of user friendliness in terms of fewer alerts/fewer user decisions. If protection goes up, then user friendliness goes down (but not necessarily in a 1:1 relationship). And vice versa.

    Top-tier AVs must make some tweaks and sacrifices in protective levels so as to achieve fewer alerts (hence, more user friendliness). To wit, AVs largely self-determine their BB's degree of protection & number of possible alerts. || The rules monitored by the BB component of Top-Tier AVs are not usually available for user inspection. || AVs alert users for decisions before blocking possible threat detections.

    OSA comes with defaults, of course. Otherwise, OSA does NOT self-determine OSA's degree of protection & number of possible alerts. Those decisions are ENTIRELY the user's. || OSA enables users to see ALL its rules & their respective frequencies of alerts. || OSA blocks possible threats without user action. User may, of course, remove the blockage by setting an exclusion and re-doing what OSA blocked.

    =>Note: IMO, undisclosed rules are friendly to users who want set-it/forget-it security BUT undisclosed rules are UNfriendly to more advanced users who want to look under the hood when making security decisions. || OSA's "block BEFORE asking" can be a huge PITA (pain in the anatomy) when the threat wasn't a threat, even though it DID break a rule by doing some dodgy things that malware often does. However, OSA's "block first & ask questions later" is unquestionably the safer way because a threat may take full advantage of even a fairly short wait for user's response.

    E- SUMMARY:

    Top-Tier AVs, by their design and their marketing goals, will protect against a much wider spectrum of threats than OSA. || Once AVs are set-up, they seek to SELDOM rely on user's security decisions. || AVs will catch many more types of threats than does OSA.

    OSA is NOT designed to be a wide-spectrum security app, and (as such) will appeal to a much narrower market than any top-tier AV. || Instead, OSA is designed as a specialized, granular Behavior Blocker for those users who recognize a need for an extra layer of security. || OSA is designed to FREQUENTLY rely on user's decisions about its alerts. || At its higher protection settings, OSA WILL catch some types of threats that AVs do not -- if & only if such threats ever seek to attack that specific user's computer***.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ***
    Evidently, pegas' computer has never been attacked by those kinds of threats. May it ever be so (^_^)
     
    Last edited: Nov 3, 2022
  3. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,961
    @bellgamin Thanks for the comprehensive sum-up, great read this time, no offence ;-)

    It looks like. :)

    Yes but more skilled users can tweak and tighten them so you can elevate security up.

    And that may also be its bottleneck. A bad user decision can completely erase the advantage of layered protection. However, I understand your point and agree that layered protection can be useful for a certain (high) level of risk.

    I second. :)
     
    Last edited: Nov 3, 2022
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, they can improve security, because of the simple fact that AVs might sometimes fail to detect certain malware samples; it's as simple as that. So I have to disagree with Bellgamin because it's not even about low risk or high risk user.

    If these "extra protection" tools can't shine, then this is great news because it means that your AV did a great job. But tools like AppCheck, OSArmor and SpyShelter are designed to block or at least interfere with malware that has been able to run freely.
     
  5. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,961
    It would be interesting to see real figures on a broad scale on attacks intercepted by "Extra Protection Tools" (EPT) on systems where security suites were installed, i.e. what % of malware passed through conventional AV solutions and was crunched by EPTs.

    However, not to be only sceptical of EPTs, I have to admit that I have fond memories of good old Prevx (before it got acquired by Webroot).
     
    Last edited: Nov 4, 2022
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, but that's what I'm trying to explain. I don't think such numbers are even that interesting. These tools might someday actually save your bacon, even if it's only once in 10 years. Often these EPTs are even freeware, so why not?

    And don't forget, corporations also don't solely rely on AVs. But they spend billions every year on EDRs; these are behavioral monitoring tools to monitor the network in case AVs fail to detect malware. Of course corporations are way more under attack than home users, but still.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Hi @novirusthanks

    I had these FP's on a Macrium Reflect Free update this morning:

    Code:
    Process: [6176]C:\Users\14038\AppData\Local\Temp\_ir_vp2_temp_0\BcdCheck.exe
    Process Size: 2.84 MB (2,982,240 bytes)
    Process MD5 Hash: F3F86F86C6F32F790A3F59CA379E6B5A
    Parent: [4064]C:\Users\14038\AppData\Local\Temp\_ir_vp2_temp_0\vpatch.exe
    Parent Process Size: 485.95 KB (497,616 bytes)
    Rule: BlockSignersNotPresentInTrustedVendors
    Rule Name: Block signers not present in Trusted Vendors
    Command Line: C:\Users\14038\AppData\Local\Temp\_ir_vp2_temp_0\BcdCheck.exe
    Signer: Paramount Software UK Ltd
    Parent Signer: PARAMOUNT SOFTWARE UK LIMITED
    
    Date/Time: 11/5/2022 6:14:39 AM
    Process: [7908]C:\Users\14038\AppData\Local\Temp\_ir_vp2_temp_0\map.exe
    Process Size: 61.45 KB (62,928 bytes)
    Process MD5 Hash: C70AD749E3B0D5CC28385C4768D9E50B
    Parent: [4064]C:\Users\14038\AppData\Local\Temp\_ir_vp2_temp_0\vpatch.exe
    Parent Process Size: 485.95 KB (497,616 bytes)
    Rule: BlockSignersNotPresentInTrustedVendors
    Rule Name: Block signers not present in Trusted Vendors
    Command Line: C:\Users\14038\AppData\Local\Temp\_ir_vp2_temp_0\map.exe
    Signer: Paramount Software UK Ltd
    Parent Signer: PARAMOUNT SOFTWARE UK LIMITED
    Strange thing is, these two signers are in my Trusted Vendors list.
     
  8. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Hi,

    I would like to make a feature request for OSArmor. Can you please make it so that Resuming Protection does Not require a password? I agree that it requires a password when Disabling protection, but often I forget to Resume Protection, like when going online, when I realize that OSArmor's protection is off. And I need to quickly resume protection.
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @wat0114

    Strange indeed, can you send me via email your TrustedVendors.db file?

    So I can take a look at it.

    @lunarlander

    Sure, will add that on the next build.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Sure, I just sent it to the support email address.

    Not sure if it means anything, but I did notice the double space between the K and the L in "Paramount Software UK Ltd". If I reduce it to a single space and re-scan, it adds it back with the double space.
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @wat0114

    Thanks, file received.

    Looks like your TrustedVendors.db file is missing the vendor name with a single space between K and L.

    You should have all these 3 vendors related to Macrium Reflect:

    Code:
    PARAMOUNT SOFTWARE UK LIMITED
    Paramount Software UK  Ltd
    Paramount Software UK Ltd
    
    They are present in the default TrustedVendors.db file.
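    As an added illustration (not OSArmor's code; the page does not show how OSArmor itself compares signer names), the snippet below parses alert fields in the layout quoted above and contrasts an exact lookup in a trusted-vendor list that is missing the single-space variant, as in wat0114's case, with a whitespace-normalized lookup. The vendor list, alert text and file path are constructed for the example.

```python
import re
from typing import Iterable

# Constructed trusted-vendor list reproducing the state described in the thread:
# the double-space "UK  Ltd" variant is present, the single-space one is missing.
TRUSTED_VENDORS = {
    "PARAMOUNT SOFTWARE UK LIMITED",
    "Paramount Software UK  Ltd",
}

# Constructed alert text, using the field layout of the OSArmor log quoted in the thread.
ALERT = """Rule: BlockSignersNotPresentInTrustedVendors
Command Line: C:\\Users\\user\\AppData\\Local\\Temp\\BcdCheck.exe
Signer: Paramount Software UK Ltd
Parent Signer: PARAMOUNT SOFTWARE UK LIMITED
"""


def normalize(name: str) -> str:
    """Collapse runs of whitespace and case-fold, so spacing quirks in a
    certificate subject cannot produce a spurious mismatch."""
    return " ".join(name.split()).casefold()


def parse_fields(alert: str) -> dict:
    """Extract 'Key: value' pairs from one alert block (first colon splits)."""
    fields = {}
    for line in alert.splitlines():
        m = re.match(r"^([\w ]+?):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_alert(alert: str, vendors: Iterable[str]) -> dict:
    """For Signer and Parent Signer, report whether an exact lookup and a
    whitespace-normalized lookup would each treat the name as trusted."""
    vendors = set(vendors)
    normalized = {normalize(v) for v in vendors}
    fields = parse_fields(alert)
    result = {}
    for key in ("Signer", "Parent Signer"):
        name = fields.get(key, "")
        result[key] = {
            "exact": name in vendors,
            "normalized": normalize(name) in normalized,
        }
    return result
```

    The exact lookup reproduces the block on the single-space signer while the normalized lookup accepts it; shipping every spacing variant, as the developer says the default TrustedVendors.db does, avoids the mismatch without loosening the comparison.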
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Oh wow, so there should be one with a double space and a single space as well. Thanks!
     
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 5 version of OSArmor PERSONAL v1.8.2:

    Code:
    https://downloads.osarmor.com/osa-personal-1-8-2-setup-test5.exe
    
    Here is what's new compared to previous build:

    You can install over-the-top, reboot is not needed.

    @lunarlander

    With this new build when you right-click on system tray icon -> Protection -> Enable Protection it will not ask for the password.

    It also fixes the issue related to Group Policy Editor not being blocked if started via search bar -> gpedit
     
  14. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    Just updated to the pre-release test 5 version a short time ago. I still get Emsisoft alerts, which I have previously mentioned before in this thread.

    NVT_OSArmor_v1.8.2 test5_Added Trusted Vendors_01.JPG

    NVT_OSArmor_v1.8.2 test5_Emsisoft_alert_01.JPG

    NVT_OSArmor_v1.8.2 test5_Emsisoft_suspicious behavior alert_01.JPG
     
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Updated to test 5. Runs grrrreat!!! No alert by G-Data AV when I installed test 5. I thought FPs by an AV were a fault of the AV, not OSA. Am I missing something here?
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I don't recall getting that, but I exclude other security softs from Emsisoft scanning and monitoring.
     
  17. SRT

    SRT Registered Member

    Joined:
    Feb 28, 2021
    Posts:
    70
    Location:
    USA
    Eset works fine, with Windows 10 no alerts.
     
  18. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    A false positive, I think... Anyway, I decided to exclude it.

    NVT_OSArmor_false positive_01.JPG

    NVT_OSArmor_false positive_02.JPG
     
  19. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    How do I purchase a new license with my 20% discount? Mine expired today and I do not remember the code for the 20% off. If memory serves, the discount code(s) will be applied for future purchases as well.

    Spent the last hour trying to purchase...frustrated already!

    Thanks,
    Robert
     
    Last edited: Dec 2, 2022
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    I got an email the other day saying my account would automatically be deducted next week.
     
    Last edited: Dec 2, 2022
  21. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    Do not remember if I got an email but, I had an opportunity to renew in November with the 20% discount applied. However, I had about 3 weeks before my expiration date so I cancelled it.

    Why so tedious? I just want to pay for another year with the 20% discount and be done!

    Thanks
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Don't know why, but my license expires 14/01/2023 and they are charging me on 15/12/2022.

    PS: Not to rub it in but I was lucky to grab OSA while there was a 50% discount for sale.
     
  23. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    See, Krusty. The software works so well but, the licensing and repurchase with a discount leaves a lot to be desired.

    Yeah, Krusty, I know about the 50% discount. But it came after I already purchased with the 20% discount. :(
     
    Last edited: Dec 2, 2022
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Robert, have you tried emailing them? Maybe also send a PM to @novirusthanks ?

    sales@novirusthanks.org
     
  25. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    Did not email. PMed Andreas yesterday; still no reply. I am not going to lose any sleep over NVT not being operational as I have other security measures in place.

    But, another layer of defense! And, NVT has always worked in harmony with my other protection protocols.

    Robert
     
    Last edited: Dec 2, 2022