NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Perfect, thanks a lot! :thumb:
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Cool! :thumb:
     
  3. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 7 version of OSArmor PERSONAL v1.8.2:

    Code:
    https://downloads.osarmor.com/osa-personal-1-8-2-setup-test7.exe
    
    Here is what's new compared to previous build:

    + Improved Password-protect power options with Windows Admin Credentials

    You can install over-the-top, reboot is not needed.

    Let me know if you find issues or FPs.

    @lunarlander

    If possible please test this new version when you have time, it should fix the issue you had.
     
  4. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    344
    Location:
    Finland
    UBO blocks those Google ads by default. But as we know, millions of users do not use any kind of ad blocker.
    Some security software warns about an invalid certificate: "Do you still want to allow it to run?" Of course you click YES, because you don't care. I want to get OBS installed right now.
    Then it drops a variant of Redline Stealer, Formbook or other stealers, detected (or not) by your favorite security software. So a user might think, blah blah, yet another false positive. Your favorite AV solution warns about it, but you still allow it; stupid antivirus, the careless user, aka the happy clicker, might think.
    Then your credentials are stolen and maybe you're part of a botnet.
     
  5. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,961
    @moredhelfinland Sorry to ask but how does this relate to the thread topic or am I missing something?
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    I just got this:

    Date/Time: 11/01/2023 8:15:29 AM
    Process: [2164]C:\Windows\System32\WerFault.exe
    Process Size: 557.33 KB (570,704 bytes)
    Process MD5 Hash: 738BD47A7E909FCF691AA67A06252E67
    Parent: [9348]C:\Windows\System32\RuntimeBroker.exe
    Parent Process Size: 100.87 KB (103,288 bytes)
    Rule: BlockProcessesFromRuntimeBroker
    Rule Name: Block any process executed from runtimebroker.exe
    Command Line: C:\WINDOWS\system32\WerFault.exe -u -p 9348 -s 1740
    Signer: Microsoft Windows
    Parent Signer: Microsoft Windows
    User/Domain: Dave/DAVE-PC
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
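    As an added example that is not from this thread or from OSArmor itself: a small Python triage helper that parses an alert record in the "Key: Value" layout posted above and applies the reasoning a defender uses to judge it (WerFault.exe started by a Microsoft-signed system binary, with the crashing parent's PID in `-p` matching the actual parent, is ordinary Windows Error Reporting). The first record is the one posted above; the second is constructed, and "(none)" as a signer value is an assumption, not OSArmor's actual wording.

```python
import re
from typing import Dict, Tuple

# Record as posted in the thread (the WerFault.exe FP later fixed by the developer).
WER_ALERT = r"""Date/Time: 11/01/2023 8:15:29 AM
Process: [2164]C:\Windows\System32\WerFault.exe
Parent: [9348]C:\Windows\System32\RuntimeBroker.exe
Rule: BlockProcessesFromRuntimeBroker
Command Line: C:\WINDOWS\system32\WerFault.exe -u -p 9348 -s 1740
Signer: Microsoft Windows
Parent Signer: Microsoft Windows
System File: True
Parent System File: True
"""

# Constructed record: an unsigned binary from a temp folder spawned by RuntimeBroker.
SUSPECT_ALERT = r"""Process: [5120]C:\Users\Dave\AppData\Local\Temp\update.exe
Parent: [9348]C:\Windows\System32\RuntimeBroker.exe
Command Line: C:\Users\Dave\AppData\Local\Temp\update.exe
Signer: (none)
Parent Signer: Microsoft Windows
System File: False
Parent System File: True
"""


def parse_alert(text: str) -> Dict[str, str]:
    """Split 'Key: Value' lines into a dict; the [pid] prefix on Process/Parent is split out."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    for key in ("Process", "Parent"):
        m = re.match(r"\[(\d+)\](.*)", fields.get(key, ""))
        if m:
            fields[key + " PID"], fields[key] = m.group(1), m.group(2)
    return fields


def triage(f: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) for a BlockProcessesFromRuntimeBroker alert."""
    both_ms = f.get("Signer") == "Microsoft Windows" and f.get("Parent Signer") == "Microsoft Windows"
    both_sys = f.get("System File") == "True" and f.get("Parent System File") == "True"
    m = re.search(r"-p\s+(\d+)", f.get("Command Line", ""))
    pid_ok = bool(m) and m.group(1) == f.get("Parent PID")  # WER reports on the parent's own PID
    if f.get("Process", "").lower().endswith("\\werfault.exe") and both_ms and both_sys and pid_ok:
        return "likely-fp", "Windows Error Reporting handling a crash of the parent process"
    if not (both_ms and both_sys):
        return "investigate", "unsigned or non-system binary spawned from RuntimeBroker"
    return "review", "signed system binary, but no known-benign pattern matched"
```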
     
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Hmmm.... the year-end special price didn't happen, right?
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
     
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Ouch! I missed it. My license expired a couple of days ago so I will just live without OSA for a while -- I haven't had an infection in many years.
     
  10. Jan Willy

    Jan Willy Registered Member

    Joined:
    Jan 29, 2021
    Posts:
    226
    Location:
    Netherlands
    Even at full price, it's more than worth it.
     
    Last edited: Jan 11, 2023
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I agree. Also, the price is quite low BUT the amount is not my problem. I'm just a bit upset because I received no notice of the sale even though I visit Wilders regularly. I suppose I didn't check closely enough. So I shall wait a while.
     
  12. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,961
    Yes, but on the other hand you still need a conventional AV solution, so OSA is a supplement that naturally can't be priced like a full-featured AV. Anyway, considering its capabilities and comparing it to other solutions that are supplements to AVs, it would still be worth it even for a few bucks more, I think.
     
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We've released OSArmor v1.8.2:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update in the next hours.

    Else you can install it "over-the-top" of the installed version, reboot is not needed.

    * If you used test builds you should manually update to this final version (install over-the-top is fine).

    If you find false positives or issues please let me know.

    A few pieces of information:

    We added this new option "Allow known safe third-party processes behaviors" so users/companies have the option, if required, to disable the internal rules to allow known and safe third-party software behaviors (can be used to create personalized exclusion rules only for the third party software you have installed).

    We also added this new option "Do not monitor non critical programs" (may be renamed in future) so users can choose to monitor any program (such as third-party file managers, etc.) instead of monitoring only critical programs.

    The above two options (enabled by default, at the moment) will help in reducing false positives, especially the first one.

    The option "Enable internal rules to allow safe behaviors" now handles only system-related process behaviors (highly recommended to have it enabled).

    @Krusty

    The FP is fixed now, thank you for reporting it.

    @bellgamin

    Sent you a PM.
     
  14. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    OSA has just been auto-updated to v1.8.2 here. Thanks.
    I have disabled the new settings "Allow known safe third-party processes behaviors" and "Do not monitor non critical programs" because I want OSA to monitor all process behaviors and programs.
    I have enabled the three options "Block execution of msi installer scripts/msp scripts/msu scripts", which are supposed to trigger quite a lot of alerts. Well, let's wait and see...
     
    Last edited: Jan 14, 2023
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Why should I want to block execution of msi installer scripts?
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Great, thanks! :thumb:
     
  18. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @Krusty -- Great links -- thanks MUCHLY!!! I read the articles carefully. Here is a quote that gives me pause:
    That info caused me to conjecture a case for a user I shall call Fred. Let's suppose that one of Fred's long-time, often-used apps receives a malware msi update. OSA blocks it. Now what?

    The fact that OSA blocked the malware means 2 things to Fred:
    1- OSA is grumbling about an update to a favorite, steady, dependable app -- so Fred thinks that it's probably an FP.
    2- That msi file was okayed by Fred's real-time AV so that makes it even more likely that it's an FP.
    3- So Fred temporarily inactivates OSA, re-executes the msi update, then re-activates OSA. POOF! Fred's computer is infected.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    My point: most folks have a top tier AV nowadays. Even "lazy users" will have Microsoft Defender at work, whether they asked for it or not.

    Thus, OSA's alerts will almost surely cover files that have passed by a reputable top tier AV. Of course that is precisely why OSA exists -- to catch malware that somehow gets past all of the user's other security apps. ==>Thereby comes the problem, I think.

    Namely, the problem is that a relatively small number of "everyday users" will be sufficiently experienced to deal with an OSA alert where a "long-used application" is involved AND all of the user's other security is silent.

    IMO, someone needs to write a tutorial for OSA: "How to interpret OSA's alerts & what to do about them." That tutorial should be packaged with OSA's Help file.
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I have made the same changes to my Advanced Protection settings. As you stated, Buddel, let's wait and see.
     
  20. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Hmm, I didn't get the latest 1.8.2 via the internal updater; I had to manually download and install it. :'(

    I'm going to allow both new rules to stay enabled. There's so little on here besides Windows; let's see if there are FPs. Haven't had one in a while unless I'm triggering one on purpose. :)
     
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Yesterday I had to exclude OSArmor from blocking SandboxieCrypto.exe. Not sure if the blocking was due to me disabling the new (1.8.2) option to allow known safe third-party processes behaviors, or if it was due to the added new internal rules to block suspicious behaviors. This is the only difference I have experienced since 1.8.2 was installed over top.
     
  22. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    I had to exclude OSArmor from blocking schtasks.exe that tried to update MS Office when I opened Word this morning. The option to block the execution of schtasks.exe is still enabled here, but I excluded the parent process that tries to keep MS Office up to date. I'm pretty sure it's got something to do with me disabling the option "Allow known safe third-party processes behaviors". No other issues so far.
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    I've disabled, "Do not monitor non critical programs" but have kept, "Allow known safe third-party processes behaviours" enabled. Not a peep from OSA on my systems so far. :thumb:

    I'm using Advanced + Protection.
    Great question! I'm going to have to leave it to someone far more in the know than I to attempt an answer.
     
  24. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Can a Trusted Vendor program do anything? Or, da rules are da rules?
     
    Last edited: Jan 16, 2023
  25. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    You know, nowadays legit programs can be and are hijacked with greater frequency, so I've gone ahead and followed suit--disabling "Do not monitor non-critical programs" in the OSA settings. Thanks for the prudent tip, Krusty!
     