NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    ~ was Reason: Block any process executed from web browser?
    ~ my event: may be related to Edge update.
    Code:
    Process: [8900]C:\Program Files\Sandboxie-Plus\SandboxieCrypto.exe
    Process Size: 147.45 KB (150,992 bytes)
    Process MD5 Hash: F34A9E8781EA643C074CCEF963BCAD79
    Parent: [3560]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Parent Process Size: 3.7 MB (3,879,368 bytes)
    Rule: BlockAnyProcessExecutedFromWebBrowsers
    Rule Name: Block any process executed from web browsers
    Command Line: "C:\Program Files\Sandboxie-Plus\SandboxieCrypto.exe"
    Signer: Tonalio GmbH
    Parent Signer: Microsoft Corporation
    User/Domain: Edge/Sandboxie
    System File: False
    Parent System File: False
    Integrity Level: Untrusted
    Parent Integrity Level: Untrusted
    -
    Code:
    [%PROCESS%: C:\Program Files\Sandboxie-Plus\SandboxieCrypto.exe] [%PROCESSCMDLINE%: "C:\Program Files\Sandboxie-Plus\SandboxieCrypto.exe"] [%SIGNER%: Tonalio GmbH] [%PARENTPROCESS%: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] [%PARENTSIGNER%: Microsoft Corporation]
    testing:
     
    Last edited: Jan 16, 2023
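
An added example (not part of the thread and not OSArmor's own code): Python that parses the blocked-event fields posted above and rebuilds the same five-condition exclusion line, refusing to emit a broader rule when a field such as the signer is missing. The function names are hypothetical; the field names and `%...%` variables are the ones shown in the post.

```python
import re

# Fields copied from the blocked event in the post above (subset, layout as logged).
SAMPLE_EVENT = r'''
Process: [8900]C:\Program Files\Sandboxie-Plus\SandboxieCrypto.exe
Parent: [3560]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Rule: BlockAnyProcessExecutedFromWebBrowsers
Command Line: "C:\Program Files\Sandboxie-Plus\SandboxieCrypto.exe"
Signer: Tonalio GmbH
Parent Signer: Microsoft Corporation
'''

# "[pid]path" as written in the Process and Parent fields.
PID_PATH = re.compile(r"^\[(\d+)\](.+)$")

# Event field -> exclusion variable, in the order used in the post's exclusion line.
RULE_FIELDS = [
    ("Process", "%PROCESS%"),
    ("Command Line", "%PROCESSCMDLINE%"),
    ("Signer", "%SIGNER%"),
    ("Parent", "%PARENTPROCESS%"),
    ("Parent Signer", "%PARENTSIGNER%"),
]

def parse_event(text):
    """Turn the 'Key: value' lines of one blocked event into a dict."""
    event = {}
    for line in text.splitlines():
        # Split on the first colon only, so "C:\..." in the value is untouched.
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        m = PID_PATH.match(value)
        if m and key in ("Process", "Parent"):
            event[key + " PID"] = int(m.group(1))
            value = m.group(2)
        event[key] = value
    return event

def build_exclusion(event):
    """Build the five-condition exclusion line; refuse to emit a broader one."""
    missing = [f for f, _ in RULE_FIELDS if not event.get(f)]
    if missing:
        raise ValueError("refusing partial exclusion, missing: " + ", ".join(missing))
    return " ".join("[%s: %s]" % (var, event[f]) for f, var in RULE_FIELDS)

if __name__ == "__main__":
    print(build_exclusion(parse_event(SAMPLE_EVENT)))
```
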
  2. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Yes.
    Date/Time: 1/14/2023 6:03:19 PM
    Process: [2516]C:\Program Files\Sandboxie\SandboxieCrypto.exe
    Process Size: 120.34 KB (123,224 bytes)
    Process MD5 Hash: 046C8A7665250501F7A6E3D084C0E44B
    Parent: [6836]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Parent Process Size: 3.01 MB (3,154,200 bytes)
    Rule: BlockAnyProcessExecutedFromWebBrowsers
    Rule Name: Block any process executed from web browsers
    Command Line: "C:\Program Files\Sandboxie\SandboxieCrypto.exe"
    Signer: Invincea, Inc.
    Parent Signer: Google LLC
    User/Domain: ANONYMOUS LOGON/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: Untrusted
    Parent Integrity Level: Untrusted
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @novirusthanks -- Reference your post #3035.

    I am having a problem getting results from https://osarmor.onfastspring.com/account. Each time I try, it asks for my account's email address and, after I do so, gives the following result:
    I have retried 3 times but have not received such an email, even after over 24 hours.

    I have my own domains (12 of them) since 1995 & use SpamAssassin on all of them. I have configured SpamAssassin to never delete spam but, instead, to redirect it to a special email account. I examine that spam account every time I check mail so that no valid email will be accidentally deleted. Further, I long ago whitelisted both OSA & FastSpring. Thus, I cannot understand why FastSpring's email to me has not been received.

    QUESTION: May I have a fix for this situation, please?
     
    Last edited: Jan 17, 2023
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Just published an article on OSArmor blog:

    Microsoft OneNote (.One File Extension) Attachment Delivers AsyncRAT

    @bjm_

    Trusted Vendors List is only used in case option "Block signers not present in Trusted Vendors" is checked, and only allows the execution of a process signed by a vendor present in the list if it doesn't match other internal or custom block rules.

    @Buddel

    Yes, it should have shown up because you disabled the option "Allow known safe third-party processes behaviours".

    If possible, can you send me via PM the blocked event? Just wanted to take a look at it.

    @bellgamin

    Sure, will add new FAQs to the help file.

    Also planning to make new video tutorials that explain how to do things with OSArmor.

    The Account Management portal is entirely handled by FastSpring; you need to enter the email address used during the order, and after some minutes you should get an email from them (generally it should be immediate).

    If you don't get the email, you may try to check the "Spam" or "Promotions" folders, and in case it is not present, you may retry later or the next day.

    One user reported similar issues, and the next day he started to get the emails correctly.

    If it can help, the sender email is from the fastspring (dot) com domain.

    Let me know in case you still don't get their email.
     
  5. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,944
    PM sent.:)
     
  6. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,944
    I had similar issues a while back. Just tried again a couple of minutes ago. I did get emails from FastSpring for my OSA and SH accounts almost instantly.
     
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I have done this multiple times on multiple days. No email comes.

    As noted in my comments, I have my own domains and total control of how my email is handled. No FastSpring email has been killed as "spam" or "Promotions". Further, several days ago I whitelisted FastSpring for "send" & "all headers" - no email has been sent by FastSpring despite several requests over several days.

    Sigh. I hope you can find the problem & get it fixed.
     
  8. Bowhunter26

    Bowhunter26 Registered Member

    Joined:
    Jun 22, 2016
    Posts:
    39
    Location:
    Arkansas, USA
    Quick question, when I uninstall OSArmor, does it disable (revert) all of the "protections" that it has enabled if I forgot to disable them before uninstalling?
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    OSA works in real time, so I'm going to say removing OSA removes its protection/s.
     
  10. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi @ Wilders

    Anyone know where I can obtain the last freeware version of OSArmor, v1.4.3?

    Thank you

    Terry
     
  11. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    I downloaded for my daughter 2x years ago from this site: https://www.neowin.net/news/osarmor-143/
     
  12. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi Antarctica

    Thanks for your kind reply, however it only downloads the latest version?

    Thanks

    Terry
     
  13. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Hi Terry,
    Sorry about that, it worked like two years ago but I haven't tried to download it recently...:)
     
  14. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    440
  15. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi Pliskin

    Thanks. That's the one.

    Terry
     
  16. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    440
    You're welcome.
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 2 version of OSArmor PERSONAL v1.8.3:

    Code:
    https://downloads.osarmor.com/osa-personal-1-8-3-test2.exe
    
    What's new so far:

    You can install over-the-top, reboot is not needed.

    Let me know if you find issues or FPs.
     
  18. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Reference my comment #4657 above -- @novirusthanks sent me a PM that nicely resolved my requests.
     
  19. JOHNoff

    JOHNoff Registered Member

    Joined:
    Sep 10, 2021
    Posts:
    67
    Location:
    Europe
    This might not be related to your program, but I am looking for a way to protect my PC from this kind of possible threat. I am trying to delete it with Blackfog and it takes 5 seconds to delete a very small file (275b). I think it's persistent, it will be gone while I connect to internet.
    @novirusthanks, please advise if you have any info what this is. Thanks!
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    @novirusthanks

    This Test 2 version is working fine for me so far. I also wanted to mention the Parent/Process Integrity option for Exclusions looks to be an excellent added security feature. I tried a test and it works as expected. Thanks :thumb:
     
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    V1.8.3 installed automatically and running fine so far. Thank you.
     
  22. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Yes, here too, installed automagically. The thing is, I was in this game and suddenly it was minimized and the nice message that OSA updated came up in the lower corner.

    So, I unchecked this setting to automatically install updates. Unless there's an alternative that doesn't disrupt anything. Maybe just the notification in the lower right?
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Thanks for the heads-up! I was running Test 2 so manually downloaded and updated to 1.8.3.
     
  24. Bowhunter26

    Bowhunter26 Registered Member

    Joined:
    Jun 22, 2016
    Posts:
    39
    Location:
    Arkansas, USA
    Just installed OSArmor 1.8.3 on a new Windows 11 installation (all Windows updates applied), and it crashes upon startup saying " OSArmorDevSvc Not Running... Please try and reboot the system or restart the OSArmor service or alternately reinstall the latest OSArmor version". I restarted the PC, still not working. I even reinstalled it, and it's still crashing.
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    1.8.3 is the latest version.
     