NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Bowhunter26

    Bowhunter26 Registered Member

    Joined:
    Jun 22, 2016
    Posts:
    39
    Location:
    Arkansas, USA
    Sorry, I meant 1.8.3. I did edit my post to reflect that. Thanks for catching that. =)
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    :thumb:
     
  3. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    ... and here is the official changelog for version 1.8.3

    + Added more signers to Trusted Vendors list
    + Added popup menu option "Copy to Clipboard" on Protections tab
    + Added Process Integrity and Parent Process Integrity on Exclusions Helper
    + Added new internal rules to block suspicious behaviors
    + Improved installer and uninstaller scripts
    + Added Block execution of Winget (Windows Package Manager)
    + Updated FAQs (Help.txt) with new questions and answers
    + Fixed all reported false positives
    + Minor improvements
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    With some delay:

    We've released OSArmor v1.8.3:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update in the next hours.

    Else you can install it "over-the-top" of the installed version, reboot is not needed.

    * If you used test builds you should manually update to this final version (install over-the-top is fine).

    If you find false positives or issues please let me know.

    @plat

    Good point, I can add an option "Show a notification when application has been updated" or similar - checked by default.

    So if it is unchecked, the notification will not be displayed.

    What do you think?

    @Bowhunter26

    Can you check if NVTLicenseManager service is running (via Services app)?

    What other security software do you have installed? Maybe something is preventing the NVTLicenseManager or OSArmorDevSvc services from running?

    Is Controlled Folder Access enabled?

    Let me know.

    @Buddel

    Thanks for sharing the changelog.

    @JOHNoff

    Please provide more information, I don't use Blackfog application so can't be of help about its usage.

    @wat0114

    Great, thanks for testing them and yes, can improve exclusion rules.
     
  5. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Well, you still want the notification, just not the disruption. Is there any way to separate the little notice from minimizing something like a game to desktop?

    If not, OK. But I'd def. want to know if an update to OSA happened. Oh wait, the notice only stays up a few seconds. Hmmm. OK, if there's no other alternative...
     
  6. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 1 version of OSArmor PERSONAL v1.8.4:

    Code:
    https://downloads.osarmor.com/osarmor-personal-1-8-4-test1.exe
    
    What's new so far:

    You can install over-the-top, reboot is not needed.

    Let me know if you find issues or FPs.
     
  7. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Looks like I'll have to "bide a wee" until the next release build to see if/how the update notification feature works. :)
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    Odd that when I ran the latest installer it said I was installing v1.8.3, but it really was v1.8.4 ;)

    NVT_OSArmor_v1.8.4_Test 1_01.JPG

    NVT_OSArmor_v1.8.4_Test 1_02.JPG
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We've released OSArmor v1.8.4:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update in the next hours.

    Else you can install it "over-the-top" of the installed version, reboot is not needed.

    * If you used test builds you should manually update to this final version (install over-the-top is fine).

    If you find false positives or issues please let me know.

    @plat

    I've run some tests and the "application has updated" notification didn't show as long as [1] there is a full-screen mode application and [2] the option "Don't display alerts when an application is in full-screen mode" is enabled.

    If you uncheck the new option "Show a notification when product has been updated" then the "application has updated" notification will never be displayed.

    @Tarnak

    Thanks for reporting it, we fixed it in this release.
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Auto updated to v1.8.4 today. All's good and thank you.
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    @novirusthanks

    It auto updated for me to v1.8.4.0, but closed the GUI and displayed only the license activation window when doing so. The only way to get the GUI taskbar icon to display again was to reboot, then all was fine. Not sure if it's supposed to update this way, but just wanted to let you know.
     
  12. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    It auto updated with no reboot on two computers on my side. Strange the difference from one instrument to the other…
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    The previous version updated for me same as yours. Not sure why the difference this time. I'm running Win 11 21H2
     
  14. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    No problems here with the latest automatic update (Windows 11 Pro, version 22H2). Thanks! :thumb:
     
  15. JOHNoff

    JOHNoff Registered Member

    Joined:
    Sep 10, 2021
    Posts:
    67
    Location:
    Europe
    Hi,
    After the recent Blackfog update I decided to do a clean Win 11 install. Installed Blackfog again and it's blocking execution of the nsg59a6.tmp.exe file. Why does OSA not make any blocked events about this kind of file? Only Blackfog is detecting it. Is that a virus file or an exploit?

    Thanks!
     
  16. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    When updating to Glasswire v3.3.495 earlier today, I got this exception:

    Date/Time: 3/10/2023 4:42:02 AM
    Process: [58672]C:\Windows\System32\net1.exe
    Process Size: 179.5 KB (183,808 bytes)
    Process MD5 Hash: 55693DF2BB3CBE2899DFDDF18B4EB8C9
    Parent: [37372]C:\Windows\System32\net.exe
    Parent Process Size: 58.5 KB (59,904 bytes)
    Rule: BlockNetNet1Execution
    Rule Name: Block execution of net\net1.exe
    Command Line: C:\WINDOWS\system32\net1 stop gwdrv
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: <MyName>/LAPTOP-GXXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
     
  17. denis

    denis Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    182
    When I start up, I got this. Is it a false one?

    Date/Time: 10-3-2023 19:30:32
    Process: [14108]C:\Windows\System32\cmd.exe
    Process Size: 316 KB (323.584 bytes)
    Process MD5 Hash: 791545E6E3C5EB61DD12CCFBAE1B9982
    Parent: [8248]C:\Windows\explorer.exe
    Parent Process Size: 4,78 MB (5.012.152 bytes)
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: "C:\Windows\System32\cmd.exe" /C rd /S /Q "C:\ProgramData\bomgar-scc-0x640b1d88" & reg.exe delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Bomgar_Cleanup_ZD3526259837 /f
    Signer: <NULL>
    Parent Signer: Microsoft Windows
    User/Domain: Denis/DESKTOP-TP3IBRB
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  18. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Looks like just a cleanup script for a remote support tool you had installed.
     
  19. denis

    denis Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    182
    I did have a remote support with Kaspersky! So how do I clean it up? Thanks for the input cruelsister
     
  20. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    If you get that at every startup, open Task Manager/Startup Tab and see if that command is listed as Enabled, and if so kill it. You can also peek into your Startup folder directly to view what is hanging out there (both should take care of the pesky registry entry).

    But it looks to me to be benign, and just in need of some housekeeping.
     
  21. denis

    denis Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    182
    Thanks cruelsister
     
  22. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    My Pleasure! And just out of curiosity, do you have any current restrictions on PowerShell? The reason I ask (and have no clue if this would be the case here) is that Kaspersky frequently uses ps scripts in the uninstall routine, and blocking PowerShell may result in an incomplete removal.
     
  23. denis

    denis Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    182
    Kaspersky’s is nog blocking it, when I clean the PC after Windows update I close AdGuard. And yes it was off with the chat! I am using this from 2017 with no problems. :)
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 1 version of OSArmor PERSONAL v1.8.5:

    Code:
    https://downloads.osarmor.com/osarmor-1-8-5-personal-setup-test1.exe
    
    What's new so far:

    You can install over-the-top, reboot is not needed.

    Let me know if you find issues or FPs.

    @wat0114

    No it is not supposed to update that way, it should auto-update automatically without showing the Activator GUI or requiring user intervention.

    Will see if I can replicate a similar behavior here.

    Thank you for reporting it.

    @JOHNoff

    You may want to check the .tmp.exe file hash on VirusTotal and you can check it to see if it is digitally signed and if it belongs to a trusted installer/uninstaller of another application (I guess this is the case).

    @Tarnak

    Thanks for reporting the FP, it is fixed now.

    @denis

    It seems related to BeyondTrust (previously Bomgar) Remote Support Software:

    It may be related to the recent support request you had.

    What the command does is delete a folder and a registry entry, so it looks to be part of an uninstallation routine.

    As suggested by @cruelsister, you can check Task Manager on the Startup tab to see if there is a remnant entry. You may also want to check if there is an entry in Control Panel -> Programs -> Programs and Features, so that you can uninstall the program from there if it is still installed and you don't need it anymore.

    Other places to look for are the Startup folders:

    Code:
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
    C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    
    Anyway, it is a FP event (not malicious) and has been fixed now, thank you for reporting it.
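
Added example, not part of the post above and not NoVirusThanks code: a small Python triage helper that parses a block event in the "Key: value" layout posted in this thread and names what each chained sub-command of a `cmd /C` line would do (folder delete, autorun value delete). The sample event is constructed with placeholder paths and value names; the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the block events posted in this thread
# (paths and value names are placeholders, not taken from a real machine).
SAMPLE_EVENT = r'''Date/Time: 1/1/2023 10:00:00 AM
Process: [4242]C:\Windows\System32\cmd.exe
Parent: [1111]C:\Windows\explorer.exe
Rule: BlockSuspiciousProcesses
Command Line: "C:\Windows\System32\cmd.exe" /C rd /S /Q "C:\ProgramData\example-tool-0x1" & reg.exe delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Example_Cleanup /f
Signer: <NULL>
Parent Signer: Microsoft Windows
System File: True
Integrity Level: Medium
'''

PROC_RE = re.compile(r"^\[(\d+)\](.+)$")                      # "[pid]path"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)

def parse_event(text):
    """Split 'Key: value' lines into a dict; '<NULL>' becomes None."""
    event = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue
        value = None if value == "<NULL>" else value
        m = PROC_RE.match(value or "")
        if key in ("Process", "Parent") and m:
            value = {"pid": int(m.group(1)), "path": m.group(2)}
        event[key] = value
    return event

def describe_actions(command_line):
    """Name what each '&'-chained sub-command of a cmd /C line would do."""
    actions = []
    body = re.split(r"\s/C\s", command_line, maxsplit=1, flags=re.I)[-1]
    # Simplification: splits on every '&', so a quoted '&' is not handled.
    for part in (p.strip() for p in body.split("&")):
        rd = re.match(r'(?:rd|rmdir)\s+(?:/\w\s+)*"?([^"]+)"?$', part, re.I)
        reg = re.match(r'reg(?:\.exe)?\s+delete\s+(\S+)(?:\s+/v\s+(\S+))?', part, re.I)
        if rd:
            actions.append(("delete_folder", rd.group(1)))
        elif reg:
            kind = "delete_autorun_value" if RUN_KEY_RE.search(reg.group(1)) else "delete_registry"
            actions.append((kind, reg.group(1), reg.group(2)))
        elif part:
            actions.append(("other", part))
    return actions
```

Calling `describe_actions(parse_event(SAMPLE_EVENT)["Command Line"])` lists the folder removal and the Run-value removal separately, which is the breakdown to have in hand before deciding whether an event is a leftover uninstaller or something to investigate.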
     
  25. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    @novirusthanks, thank you. Installed over the top, so far so good :)
     