NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,942
    Location:
    USA
    Thanks so much for the program update. Installed seamlessly on two machines and running fine. :thumb:
     
  2. JOHNoff

    JOHNoff Registered Member

    Joined:
    Sep 10, 2021
    Posts:
    67
    Location:
    Europe
    On my Windows 11 the OSArmor logs could not be found. Even readme.txt could not be opened. Why?
     
  3. JOHNoff

    JOHNoff Registered Member

    Joined:
    Sep 10, 2021
    Posts:
    67
    Location:
    Europe
    And in the OSArmor settings, Exclusions could not be opened; the button is not working when I click on it.
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We've released OSArmor v1.8.7:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update in the next few hours.

    Else you can install it "over-the-top" of the installed version, reboot is not needed.

    If you find false positives or issues please let me know.

    @JOHNoff

    Those are very strange issues, I guess they are caused by another program.

    What other security software do you use?
     
  5. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    @novirusthanks, thanks Andrea. Automatic update on two computers, no problem so far:)
     
  6. JOHNoff

    JOHNoff Registered Member

    Joined:
    Sep 10, 2021
    Posts:
    67
    Location:
    Europe
    @novirusthanks
    Fing Desktop, Screenphantom, Glasswire, Keyscrambler, Malwarebytes Nebula Agent. These are the programs I have installed right now on a Microsoft Surface tablet.
     
  7. JOHNoff

    JOHNoff Registered Member

    Joined:
    Sep 10, 2021
    Posts:
    67
    Location:
    Europe
    I have no idea what happened but your program is now again working. Have you done something? Really strange!
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    I just got this after updating Tweaking.com/Windows Repair with PatchMyPC:

    Date/Time: 8/06/2023 12:39:27 PM
    Process: [15248]C:\Windows\System32\reg.exe
    Process Size: 75.5 KB (77,312 bytes)
    Process MD5 Hash: 227F63E1D9008B36BDBCC4B397780BE4
    Parent: [13716]C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Repair_Windows.exe
    Parent Process Size: 7.06 MB (7,403,152 bytes)
    Rule: BlockRegExeHijackingRegistryStartupEntries
    Rule Name: Block reg.exe from hijacking Registry startup entries
    Command Line: "C:\Windows\System32\reg.exe" DELETE HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment /v SAFEBOOT_OPTION /f
    Signer: <NULL>
    Parent Signer: Tweaking LLC
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High
     
  9. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Hello. :)

    I was casually testing Core Isolation/Memory Integrity against a new threat in the form of a subverted Zemana driver and was scanning thru my system 32/drivers folder. No Zemana driver got on here (yay, well done CI) but I did notice the two OSA drivers sporting a time stamp of this date June 18th.

    Was there an update in the background somewhere?

    2 osa drivers.PNG

    Edit: kind of looked around the UIs (both) to see if there was a setting to inform whether an update was applied. Didn't find it but maybe I missed it? Didn't we discuss notifying users when a new update installs?
     
    Last edited: Jun 18, 2023
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @plat

    If you right-click the .sys files and select Properties, then Digital Signature, and check when the file was signed, you should see something like:

    OSArmorDevDrv.sys on 8 October 2018
    osadevprotect.sys on 20 April 2018

    Those are the real build dates of the OSA drivers; what you see in Explorer may be the last access date or similar (that is different from the real build date).

    File creation/modification/access date shown on Explorer or on File Properties can be updated/modified by the OS in some circumstances.

    To know the exact build date of a signed exe/dll/sys just check the date of when it was digitally signed via Digital Signature properties.

    Hope that helps.

    // Edit

    @plat

    Forgot to reply about the update notification, when OSA is updated it shows a notification window if this option is enabled in OSA Configurator:

    show-upd-notifications.png

    The last version is v1.8.7 and it was released on 30 May 2023:
    https://www.osarmor.com/changelog/
     
    Last edited: Jun 19, 2023
  11. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    @novirusthanks : thanks a lot for the detailed explanation! Yes, OK the setting was there (didn't check under Notifications, my fault) and the box was ticked to notify whenever an update is applied.

    I guess it came as a surprise b/c normally, you don't expect drivers to change the dates unless they've been updated. But OK, as long as this was expected, there are no problems at all! Working fine. :thumb:
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    This thread has been quiet for quite a while now. No 'Test' builds, @novirusthanks ?

    Thanks.
     
  13. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    I let my license lapse. I'm waiting until Black Friday, hoping for a deal.
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Hopefully just an FP. I got this when Brave browser automatically updated:

    Date/Time: 27/07/2023 5:37:36 AM
    Process: [7516]C:\Program Files\BraveSoftware\Brave-Browser\Application\115.1.56.14\Installer\setup.exe
    Process Size: 3.77 MB (3,955,200 bytes)
    Process MD5 Hash: 942FF0EE4CE5EFA7E0302D04DCFC86FD
    Parent: [7756]C:\Program Files (x86)\BraveSoftware\Update\Install\{C8EDBA9E-D621-4031-8F1F-A82A99124A8E}\CR_B38E4.tmp\setup.exe
    Parent Process Size: 3.77 MB (3,955,200 bytes)
    Rule: BlockUnsignedProcsWithSystemIL
    Rule Name: Block unsigned processes with system privileges
    Command Line: "C:\Program Files\BraveSoftware\Brave-Browser\Application\115.1.56.14\Installer\setup.exe" --delete-old-versions --system-level --verbose-logging
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
     
  15. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    I'm a bit confused because I never used it: NoVirusThanks exists again? OSArmor has a free version?
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    The latest version is a subscription-only product.
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Krusty

    Working on the new version, should have a test build in the next week.

    Regarding the FP about Brave, the issue is that Brave executable:

    Process: [7516]C:\Program Files\BraveSoftware\Brave-Browser\Application\115.1.56.14\Installer\setup.exe

    Is not digitally signed and it "requests" to run with System privileges.

    You may want to contact Brave and ask them to digitally sign the setup.exe file.
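
Added example, not part of the original posts and not NoVirusThanks code: a small Python parser for block entries in the field layout quoted in this thread, which pulls out the facts a false-positive report needs and flags the combination described in the post above (no signer, System integrity level). The sample log is constructed, and the names `parse_entries` and `triage` are assumptions.

```python
import re

# Constructed sample in the thread's log layout; all paths, PIDs and names are made up.
SAMPLE_LOG = r"""
Date/Time: 01/01/2024 10:00:00 AM
Process: [4321]C:\Program Files\ExampleApp\Installer\setup.exe
Parent: [1234]C:\Program Files (x86)\ExampleApp\Update\updater.exe
Rule: BlockUnsignedProcsWithSystemIL
Signer: <NULL>
Parent Signer: <NULL>
Integrity Level: System

Date/Time: 01/01/2024 10:05:00 AM
Process: [5555]C:\Windows\System32\reg.exe
Parent: [4444]C:\Program Files (x86)\ExampleTool\repair.exe
Rule: BlockRegExeHijackingRegistryStartupEntries
Signer: <NULL>
Parent Signer: Example LLC
Integrity Level: High
"""

PID_PATH = re.compile(r"\[(\d+)\](.+)")   # "[pid]full path" as used by Process/Parent

def parse_entries(text):
    """Return one dict of field -> value per entry; a 'Date/Time' line starts an entry."""
    entries = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue                      # blank or malformed line
        if key == "Date/Time" or not entries:
            entries.append({})
        entries[-1][key] = value
    return entries

def triage(entry):
    """Pull out the facts a false-positive report to the vendor needs."""
    def pid_path(field):
        m = PID_PATH.fullmatch(entry.get(field, ""))
        return (int(m.group(1)), m.group(2)) if m else (None, None)
    def signer(field):                    # the log shows a missing signer as "<NULL>"
        return None if entry.get(field, "<NULL>") == "<NULL>" else entry[field]
    return {
        "rule": entry.get("Rule"),
        "process": pid_path("Process"), "parent": pid_path("Parent"),
        "signer": signer("Signer"), "parent_signer": signer("Parent Signer"),
        "unsigned_at_system_il": signer("Signer") is None
                                 and entry.get("Integrity Level") == "System",
    }
```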
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Nice!
    Done.

    Thank you. :thumb:
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It used to be freeware, to be honest I'm still using it on Win 10, since it's good enough for me. Of course the newer paid versions have been improved quite a lot. It's a tool that will block many malware from either running at all, or not correctly. I haven't had many false positives, but it depends on what apps you're using I guess.
     
  20. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Thank you. I always bought the OS licenses, and some software too, it's not a money question, but for many years I used very good freeware security software, and now I don't like the idea of having to pay an annual subscription. I could buy a lifetime license.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I was recently reading about some attack, and I wonder if the cc.exe process is also monitored by OSArmor? I couldn't find it in the freeware version, but maybe it has been added in the paid version.

    I'm also not into yearly payments, mostly because I'm worried about apps not working anymore if the developer abandons the app, which of course is less of a problem when the app is developed by a huge company. But I can understand that developers need to make a steady amount of money.
     
  22. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    40
    Location:
    New Zealand
    Hi. An issue I've had with OS Armor in the past is when installing a legitimate program/software if the installer runs any scripts OS Armor blocks them and causes the software installation to break. How can I avoid that?
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    I finally heard back from Brave:
    I won't be joining another forum just for this.
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Temporarily disable protection until your installation is complete.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, my mistake. The cc.exe process isn't a standard Windows OS process, but it's used by certain malware, so I misunderstood. So obviously OSArmor won't monitor this.
     