NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    2,010
    OSA opens Exclusions.db in Windows Editor. It would be great if OSA opened Exclusions.db in the user's standard app for db files (Notepad++ in my case). This also applies to CustomBlock.db, IgnoredNotifications.db and TrustedVendors.db, of course.
    Exclusions-db.png
     
    Last edited: Oct 8, 2023
  2. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,790
    On Windows 10 22H2 I downloaded wushowhide from Major Geeks. Attempted to just run it to give it a try. OSArmor blocked it.
    I have no idea whether this old program is even ok to use these days. Here is OSA log:
    I forgot to mention that virustotal and windows defender did not complain.
    I suspect that the LOLbins alert is perfectly reasonable here. But I just need some confirmation from the experts that it will be ok to exclude it.
     
    Last edited: Oct 8, 2023
  3. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,509
    Location:
    Hollow Earth - Telos
    During Chrome update this happened.
    Date/Time: 10/10/2023 7:38:18 PM
    Process: [15164]C:\Windows\System32\cmd.exe
    Process Size: 283 KB (289,792 bytes)
    Process MD5 Hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
    Parent: [9812]C:\Program Files\Google\Chrome\Application\chrome.exe
    Parent Process Size: 2.91 MB (3,054,880 bytes)
    Rule: AntiExploitProtectWebBrowsers
    Rule Name: Protect web browsers with anti-exploit module
    Command Line: C:\Windows\system32\cmd.exe /d /s /c ""C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.14\plugins_nms.exe" chrome-extension://ahkjpbeeocnddjkakilopmfdlnjdpcdm/ --parent-window=0" < \\.\pipe\chrome.nativeMessaging.in.942365b76064252e > \\.\pipe\chrome.nativeMessaging.out.942365b76064252e
    Signer: <NULL>
    Parent Signer: Google LLC
    User/Domain: Bxxxx/Bxxxx
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @Buddel

    Yes, it should be doable; I wrote it in the todo list.

    @act8192

    Using msdt.exe to load a diagcab file can also be done by a malicious actor, which is why OSA blocked it (LOLBin).

    Personally I don't know that program, but if you trust it you may temporarily disable OSA while it is being installed or while it performs specific actions, and then re-enable OSA protection.

    For logging what is blocked without blocking it, you can enable Passive Logging.

    I would not recommend excluding the event in the Exclusions.db file since I guess it is not something you may need to run frequently.

    @Dragon1952

    Thanks for reporting it, the FP will be fixed in the new version.

    @Rasheed187

    If you uncheck the option "Do not monitor non critical programs" then any program will be monitored (not just standard Windows processes).

    But it may increase false positives.

    @Krusty

    Thanks for reporting back about Brave.

    I guess they fixed it in new versions (no other users reported it); probably they just missed signing that file.

    @Graphite85

    As suggested by Krusty, you can temporarily disable OSA protection until the new program has been fully installed.

    You can do so by right-clicking the OSA tray icon -> Protection -> Disable Temporarily -> 10 Minutes

    And after 10 minutes OSA protection will be automatically re-enabled (hopefully 10 minutes will be enough for the new program to install in the system).
     
  5. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
    @novirusthanks

    I sent you an email, but you didn't respond. My license was due for renewal on 11/12 October as per attached screenshot. I cannot get the "onfastspring" account to accept my amended card payment details. Looks like I won't be using OSArmor going forward.

    OSArmor_cannot renew my license_01.JPG
     
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    Date/Time: 10/13/2023
    Process: [4324]C:\Windows\System32\cmd.exe
    Process Size: 283 KB (289,792 bytes)
    Process MD5 Hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
    Parent: [8952]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Parent Process Size: 3.94 MB (4,131,264 bytes)
    Rule: AntiExploitProtectWebBrowsers
    Rule Name: Protect web browsers with anti-exploit module
    Command Line: C:\WINDOWS\system32\cmd.exe /d /s /c ""C:\Program Files\Malwarebytes\Anti-Malware\mbambgnativemsg.exe" chrome-extension://ihcjicgdanjaechkgeegckofjjedodee/ --parent-window=0" < \\.\pipe\LOCAL\edge.nativeMessaging.in.7aa4b3290f4e14e4 > \\.\pipe\LOCAL\edge.nativeMessaging.out.7aa4b3290f4e14e4
    Signer: <NULL>
    Parent Signer: Microsoft Corporation
    User/Domain: bjm/DESKTOP-DELL
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Edit:
    Date/Time: 10/14/2023
    Process: [10252]C:\Windows\System32\cmd.exe
    Process Size: 283 KB (289,792 bytes)
    Process MD5 Hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
    Parent: [7580]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Parent Process Size: 3.94 MB (4,131,264 bytes)
    Rule: AntiExploitProtectWebBrowsers
    Rule Name: Protect web browsers with anti-exploit module
    Command Line: C:\WINDOWS\system32\cmd.exe /d /s /c ""C:\Program Files\Malwarebytes\Anti-Malware\mbambgnativemsg.exe" chrome-extension://ihcjicgdanjaechkgeegckofjjedodee/ --parent-window=0" < \\.\pipe\LOCAL\edge.nativeMessaging.in.d0d2f3d0931042 > \\.\pipe\LOCAL\edge.nativeMessaging.out.d0d2f3d0931042
    Signer: <NULL>
    Parent Signer: Microsoft Corporation
    User/Domain: bjm/DESKTOP-DELL
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Last edited: Oct 14, 2023
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Same for Brave too.
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    I just got this:
    Date/Time: 14/10/2023 10:33:14 AM
    Process: [13396]C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe
    Process Size: 1.1 MB (1,156,608 bytes)
    Process MD5 Hash: 09F26574ED73CA2DEA47B81D3D57E04F
    Parent: [11752]C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe
    Parent Process Size: 6.46 MB (6,775,432 bytes)
    Rule: BlockUnsignedProcessesAppDataRoaming
    Rule Name: Block execution of unsigned processes on Roaming AppData
    Command Line: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /checknow
    Signer: <NULL>
    Parent Signer: Firetrust Limited
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium


    Date/Time: 14/10/2023 10:33:14 AM
    Process: [5552]C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe
    Process Size: 1.1 MB (1,156,608 bytes)
    Process MD5 Hash: 09F26574ED73CA2DEA47B81D3D57E04F
    Parent: [11752]C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe
    Parent Process Size: 6.46 MB (6,775,432 bytes)
    Rule: BlockUnsignedProcessesAppDataRoaming
    Rule Name: Block execution of unsigned processes on Roaming AppData
    Command Line: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /justcheck
    Signer: <NULL>
    Parent Signer: Firetrust Limited
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Getting this now each time I open Edge:
    Date/Time: 14/10/2023 11:23:12 AM
    Process: [17576]C:\Windows\System32\cmd.exe
    Process Size: 283 KB (289,792 bytes)
    Process MD5 Hash: 00837EC16FD4063B27D4327B5AE85657
    Parent: [16772]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Parent Process Size: 3.94 MB (4,131,264 bytes)
    Rule: AntiExploitProtectWebBrowsers
    Rule Name: Protect web browsers with anti-exploit module
    Command Line: C:\WINDOWS\System32\cmd.exe /d /s /c ""C:\Program Files (x86)\Kaspersky Lab\Kaspersky Password Manager 23.1\plugin-nm-server-v2.exe" chrome-extension://eolheccophlcbnkkbelcgminoojochgj/ --parent-window=0" < \\.\pipe\LOCAL\edge.nativeMessaging.in.6e89ce9dde5e5d28 > \\.\pipe\LOCAL\edge.nativeMessaging.out.6e89ce9dde5e5d28
    Signer: <NULL>
    Parent Signer: Microsoft Corporation
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    I tried excluding it but that did not work.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Now same when opening Brave! :(
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,100
    Location:
    Canada
    The "Command Line" Path rule may have to be simplified as, for example:

    Code:
    Command Line: C:\WINDOWS\System32\cmd.exe /d /s /c ""C:\Program Files (x86)\Kaspersky Lab\Kaspersky Password Manager ??.?\plugin-nm-server-v?.exe" chrome-extension://eolheccophlcbnkkbelcgminoojochgj/ --parent-window=*
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    I need to disable both of these for the Kaspersky Password Manager to work in Edge or Brave.

    OSA.PNG
     
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    Here is a pre-release test 1 version of OSArmor PERSONAL v1.8.8:

    Code:
    https://downloads.osarmor.com/osa-1-8-8-personal-test1.exe
    
    What's new so far:

    You can install over-the-top, reboot is not needed.

    Let me know if you find issues or FPs.

    @bjm_ @Dragon1952 @Krusty

    FPs should be fixed now, please confirm.

    @Tarnak

    We'll find a solution for the payment issues.

    @Krusty

    About MailWasher "updater.exe" unsigned and blocked by OSArmor:

    I contacted them and they said you may be using an older version because the recent versions have all the .exe files signed.

    So you may want to update to a newer version to avoid those blocks.

    Or you can add this exclusion rule:

    Code:
    [%PARENTPROCESS%: C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe] [%PARENTSIGNER%: Firetrust Limited] [%PROCESS%: C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe] [%PROCESSCMDLINE%: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /checknow]
    
    But I would recommend updating to the latest version.
     
    Last edited: Oct 16, 2023
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Hi @novirusthanks ,

    Unfortunately, I am using the free version and as far as I'm aware it is the latest version available for the free users.

    That rule seems to have worked. Nice! Thank you. :thumb:
     
    Last edited: Oct 16, 2023
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    I've installed your test above and still get this with Edge and Brave:

    Date/Time: 17/10/2023 10:22:17 AM
    Process: [14412]C:\Windows\System32\cmd.exe
    Process Size: 283 KB (289,792 bytes)
    Process MD5 Hash: 00837EC16FD4063B27D4327B5AE85657
    Parent: [3260]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Parent Process Size: 3.94 MB (4,131,264 bytes)
    Rule: BlockAnyProcessExecutedFromWebBrowsers
    Rule Name: Block any process executed from web browsers
    Command Line: C:\WINDOWS\System32\cmd.exe /d /s /c ""C:\Program Files (x86)\Kaspersky Lab\Kaspersky Password Manager 23.1\plugin-nm-server-v2.exe" chrome-extension://eolheccophlcbnkkbelcgminoojochgj/ --parent-window=0" < \\.\pipe\LOCAL\edge.nativeMessaging.in.6a667417a224d38b > \\.\pipe\LOCAL\edge.nativeMessaging.out.6a667417a224d38b
    Signer: <NULL>
    Parent Signer: Microsoft Corporation
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Last edited: Oct 16, 2023
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Did not work on Machine #2 though.
     
  17. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,509
    Location:
    Hollow Earth - Telos
    I installed over the top and restarted but I still show version 187.
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    I just checked mine and it shows v1.8.8. Not Test v1 though.
     
  19. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,509
    Location:
    Hollow Earth - Telos
    I started the Test install but I guess I started doing something else and never finished the install. The test got blocked and I didn't get around to starting the install again.
     
    Last edited: Oct 16, 2023
  20. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @Krusty

    Use this new exclusion rule (should work on any PC):

    Code:
    [%PARENTPROCESS%: C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe] [%PARENTSIGNER%: Firetrust Limited] [%PROCESS%: C:\Users\*\AppData\Roaming\Firetrust\MailWasher\updater.exe] [%PROCESSCMDLINE%: "C:\Users\*\AppData\Roaming\Firetrust\MailWasher\updater.exe" /checknow]
    
    I just replaced your PC name with * so it matches any PC name.

    @Dragon1952

    Try to install again; it should work fine by installing it over the top. Or do you get error messages?

    Let me know.
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    Here is a pre-release test 2 version of OSArmor PERSONAL v1.8.8:

    Code:
    https://downloads.osarmor.com/osa-1-8-8-personal-test2.exe
    
    @Krusty

    FP should be fixed, please confirm if possible (test it with both Edge and Brave).

    @Krusty

    I have installed MailWasher Free 7.12.173 and it looks like updater.exe is signed:

    mailwasher-updater.png


    I checked the MD5 hash of the updater.exe present in your OSArmor blocked event:

    vt-result.png

    It is unsigned and it seems probably related to an old version.
     
  22. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Test build 2 running fine.
    Just installed Mullvad browser without any problems but cannot run it as it is unsigned. Have tried adding an exclusion but still will not run. Is it possible to add an exclusion rule?

    Capture#3.JPG
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    That did the trick! :thumb:

    I downloaded the latest MailWasher installer and installed over the top but I still got the block from OSA, but as mentioned, the exclusion works so I'm not too worried about it.
    Can confirm FPs for Kaspersky Password Manager in Edge and Brave are fixed.

    Thank you.
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @Krusty

    Great, thanks for confirming :)

    //EDIT:

    About MailWasher, that's strange, I made some tests and in my VM updater.exe is signed and not blocked by OSA.

    As an additional test, can you open this folder:

    Code:
    C:\Users\David\AppData\Roaming\Firetrust\MailWasher\
    
    Right-click on the file updater.exe, then select the Digital Signatures tab to see if it shows "Firetrust Limited" as signer, like shown in my previous screenshot.

    My guess is that somehow the file updater.exe didn't get overwritten during the install of the new MailWasher version (just a guess anyway).

    @Dark Star 72

    You can try to add this custom exclusion rule:

    Code:
    [%PROCESS%: C:\Users\ianhi\Desktop\Mullvad Browser\Browser\mullvadbrowser.exe] [%PROCESSMD5HASH%: C9446C50EB54E444A2581E3DB3DB3308]
    
    Unfortunately, since mullvadbrowser.exe is unsigned and located in a user-writable folder, you should also match the process MD5 hash for extra safety. Please note that the MD5 hash may change in case a new version of the browser is released or updated, and in this case you may need to add another exclusion rule with the new process MD5 hash (%PROCESSMD5HASH%) value.

    To avoid this, I would recommend moving the \Mullvad Browser\ folder to C:\Program Files\Mullvad Browser\ (or directly installing the web browser in the Program Files folder, which is a non-user-writable folder), and then you may use an exclusion rule that matches only the process name, for example:

    Code:
    [%PROCESS%: C:\Program Files\Mullvad Browser\Browser\mullvadbrowser.exe]
    
     
    Last edited: Oct 17, 2023
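As an added example (not OSArmor's own code, and not from any poster in this thread), the following Python script applies exclusion rules in the [%TOKEN%: value] syntax quoted in the posts above to blocked-event records in the log format quoted throughout the thread, and shows why the per-user MailWasher rule needed the * wildcard and why a path-only rule for an unsigned binary in a user-writable folder still excludes a swapped-in binary at that path while the hash-pinned rule does not. It assumes matcher semantics the thread implies but does not document: every condition in a rule must match, * matches any run of characters and ? a single character (as in wat0114's suggested pattern), and comparison is case-insensitive.

```python
import re

# Constructed sample events in the block-log format quoted in this thread; field values are copied
# from the posts above, with the user name changed to "Alice" to exercise the * wildcard.
MAILWASHER_EVENT = r"""
Process: [5552]C:\Users\Alice\AppData\Roaming\Firetrust\MailWasher\updater.exe
Process MD5 Hash: 09F26574ED73CA2DEA47B81D3D57E04F
Parent: [11752]C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe
Command Line: "C:\Users\Alice\AppData\Roaming\Firetrust\MailWasher\updater.exe" /checknow
Parent Signer: Firetrust Limited
"""
MULLVAD_EVENT = r"""
Process: [4100]C:\Users\ianhi\Desktop\Mullvad Browser\Browser\mullvadbrowser.exe
Process MD5 Hash: C9446C50EB54E444A2581E3DB3DB3308
"""

# Exclusion rules as posted in the thread (the David-only rule, its * variant, and the Mullvad rules).
RULE_ONE_USER = r'[%PARENTPROCESS%: C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe] [%PARENTSIGNER%: Firetrust Limited] [%PROCESS%: C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe] [%PROCESSCMDLINE%: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /checknow]'
RULE_ANY_USER = RULE_ONE_USER.replace("\\David\\", "\\*\\")
RULE_MULLVAD_PATH = r"[%PROCESS%: C:\Users\ianhi\Desktop\Mullvad Browser\Browser\mullvadbrowser.exe]"
RULE_MULLVAD_HASH = RULE_MULLVAD_PATH + " [%PROCESSMD5HASH%: C9446C50EB54E444A2581E3DB3DB3308]"

# Log field name -> rule token (only the tokens that appear in this thread's rules).
FIELD_TO_TOKEN = {"Process": "PROCESS", "Parent": "PARENTPROCESS", "Parent Signer": "PARENTSIGNER",
                  "Command Line": "PROCESSCMDLINE", "Process MD5 Hash": "PROCESSMD5HASH"}

def parse_event(text):
    """Turn one blocked-event block into {token: value}; strips the [PID] prefix that rules don't carry."""
    event = {}
    for line in text.splitlines():
        name, sep, value = line.partition(": ")
        if sep and name in FIELD_TO_TOKEN:
            event[FIELD_TO_TOKEN[name]] = re.sub(r"^\[\d+\]", "", value.strip())
    return event

def glob_to_regex(pattern):
    """Assumed matcher semantics: * = any run of characters, ? = one character, case-insensitive."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, re.IGNORECASE)

def rule_matches(rule, event):
    """A rule excludes an event only if every [%TOKEN%: pattern] condition matches (assumed AND)."""
    conditions = re.findall(r"\[%(\w+)%:\s*([^\]]*)\]", rule)
    return bool(conditions) and all(
        token in event and glob_to_regex(pattern).fullmatch(event[token]) for token, pattern in conditions)

def hash_pinning_demo():
    """Same path, different binary: the path-only rule still excludes it, the hash-pinned rule does not."""
    genuine = parse_event(MULLVAD_EVENT)
    swapped = dict(genuine, PROCESSMD5HASH="00000000000000000000000000000000")  # constructed hash
    return {
        "path_only_excludes_swapped": rule_matches(RULE_MULLVAD_PATH, swapped),
        "hash_pinned_excludes_swapped": rule_matches(RULE_MULLVAD_HASH, swapped),
        "hash_pinned_excludes_genuine": rule_matches(RULE_MULLVAD_HASH, genuine),
    }
```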
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    There appears to not be a Digital Signature tab in Properties.

    MailWasher.PNG
     