NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Krusty

    Krusty Registered Member

    ... I've got a feeling an uninstall / reinstall could be in order.
     
  2. bjm_

    bjm_ Registered Member

    this feels new with 1.8.8 test 2
    Date/Time: 10/18/2023
    Process: [13732]C:\Users\bjm\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
    Process Size: 3.94 MB (4,130,720 bytes)
    Process MD5 Hash: 0BE8ED912EAE9AFFC157DA92F89AAC8E
    Parent: [1644]C:\Windows\System32\svchost.exe
    Parent Process Size: 54.02 KB (55,320 bytes)
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: "C:\Users\bjm\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe" /reporting
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Windows Publisher
    User/Domain: bjm/DESKTOP-DELL
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: System
     
  3. novirusthanks

    novirusthanks Developer

    Here is a pre-release test 3 version of OSArmor PERSONAL v1.8.8:

    Code:
    https://downloads.osarmor.com/osa-1-8-8-personal-test3.exe
    
    @bjm_

    The new FP is fixed.

    @Krusty

That's strange then, it looks as if updater.exe was not overwritten with the new version (that is digitally signed).

    Maybe a complete uninstall of MailWasher and then a clean install of the latest free version should fix it (make sure to first backup emails, config, etc).
     
  4. Krusty

    Krusty Registered Member

    Tried that but the updater is still the unsigned version. Are you sure you didn't download the free trial of the Pro version?
     
  5. Krusty

    Krusty Registered Member

    I'm still getting this from MailWasher, even after adding exclusions:

    Date/Time: 20/10/2023 10:33:33 AM
    Process: [12784]C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe
    Process Size: 1.1 MB (1,156,608 bytes)
    Process MD5 Hash: 09F26574ED73CA2DEA47B81D3D57E04F
    Parent: [8780]C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe
    Parent Process Size: 6.88 MB (7,211,600 bytes)
    Rule: BlockUnsignedProcessesAppDataRoaming
    Rule Name: Block execution of unsigned processes on Roaming AppData
    Command Line: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /justcheck
    Signer: <NULL>
    Parent Signer: Firetrust Limited
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium

    It happens when MailWasher automatically checks daily for updates.

    This was yesterday's block:

    Date/Time: 19/10/2023 10:33:27 AM
    Process: [16000]C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe
    Process Size: 1.1 MB (1,156,608 bytes)
    Process MD5 Hash: 09F26574ED73CA2DEA47B81D3D57E04F
    Parent: [11084]C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe
    Parent Process Size: 6.88 MB (7,211,600 bytes)
    Rule: BlockUnsignedProcessesAppDataRoaming
    Rule Name: Block execution of unsigned processes on Roaming AppData
    Command Line: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /justcheck
    Signer: <NULL>
    Parent Signer: Firetrust Limited
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High

    It is becoming a pain in my arse. I don't know why this has only just started recently with the new test builds.
     
  6. busy

    busy Registered Member

    @novirusthanks
    Is it possible to define a REGEX match on multiple variables within the same rule?

    EDIT:
    If an application launched from the desktop is blocked by OSArmor while the 'Do not display alerts when the application is in full screen mode' option is enabled, no alert will be displayed.
     
    Last edited: Oct 20, 2023
  7. novirusthanks

    novirusthanks Developer

    @Krusty

    I have downloaded the free version from this link:

    Code:
    https://www.mailwasher.net/download-mailwasher-free
    
    File hash details below:

    Code:
    File: mailwasher_pro_setup_7_12_173_free.exe
File size: 27.7 MB (29,014,224 bytes)
    MD5 checksum: E89341D96834FED0BE958BEF9EEC5365
    SHA1 checksum: 9F7414C574944FFDB858CC93D6DE5898DF7D529E
    SHA256 checksum: 37996CF5F4211965BFC4CFA5E503F2C58E3789DD31E847D360532497895E3E39
    SHA384 checksum: 6910BD1C922BDEA9D5041C44D077164AD6AE7650F9D342A518514C7548583923095D31C728EC2876B777C5638BFA5CEC
    SHA512 checksum: 806A395155C0E78472097B1A600A72B6F034AA37538BC0EC4D3CAB183CE055B36B0B6119B1C335B61D23887BFD14A414D65D50F50A7254C362E1D3C45B1C1113
    
    I tried to install it again in a VM and the file updater.exe is signed as per my previous screenshot.

    Regarding the other two blocks, please add this new exclusion rule:

    Code:
    [%PARENTPROCESS%: C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe] [%PARENTSIGNER%: Firetrust Limited] [%PROCESS%: C:\Users\*\AppData\Roaming\Firetrust\MailWasher\updater.exe] [%PROCESSCMDLINE%: "C:\Users\*\AppData\Roaming\Firetrust\MailWasher\updater.exe" /justcheck]
    
    It has a new command-line "/justcheck" that is different compared to the previous block.

    @busy

    Can you provide an example?

    At the moment it is possible to use regular expressions like this:

    Code:
    ; Block processes using regular expressions (PCRE) -> abc123.exe
    [REGEX:%PROCESSFILENAME%: ^abc[0-9]*\.exe]
    
    ; Another example to match two aliases using regular expressions:
    [REGEX:%PROCESSFILENAME%: ^abc[0-9]*\.exe] [REGEX:%PARENTFILENAME%: ^test[0-9]{3}\.exe]
    
    Here you can find available aliases/variables and some examples:
    https://www.osarmor.com/custom-block-rules/

    If there is no active full screen mode window it should display an alert if a process is blocked.

    Will run some tests and see if I can reproduce the issue.
     
  8. busy

    busy Registered Member

    @novirusthanks
    On Windows 10: Right-click the desktop > Personalize > Background > Change the existing background type. (from Picture to Slideshow or Solid Color)
    After changing it, the desktop class will change from Progman to WorkerW. After this change, no alert will be displayed for blocks on the desktop.

    REGEX only works when used in the first variable.

    Code:
    [%PROCESS%: *test1*] [%PROCESSCMDLINE%: *test1*] [%RULENAME%: SUCCESS test1]
    [%PROCESS%: *test2*] [REGEX:%PROCESSCMDLINE%: .*test2.*] [%RULENAME%: FAIL test2]
    [REGEX:%PROCESS%: .*test3.*] [REGEX:%PROCESSCMDLINE%: .*test3.*] [%RULENAME%: FAIL test3]
    [REGEX:%PROCESS%: .*test4.*] [%PROCESSCMDLINE%: *test4*] [%RULENAME%: SUCCESS test4]
    Tested with osa-1-8-8-personal-test3
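Added example, not OSArmor's code and not from any poster above: a small evaluator for the custom block/exclusion rule syntax discussed in the last two posts, run against the block-log entries quoted earlier in the thread. It accepts the page's two clause forms, wildcard `[%VAR%: pattern]` and `[REGEX:%VAR%: pcre]`, in any position, which is the behaviour busy's four test rules expect. Everything else is an assumption for the sake of the demonstration: which log field each %VARIABLE% reads, case-insensitive comparison (Windows paths), `*` spanning backslashes, clauses AND-ed together, and a REGEX: clause having to match the whole field value. OSArmor's real matcher is closed and may differ on any of these.

```python
"""Evaluator for OSArmor-style custom rules (added example, not OSArmor code).

Assumptions (not documented on the page): variable-to-field mapping below,
case-insensitive matching, '*' spanning backslashes, clauses AND-ed, and a
REGEX: clause having to match the whole field value.
"""
import re
from typing import Dict, List, Tuple

# Block-log entries copied from the posts above (MailWasher, post 5; OneDrive, post 2).
LOG_MAILWASHER = r'''Date/Time: 20/10/2023 10:33:33 AM
Process: [12784]C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe
Parent: [8780]C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe
Rule: BlockUnsignedProcessesAppDataRoaming
Command Line: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /justcheck
Signer: <NULL>
Parent Signer: Firetrust Limited'''

LOG_ONEDRIVE = r'''Process: [13732]C:\Users\bjm\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
Parent: [1644]C:\Windows\System32\svchost.exe
Command Line: "C:\Users\bjm\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe" /reporting
Signer: Microsoft Corporation
Parent Signer: Microsoft Windows Publisher'''

# Exclusion rule from the developer's reply (post 7), verbatim.
MAILWASHER_EXCLUSION = (
    r'[%PARENTPROCESS%: C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe] '
    r'[%PARENTSIGNER%: Firetrust Limited] '
    r'[%PROCESS%: C:\Users\*\AppData\Roaming\Firetrust\MailWasher\updater.exe] '
    r'[%PROCESSCMDLINE%: "C:\Users\*\AppData\Roaming\Firetrust\MailWasher\updater.exe" /justcheck]'
)

# busy's four test rules (post 8); a matcher that honours REGEX: anywhere accepts all four.
BUSY_RULES = [
    r"[%PROCESS%: *test1*] [%PROCESSCMDLINE%: *test1*] [%RULENAME%: SUCCESS test1]",
    r"[%PROCESS%: *test2*] [REGEX:%PROCESSCMDLINE%: .*test2.*] [%RULENAME%: FAIL test2]",
    r"[REGEX:%PROCESS%: .*test3.*] [REGEX:%PROCESSCMDLINE%: .*test3.*] [%RULENAME%: FAIL test3]",
    r"[REGEX:%PROCESS%: .*test4.*] [%PROCESSCMDLINE%: *test4*] [%RULENAME%: SUCCESS test4]",
]


def parse_block_log(text: str) -> Dict[str, str]:
    """Turn 'Key: Value' lines into a dict; strip the '[pid]' prefix from paths."""
    fields: Dict[str, str] = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(": ")
        fields[key.strip()] = value.strip()
    for key in ("Process", "Parent"):
        fields[key] = re.sub(r"^\[\d+\]", "", fields.get(key, ""))
    return fields


def rule_variables(fields: Dict[str, str]) -> Dict[str, str]:
    """Assumed mapping of rule variables to log fields."""
    proc, parent = fields["Process"], fields["Parent"]
    return {
        "PROCESS": proc,
        "PROCESSFILENAME": proc.rsplit("\\", 1)[-1],
        "PARENTPROCESS": parent,
        "PARENTFILENAME": parent.rsplit("\\", 1)[-1],
        "PROCESSCMDLINE": fields.get("Command Line", ""),
        "SIGNER": fields.get("Signer", ""),
        "PARENTSIGNER": fields.get("Parent Signer", ""),
    }


# A clause ends at ']' only when the next thing is another '[' or the end of the
# rule, so a character class such as '[0-9]' inside a regex does not cut it short.
CLAUSE = re.compile(r"\[(REGEX:)?%([A-Z]+)%:\s*(.*?)\](?=\s*\[|\s*$)")


def parse_rule(rule: str) -> Tuple[str, List[Tuple[str, re.Pattern]]]:
    """Return (rule name, [(variable, compiled pattern), ...])."""
    name, clauses = "", []
    for is_regex, var, pattern in CLAUSE.findall(rule):
        if var == "RULENAME":          # label only, never a condition
            name = pattern
        elif is_regex:                  # PCRE-style pattern used as-is
            clauses.append((var, re.compile(pattern, re.IGNORECASE)))
        else:                           # wildcard: '*' any run, '?' one char
            wild = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
            clauses.append((var, re.compile(wild, re.IGNORECASE)))
    return name, clauses


def rule_matches(rule: str, fields: Dict[str, str]) -> bool:
    """True when every clause matches its variable, REGEX: or wildcard, in any position."""
    _, clauses = parse_rule(rule)
    values = rule_variables(fields)
    return bool(clauses) and all(
        rx.fullmatch(values.get(var, "")) is not None for var, rx in clauses
    )


def busy_results() -> Dict[str, bool]:
    """Run each of busy's rules against a constructed event named after it."""
    out = {}
    for n, rule in enumerate(BUSY_RULES, start=1):
        event = parse_block_log(               # constructed sample event
            rf"Process: [100]C:\Tools\test{n}.exe" + "\n"
            r"Parent: [4]C:\Windows\explorer.exe" + "\n"
            rf'Command Line: "C:\Tools\test{n}.exe" /run'
        )
        name, _ = parse_rule(rule)
        out[name] = rule_matches(rule, event)
    return out


if __name__ == "__main__":
    print("MailWasher block excluded:", rule_matches(MAILWASHER_EXCLUSION, parse_block_log(LOG_MAILWASHER)))
    print("OneDrive block excluded:  ", rule_matches(MAILWASHER_EXCLUSION, parse_block_log(LOG_ONEDRIVE)))
    print(busy_results())
```

The MailWasher exclusion matches the `/justcheck` block and, because every clause must hold, does not match the unrelated OneDrive block; all four of busy's rules come back True here, whereas the test3 build rejected the two that put REGEX: in a non-first clause. The lookahead in `CLAUSE` is the one detail worth copying if you write your own parser: a naive split on `]` would truncate `^abc[0-9]*\.exe` at the character class.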
     
  9. novirusthanks

    novirusthanks Developer

    Here is a pre-release test 4 version of OSArmor PERSONAL v1.8.8:

    Code:
    https://downloads.osarmor.com/osa-1-8-8-personal-test4.exe
    
    Just some minor improvements and some FPs fixed.

    @busy

    Thanks a lot for including all the details.

    Will run some tests the next days and will update here.
     
  10. busy

    busy Registered Member

    @novirusthanks
    Instead of changing the background, you can try opening Task View. (WinKey + Tab)
     
  11. novirusthanks

    novirusthanks Developer

    Here is a pre-release test 5 version of OSArmor PERSONAL v1.8.8:

    Code:
    https://downloads.osarmor.com/osa-1-8-8-personal-test5.exe
    
    Improved parsing of Custom Blocks and Exclusions rules.

    @busy

    Thanks for the additional details.

    This new test 5 version should fix the regex issue, please confirm if it works fine for you.

    Will update soon about the full-screen mode detection improvement.
     
  12. busy

    busy Registered Member

    @novirusthanks
    I've tested it with test5 and I can confirm that it works. Thank you.
     
  13. Tarnak

    Tarnak Registered Member

    Some blocks with Test 5, i.e. 3 in total. I captured 2 of them.

    Screenshot (619).png

    Screenshot (621).png
     
  14. Krusty

    Krusty Registered Member

    Thank you. That seems to have been the answer, but I don't know why updater.exe isn't signed on my installs, even after uninstalling and reinstalling. Anyway, I'm OK with exclusions.
    It might help if you uploaded the logs from those blocks.
     
  15. novirusthanks

    novirusthanks Developer

    Here is a pre-release test 6 version of OSArmor PERSONAL v1.8.8:

    Code:
    https://downloads.osarmor.com/osa-1-8-8-personal-test6.exe
    
    Improved detection of full-screen mode.

    @busy

    This new test 6 version should fix the full-screen issue, please confirm if it works fine for you.

    @Tarnak

    Please send me the log files so I can check them.
     
  16. busy

    busy Registered Member

    Thank you, it works fine now.
     
  17. Tarnak

    Tarnak Registered Member

  18. busy

    busy Registered Member

    @novirusthanks

    The "Block execution of processes on Documents folder" setting also prevents execution from ImDisk drives.

    Code:
    Date/Time: 23/10/2023 12:51:23
    Process: [7508]\Device\ImDisk0\EchoArgs.exe
    Process Size: 0 bytes (0 bytes) [Actual: 4 KB (4096 bytes)]
    Process MD5 Hash: D41D8CD98F00B204E9800998ECF8427E [Actual: 4752DEFE9A9E02A1D286341EBA7EA9C4]
    Parent: [4152]C:\Windows\explorer.exe
    Parent Process Size: 5.08 MB (5,329,808 bytes)
    Rule: BlockProcessesOnDocuments
    Rule Name: Block execution of processes on Documents folder
    Command Line: "R:\EchoArgs.exe"
    Signer: <NULL>
    Parent Signer: Microsoft Windows
    User/Domain: user/domain
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  19. novirusthanks

    novirusthanks Developer

    Here is a pre-release test 8 version of OSArmor PERSONAL v1.8.8:

    Code:
    https://downloads.osarmor.com/osa-1-8-8-personal-test8.exe
    
    What's new compared to the previous build:

    + Repeat the "Protection Disabled" reminder after 10 minutes if window is closed
    + Improved retrieval of process file path in particular situations
    + Fixed all reported false positives
    + Minor improvements

    @Tarnak

    Thanks, should be fixed now.

    Please confirm if possible.

    @busy

    Interesting issue, should be fixed now:

    ImDisk-test.png

    Please confirm if possible.
     
  20. Tarnak

    Tarnak Registered Member

    Just out of interest, I have noticed something unusual, recently, when I scanned the OSArmor execs with Emsisoft, is that it has taken longer:

    Emsisoft_scan of OSAmor_ takes time_01.JPG

    Comparison of today's scan log and an earlier one:

     
  21. Tarnak

    Tarnak Registered Member

    Running Test 8, and no issues. :) But, then maybe I don't know [any] better.:doubt:
     
  22. busy

    busy Registered Member

  23. novirusthanks

    novirusthanks Developer

    Here is a pre-release test 9 version of OSArmor PERSONAL v1.8.8:

    Code:
    https://downloads.osarmor.com/osa-1-8-8-personal-test9.exe
    
    + Added more signers to Trusted Vendors list
    + Improved internal rules to detect suspicious behaviors
    + Improved internal rules to allow safe behaviors
    + Improved detection of particular threats
    + Improved installer and uninstaller scripts
    + Improved support for Windows 11
    + Updated internal libraries

    If you find issues or FPs please let me know.
     
  24. Tarnak

    Tarnak Registered Member

Just tried installing, and got this:

     
  25. Tarnak

    Tarnak Registered Member

    Did it again, but this time I got the image:

    OSArmor_did it again_01.JPG
     