NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
    Just got Test 9 installed, after first disabling OSArmor briefly. No popup this time around.

    OSArmor_Test 9_v1.8.8_01.JPG

    OSArmor_Test 9_v1.8.8_02.JPG
     
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    Here is a pre-release test 12 version of OSArmor PERSONAL v1.8.8:

    Code:
    https://downloads.osarmor.com/osa-1-8-8-personal-test12.exe
    
    + Added Block particular processes to prevent DLL sideload
    + Improved retrieval of signer from a digitally signed process

    If you find issues or FPs please let me know.

    The new protection option "Block particular processes to prevent DLL sideload" (disabled by default in all profiles) is mostly useful for businesses and may generate some alerts for legit apps for home users.

    However it can help in blocking particular processes to prevent DLL sideload, example:


    test1.png


    test2.png


    The above two samples were used in APT attacks and use legit and signed processes to side-load a malicious DLL.

    If you plan on enabling this new option let me know if you get some new alerts.

    @Tarnak

    Please do same with this new build: uninstall or disable OSA, then install this new build.

    Then try again to run this new build setup to see if it gets blocked.
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
  4. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
    See, all good. :)

    OSArmor_Test 12_v1.8.8_01.JPG
     
  5. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
    Just updated my other laptop with Test 12 without disabling OSA beforehand. There was no problem doing so.

    OSArmor_Test 12 installed  on other laptop_no problem or popup_01.JPG
     
  6. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    Longer isn't a surprise if the longer-running scan really did scan so many more files ... but the question has to be: were there really 40682 files in one scan versus 45 in the other? If NoVirusThanks can't explain that huge difference I think you should ask Emsisoft why this happened.
     
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    Here is a pre-release test 13 version of OSArmor PERSONAL v1.8.8:

    Code:
    https://downloads.osarmor.com/osa-1-8-8-personal-test13.exe
    
    + Minor fixes and improvements

    If you find issues or FPs please let me know.

    @Tarnak

    Thanks for confirming.

    @JNicoll23

    I guess it may have scanned also other things in the system (maybe a system scan was in progress and it merged the results or something similar?).
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
    Just tried scanning Test 13 exec, and this is it counting up the #

    I did try getting an explanation from Emsisoft one time, as it was doing the same thing for another software that I run. But, they weren't helpful with an explanation.

    Emsisoft_scan of OSAmor_ takes time_02.JPG
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Besides MailWasher (which I will revisit), I'm running Advanced Protection + with no exclusions. Very nice!
     
  10. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    I've never seen that happen; if it did happen it's a bug & Emsisoft need to be told.

    If the .exe concerned is uploaded to VirusTotal & scanned, I wonder if it gives any clues.
     
  11. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    27,169
    Location:
    UK
    @Tarnak
    These are my Emsisoft logs for Test 8 and underneath it Test 13.
    Both show the same number of files scanned (40682)
    However both scans showed the same time.

    Emsisoft Anti-Malware - Version 2023.10
    Last update: 25/10/2023 11:48:09
    Initiated by: DESKTOP-QGK8BCR\Room
    Computer name: DESKTOP-QGK8BCR
    OS version: Windows 10x64
    Scan settings:
    Scan type: Custom Scan
    Objects: C:\Users\Room\Downloads\osa-1-8-8-personal-test8.exe
    Detect PUPs: On
    Scan archives: On
    Scan mail archives: Off
    ADS Scan: On
    Scan start: 25/10/2023 12:11:50
    Scanned 40682
    Found 0
    Scanning files... Done!
    Scan end: 25/10/2023 12:14:42
    Scan time: 0:02:52
    -------------------------------------------------------------------------------------------------------------
    --------------------------------------------------------------------------------------------------------------
    Emsisoft Anti-Malware - Version 2023.10
    Last update: 25/10/2023 11:48:09
    Initiated by: DESKTOP-QGK8BCR\Room
    Computer name: DESKTOP-QGK8BCR
    OS version: Windows 10x64
    Scan settings:
    Scan type: Custom Scan
    Objects: C:\Users\Room\Downloads\osa-1-8-8-personal-test13.exe
    Detect PUPs: On
    Scan archives: On
    Scan mail archives: Off
    ADS Scan: On
    Scan start: 25/10/2023 12:20:03
    Scanned 40682
    Found 0
    Scanning files... Done!
    Scan end: 25/10/2023 12:22:55
    Scan time: 0:02:52
     
  12. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    Was that "one time" recent? Back in the days when Emsi still had their forum I would have expected an interesting discussion about this, and do not think Emsi would have failed to explain, but nowadays when individuals make private contact with Emsi support there's no way for that to happen.
     
  13. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    My Win 8.1 machine is still running an older version of EAM (though does still get signature updates).
    I downloaded the test8 and test13 files and scanned them. The GUI does not show any counting -
    indeed one might wonder if EAM had hung ... but Process Hacker shows one core running a2service
    flat out. Here are the scan reports:

    ----------------
    Emsisoft Anti-Malware Home - Version 2021.9
    Last update: 25/10/2023 11:56:25
    Initiated by: SAMSUNG-NP350\Dxxxxxxxxx
    Computer name: SAMSUNG-NP350
    OS version: Windows 8.1x64

    Scan settings:

    Scan type: Custom Scan
    Objects: C:\Users\Dxxxxxxxxx\Downloads\osa-1-8-8-personal-test8.exe

    Detect PUPs: On
    Scan archives: On
    Scan mail archives: Off
    ADS Scan: On
    Direct disk access: Off

    Scan start: 25/10/2023 12:37:47

    Scanned 1
    Found 0

    Scan end: 25/10/2023 12:42:39
    Scan time: 0:04:52
    ----------------


    ----------------
    Emsisoft Anti-Malware Home - Version 2021.9
    Last update: 25/10/2023 11:56:25
    Initiated by: SAMSUNG-NP350\Dxxxxxxxxx
    Computer name: SAMSUNG-NP350
    OS version: Windows 8.1x64

    Scan settings:

    Scan type: Custom Scan
    Objects: C:\Users\Dxxxxxxxxx\Downloads\osa-1-8-8-personal-test13.exe

    Detect PUPs: On
    Scan archives: On
    Scan mail archives: Off
    ADS Scan: On
    Direct disk access: Off

    Scan start: 25/10/2023 12:43:33

    Scanned 1
    Found 0

    Scan end: 25/10/2023 12:48:27
    Scan time: 0:04:54
    ----------------

    Interesting counts, don't you think?
     
  14. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    27,169
    Location:
    UK
    Your version of Emsisoft is 2 years old and doesn't show the files it is scanning in the ribbon-like interface, which shows EXACTLY which files inside the exe it is scanning; the up to date version does though.
    See tarnak's screenie of it where it shows words like ... 'instyler module' moving along while it is scanning.
     
  15. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
    @stapp

    Those scans of the two versions, are minutes apart. Maybe, that is why the scan times are the same. ;)
     
  16. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
    Last month is recent. BTW, that other software was VoodooShield/CyberLock.
     
  17. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    27,169
    Location:
    UK
    @Tarnak
    Did a full restart of machine, took a little bit longer to scan test 13 compared to last time.
    Perhaps all this may not be relevant to OSA and it is just Emsisoft scanning a file which isn't well known to it.

    Scan start: 25/10/2023 14:22:08
    Scanned 40682
    Found 0
    Scanning files... Done!
    Scan end: 25/10/2023 14:25:16
    Scan time: 0:03:08

    Took a 7 second video of the scan to show what it is scanning

    Animation.gif
     
  18. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    That's certainly better than the older EAM where one sees nothing. But I see from your wee film (perhaps not going to threaten Barbie's financial success) that Emsi have left-justified the displayed info, so for long internal file paths one is quite likely not to see the changes happening even further off-screen to the right. Displays like that are best split over two lines with a left-justified top one & a right-justified lower one.

    The mystery now is why Tarnak's test8 scan yesterday only showed 45 items scanned.

    I have a vague (very vague, maybe misremembered) recollection that the number, at least in older versions of EAM, is not necessarily the number of files examined; it might include eg lots of registry keys it finds referenced in code. Or maybe records in a database or something as well.
     
  19. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    507
    @novirusthanks

    Reported during NVIDIA driver installation.
    545.92-notebook-win10-win11-64bit-international-dch-whql-g.exe

    Code:
    ++== Passive Logging ==++
    
    Date/Time: 26.10.2023 22:10:38
    Process: [19728]X:\CustomPath\Users\user\AppData\Local\Temp\CFB390C8-B40A-403C-B33F-454BD30EB9D3\DismHost.exe
    Process Size: 143,98 KB (147.432 bytes)
    Process MD5 Hash: D38444BF347AC72C89980672D9E285BE
    Parent: [15980]C:\Windows\System32\Dism.exe
    Parent Process Size: 282,46 KB (289.240 bytes)
    Rule: BlockParticularProcessesPreventDLLSideload
    Rule Name: Block particular processes to prevent DLL sideload
    Command Line: X:\CustomPath\Users\user\AppData\Local\Temp\CFB390C8-B40A-403C-B33F-454BD30EB9D3\dismhost.exe {FB2C7884-A852-4F82-ABC9-15B4C23CF345}
    Signer: Microsoft Windows
    Parent Signer: Microsoft Windows
    User/Domain: user/domain
    System File: False
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
     
  20. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @busy

    Yes it is an FP, thank you for reporting it.

    Have a question: what Windows OS are you using (please include also build number and if 32-bit or 64-bit)?

    I see also this "X:\CustomPath\", is it a custom Windows OS installation?
     
    Last edited: Oct 26, 2023
  21. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    507
    @novirusthanks
    dism: C:\Windows\WinSxS\amd64_microsoft-windows-d..ervicing-management_31bf3856ad364e35_10.0.19041.3570_none_d350939fc2f48f21\Dism.exe (Windows 10 22H2 19045.3570 64-bit)

    No, the TMP/TEMP environment variable is set to a different directory.
     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @busy

    Thanks a lot for the details, will fix the FP in the next test build.
     
  23. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    Here is a pre-release test 16 version of OSArmor PERSONAL v1.8.8:

    Code:
    https://downloads.osarmor.com/osa-1-8-8-personal-test16.exe
    
    + Fixed all reported false positives
    + Minor improvements

    If you find issues or FPs please let me know.

    //EDIT: Just made a quick test of OSA on W11 23H2:


    win11-23h2-osa-test.png


    @busy

    The FP should be fixed now, let me know in case you notice it again.
     
    Last edited: Oct 28, 2023
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    I just got this when booting my laptop:

    Date/Time: 31/10/2023 6:31:40 AM
    Process: [9780]C:\$Extend\$Deleted\01BA000000016CEA52A9E383
    Process Size: 3.56 MB (3,735,552 bytes)
    Process MD5 Hash: D41D8CD98F00B204E9800998ECF8427E
    Parent: [5884]C:\Program Files\BlackFog\BlackFog Privacy\PrivacySvc.exe
    Parent Process Size: 1.13 MB (1,182,248 bytes)
    Rule: BlockUnsignedProcsWithSystemIL
    Rule Name: Block unsigned processes with system privileges
    Command Line: BlackFogSetup.exe /qn
    Signer: <NULL>
    Parent Signer: BlackFog, Inc.
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
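    Reading the two event records quoted in posts #19 and #24 side by side, here is an added example (not OSArmor's code and not from any poster) of the triage a defender might script over OSArmor passive-log records: parse the Key: Value fields and surface what distinguishes the two alerts. The record text is a trimmed copy of the two posts; the note wording and the temp-directory heuristic are this example's own assumptions.

```python
import hashlib
import re

# Constructed sample input: the two passive-log records from posts #19 and #24, trimmed to the fields used here.
EVENTS = r"""
Process: [19728]X:\CustomPath\Users\user\AppData\Local\Temp\CFB390C8-B40A-403C-B33F-454BD30EB9D3\DismHost.exe
Process MD5 Hash: D38444BF347AC72C89980672D9E285BE
Parent: [15980]C:\Windows\System32\Dism.exe
Rule: BlockParticularProcessesPreventDLLSideload
Signer: Microsoft Windows
Parent Signer: Microsoft Windows
Integrity Level: High

Process: [9780]C:\$Extend\$Deleted\01BA000000016CEA52A9E383
Process MD5 Hash: D41D8CD98F00B204E9800998ECF8427E
Parent: [5884]C:\Program Files\BlackFog\BlackFog Privacy\PrivacySvc.exe
Rule: BlockUnsignedProcsWithSystemIL
Signer: <NULL>
Parent Signer: BlackFog, Inc.
Integrity Level: System
"""

# MD5 of zero bytes: reported as a "file hash" it means the image could not be read when OSArmor hashed it.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

def parse_events(text):
    """Split a passive log into records; 'Process'/'Parent' become (pid, path)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        for key in ("Process", "Parent"):
            pid, path = rec[key][1:].split("]", 1)   # "[19728]X:\..." -> (19728, "X:\...")
            rec[key] = (int(pid), path)
        records.append(rec)
    return records

def triage(rec):
    """Observations an analyst weighs before accepting an alert or calling it an FP (heuristics assumed here)."""
    signer, path = rec["Signer"], rec["Process"][1]
    checks = [
        (rec["Process MD5 Hash"].upper() == EMPTY_MD5, "hash is MD5 of empty input: image unreadable at hash time"),
        (signer == "<NULL>", "unsigned process"),
        (signer != rec["Parent Signer"], "signer differs from parent signer"),
        ("\\Temp\\" in path and signer.startswith("Microsoft"),
         "Microsoft-signed binary started from a temp directory (its own directory leads the DLL search order)"),
        (rec["Integrity Level"] == "System" and signer == "<NULL>", "unsigned code at System integrity"),
    ]
    return [note for hit, note in checks if hit]
```

    For the DismHost record only the temp-directory note fires, with parent and child both signed by Microsoft, which is consistent with the developer's FP verdict; the BlackFog record trips four notes, the empty-input hash explaining why OSArmor saw no signer at all.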
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    Here is a pre-release test 19 version of OSArmor PERSONAL v1.8.8:

    Code:
    https://downloads.osarmor.com/osa-1-8-8-personal-test19.exe
    
    + Fixed all reported false positives

    If you find issues or FPs please let me know.

    @Krusty

    Interesting event, it should be fixed now.
     