NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @Buddel

    Not yet, had to release the new version since it has some important improvements.

    Will add it on the next week.

    @wat0114

    Yes depending on user's PC usage and on OSA's protections enabled, FPs may still happen with time.

    Anyway, we work to reduce them as much as possible :)
     
  2. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    2,010
    Thank you very much.:thumb:
     
  3. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @busy and everyone:

    From today (Monday) you can use the coupon code CYBER2023 for 25% OFF on OSArmor PERSONAL (it works also for future renewals).

    It is valid for this Cyber Week until 02 December.
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,443
    Location:
    Among the gum trees
    Nice! Great deal, Andreas. :thumb:
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,970
    Location:
    USA
    Much appreciated, especially the works for future renewals part! :thumb:
     
  6. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,225
    Location:
    Canada
    I should renew around Christmas, so does it mean the coupon code will be valid?
     
  7. osmandemi

    osmandemi Registered Member

    Joined:
    May 5, 2010
    Posts:
    117
    If you buy now, the same discount will be valid when you extend the license next year.
     
  8. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,225
    Location:
    Canada
    Thanks, I guess I had misunderstood. :)
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,970
    Location:
    USA
    I may have misunderstood as well. My license expires 10 months from now, in September of 2024. If I purchase a license now, using coupon code CYBER2023, will it be valid when I go to use it in Sept '24? Hopefully Andreas can clarify? I always purchase ESET NOD32 licenses well in advance and they are activated when installed, not when purchased. Sounds like this OSArmor PERSONAL deal is not that way? Thank you.
     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @Page42

    The license is valid for 1 year from the date of purchase.

    Copied from the FAQs page (Billing tab):
    https://www.osarmor.com/faqs/

    Regarding the discount, it is automatically applied to future renewals (you will pay the same discounted amount every year when it is renewed).
     
  11. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,225
    Location:
    Canada
    Thanks Andreas for clarifying the situation. Unfortunately no deal for me, I just checked and my actual license ends 13/01/2024...
     
  12. Jan Willy

    Jan Willy Registered Member

    Joined:
    Jan 29, 2021
    Posts:
    295
    Location:
    Netherlands
    Even in your case it's an attractive offer. Not only for the next license period but also for the periods after that.
     
    Last edited: Dec 1, 2023
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    Here is a pre-release test 4 version of OSArmor PERSONAL v1.9.1:

    Code:
    https://downloads.osarmor.com/osa-personal-1-9-1-test4.exe
    
    Here is what's new so far:

    If you find issues or FPs please let me know.

    @Buddel

    It is now possible to reset the number of blocked processes.
     
  14. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    2,010
    Thank you.:thumb:
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,443
    Location:
    Among the gum trees
    I just found this on my laptop:

    Date/Time: 6/12/2023 3:09:52 PM
    Process: [9272]C:\Windows\Temp\3B0A82B8-B9A2-458E-AA17-590835133244\MpRecovery.exe
    Process Size: 255.64 KB (261,776 bytes)
    Process MD5 Hash: 63123D8BE1C81B35DED1725D8670D53E
    Parent: [4840]C:\Windows\Temp\3B0A82B8-B9A2-458E-AA17-590835133244\MpSigStub.exe
    Parent Process Size: 897.42 KB (918,960 bytes)
    Rule: BlockUnsignedProcsWithSystemIL
    Rule Name: Block unsigned processes with system privileges
    Command Line: C:\WINDOWS\TEMP\3B0A82B8-B9A2-458E-AA17-590835133244\MpRecovery.exe
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False

    Not using a Test build currently as I'm testing tweaks by SysHardener.
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,443
    Location:
    Among the gum trees
    Again:

    Code:
    Rule Name: Block unsigned processes with system privileges
    Date/Time: 6/12/2023 6:09:46 PM
    Process: [13708]C:\Windows\Temp\E0B4394D-6D1F-4718-89DD-1D19F83786D1\MpRecovery.exe
    Process Size: 255.64 KB (261,776 bytes)
    Process MD5 Hash: 63123D8BE1C81B35DED1725D8670D53E
    Parent: [12124]C:\Windows\Temp\E0B4394D-6D1F-4718-89DD-1D19F83786D1\MpSigStub.exe
    Parent Process Size: 897.42 KB (918,960 bytes)
    Rule: BlockUnsignedProcsWithSystemIL
    Rule Name: Block unsigned processes with system privileges
    Command Line: C:\WINDOWS\TEMP\E0B4394D-6D1F-4718-89DD-1D19F83786D1\MpRecovery.exe
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
    
    Is it safe?
     
    Last edited: Dec 6, 2023
  17. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    622
    Location:
    US
    Just now getting multiple alerts...the same as Krusty. Mpxxxx is Microsoft Defender I believe.

    v1.9.0.0
     
  18. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,506
    Location:
    Hollow Earth - Telos
    Date/Time: 12/6/2023 10:22:59 AM
    Process: [7604]C:\Windows\SysWOW64\cmd.exe
    Process Size: 231 KB (236,544 bytes)
    Process MD5 Hash: D3348AC2130C7E754754A6E9CB053B09
    Parent: [12892]C:\Windows\SysWOW64\cmd.exe
    Parent Process Size: 231 KB (236,544 bytes)
    Rule: BlockCmdExeExecution
    Rule Name: Block execution of Windows Command Prompt (cmd.exe)
    Command Line: C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Program Files (x86)\Google\GoogleUpdater\121.0.6116.0" "
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    Here is a pre-release test 5 version of OSArmor PERSONAL v1.9.1:

    Code:
    https://downloads.osarmor.com/osa-personal-1-9-1-test5.exe
    
    Here is what's new so far:

    Code:
    + Fixed all reported false positives
    + Added more signers to Trusted Vendors list
    + Added "Reset Stats" button on "Blocked Processes" section
    + Improved parsing of Custom Blocks and Exclusions rules
    + Improved retrieval of signer from a digitally signed process
    + Improved internal rules to detect suspicious behaviors
    + Minor improvements
    
    You can install this test build 5 over-the-top of the currently installed version (reboot is not needed).

    If you find issues or FPs please let me know.

    @Krusty @Roberteyewhy

    The reported FPs (related to Microsoft Defender) should be fixed in this new test build 5.

    Let me know if you notice them again.

    @Dragon1952

    Please use this new test build 5 and make sure you have enabled the option "Allow known safe third-party processes behaviors" on Configurator -> Settings -> General tab.

    Let me know if you notice it again.
     
  20. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    2,010
    Same here. This is the reason why I hope it will soon be able to unassociate more dangerous/suspicious file extensions such as ONE and PUB as well as old MS file extensions including DOC and XLS.
     
  21. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,506
    Location:
    Hollow Earth - Telos
    Date/Time: 12/5/2023 12:01:36 PM
    Process: [6688]C:\Program Files (x86)\0patch\Agent\0patchTest64.exe
    Process Size: 8 KB (8,192 bytes)
    Process MD5 Hash: AEF51DCC3D6984C2650FB5FFCD35C1C6
    Parent: [3564]C:\Program Files (x86)\0patch\Agent\0patchServicex64.exe
    Parent Process Size: 495.49 KB (507,384 bytes)
    Rule: BlockUnsignedProcsWithSystemIL
    Rule Name: Block unsigned processes with system privileges
    Command Line: 0patchTest64.exe
    Signer: <NULL>
    Parent Signer: ACROS računalniški inženiring d.o.o.
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  22. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,506
    Location:
    Hollow Earth - Telos
    Date/Time: 12/5/2023 12:01:36 PM
    Process: [6676]C:\Program Files (x86)\0patch\Agent\0patchTest32.exe
    Process Size: 7.5 KB (7,680 bytes)
    Process MD5 Hash: AC4C38362493431F8BB43FC7A3420AC5
    Parent: [3564]C:\Program Files (x86)\0patch\Agent\0patchServicex64.exe
    Parent Process Size: 495.49 KB (507,384 bytes)
    Rule: BlockUnsignedProcsWithSystemIL
    Rule Name: Block unsigned processes with system privileges
    Command Line: 0patchTest32.exe
    Signer: <NULL>
    Parent Signer: ACROS računalniški inženiring d.o.o.
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  23. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,506
    Location:
    Hollow Earth - Telos
    Date/Time: 12/5/2023 10:34:03 AM
    Process: [16904]C:\Windows\System32\cmd.exe
    Process Size: 283 KB (289,792 bytes)
    Process MD5 Hash: 00837EC16FD4063B27D4327B5AE85657
    Parent: [7072]C:\Windows\explorer.exe
    Parent Process Size: 5.08 MB (5,329,808 bytes)
    Rule: BlockCmdExeExecution
    Rule Name: Block execution of Windows Command Prompt (cmd.exe)
    Command Line: "C:\Windows\system32\cmd.exe"
    Signer: <NULL>
    Parent Signer: Microsoft Windows
    User/Domain: xxxxxxxx
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: Medium
    Passive Logging: False
     
    Last edited: Dec 6, 2023
  24. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,506
    Location:
    Hollow Earth - Telos
    Date/Time: 12/6/2023 5:22:21 PM ***** Here is a pre-release test 5 version of OSArmor PERSONAL v1.9.1
    Process: [7472]C:\Windows\SysWOW64\cmd.exe
    Process Size: 231 KB (236,544 bytes)
    Process MD5 Hash: D3348AC2130C7E754754A6E9CB053B09
    Parent: [10820]C:\Windows\SysWOW64\cmd.exe
    Parent Process Size: 231 KB (236,544 bytes)
    Rule: BlockCmdExeExecution
    Rule Name: Block execution of Windows Command Prompt (cmd.exe)
    Command Line: C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Program Files (x86)\Google\GoogleUpdater\121.0.6116.4" "
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @Dragon1952

    Thanks for reporting them.

    The alerts related to 0patch will be handled in the next build (I also contacted 0patch and asked if they can also sign those two .exe files since they are unsigned).

    The alert on #4923 is because you opened cmd.exe and we can't fix it, you should exclude the event if you'd like to allow opening of cmd.exe via explorer.

    The alert on #4924 is very strange, I see it is fixed and I can't reproduce it, I tried this:

    1- I installed Google Chrome 119 (older version)
    2- Then I installed OSA build 5 and then opened Chrome
    3- It started to update to 120 and it went fine, no alerts from OSA

    Do you have any more info about this?
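
Added example, not part of the thread and not OSArmor code: a small parser for the "Key: value" block reports posted above. It groups repeats of one event, so the two MpRecovery.exe reports, which differ only in PID and the GUID-named temp folder, count as a single finding to exclude or report. Field names come from the reports in this thread; the function names and the grouping key are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample entries abridged from the block reports posted in this thread.
SAMPLE = r"""
Process: [9272]C:\Windows\Temp\3B0A82B8-B9A2-458E-AA17-590835133244\MpRecovery.exe
Process MD5 Hash: 63123D8BE1C81B35DED1725D8670D53E
Rule: BlockUnsignedProcsWithSystemIL
Signer: <NULL>
Parent Signer: <NULL>

Process: [13708]C:\Windows\Temp\E0B4394D-6D1F-4718-89DD-1D19F83786D1\MpRecovery.exe
Process MD5 Hash: 63123D8BE1C81B35DED1725D8670D53E
Rule: BlockUnsignedProcsWithSystemIL
Signer: <NULL>
Parent Signer: <NULL>

Process: [6688]C:\Program Files (x86)\0patch\Agent\0patchTest64.exe
Process MD5 Hash: AEF51DCC3D6984C2650FB5FFCD35C1C6
Rule: BlockUnsignedProcsWithSystemIL
Signer: <NULL>
Parent Signer: ACROS računalniški inženiring d.o.o.
"""

GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")
PROC = re.compile(r"^\[(\d+)\](.+)$")  # "[pid]path"

def parse_entries(text):
    """Split on blank lines, then read each 'Key: value' line into a dict."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(l.strip().partition(": ")[::2] for l in block.splitlines() if ": " in l)
        m = PROC.match(rec.get("Process", ""))
        if m:  # skip blocks that are not block reports
            rec["PID"], rec["Path"] = int(m.group(1)), m.group(2)
            entries.append(rec)
    return entries

def summarize(entries):
    """Group repeats of one event: same rule and hash, path compared with GUIDs masked."""
    groups = defaultdict(list)
    for rec in entries:
        path = GUID.sub("{GUID}", rec["Path"].lower())
        groups[(rec.get("Rule"), rec.get("Process MD5 Hash"), path)].append(rec)
    return [{"rule": r, "md5": h, "path": p, "count": len(recs),
             "unsigned": recs[0].get("Signer") == "<NULL>",
             "parent_signer": recs[0].get("Parent Signer")}
            for (r, h, p), recs in groups.items()]
```

An unsigned child whose `parent_signer` names a vendor, as in the 0patch reports, is the case where asking the vendor to sign the binary removes the alert at its source.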
     