NoVirusThanks OSArmor: An Additional Layer of Defense

...and one more for good measure.

 

Thanks for the info, will check it out.

 

I'm using OSA with Harmony Endpoint. Very powerful combo. In OSA i enabled all "suspicious" protections and basic lolbin stuff, Harmony Endpoint takes cares the rest.
Tested this combo against various bazaar samples about a week. I do not download or run anything from "user space folders". I just save pictures, videos etc to custom folders.
I was kinda impressed, when running some .exe samples, OSA reacted really fast "suspicious process detected". Before mighty Harmony Endpoint even reacts. I was like...wow.

Just one feature in OSA is that it really needs some more tampering protections(self protection mechanism). It's easy terminate OSA processes. When testing some malwares, they "kill" all the runnin processes which are not protected(chrome,outlook etc).

 

After enabling medium protection, I am getting a repeated block. I don't know what is making this run.
Here is a Microsoft doc about the cmdlet:
https://learn.microsoft.com/en-us/p...t/disable-computerrestore?view=powershell-5.1

Code:

Date/Time: 4/17/2024 10:09:39 AM
Process: [16032]C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Process Size: 413.5 KB (423,424 bytes)
Process MD5 Hash: 61732DBA77466B624C014B67A1E1348E
Parent: [4904]C:\Windows\SysWOW64\cmd.exe
Parent Process Size: 239.5 KB (245,248 bytes)
Rule: PreventCmdFromExecutingPowerShell
Rule Name: Prevent cmd.exe from executing powershell.exe
Command Line: powershell.exe  "Disable-ComputerRestore -Drive \"C:\""
Signer: <NULL>
Parent Signer: <NULL>
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: True
Integrity Level: System
Parent Integrity Level: System
Passive Logging: False

 

Is "Enable OSArmor self-defense (process termination)" enabled?

 

I cannot update my payment method over on FastSpring. Any ideas what I'm doing wrong. FastSpring tells me...talk to my credit card. My credit card tells me...talk to FastSpring.
My Appsvoid sub expires in May. My OSArmor sub expires in December.

Spoiler: unexpected error

 

Maybe reach out to @novirusthanks.

 

I got this short time ago, but then I had problems with my Opera browser. It locked up, and I had to reboot the laptop.

Finally, here it is, and I chose ignore.

 

We have released OSArmor v1.9.9:
https://www.osarmor.com/download/

Here is the changelog:

If you have automatic updates enabled then OSArmor should auto-update in the next hours.

Else you can install it "over-the-top" of the installed version, reboot is not needed.

If you find false positives or issues please let me know.

@shmu26

It looks like something in the system (e.g a Windows Update or a system process or a service of a backup software) is doing that activity.

You should not see the alerts in this new build.

@bjm_

We resolved the issue via email, thanks for reporting that.

@Tarnak

FP fixed.

@moredhelfinland

We have an option (enabled by default) to protect OSA processes from termination (only Task Manager is allowed to terminate them).

We intentionally didn't add other particular/advanced tampering protections because a process to damage OSA has to [1] run in the system and [2] gain admin privileges.

It already covers protection from tampering done by abusing system processes.

 

Auto updated a short time ago to v1.9.9.0 , and scanned for New Trusted Vendors.

 

OSArmor has been updated to v2.0.0.0.

Changelog:
+ Save log files in YYYY-MM-DD.log format
+ Save date/time in log files in YYYY-MM-DD HH:mm:ss format
+ Save also date/time in UTC
+ Added more JSON data on HTTP POST request (Enterprise version)
+ Minor improvements

Source: https://www.osarmor.com/changelog/

 

Got it now...

 

Hi @novirusthanks ,

Just seen a message from OSA on starting Windows that OSA service wasn't running and suggested I start the service, restart my machine, or reinstall the latest version. I've seen it once or twice before with recent builds. A system restart gets it going.

Not a big deal, but if I didn't catch the pop up I may not have noticed that OSA wasn't running.

I've installed the latest version of the top for now.

Thanks.

 

We have released OSArmor v2.0.1:
https://www.osarmor.com/download/

Here is the changelog:

If you have automatic updates enabled then OSArmor should auto-update in the next hours.

Else you can install it "over-the-top" of the installed version, reboot is not needed.

If you find false positives or issues please let me know.

This update was focused mainly on the Enterprise version but we made improvements also to Personal and Business versions.

@Krusty

Please let me know if you notice that again with this new v2.0.1 version.

 

Got it a short time ago...

 

I don't know what this is about, that just popped:

Code:

Date/Time: 2024-06-11 21:52:44
Date/Time UTC: 2024-06-11 11:52:44
Action: Process Blocked
OSArmor Version: 2.0.1.0
Process: [12732]C:\Windows\System32\cmd.exe
Process Size: 283 KB (289,792 bytes)
Process MD5 Hash: 2B40C98ED0F7A1D3B091A3E8353132DC
Parent: [20680]C:\Windows\System32\cmd.exe
Parent Process Size: 283 KB (289,792 bytes)
Rule: BlockCmdScripts
Rule Name: Block execution of .cmd scripts
Command Line: C:\windows\system32\cmd.exe  /S /D /c" dir /a /b /s install.cmd"
Signer: <NULL>
Parent Signer: <NULL>
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: True
Integrity Level: System
Parent Integrity Level: System
Passive Logging: False


Date/Time: 2024-06-11 21:52:28
Date/Time UTC: 2024-06-11 11:52:28
Action: Process Blocked
OSArmor Version: 2.0.1.0
Process: [18656]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Size: 445 KB (455,680 bytes)
Process MD5 Hash: 2E5A8590CF6848968FC23DE3FA1E25F1
Parent: [20680]C:\Windows\System32\cmd.exe
Parent Process Size: 283 KB (289,792 bytes)
Rule: PreventCmdFromExecutingPowerShell
Rule Name: Prevent cmd.exe from executing powershell.exe
Command Line: powershell  -Command "(gc version.txt ) -replace ']', '' | Out-File -encoding ASCII version.txt"
Signer: <NULL>
Parent Signer: <NULL>
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: True
Integrity Level: System
Parent Integrity Level: System
Passive Logging: False


Date/Time: 2024-06-11 21:52:27
Date/Time UTC: 2024-06-11 11:52:27
Action: Process Blocked
OSArmor Version: 2.0.1.0
Process: [5616]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Size: 445 KB (455,680 bytes)
Process MD5 Hash: 2E5A8590CF6848968FC23DE3FA1E25F1
Parent: [20680]C:\Windows\System32\cmd.exe
Parent Process Size: 283 KB (289,792 bytes)
Rule: PreventCmdFromExecutingPowerShell
Rule Name: Prevent cmd.exe from executing powershell.exe
Command Line: powershell  -Command "(gc version.txt ) -replace 'Microsoft Windows \[Version 10.0.', '' | Out-File -encoding ASCII version.txt"
Signer: <NULL>
Parent Signer: <NULL>
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: True
Integrity Level: System
Parent Integrity Level: System
Passive Logging: False

 

Now, I know what the above is about. Just got this warning from CyberLock/VoodooShield. The timing fits.





PS. Added another image

 

@Tarnak
swsetup folder is related to HP computers i think...for me it seems that HP driver or what ever install/uninstall cmd "script" gets blocked by CL. I know, this is annoying, when some legit softwares uses scripts for uninstalling/installing stuff.
One example, one of my test PCs, i ran freeware PC MARK 10 to test my security software performance. It was kind of a nightmare to get the test completed. CL and OSArmor blocked powershell script used by PC MARK 10.
PC MARK 10, one of the test uses in build chromium(old version), massive alarms from CL / OSA. In the end, i whitelisted whole friggin PC mark directory, which is, security wise very bad move.

 

@moredhelfinland

Yes, I have a HP Probook laptop.

I have decided to exclude and unblock, and allow the script to run. No ill effects noticed.



P.S. Maybe, I should have chosen ignore in this instance. @novirusthanks can advise?

 

Just updated:

Changelog:

[16-Jun-2024] v2.0.2.0

+ Added more signers to Trusted Vendors list
+ Added more JSON data on HTTP POST request
+ Fixed all reported false positives
+ Minor improvements