NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    410
    Location:
    Finland
    ExecutionPolicy Unrestricted <-- should always be blocked. Legit PowerShell scripts do not use that command.
    What I do with OSA: disable "Block Suspicious and Uncommon Powershell Commands"
    and enable "Block encoded and malformed Powershell Commands".
    I've been testing Avira Antivirus Pro + custom OSA protections enabled, and it works really well.
    I'm really impressed by Avira's APC (Avira Protection Cloud) and even more impressed by its "Sentry" security component. Very powerful: when the signature check/APC (cloud) fails for some reason, the Sentry kicks in with Win64.Drop.xxx detections.
    Avira with OSA (custom protections enabled) and a systemwide anti-keylogger (I'm using KeyScrambler) is the way to go. And for a firewall, I'm using NetLimiter and its "Blocker", because it's the only one, along with Comodo Firewall, that can actually send a halt/stop to a program that wants to connect outside.
     
  2. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    921
    Location:
    U.S. Citizen
    @moredhelfinland,

    And how does it compare to your main PC :)?
    And on your test PC, Sophos Home Premium :)?
    How would you rate Avira's APC (Avira Protection Cloud)? Any cons?

    And between NetLimiter and Comodo Firewall, which one did you install first?
    NetLimiter filters......
    Also, how did you configure Comodo Firewall?

    Make it a great one, that is today!
     
    Last edited: Dec 22, 2024
  3. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    410
    Location:
    Finland
    @Moose World
    Sophos Home is good, very good. I especially like its MITRE ATT&CK implementation. I don't know any other AVs (for home use, that is) that use the MITRE ATT&CK matrix. But Sophos is very resource hungry. And Home Premium gets component updates later (especially HMPA) vs their EDR solution. So EDR gets the newest components, and home users later on (even several months!).
    As for Avira, I'm really impressed by how powerful it actually is. Its APC and Sentry components are very, very good. But I noticed that when you run Avira on a "lousy" (dual core, 2 threads) PC, there's no Sentry component running, maybe because the PC is too slow. But I still get Win64.xxx Sentry detections.
    And for a firewall, NetLimiter Blocker is good; it uses its own kernel-mode driver, which is always a big plus, and it sends a pause/halt to any program that wants to connect outside.
    Something like this:
    Install VLC media player
    Check updates
    With WFC (VLC reports no internet connection available; you need to run VLC twice)
    With GlassWire (connection accepted, the allow-or-block popup window comes too late)
    With NetLimiter Blocker (VLC checking updates... still checking... until I allow it or not, no stupid "internet connection not available")
    Always use a systemwide anti-keylogger; I'm using KeyScrambler. My friend got his Steam account stolen, even though he's using NOD32. NOD32 detected the infostealer (keylogger) the next day, but his Steam account and everything he typed was sent to a hacker. So... always use a systemwide anti-keylogger.
     
  4. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    921
    Location:
    U.S. Citizen
    @moredhelfinland
    Keep us updated on various things; information and knowledge = learning for the future.
    Hopefully not making the same mistakes! Thank you for sharing......
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,443
    Location:
    Among the gum trees
    Another block today:

    Date/Time: 2024-12-27 10:04:26
    Date/Time UTC: 2024-12-26 23:04:26
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [7820]C:\Windows\System32\msiexec.exe
    Process Size: 68 KB (69,632 bytes)
    Process MD5 Hash: 78912EA8790DE51D2C7CEB9B8C572346
    Parent: [14864]C:\Program Files\Patch My PC\Patch My PC Home Updater\PatchMyPC-HomeUpdater.exe
    Parent Process Size: 27.54 MB (28,882,744 bytes)
    Rule: BlockExecutionMsiUnsigned
    Rule Name: Block execution of unsigned MSI installers
    Command Line: "msiexec" /i "C:\ProgramData\Patch My PC\GadgetPackSetup.msi" /qn REBOOT=ReallySuppress
    Signer: <NULL>
    Parent Signer: Patch My PC, LLC
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False

    Adding an exclusion did not work.

    @novirusthanks ,

    What happened to the new versions you mentioned?
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,443
    Location:
    Among the gum trees
    ... On second thoughts, I should not have allowed this update. The new gadget icons look terrible!
     
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    new install v2.0.3.0 @ Maximum Protection
    Exclude or Ignore?
    Date/Time: 2025-01-01 10:46:34
    Date/Time UTC: 2025-01-01 15:46:34
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [11704]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process Size: 440 KB (450,560 bytes)
    Process MD5 Hash: 9D8E30DAF21108092D5980C931876B7E
    Parent: [6596]C:\Windows\System32\cmd.exe
    Parent Process Size: 316 KB (323,584 bytes)
    Rule: BlockSuspiciousUncommonPowerShellCommands
    Rule Name: Block suspicious and uncommon PowerShell commands
    Command Line: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ExecutionPolicy Bypass "(Get-ItemProperty 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe').VersionInfo.FileDescription"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: bjm/HPbjm
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False
    Date/Time: 2025-01-01 10:46:34
    Date/Time UTC: 2025-01-01 15:46:34
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [2792]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process Size: 440 KB (450,560 bytes)
    Process MD5 Hash: 9D8E30DAF21108092D5980C931876B7E
    Parent: [1952]C:\Windows\System32\cmd.exe
    Parent Process Size: 316 KB (323,584 bytes)
    Rule: BlockSuspiciousUncommonPowerShellCommands
    Rule Name: Block suspicious and uncommon PowerShell commands
    Command Line: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ExecutionPolicy Bypass "(Get-ItemProperty 'C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\PresentationCore.dll').VersionInfo | format-list"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: bjm/HPbjm
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,443
    Location:
    Among the gum trees
    Another block today:

    Date/Time: 2025-01-03 06:41:30
    Date/Time UTC: 2025-01-02 19:41:30
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [8356]C:\Windows\System32\SIHClient.exe
    Process Size: 393.52 KB (402,960 bytes)
    Process MD5 Hash: B73B84BBAD7DA1264E6E3B1A9A5B3831
    Parent: [1692]C:\Windows\System32\RuntimeBroker.exe
    Parent Process Size: 100.42 KB (102,832 bytes)
    Rule: BlockProcessesFromRuntimeBroker
    Rule Name: Block any process executed from runtimebroker.exe
    Command Line: C:\WINDOWS\System32\sihclient.exe /cv N5f8opsJSEunZNaogUHxlg.0.1
    Signer: Microsoft Windows Publisher
    Parent Signer: Microsoft Windows
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: Medium
    Passive Logging: False
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    v2.0.3.0 @ Maximum Protection
    Exclude or Ignore?
    Date/Time: 2025-01-13 03:00:34
    Date/Time UTC: 2025-01-13 08:00:34
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [17796]C:\Windows\System32\directxdatabaseupdater.exe
    Process Size: 172 KB (176,128 bytes)
    Process MD5 Hash: 56BF8AE456A58843D4B53B869529BED1
    Parent: [18724]C:\Windows\System32\conhost.exe
    Parent Process Size: 0 bytes (0 bytes)
    Rule: BlockLOLBinsAndOtherSophisticatedAttacks
    Rule Name: Block LOLBins and other sophisticated attacks
    Command Line: C:\windows\system32\directxdatabaseupdater.exe -DatabaseComplete {4C71ED7A-8862-45E8-B0E3-36F84B0A5704}
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: Unknown
    Passive Logging: False
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,443
    Location:
    Among the gum trees
    Here's the latest block:

    Date/Time: 2025-01-22 10:00:33
    Date/Time UTC: 2025-01-21 23:00:33
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [14532]C:\ProgramData\Patch My PC\Firefox%20Setup%20134.0.2.exe
    Process Size: 65.62 MB (68,812,448 bytes)
    Process MD5 Hash: 56323F63647774D09FE92781084B1B17
    Parent: [13292]C:\Program Files\Patch My PC\Patch My PC Home Updater\PatchMyPC-HomeUpdater.exe
    Parent Process Size: 27.54 MB (28,882,744 bytes)
    Rule: BlockProcessesWithUncommonCharsOnFilePath
    Rule Name: Block processes with uncommon chars (e.g ;#!@%[]) on file path
    Command Line: "C:\ProgramData\Patch My PC\Firefox%20Setup%20134.0.2.exe" -ms
    Signer: Mozilla Corporation
    Parent Signer: Patch My PC, LLC
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False

    @novirusthanks , are you still with us??
     
    Last edited: Jan 22, 2025
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
    @Krusty

    I have PM'd him many times when testing, but the last time he communicated with me by PM was May 31, 2024.

    Something has happened it seems.
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,443
    Location:
    Among the gum trees
    Oh dear!
     
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    Thanks for sending the FPs everyone!

    Will release a new OSA version within some days, just finishing an update for another service.

    The upcoming version will fix all FPs posted here and sent via email.

    @Tarnak

    I always monitor this thread on Wilders, but don't login on the account so may take some time to reply via PM.

    For anything urgent or that needs a fast response, please send an email.

    @bjm_

    About the blocks of powershell, it seems a process (cmd.exe) is using powershell.exe to get the file version information of msedge.exe:

    Code:
    Command Line: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ExecutionPolicy Bypass "(Get-ItemProperty 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe').VersionInfo.FileDescription"
    
    And then of PresentationCore.dll:

    Code:
    Command Line: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ExecutionPolicy Bypass "(Get-ItemProperty 'C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.11\PresentationCore.dll').VersionInfo | format-list"
    
    Don't know why it is required to spawn cmd.exe -> powershell.exe for such a simple task that can be easily done programmatically via Windows APIs.

    My guess is that it should be a FP, and an application installed on your PC that already has Admin privileges requested this information via cmd.exe -> powershell.exe.

    I would personally ignore them and keep them blocked if there are no issues (there should not).

    About the other block of directxdatabaseupdater.exe, it is a FP and will be fixed on the upcoming new version.
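As an added example (not OSArmor's code, and not from any poster in this thread), serving both the first post's point about -ExecutionPolicy and the reading of bjm_'s PowerShell blocks above: a small Python triage helper that parses the key/value block format OSArmor writes, as posted throughout this thread, and flags the fields a defender checks first when deciding whether a block is a false positive or worth a closer look (unsigned non-system binary, execution-policy override or encoded command, script-host or browser parent, uncommon characters in the path, integrity level). The record text it runs on is constructed, modelled on blocks posted in this thread; the script-host and browser lists, the -ExecutionPolicy and -EncodedCommand abbreviations, and the treatment of <NULL> signer on system files are my own assumptions about what is worth flagging, not OSArmor's rule definitions.

```python
"""Triage helper for OSArmor "Process Blocked" records.

Added example (not OSArmor's code and not from any poster in the thread).
Parses the plain key/value block format OSArmor writes and flags the
fields a defender looks at first when judging a block.
"""
from __future__ import annotations

import re
from ntpath import basename  # splits Windows paths correctly even on a POSIX host

# Constructed sample records, modelled on blocks posted in this thread.
SAMPLE_LOG = r"""
Date/Time: 2025-01-01 10:46:34
Process: [11704]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: [6596]C:\Windows\System32\cmd.exe
Rule: BlockSuspiciousUncommonPowerShellCommands
Command Line: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ExecutionPolicy Bypass "(Get-ItemProperty 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe').VersionInfo.FileDescription"
Signer: <NULL>
Parent Signer: <NULL>
User/Domain:
System File: True
Integrity Level: High

Date/Time: 2024-12-27 10:04:26
Process: [7820]C:\Windows\System32\msiexec.exe
Parent: [14864]C:\Program Files\Patch My PC\Patch My PC Home Updater\PatchMyPC-HomeUpdater.exe
Rule: BlockExecutionMsiUnsigned
Command Line: "msiexec" /i "C:\ProgramData\Patch My PC\GadgetPackSetup.msi" /qn REBOOT=ReallySuppress
Signer: <NULL>
Parent Signer: Patch My PC, LLC
System File: True
Integrity Level: High

Date/Time: 2025-01-22 10:00:33
Process: [14532]C:\ProgramData\Patch My PC\Firefox%20Setup%20134.0.2.exe
Parent: [13292]C:\Program Files\Patch My PC\Patch My PC Home Updater\PatchMyPC-HomeUpdater.exe
Rule: BlockProcessesWithUncommonCharsOnFilePath
Command Line: "C:\ProgramData\Patch My PC\Firefox%20Setup%20134.0.2.exe" -ms
Signer: Mozilla Corporation
Parent Signer: Patch My PC, LLC
System File: False
Integrity Level: System
"""

KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z/ ]*?):\s?(.*)$")  # "Key: value" (value may be empty)
PID_PATH = re.compile(r"^\[(\d+)\](.*)$")                    # "[pid]C:\path\to.exe"
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}   # assumption: PowerShell parents worth noting
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}  # assumption: mirrors the browser-parent rule
ENCODED_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.I)        # common spellings of -EncodedCommand
UNCOMMON_CHARS = re.compile(r"[;#!@%\[\]]")                             # the set named in the rule description


def parse_records(text: str) -> list[dict[str, str]]:
    """One dict per blank-line-separated block; keys are OSArmor's field names."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if m := KEY_VALUE.match(line):
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def exe_name(field: str) -> str:
    r"""'[7820]C:\Windows\System32\msiexec.exe' -> 'msiexec.exe' (lower-cased)."""
    return basename(PID_PATH.sub(r"\2", field)).lower()


def triage(rec: dict[str, str]) -> list[str]:
    """Return the defender-relevant observations for one block record."""
    proc, parent = exe_name(rec.get("Process", "")), exe_name(rec.get("Parent", ""))
    tokens = rec.get("Command Line", "").split()
    findings = []
    # OSArmor prints <NULL> when it finds no embedded Authenticode signer. Windows
    # system files are catalog-signed and routinely show <NULL> (see the thread),
    # so only count it as a finding for non-system binaries.
    if rec.get("Signer") == "<NULL>" and rec.get("System File") != "True":
        findings.append("unsigned non-system binary")
    if proc in ("powershell.exe", "pwsh.exe"):
        for i, tok in enumerate(tokens):
            # -ExecutionPolicy (or an abbreviation) followed by Bypass/Unrestricted
            if tok.lower() in ("-executionpolicy", "-ep", "-exec") and i + 1 < len(tokens) \
                    and tokens[i + 1].lower() in ("bypass", "unrestricted"):
                findings.append(f"execution policy override: {tokens[i + 1]}")
            if ENCODED_FLAG.match(tok):
                findings.append("encoded command")
        if parent in SCRIPT_HOSTS:
            findings.append(f"powershell spawned by script host {parent}")
    if parent in BROWSERS:
        findings.append(f"child of web browser {parent}")
    if UNCOMMON_CHARS.search(PID_PATH.sub(r"\2", rec.get("Process", ""))):
        findings.append("uncommon characters in process path")
    # Integrity level is not suspicious by itself, but it sets the blast radius of
    # anything else found, so record it only when there is another finding.
    if findings and rec.get("Integrity Level") in ("High", "System"):
        findings.append(f"runs at {rec['Integrity Level']} integrity")
    return findings


def summarize(text: str) -> list[tuple[str, str, list[str]]]:
    """(process name, rule, findings) for every record in an OSArmor log dump."""
    return [(exe_name(r.get("Process", "")), r.get("Rule", ""), triage(r)) for r in parse_records(text)]


if __name__ == "__main__":
    for proc, rule, findings in summarize(SAMPLE_LOG):
        print(f"{proc:<32} {rule}")
        for f in findings:
            print(f"    - {f}")
```

Run as a script it prints one line per block plus its findings. Note that the msiexec record yields no finding at all: the subject of that rule is the .msi named on the command line, not the msiexec.exe process, so the rule name itself is the only lead and the decision rests on whether the parent (here a signed updater) is expected to install unsigned packages.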
     
  14. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,443
    Location:
    Among the gum trees
    The OSA service failed to start after restarting one of my machines. I've seen that happen on my desktop, but that is the first time I've seen it on my laptop.
     
  16. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,241
    Location:
    Mass., USA
    Same occurred here on desktop. Reboot required to initiate service / GUI.
     
  17. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
    Block
    Code:
    Date/Time: 2025-01-26 21:25:31
    Date/Time UTC: 2025-01-26 11:25:31
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [11996]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Process Size: 3.74 MB (3,923,496 bytes)
    Process MD5 Hash: 7F0FEC67361E0512BCA1D5C4F8BFF9A1
    Parent: [8848]C:\Program Files\Internet Explorer\iexplore.exe
    Parent Process Size: 816.99 KB (836,600 bytes)
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=8 -- "file:///D:/Users/KrisTwo/Downloads/scoped_dir11092_391533625/Hasleo_Backup_Suite_Free_250121%20(1).exe"
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Corporation
    User/Domain: KrisTwo/DESKTOP-XXXXXXXX
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: False
    
    
     
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    Does OSArmor report self-signed certificates as invalid?
    https://kurtzimmermann.com/
    Date/Time: 2025-01-29
    Date/Time UTC: 2025-01-29
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [7564]C:\Users\bjm\OneDrive\Desktop\HDCleanerX64\HDCleaner.exe
    Process Size: 3.68 MB (3,863,480 bytes)
    Process MD5 Hash: 47A86402B836BB052A4D563F3EA04689
    Parent: [9928]C:\Windows\explorer.exe
    Parent Process Size: 5.32 MB (5,575,576 bytes)
    Rule: BlockProcessesSignedWithInvalidCert
    Rule Name: Block processes signed with an invalid certificate
    Command Line: "C:\Users\bjm\OneDrive\Desktop\HDCleanerX64\HDCleaner.exe"
    Signer: <NULL>
    Parent Signer: Microsoft Windows
    User/Domain:
    System File: False
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: Medium
    Passive Logging: False
     
    Last edited: Jan 31, 2025
  19. Serphis

    Serphis Registered Member

    Joined:
    Nov 24, 2018
    Posts:
    53
    Location:
    Italy
    @novirusthanks

    Hello, any news about the new version? Is there an estimated release date?

    Thanks
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,443
    Location:
    Among the gum trees
    I got these while updating Malwarebytes:

    Date/Time: 2025-04-04 13:31:49
    Date/Time UTC: 2025-04-04 02:31:49
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [9432]C:\ProgramData\Malwarebytes\MBAMService\ctlrupdate\MBUpdateDlg.exe
    Process Size: 384.55 KB (393,784 bytes)
    Process MD5 Hash: 05C4054BB9249EF9ED229A0095428A4D
    Parent: [4824]C:\ProgramData\Malwarebytes\MBAMService\ctlrupdate\mbupdatr.exe
    Parent Process Size: 5.87 MB (6,151,184 bytes)
    Rule: BlockParticularProcessesPreventDLLSideload
    Rule Name: Block particular processes to prevent DLL sideload
    Command Line: "C:\ProgramData\Malwarebytes\MBAMService\ctlrupdate\MBUpdateDlg.exe"
    Signer: Malwarebytes Inc.
    Parent Signer: Malwarebytes Inc
    User/Domain: Dave/DAVE-PC
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: System
    Passive Logging: False


    Date/Time: 2025-04-04 13:31:07
    Date/Time UTC: 2025-04-04 02:31:07
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [5328]C:\ProgramData\Malwarebytes\MBAMService\ctlrupdate\mbupdatr.exe
    Process Size: 5.87 MB (6,151,184 bytes)
    Process MD5 Hash: 40134650E830CFED90D0FA543D6A4FE9
    Parent: [5828]C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
    Parent Process Size: 9.05 MB (9,484,384 bytes)
    Rule: BlockParticularProcessesPreventDLLSideload
    Rule Name: Block particular processes to prevent DLL sideload
    Command Line: "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe" "C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\config\UpdateControllerConfig.json" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbclsupdate\staging" /db:no /su:yes
    Signer: Malwarebytes Inc
    Parent Signer: Malwarebytes Inc.
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  21. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,507
    Location:
    Hollow Earth - Telos
    Date/Time: 2025-04-06 01:45:33
    Date/Time UTC: 2025-04-06 05:45:33
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [10700]C:\Windows\System32\AtBroker.exe
    Process Size: 148 KB (151,552 bytes)
    Process MD5 Hash: 70831CD9A12D2C0D096B92FE2BD534D5
    Parent: [27512]C:\Windows\explorer.exe
    Parent Process Size: 2.65 MB (2,774,080 bytes)
    Rule: BlockLOLBinsAndOtherSophisticatedAttacks
    Rule Name: Block LOLBins and other sophisticated attacks
    Command Line: C:\Windows\System32\ATBroker.exe /start livecaptions
    Signer: <NULL>
    Parent Signer: Microsoft Windows
    User/Domain:
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: False
     
  22. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,507
    Location:
    Hollow Earth - Telos
    Date/Time: 2025-04-07 16:29:15
    Date/Time UTC: 2025-04-07 20:29:15
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [17504]C:\Windows\System32\reg.exe
    Process Size: 108 KB (110,592 bytes)
    Process MD5 Hash: 47FC2471604EB7D760938BF31456B12D
    Parent: [17460]C:\Windows\System32\cmd.exe
    Parent Process Size: 332 KB (339,968 bytes)
    Rule: BlockRegExecution
    Rule Name: Block execution of reg.exe
    Command Line: reg query HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /v "Update Revision"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  23. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,507
    Location:
    Hollow Earth - Telos
    Date/Time: 2025-04-16 11:18:02
    Date/Time UTC: 2025-04-16 15:18:02
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [1708]C:\Program Files\CCleaner\CCleaner64.exe
    Process Size: 43.75 MB (45,875,504 bytes)
    Process MD5 Hash: F116A86B8E6235CC551F30E1559D8D1D
    Parent: [3492]C:\Program Files\Google\Chrome\Application\chrome.exe
    Parent Process Size: 3.37 MB (3,533,920 bytes)
    Rule: BlockAnyProcessExecutedFromWebBrowsers
    Rule Name: Block any process executed from web browsers
    Command Line: dummy /ccupdate
    Signer: Gen Digital Inc.
    Parent Signer: Google LLC
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: Untrusted
    Passive Logging: False
     
  24. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,507
    Location:
    Hollow Earth - Telos
    Date/Time: 2025-04-16 11:32:26
    Date/Time UTC: 2025-04-16 15:32:26
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [1324]C:\Windows\SysWOW64\cmd.exe
    Process Size: 247.5 KB (253,440 bytes)
    Process MD5 Hash: 65EF08A8AA419946BD4665142DC0742E
    Parent: [7772]C:\Program Files\Dell\DELLOSD\DELLOSD.exe
    Parent Process Size: 1.46 MB (1,531,992 bytes)
    Rule: BlockCmdExeExecution
    Rule Name: Block execution of cmd.exe
    Command Line: "C:\Windows\System32\cmd.exe" /c powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_VIDEO VIDEOIDLE 7200
    Signer: <NULL>
    Parent Signer: Wistron Corporation
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  25. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,507
    Location:
    Hollow Earth - Telos
    Date/Time: 2025-04-16 11:34:29
    Date/Time UTC: 2025-04-16 15:34:29
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [16336]C:\Windows\System32\reg.exe
    Process Size: 108 KB (110,592 bytes)
    Process MD5 Hash: 47FC2471604EB7D760938BF31456B12D
    Parent: [16688]C:\Windows\System32\cmd.exe
    Parent Process Size: 332 KB (339,968 bytes)
    Rule: BlockRegExecution
    Rule Name: Block execution of reg.exe
    Command Line: reg query HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /v "Update Revision"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     