NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,373
    Location:
    Italy
    OSArmor vs Eicar Test-Virus

    http://sendvid.com/0my3ponu

    :):thumb:
     
    Last edited by a moderator: Dec 25, 2017
  2. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    "
    Date/Time: 25/12/2017 10:57:00
    Process: [1824]C:\apcupsd\bin\apcupsd.exe
    Parent: [892]C:\Windows\System32\services.exe
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: "c:\apcupsd\bin\apcupsd.exe" /service
    Signer:
    Parent Signer:"

    In v1.3 this occurs, but under v1.4 it works fine, so another FP done :)
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Belarc Advisor gets stuck at "Updating the profile of the computer". The desktop becomes unresponsive. OSA is silent. Belarc Analysis, afaik, calls PowerShell. Since then, I regain desktop control with a forced shutdown when Belarc Advisor gets stuck. I'll leave further observation to you. 1.4 rules default. Thanks
     
    Last edited: Dec 25, 2017
  4. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,954
    Suggestion: It would be good to see another icon in the task bar when protection is disabled.
     
  5. plat1098

    plat1098 Guest

    :) Thanks! Very good to know.

    Will add my request to the others to be able to scroll through the Configurator.
     
  6. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,954
    + 1
     
  7. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    344
    I can't start CentBrowser
    C:\Users\USERNAME\AppData\Local\CentBrowser\Application\chrome.exe

    How do I exclude it?

    This is not working:

    [%PROCESS%: C:\Users\USERNAME\AppData\Local\CentBrowser\Application\chrome.exe] [%PARENTPROCESS%: C:\Users\USERNAME\AppData\Local\CentBrowser\Application\chrome.exe] [%PROCESSCMDLINE%: /param1 /param2]
     
  8. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,954
    @liba What rule blocked CentBrowser? Could you possibly post the content of your log folder?
     
  9. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    344


    Process: [3048]C:\Users\test\AppData\Local\CentBrowser\Application\chrome.exe
    Parent: [1668]C:\Windows\explorer.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\test\AppData\Local\CentBrowser\Application\chrome.exe"
    Signer:
    Parent Signer:
     
  10. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,954
    This means that unsigned executables from the AppData\Local folder are blocked. Could you disable this rule in OSArmor and try again to start CentBrowser?
     
  11. guest

    guest Guest

    Use both rules:
    Code:
    [%PROCESS%: C:\Users\*\AppData\Local\CentBrowser\Application\chrome.exe] [%PARENTPROCESS%: C:\Users\*\AppData\Local\CentBrowser\Application\chrome.exe]
    [%PROCESS%: C:\Users\*\AppData\Local\CentBrowser\Application\chrome.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe]
    
    If you still get blocked processes, use these:
    [%PROCESS%: C:\Users\*\AppData\Local\CentBrowser\Application\*.exe] [%PARENTPROCESS%: C:\Users\*\AppData\Local\CentBrowser\Application\*.exe]
    [%PROCESS%: C:\Users\*\AppData\Local\CentBrowser\Application\chrome.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe]
    
    Only disable the rule "Block execution of unsigned processes on Local AppData" as a last resort. Try exclusions first.
     
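Added example (not code from OSArmor, the thread, or NoVirusThanks): a small Python script that parses block-log entries in the format quoted above and reports which of the suggested exclusions would have covered each one. The placeholder names `%PROCESS%`, `%PARENTPROCESS%` and `%PROCESSCMDLINE%` are the ones used in the thread; treating their values as case-insensitive `*` globs, and an omitted placeholder as "match anything", is my assumption about how OSArmor evaluates rules, so use this only to sanity-check an exclusion before pasting it into the Configurator. The log entries and rule strings below are the ones from the thread, embedded as constructed sample data.

```python
"""Check OSArmor-style block-log entries against candidate exclusion rules."""
import fnmatch
import re

# Constructed sample: the two block-log entries quoted in this thread.
SAMPLE_LOG = r"""
Date/Time: 25/12/2017 10:57:00
Process: [1824]C:\apcupsd\bin\apcupsd.exe
Parent: [892]C:\Windows\System32\services.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "c:\apcupsd\bin\apcupsd.exe" /service
Signer:
Parent Signer:

Process: [3048]C:\Users\test\AppData\Local\CentBrowser\Application\chrome.exe
Parent: [1668]C:\Windows\explorer.exe
Rule: BlockUnsignedProcessesAppDataLocal
Rule Name: Block execution of unsigned processes on Local AppData
Command Line: "C:\Users\test\AppData\Local\CentBrowser\Application\chrome.exe"
Signer:
Parent Signer:
"""

# Constructed sample: the exclusions suggested for CentBrowser in the thread.
# The third one is the broad "*.exe" fallback.
SAMPLE_EXCLUSIONS = [
    r"[%PROCESS%: C:\Users\*\AppData\Local\CentBrowser\Application\chrome.exe] [%PARENTPROCESS%: C:\Users\*\AppData\Local\CentBrowser\Application\chrome.exe]",
    r"[%PROCESS%: C:\Users\*\AppData\Local\CentBrowser\Application\chrome.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe]",
    r"[%PROCESS%: C:\Users\*\AppData\Local\CentBrowser\Application\*.exe] [%PARENTPROCESS%: C:\Users\*\AppData\Local\CentBrowser\Application\*.exe]",
]

# Placeholder -> log field it is compared against. Glob/case-insensitive
# semantics and "absent placeholder matches anything" are assumptions here,
# not documented OSArmor behaviour.
FIELD_FOR_PLACEHOLDER = {
    "PROCESS": "Process",
    "PARENTPROCESS": "Parent",
    "PROCESSCMDLINE": "Command Line",
}

_PID_PREFIX = re.compile(r"^\[\d+\]")
_PLACEHOLDER = re.compile(r"\[%(\w+)%:\s*(.*?)\]")

# Locations a standard user can write to; an exclusion that globs the file
# name under one of these lets anything dropped there run past the rule.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_log(text):
    """Split the log into entries (blank-line separated) and return a list of
    dicts keyed by field name. The '[pid]' prefix on Process/Parent is
    stripped so the paths compare cleanly against rule globs."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if not sep:
                continue
            value = value.strip()
            if key in ("Process", "Parent"):
                value = _PID_PREFIX.sub("", value)
            entry[key] = value
        entries.append(entry)
    return entries


def parse_exclusion(rule):
    """Return {log_field: glob} for one exclusion string; unknown placeholders are ignored."""
    return {FIELD_FOR_PLACEHOLDER[name]: pattern
            for name, pattern in _PLACEHOLDER.findall(rule)
            if name in FIELD_FOR_PLACEHOLDER}


def matches(entry, exclusion):
    """True when every placeholder present in the exclusion globs the entry's field.
    Both sides are lower-cased so the match is case-insensitive on any OS."""
    return all(fnmatch.fnmatch(entry.get(field, "").lower(), pattern.lower())
               for field, pattern in exclusion.items())


def first_excluding_rule(entry, exclusions):
    """Index of the first exclusion that would have let this entry through, or None."""
    for i, rule in enumerate(exclusions):
        if matches(entry, parse_exclusion(rule)):
            return i
    return None


def is_broad(exclusion):
    """Heuristic: flag a %PROCESS% glob with a wildcard in the file-name
    component under a user-writable folder, since such an exclusion covers
    any executable placed there, not just the one being whitelisted."""
    pattern = exclusion.get("Process", "").lower()
    folder, _, filename = pattern.rpartition("\\")
    return "*" in filename and folder.startswith(USER_WRITABLE_PREFIXES)


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        hit = first_excluding_rule(entry, SAMPLE_EXCLUSIONS)
        verdict = "excluded by rule %d" % hit if hit is not None else "still blocked"
        print(entry["Process"], "->", verdict)
    for rule in SAMPLE_EXCLUSIONS:
        if is_broad(parse_exclusion(rule)):
            print("broad exclusion, review before use:", rule)
```

Run against the sample, the apcupsd entry stays blocked (none of the CentBrowser exclusions touch it), the chrome.exe entry is covered by the second rule (parent explorer.exe), and the `*.exe` fallback is flagged as broad: a glob on the file name inside a user-profile folder exempts every executable that lands there, which is the reason to try the narrow chrome.exe rules first and keep the `*.exe` variant as a last resort.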
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    In a few days we will upload the new v1.4 pre-release build.

    @guest

    Yes, it uses the rules creation schema from SOB.

    We have developed a private service-only app for companies based on SOB technology.

    We have no plan yet to update SOB GUI, but who knows :)

    @bjm_

    Have downloaded the Belarc software and will see what happens.

    @Buddel

    Sure we'll add it, we'll change the tray icon to grey color when protection is disabled.

    @plat1098

    We'll try to do something about that too.

    @liba

    The first two exclusion rules suggested by @mood should work just fine.
     
  13. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,954
    Brilliant! Thank you!
     
  14. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,509
    My issues with this and Heimdal Pro seem to have disappeared. Thank you for all the updates/fixes. Cheers!
     
  15. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,501
    Location:
    .
  16. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,954
    Interesting article, @ArchiveX. However, the author does not seem to be good at counting:
    It comes preloaded with more than 30 security policies that help in distinguishing between the normal and bad behavior of a process.
    It's not just 30 policies; it's twice that number.:)
     
  17. guest

    guest Guest

    Yes, I was aware of that ;)

    Rules aren't very complicated to implement in the actual SOB; you made clear and precise documentation. It is just extremely laborious when you have hundreds of them to make :p
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,253
    Location:
    Among the gum trees
    Hi @novirusthanks ,

    Checking the release notes for all releases, it looks like we are still waiting for Secure Boot compatibility?

    Thanks.
     
  19. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,019
    Dec 18, 2017
    Yes, as[low]ap....
     
  20. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,954
    On a side note, does it make sense to run ERP 4 and OSArmor together? Would be an interesting combo, but there may be considerable "overlap". Maybe @novirusthanks can shed some light on this.:)
     
  21. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    I asked whether VoodooShield + OSArmor would be redundant. Based on the replies, it apparently wouldn't. If that's the case, then OSArmor + EXE Radar Pro should be fine too.
     
  22. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,954
    VS and OSA are somewhat different, so I don't see an "overlap" here. However, ERP and OSA use the same "skeleton", so they are very similar. It is my understanding that OSA is some kind of pre-configured ERP, which is perfectly suitable for less computer-savvy users, whereas ERP is much more complex and therefore only suitable for more advanced users. Due to their similarity, there might be considerable "overlap".
     
  23. guest

    guest Guest

    OSA blocks by default via set rules unless you create an exclusion.
    ERP asks by default.

    In theory, OSA should block certain actions while ERP will ask about those not blocked by OSA.
     
  24. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,954
    So it's basically the same app? OSA blocks a certain action by default, whereas ERP asks the user whether this action should be blocked or not? So, if you don't want to be asked, ERP is redundant? Or, if you want to be asked, OSA is redundant? Hm... maybe you're right. I really don't know. The question is whether or not it makes sense to use both apps on the same machine.
     
    Last edited: Dec 27, 2017
  25. guest

    guest Guest

    The true power of ERP is not what it asks/blocks/allows by default; it always was its granularity via its extraordinary rules editor.
    I always considered ERP the king of anti-exe because you could create very complex rules (for any apps/processes) very easily, then lock the system so that only allowed rules are authorized.
     