NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Nitty Kutchie

    Nitty Kutchie Registered Member

    Joined:
    Apr 10, 2015
    Posts:
    132
    Just asking why are we in February looking at a test made in December.( This report is generated from a file or URL submitted to this webservice on December 15th 2018 20:05:20 ).
    Just asking is that valid?
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,741
    Location:
    U.S.A.
    For those concerned and using OSArmor, just submit your version of OSArmorDevSvc.exe to Hybrid-Analysis for a scan. I assume it already has been scanned once and a report is available.
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,318
    Location:
    .
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,741
    Location:
    U.S.A.
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,741
    Location:
    U.S.A.
  6. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    7,363
    With statements like that, I don't think anyone here can take anything you say seriously. Do you have a list of these "spyware executables?" :argh:
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,378
    Location:
    U.S.A. (South)
    Understand that statement wasn't directed this way however...

    No one including yourself can deny that they have raised the highest of suspicions surpassing their own bar of aggression by forcing things onto users (or else stance they took).

    It would indeed serve all of us very well to substantiate those hidden intrusions even beyond their common telemetry which for many crossed a line that set off a massive alarm with their once dedicated users.
     
  8. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    7,363
    In my opinion, it has a lot more to do with wanting people to be using the latest OS than spying on people. That's why I've been using 10 since it was released, on multiple computers.
     
  9. guest

    guest Guest

    @Wolfram I don't care much what is going out my system because nothing suspicious is going in.
    I don't waste my time getting paranoid because an app is connecting out especially one I installed myself...

    Not saying I don't use my Win FW like average joe, I set it to block all outgoing connections unless I create the rule personally or if I use binisoft WFC, it prompted me for it; and I didn't make one for OSA. So basically I don't mind much of this issue of yours.

    And if I was you, I would try to replicate the issue as I told you with another setup on a VM.
    (I didn't force you to do it on real machine)...

    Until then, I wont take your previous observations seriously.
    And I won't waste anymore my time on paranoia issues.

    Don't trust, don't like, don't use.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,741
    Location:
    U.S.A.
    As far as the Win 10 firewall goes, it will auto create rules for all Win Store apps. If one doesn't like that, uninstall the apps via System Settings -> Apps and Features. You can also control App and Windows connections via Privacy options and disable Apps to run in the background essentially blocking their startup. Or simple use software like O&O ShutUp 10 to control what Win 10 can do.
     
  11. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    70
    Location:
    Here
    @Wolfram
    I've just tested this on an old XP VM. I can confirm that OSArmor running on xp does indeed attempt to connect out as the developer acknowledged. I've attached a screenshot showing some of the DNS queries made by OSA before connecting out to the addresses. The hosts were all legitimate certificate authorities which included Verisign, DigiCert, GlobalSign etc.
    I also tested on win7x64 and can confirm no such outbound connections occured in the time that I tested.

    I assume the difference is simply a change in how the API/s in use function between WinXP and Win7. I see Win7 cryptographic services include extra functionality that XP misses like 'Automatic Root Certificate Update Service'; so perhaps it's svchost that connects out on Win7 onwards and a call to the API by user applications queries a local database instead of the certificate authorities directly.

    It's worth noting that as the developer pointed out, these connections are initiated via an API call and therefore it's Microsoft code connecting out. It appears to be OSArmor itself making the connection because OSArmor loads a system DLL into it's process space and calls functions from it, as all applications do.
     

    Attached Files:

  12. guest

    guest Guest

    That seems more plausible, thanks for testing.
    As I always say, people shouldn't draw quick conclusions without proper knowledge/understanding on how things works.
     
  13. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,548
    Location:
    New Mexico, USA
    Okay, my dumb question of the month. I just upgraded to Win 10 (Pro). It's a clean machine right now. Nothing but my word processor and related software on board. I want to stay lean as far as security goes. Would OSarmor and NVT Syshardener be enough along with Win 10's own security? Should I add something else, like Comodo Cloud AV? All that assumes of course the software between my ears is working too.
     
  14. guest

    guest Guest

    Nothing else to add, just take time to learn about the various LOLbins blocks repercussions of the Advanced Settings and consider to create Custom Blocks (which is an important feature).
    If you plan to use Windows Firewall, unless you like to block all outgoing connections and create your own rules, consider the use of some front-end GUI like Binisoft WFC.
     
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,693
    Location:
    Hawaii
    Well said, itman!!!
     
    Last edited: Feb 14, 2019
  16. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    145
    Location:
    Wigan
    @guest

    "Besides, this OS is still supported: for Windows Embedded POSReady 2009, Extended support will end on April 9, 2019. Microsoft ditto."

    In August 2018, Microsoft ignored its specification that Windows XP was intended to run on pre-SSE2 processors with the result that older PCs reported illegal instructions on restarting after patching. Uninstalling the offending patches and reinstating the previous software restored order. It bodes ill for the future of Windows that Microsoft's use of its own standards is so sloppy. Curiously, the team responsible for Internet Explorer continued to maintain pre-SSE2 compatibility for IE8.
     
  17. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    145
    Location:
    Wigan
    OSArmor continues to cause system hangs. It seems to help if the final section (Microsoft Processes, Java, etc.) of anti-exploits is unchecked and the advanced settings are at default. Also only selecting anti-exploits for those applications actually in use also seems to help. I regret the need to mention this but that is what happens.
     
  18. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    Sometimes when I'm using a weaker laptop for one reason or another, or I don't feel like dealing with that, I just go on without any security software as that not only speeds up the system, even when talking about light software, but also saves really A LOT of time (it adds up) when dealing with all that software. Just keep your OS and programs updated and you're done, I've said this many times, malware is not going to suddenly appear on your PC. Even on my main one, I have not blocked a single malware with memprotect, pumpernickel or NVT ERP. They were all there for peace of mind and following processes and what they do. But I would have been (and am) completely fine without them. Ofc make sure you know what you're doing :D My gigantic bat with custom tweaks also helps a ton
     
  19. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    231
    Location:
    Island of Woman
    os armor makes some connections (I've seen it making a connect in older versions) and apparently uses werfault.exe according to spy shelter, but I trust NVT and I spotted this some time ago and not seeing it anymore. Notice it also goes to its site since its opted by default
    @andrea
    windows 1809 latest update as of today
    a problem: now with latest update when in rules adjustment mode I am getting this error:

    os armor version 1.4.2.
    access violation at address 0000000000000595F96 in module OSarmordevcfg.exe read of address 00000000000000706FF360

    same exact issue with sys hardener at main GUI
    sys hardener version 1.5
    access violation at address 0000000000000005AD7A6 in module syshardener.exe. read of address 00000000007CD5F5C0

    probably some admin priviledge issue or windows exploit protection?

    as posted above also there are system freezes if the system is configured in a particular way but there are usually gone in a particular setup, in my case I got freezes when I tweaked change behavior of Uac prompt for administrators in sys hardener (thicked square, better don't change anything), ran HD cleaner with all cleaning settings (maybe because it clears log files and perhaps some rules) on and rebooted or enabled secure desktop with tight security settings: better to have it off or don't touch UAC from defualt. Anyway I think the problems is with UAC settings and OS armor. Also I don't like how OS armor interacts with ERP, first wait for one then another then wait for Uac etc: it means I have to accept a program I don't want to run just to be able to get to the next prompt: not so secure. All this jumping between ERP, OS armor and UAC takes alot of time (prompts look like stuck) and I have fast hardware, I think OS armor ERP should be one program (NVT could add that registry blocker and system process blocker - anti rootkit - added on top, one big behaviour blocker) and better integrated with UAC
    best
    Lucid
     
    Last edited: Feb 14, 2019
  20. guest

    guest Guest

    @lucd OSA isn't supposed to be used with ERP (it was clearly said by the dev right from the start) , OSA is meant to be a beginner hassle free program, while ERP is for "advanced" users who want more control. So obviously there won't be a fusion between the two (unless the devs change their mind), ERP already does what OSA does and with much more control over processes.
     
  21. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    231
    Location:
    Island of Woman
    thanks for your informative reply @guest
    there are some default block options in ERP, like block processes executed from usb, I'd personally like to see more ,,automatic noob-friendly rules" in that section (maybe from os armor too), and in doing so ERP would resemble more a os armor/ERP hybrid so I could ditch os armor and cut in half wait time
     
    Last edited: Feb 15, 2019
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,741
    Location:
    U.S.A.
    Actually, the purpose of Automatic Root Certificate Update Service is:
    https://social.technet.microsoft.co...ic-root-certificates-update?forum=winserverDS

    Since XP is not longer a supported OS, it is not receiving Win Updates. Therefore the Windows Root CA store is never updated. So any responsible security software current supporting XP; there aren't many that do so, will have to verify software code signing certs. via manual lookup to the issuing root CA server.

    Again, this whole discussion of OSArmor "dialing out" has progressed from the ridiculous to the sublime.
     
    Last edited: Feb 14, 2019
  23. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    I love OSA. Can't wait to test v 1.5 which will be even better.
     
  24. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,318
    Location:
    .
    Hmm, me run ERP 3.1 with OSA.
     
  25. guest

    guest Guest

    Yes, I did too. "Not supposed" doesn't mean you are forbidden to do so.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.