NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    948
    I installed it on top of v1.4.3 Beta build 2 - no problems so far.

    PS: Thanks for the update, Andreas. :)
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,440
    Location:
    Canada
    Updated release working great as usual. Thanks again, Andreas!
     
  3. hayc59

    hayc59 Updates Team

    Joined:
    Oct 29, 2008
    Posts:
    2,597
    Location:
    Deep Into The Blues Baby..
    Hello, on my laptop I have Windows 7 and the only defense program I use is Emsisoft Anti-Malware.
    Will this enhance everything, and are there any conflicts? Thank you.
     
  4. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    420
    Location:
    Germany
    No conflicts.
     
  5. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    115
    Location:
    Brooklyn, NY
    v1.4.3 b2 since past Sunday afternoon, running like a charm. Installed after deletion of the previous build and imported saved rules with lightning speed. Thanks for the latest build. :)
     
  6. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,447
    Location:
    Hawaii
    Installed on top. NP!
     
  7. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    128
    Location:
    Wigan
    I too am pleased with OSArmor 1.4.3. I do have a few qualifications to that comment. They concern my now successful attempts to overcome my previously commented tendency for OSArmor to cause Windows 7 to hang when OSArmor is used on slow hardware. I only tick Anti-Exploit options for software which is actually installed, but have found that all the items in the section headed 'Microsoft processes, Java, etc.' can be ticked. I am still not completely sure about which Advanced options can be ticked. However, using the default options PLUS ticking the UAC-related options and the option to 'Block suspicious process elevation attempts' seems to be trouble-free.

    With regard to Windows XP, my experience has been that the above comments hold true, but no Advanced UAC-related options should be ticked as they create a tendency to make Windows XP hang. I guess that this mechanism does not exist in Windows XP. However, the option to 'Block suspicious process elevation attempts' seems to be trouble-free with Windows XP.

    I hope that these remarks might provide helpful evidence about what goes on inside OSArmor.
     
    Last edited: Mar 27, 2019
  8. Yim

    Yim Registered Member

    Joined:
    Mar 28, 2019
    Posts:
    1
    Location:
    Texas
    When you use Microsoft RDP to log into a computer and install OSArmor 1.4.3, OSArmor will block itself from opening the "Configurator" or "Exclusions" tab. After you have logged into the computer locally and opened those options, they will open when the computer is accessed by RDP. I would like to install your software on about 40 computers by remote desktop, and it is inconvenient to go in person to each customer location to configure it.

    Date/Time: 3/27/2019 8:41:11 PM
    Process: [4992]C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorExcHlp.exe
    Process MD5 Hash: 59689B14A803CD6459F1D84C1ADDD135
    Parent: [2848]C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevUI.exe
    Rule: EnableOSArmorSelfDefense
    Rule Name: Enable OSArmor self defense (basic)
    Command Line: "C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorExcHlp.exe" {{{%PROCESS_START%}}}C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevCfg.exe{{{%PROCESS_END%}}}{{{%PARENT_START%}}}C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevUI.exe{{{%PARENT_END%}}}{{{%CMDLINE_START%}}}"C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevCfg.exe"{{{%CMDLINE_END%}}}{{{%SIGNER_START%}}}NoVirusThanks Company Srl{{{%SIGNER_END%}}}{{{%PARENTSIGNER_START%}}}NoVirusThanks Company Srl{{{%PARENTSIGNER_END%}}}
    Signer: NoVirusThanks Company Srl
    Parent Signer: NoVirusThanks Company Srl
    User/Domain:..........
    System File: False
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: Medium


    Date/Time: 3/27/2019 8:41:05 PM
    Process: [3456]C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevCfg.exe
    Process MD5 Hash: FFC25B45A5251AE5CF05B3B1DC14DDE1
    Parent: [2848]C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevUI.exe
    Rule: EnableOSArmorSelfDefense
    Rule Name: Enable OSArmor self defense (basic)
    Command Line: "C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevCfg.exe"
    Signer: NoVirusThanks Company Srl
    Parent Signer: NoVirusThanks Company Srl
    User/Domain: ...........
    System File: False
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: Medium
     
  9. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    154
    Location:
    Poland
    Problem with "Block processes executed from suspicious folders":
    with Jupyter Notebook, exclusions won't work; I have to edit the regex (the rule is on the 4th or 5th row in the main menu, but I think this important process should be carefully excluded).
    @andrea please add an exclusion for Jupyter Notebook and Python modules; people can't work with their computers, and this is a very important and famous process. Anaconda installs in C:\user\, so no wonder it's blocked. Python is the best language (lol) and more people will use it in future.



    @loungehake
    I confirm, on any Windows with UAC there is a hang.
    Try to mess with UAC; I have 2 slow PCs that I kept for sentiment and OSArmor is fast as a rocket, but if the UAC is too restrictive it will hang. I suspect secure desktop + something else. Reset UAC to default and don't mess with it after; some rules need editing with regex, otherwise they never work properly.

    best
     
    Last edited: Apr 5, 2019
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,478
    Location:
    Under a bushel ...
    Note: The dev is @novirusthanks, not 'andrea' ...
     
  11. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,694
    Location:
    Europe then Asia
    Andreas is his nickname...but not his forum handle.
     
  12. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    128
    Location:
    Wigan
    The attached screenshot shows my OSArmor Advanced Settings for UAC on Windows 7/10 computers. The hanging issue seems to have greatly improved as OSArmor has progressed from version 1.4 through version 1.4.3. I no longer anticipate the issue happening, even with the Windows 7 (64-bit) system running on the prehistoric AMD Sempron 3000+ single-core 64-bit processor.
     
  13. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    154
    Location:
    Poland
    The previous info on the memory error was related to adopting some policy measures that then caused an error; it wasn't the fault of OSArmor or other NoVirusThanks products, but bad user interaction.

    That said, I was curious if NoVirusThanks would help against malware penetrating VMs (hyperjacking), i.e. transferable memory from host to guest, if any process is at the centre of the set of policies adopted by NoVirusThanks.
     
    Last edited: Apr 21, 2019
  14. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,694
    Location:
    Europe then Asia
    NVT products like most anti-exe don't have memory protection.
     
  15. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    103
    Location:
    Bulgaria
    Hi,

    A user in our forum has problems when trying to run SoftEther VPN. Until this is fixed, what should the exclusion look like to get it to work?

    Here are the logs:

    https://justpaste.it/4udb7

    Probably for this one:

    It should be something like this?

    [%PROCESS%: C:\Windows\SysWOW64\cscript.exe] [%PROCESSCMDLINE%: C:\Windows\system32\cscript.exe "C:\Users\gangosan\AppData\Local\Temp\*\*.vbs"] [%PARENTPROCESS%: C:\Users\gangosan\AppData\Local\Temp\*\*.exe]

    Thanks!
     
  16. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    420
    Location:
    Germany
    Please implement a very useful function: indication of the initial state.
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    14,096
    It can be a little bit stricter, else you are allowing "too much":
    Code:
    Parent Signer is mentioned in each alert so we add it here too:
    [%PROCESS%: C:\Windows\SysWOW64\cscript.exe] [%PROCESSCMDLINE%: C:\Windows\system32\cscript.exe "C:\Users\gangosan\AppData\Local\Temp\*\*.vbs"] [%PARENTPROCESS%: C:\Users\gangosan\AppData\Local\Temp\*\*.exe] [%PARENTSIGNER%: SoftEther Corporation]
    
    The path in the command-line of the alert is always "VPN_" + "4 random characters" / "winfire" + "12 random characters". We change the exclusion accordingly:
    [%PROCESS%: C:\Windows\SysWOW64\cscript.exe] [%PROCESSCMDLINE%: C:\Windows\system32\cscript.exe "C:\Users\gangosan\AppData\Local\Temp\VPN_????\winfire_????????????.vbs"] [%PARENTPROCESS%: C:\Users\gangosan\AppData\Local\Temp\*\*.exe] [%PARENTSIGNER%: SoftEther Corporation]
    
    Now the path of the Parent Process. "VPN" + "4 random characters" + "vpnsetup.exe":
    [%PROCESS%: C:\Windows\SysWOW64\cscript.exe] [%PROCESSCMDLINE%: C:\Windows\system32\cscript.exe "C:\Users\gangosan\AppData\Local\Temp\VPN_????\winfire_????????????.vbs"] [%PARENTPROCESS%: C:\Users\gangosan\AppData\Local\Temp\VPN_????\vpnsetup.exe] [%PARENTSIGNER%: SoftEther Corporation]
    
    If other users are launching the software too, we exchange the name of the user with a wildcard:
    [%PROCESS%: C:\Windows\SysWOW64\cscript.exe] [%PROCESSCMDLINE%: C:\Windows\system32\cscript.exe "C:\Users\*\AppData\Local\Temp\VPN_????\winfire_????????????.vbs"] [%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\VPN_????\vpnsetup.exe] [%PARENTSIGNER%: SoftEther Corporation]
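    To see what the successive tightenings above actually change, here is a small matcher written for this thread. It is an added example, not OSArmor code and not from NoVirusThanks; it assumes the wildcard semantics of the exclusion syntax (`*` matches any run of characters including backslashes, `?` matches exactly one character, everything else is literal and case-insensitive), and every alert record in it is constructed to look like the fields OSArmor logs, with made-up users and random-looking folder names. It runs the loose first draft, the user-specific version and the final wildcard-user version against a genuine-looking SoftEther alert, the same alert for a second user, and an unsigned installer that also drops a .vbs into a Temp subfolder, and shows which rule would silence which alert.

```python
import re

# The three exclusion strings from the posts above: the loose first draft,
# the user-specific refinement, and the final version with a wildcard user.
LOOSE_RULE = (
    r'[%PROCESS%: C:\Windows\SysWOW64\cscript.exe] '
    r'[%PROCESSCMDLINE%: C:\Windows\system32\cscript.exe "C:\Users\gangosan\AppData\Local\Temp\*\*.vbs"] '
    r'[%PARENTPROCESS%: C:\Users\gangosan\AppData\Local\Temp\*\*.exe]'
)
USER_RULE = (
    r'[%PROCESS%: C:\Windows\SysWOW64\cscript.exe] '
    r'[%PROCESSCMDLINE%: C:\Windows\system32\cscript.exe "C:\Users\gangosan\AppData\Local\Temp\VPN_????\winfire_????????????.vbs"] '
    r'[%PARENTPROCESS%: C:\Users\gangosan\AppData\Local\Temp\VPN_????\vpnsetup.exe] '
    r'[%PARENTSIGNER%: SoftEther Corporation]'
)
TIGHT_RULE = (
    r'[%PROCESS%: C:\Windows\SysWOW64\cscript.exe] '
    r'[%PROCESSCMDLINE%: C:\Windows\system32\cscript.exe "C:\Users\*\AppData\Local\Temp\VPN_????\winfire_????????????.vbs"] '
    r'[%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\VPN_????\vpnsetup.exe] '
    r'[%PARENTSIGNER%: SoftEther Corporation]'
)

# Constructed alert records (field names follow the rule syntax; the folder
# names, users and signer values are invented for this example).
SOFTETHER_ALERT = {
    "PROCESS": r"C:\Windows\SysWOW64\cscript.exe",
    "PROCESSCMDLINE": r'C:\Windows\system32\cscript.exe "C:\Users\gangosan\AppData\Local\Temp\VPN_7f3a\winfire_a1b2c3d4e5f6.vbs"',
    "PARENTPROCESS": r"C:\Users\gangosan\AppData\Local\Temp\VPN_7f3a\vpnsetup.exe",
    "PARENTSIGNER": "SoftEther Corporation",
}
OTHER_USER_ALERT = {
    "PROCESS": r"C:\Windows\SysWOW64\cscript.exe",
    "PROCESSCMDLINE": r'C:\Windows\system32\cscript.exe "C:\Users\jdoe\AppData\Local\Temp\VPN_0c9e\winfire_0123456789ab.vbs"',
    "PARENTPROCESS": r"C:\Users\jdoe\AppData\Local\Temp\VPN_0c9e\vpnsetup.exe",
    "PARENTSIGNER": "SoftEther Corporation",
}
UNSIGNED_TEMP_ALERT = {
    "PROCESS": r"C:\Windows\SysWOW64\cscript.exe",
    "PROCESSCMDLINE": r'C:\Windows\system32\cscript.exe "C:\Users\gangosan\AppData\Local\Temp\tmp4f2\update.vbs"',
    "PARENTPROCESS": r"C:\Users\gangosan\AppData\Local\Temp\tmp4f2\setup.exe",
    "PARENTSIGNER": "",  # unsigned parent: no signer recorded
}

RULES = {"loose": LOOSE_RULE, "user": USER_RULE, "tight": TIGHT_RULE}
ALERTS = {
    "softether": SOFTETHER_ALERT,
    "other_user": OTHER_USER_ALERT,
    "unsigned_temp": UNSIGNED_TEMP_ALERT,
}

# One "[%FIELD%: pattern]" token; patterns here never contain ']'.
RULE_TOKEN = re.compile(r"\[%(\w+)%:\s*(.*?)\]")


def parse_exclusion(rule):
    """Split '[%FIELD%: pattern] [%FIELD%: pattern] ...' into {FIELD: pattern}."""
    return dict(RULE_TOKEN.findall(rule))


def glob_to_regex(pattern):
    """Assumed wildcard semantics: '*' any run of characters (backslashes
    included), '?' exactly one character, all else literal, case-insensitive."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def rule_matches(rule, alert):
    """An exclusion silences an alert only if every listed field matches in full.
    A field the alert lacks (e.g. no signer on an unsigned parent) counts as ''."""
    for field, pattern in parse_exclusion(rule).items():
        if not glob_to_regex(pattern).fullmatch(alert.get(field, "")):
            return False
    return True


def evaluate(rules=RULES, alerts=ALERTS):
    """Matrix {rule_name: {alert_name: silenced?}} for every rule/alert pair."""
    return {
        rname: {aname: rule_matches(rule, alert) for aname, alert in alerts.items()}
        for rname, rule in rules.items()
    }


if __name__ == "__main__":
    for rname, row in evaluate().items():
        print(rname, {k: ("silenced" if v else "still alerts") for k, v in row.items()})
```

    The matrix makes the trade-off visible: the loose rule silences the unsigned Temp installer as well as SoftEther, the user-specific rule stops working the moment a second account runs the installer, and the final rule with the signer condition covers every user while still alerting on the unsigned script.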
    
     
  18. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    103
    Location:
    Bulgaria
    Last edited: Apr 29, 2019
  19. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    154
    Location:
    Poland
    By accident I found that changing the screen display's hertz rate (Nvidia) causes OSArmor, ExeRadar Pro and simplewall to silently stop working 100% (do nothing but run in memory), although the programs appear to work perfectly fine. On OSArmor and ExeRadar Pro I receive one stream error prompt, but if you ignore this, chances are you'll never know they don't work anymore. Had to do a full reinstall to make them work again.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,515
    Location:
    U.S.A.
    Nice bypass find.
     
  21. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,694
    Location:
    Europe then Asia
    no issues for OSA on 1903
     
  22. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    154
    Location:
    Poland
    They actually do, but not directly, since you block an executable that has code caving or process hollowing (and similar in-memory operations). Wondering now what Excubits MemProtect and Memory Guard (AppGuard) can do for me; can I add them to NVT products?
     
    Last edited: Jun 3, 2019
  23. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,694
    Location:
    Europe then Asia
    No they don't; blocking an executable on disk isn't preventing process hollowing from happening in memory.
    It is not because you use a condom that you can prevent HIV from destroying your immune system.
    The mechanism of blocking LOLbins from being executed isn't the same as blocking code injection. If it was, no one would need anti-exploits.
    Don't mix mechanisms; afterwards you will have some people who will believe die-hard erroneous stuff, like considering that post-exploitation software is the same as anti-exploit software...

    Yes, you can add them. If you use NVT software, I would suggest you use MemProtect rather than AppGuard; anyway, AG isn't destined for home users anymore.
     
  24. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    154
    Location:
    Poland
    I said not directly, haven't I? Maybe I have chosen the word poorly; it's not the program for that, it would make the OS slow, which is against what they promote: low system impact. NVT can be part of that mitigation as it stops execution tout court, unless we are thinking about two different attacks (which can be considered an anti-exploit, though it wouldn't be accurate; there are some options in OSArmor which use this terminology, and Andreas believes OSA or ERP can stop such malware or its execution chain, they just don't focus on it), and I wouldn't rely on it alone.

    thanks
     
    Last edited: Jun 3, 2019
  25. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,694
    Location:
    Europe then Asia
    Some people are totally oblivious to the attack chain concept: it is not because you use a certain mechanism at step 1 that it is also effective at step 2.

    Taking the analogy, if the condom (anti-exe) is faulty, you get HIV (code injection).
    If you have a cure (memory protection software) that prevents the destruction of the immune system (code injection), you won't care much about using a condom.
    Got it?

    Not to mention, if the attack is fileless or doesn't use LOLbins, what can your anti-exe do? Nothing.
     