NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    194
    Location:
    Poland
    For hackers, it is better to use built-in Windows functionalities and a programming language with low-level code capability (Assembly and to lesser extent C, though binary and its hex representation are possible but unpractical). Python is becoming more popular due to its simplicity. Sizeable embedded engine downloads (compared to PowerShell and .Net installation) are an issue, which in itself is suspicious, and using many modules is noisy. The main goal is to leave as few traces as possible and quickly gain full access to the host through stealthy operations. It could be said that hackers often prefer to adopt the ‘travel light’ philosophy and focus on OS vulnerabilities. The appeal of Python or JavaScript based malware comes from its great availability in forms of tutorials/books/open source code. In 1 day you can create a keylogger and the next day your very first reverse shell. In Python subprocess and os.system passes the command and arguments to your system's shell
     

    Attached Files:

    Last edited: Jun 4, 2019
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,342
    Location:
    U.S.A. (South)
    Interesting. Thanks for the explanation.

    It is a cakewalk for bad actors who dissect windows to the core and then form up their wares to local test then send it out the door via airwaves of the net.
     
  3. xperator

    xperator Registered Member

    Joined:
    May 28, 2012
    Posts:
    40
    Hey, @novirusthanks
    I have a huge problem with OSArmor. I must say I do like your product and I use it on my friends and families computers but It's unfortunate how I can't use it on my own system.
    I use Github Desktop and Git based command lines, and every time i install OSArmor it makes those programs extremely slow and unresponsive.

    Here are what I've tried so far:
    • I tried unchecking different rules in configurator to see which one is the culprit, but I couldn't find any.
    • I tried adding every Git/Github desktop process to the exclusion list, as an individual process, or as a directory (using a wildcard)
    • I tried disabling OSArmor, using normal disable and passive logging (with a restart), still have the problem even though it's supposed to be disabled.
    The only way I can make this issue go away is to completely uninstall OsArmor. Then I can use Github services normally.

    I did check the logs, and I did find a record at some point saying that OSArmor blocked a powershell process (with Github Desktop as it's parent), and it's detection type was "blocking suspicious cmd-line activities" or something like that. But it's just weird that even though I unchecked every single rule in configurator & disabled the app, the issue still existed.

    So I think it's some sort of process/command line checking that goes through every single running app that doesn't go away even if you disable OSArmor and all it's security rules. That is why the issue resolves only after you uninstall the app.

    I'm running Windows 10 Home edition and I use the built-in Windows Defender, If you need more info tell me.

    Would like some helps with this, thanks.
     
    Last edited: Jun 7, 2019
  4. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    194
    Location:
    Poland
    you set these rules? should be the last rule in image block suspicious cmd-line strings
     

    Attached Files:

  5. xperator

    xperator Registered Member

    Joined:
    May 28, 2012
    Posts:
    40
    (I assume you talking to me) As I described in my post, I did uncheck every single rule on the list, also tried to disabling OS Armor and still I had the issue.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,965
    Location:
    The Netherlands
    BTW, I decided to combine OSArmor with EXE Radar and so far no problems whatsoever. OSArmor is really quite impressive, if it works as designed it should be very hard for malware to do any serious damage.
     
  7. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    194
    Location:
    Poland
    @guest so an attack like netwire or doppelganging will be different from powershell empire types of attacks?
    from what I see netwire has to be downloaded first, but its not a lolbin even if it uses legitimate processes like lolbins do
    netwire creates: rundll.exe, schtasks.exe, more.com, cmd.exe, vbc.exe
    it also relied on svchost.exe and installUtil.exe
     
    Last edited: Jun 15, 2019
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,642
    Location:
    U.S.A.
    Last edited: Jun 15, 2019
  9. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    194
    Location:
    Poland
    yeah but its difficult to spot the differences, they attack the API directly so I guess they are the same and contrary to lolbins that go trough 78 windows exes (and setup.exe as external process)
    found this on lolbins btw. and some (if not all) are covered by OSA: the number of blocked mechanisms is more than than lolbin count (+1000 more hidden rules), but not all processes are displayed in the interface I think (need to verify), obviously you can write custom rules to remedy
    https://github.com/api0cradle/LOLBAS/blob/master/LOLBins.md
    https://github.com/pwndizzle/CodeExecutionOnWindows

    the fileless synack ransomware makes me worried, thankfully as per usual it is done via email which makes it easily avoidable for security aware ppl
     
    Last edited: Jun 15, 2019
  10. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,260
    Location:
    USA,IA
    Does OSA offer updating from version to version yet ?
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    6,998
    Location:
    Among the gum trees
    Not yet.
     
  12. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    128
    Location:
    LA
    I wonder when 1.5 beta will be out?
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,965
    Location:
    The Netherlands
    Guys, I would like to make two comments. First of all, I noticed that OSArmor blocks the stupid Software Reporting Tool that is launched by crappy Chrome, I should have installed it way sooner LOL. But nice to see that it actually does work.

    However, I was browsing the file system via Vivaldi and when I opened EXE files, they could all run as a child process from Vivaldi. But shouldn't OSArmor block this? I assumed that OSArmor simply blocks child processes created by all apps that are protected by the anti-exploit module. But now I'm not so sure.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,455
    Shouldn't assume. Look at list of options you can check and uncheck and do you see the word child?
     
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,600
    Location:
    Hawaii
    I do not see the word "child" on OSA's anti-exploit tab. Is it there & I missed it? Are you implying that OSA DOES, or does NOT, have a weakness in the area pointed out by Rasheeed?
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,455
    I am saying don't assume what isn't stated. Because some proecess isn't a child doesn't necessarily mean it is or isn't protected. Even if it's a child, if it fits the osa rules it's protected.
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,351
    Maybe user-initiated processes have an allow rule? That would make a real lot of sense, seeing as OSA default settings are not designed for security paranoids, but for regular users.
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    17,610
    Users are using a browser to download applications and want to launch them afterwards (chrome.exe will be the parent process of the launched process)
    It will probably lead to tons of complaints, if all files will be blocked.

    The browsers are mentioned in the Anti-Exploit-category, not in a "block all child-processes"-category.
    But this doesn't mean that everything will be allowed. The location of the file is important.
    Launching of files from a temporary folder or the Public folder is suspicious and the Anti-Exploit module will block it.
    ...to verify it, use "Ctrl+O" and navigate to the corresponding folders and try to launch applications.

    Specific internal rules are activated which are protecting the browser:
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,600
    Location:
    Hawaii
    @mood -- thanks for the 410 link/quote. That settles my concerns.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,965
    Location:
    The Netherlands
    Good point, I guess I was overthinking things. Because it's indeed no different than downloading and directly opening the file via the browser. So the anti-exploit part apparently is a bit more smart. Of course, EXE Radar would still block the EXE files from launching anyway. BTW, I had to exclude Media Player Classic, because sometimes OSArmor would block certain video files. So more proof that it's indeed working as designed.
     
  21. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    952
    What rule is blocking MPC?
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,965
    Location:
    The Netherlands
    I guess it's protected automatically by the anti-exploit module. Apparently it found the command-line to be suspicious on my system, but of course it was a false alarm. And I'm not sure, but certain apps like Vivaldi and Chrome seem to act a bit slower sometimes, not sure if it's caused by OSArmor. I might have to disable it, EXE Radar provides good enough protection anyway.
     
  23. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,623
    Last edited: Jun 29, 2019
  24. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,623
    Version 3 of NVT-ERP is not working in my Windows10 pro since I got 1809 a week or so ago.
    So I uninstalled it and am thinking of installing OSArmour.
    I use built-in Windows Defender (firewall and controlled folders is off)
    I read few pages here, some is over my head, and I can't seem to find answers for:
    - I have MBAE running - should I uninstall it before OSA comes in?
    - Does OSArmour issue alerts that I can respond to? Should I be reading OSA log file instead?
    - What are LOLbins that I see mentioned in few recent pages?
     
    Last edited: Jul 4, 2019
  25. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    633
    Location:
    Canada
    I am running MB 3 which includes MBAE and never had any problems installing OSArmour while MB3 was running.

    OSArmour will alert you if it blocks something, however I can't remember if you can respond to it as I've only had one block several months ago.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.