NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,600
    Location:
    Hawaii
    Today OSA popped an alert that it had blocked an activity based on the Rule: "Block processes executed from C Sharp compiler (csc.exe)." This rule is unchecked by default -- probably to hold down FPs confusing to neophytes (like me). Obviously, I long ago decided to put a check mark by this rule because -- well, I figured, "Let's see what develops."

    OSA's log indicated the alert was caused when *something* tried to get microsoft.net to execute *something*. I let the block stand to see if anything got broken. Nothing did so -- end of story as far as asking you folks to analyze the situation (In any event, I have NOT given you enough info to do that, & it would be against Wilder's rules to do so, I think).

    No, the only reason I posted this blurb is that I am curious as to why NVT might have included such a rule, even if it is unchecked by default. Ergo........

    QUESTION: Why do you think NVT put this rule in OSA? Is executing a process using csc.exe something that malware tries to exploit from time to time? Or...what? (I'm just looking for opinions & comments because I'm curious.)
     
  2. guest

    guest Guest

    Because it is one of the hundreds of exploitable LOLbins Windows is plagued with.

    My Custom Block list is filled with them.
     
  3. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,600
    Location:
    Hawaii
    Has your custom block list triggered many alerts in all the time you have used OSA?
     
  4. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    554
    Location:
    US
    I do not have any alerts from OSA v1.4.3. Like guest, in Custom Block-Rules, it's "filled with them."

    Aloha,
    Robert
     
  5. guest

    guest Guest

    @bellgamin if you execute a process that corresponds to a block rule, alert you will have.

    For example if you block mmc.exe, then try to run some Windows admin tools, you will see an alert.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,641
    Location:
    U.S.A.
    Csc.exe is used to compile .Net sub-assemblies. It can and has been misused by malware creators:

    https://attack.mitre.org/techniques/T1500/
    https://attackiq.com/blog/2018/05/21/application-whitelist-bypass/

    I used to monitor it with a HIPS rule but gave that up out of frustration. Every time there is a Windows update to .Net, it runs csc.exe in the background compiling sub-assemblies. It will continue to run until all are recompiled. This also may bridge one or more boot sessions. Also, a major .Net upgrade is not the only thing that can trigger this activity. Even an unrelated security update can trigger it since everything in Windows these days uses .Net.

    Hence the reason OSArmor has it unchecked by default. There are better ways to monitor misuse of .Net such as PowerShell Constrained Language mode.
     
    Last edited: Aug 11, 2019
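The trade-off itman describes (csc.exe is abused for compile-after-delivery, yet Windows servicing also runs it constantly) is exactly the triage a HIPS rule cannot do on its own. The following Python is an added example, not OSArmor code, that scores constructed process-creation records: it suppresses csc.exe launched by assumed servicing parents and flags csc.exe launched by Office or script hosts or compiling sources from user-writable paths. The parent-process lists are assumptions to tune locally.

```python
"""Triage csc.exe process-creation events: drop expected .NET servicing noise,
surface csc.exe launched by user-facing parents or from user-writable paths."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the created process


# Assumed allowlist: parents that drive csc.exe during Windows/.NET servicing.
SERVICING_PARENTS = {"tiworker.exe", "trustedinstaller.exe", "mscorsvw.exe"}
# Assumed watchlist: parents that should not be compiling C# on an end-user box.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powershell.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}
# Source or output paths under user-writable locations deserve a second look.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads)|temp|programdata)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_csc(ev: ProcEvent) -> str:
    """Return 'ignore', 'expected', 'suspicious' or 'review' for one event."""
    if basename(ev.image) != "csc.exe":
        return "ignore"
    parent = basename(ev.parent_image)
    if parent in SERVICING_PARENTS:
        return "expected"       # the servicing recompiles that cause the FPs
    if parent in SUSPICIOUS_PARENTS or USER_WRITABLE.search(ev.command_line):
        return "suspicious"     # compile-after-delivery pattern (T1500)
    return "review"             # unknown parent: leave for a human to check


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"C:\Windows\WinSxS\amd64_wu\TiWorker.exe",
              r"csc.exe /noconfig @C:\Windows\Microsoft.NET\tmp\rsp.txt"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"csc.exe /out:C:\Users\bob\AppData\Local\Temp\a.exe "
              r"C:\Users\bob\AppData\Local\Temp\a.cs"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
              r"csc.exe /out:C:\Projects\app\bin\app.exe C:\Projects\app\Program.cs"),
    ProcEvent(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage_csc(ev), "<-", basename(ev.parent_image), "->", basename(ev.image))
```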
  7. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    554
    Location:
    US
    Oh yeah, I forgot. I Disable Protection first. Otherwise, mmc.exe will not run and I will get an Alert.

    Robert
     
  8. guest

    guest Guest

    I bet you can create a custom rule to allow mmc.exe to be started only by a specific trigger.
     
  9. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    554
    Location:
    US
    Yes. I am too tired right now.:'(

    Thanks, itman too.

    ~Off topic comments removed
    Robert
     
    Last edited by a moderator: Aug 11, 2019
  10. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    554
    Location:
    US
    Sorry, Peter and Admins. I am tired and stupid.

    Back OT. itman, csc.exe (Visual C+Command-Line Compiler) is monitored. .NET framework is restrained, as is WU.

    OSA is a valuable component and just complements my Security Protocols - it's free too.

    Robert
     
    Last edited: Aug 11, 2019
  11. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,600
    Location:
    Hawaii
    @itman -- How does one attain "PowerShell Constrained Language mode"? The only 2 PowerShell items in OAS are: (a) Block execution of PowerShell encoded commands, and (b) Block execution of Powershell malformed commands. I assume you are NOT talking about those, right?

    @Roberteyewhy -- You're correct -- OAS is free. Unfortunately!!! Oh yes, I truly believe it is VERY unfortunate that NVT (Andreas) has chosen to put his good security stuff out for free. That makes great bargains out of apps like OAS but it gives NVT no incentive to maintain his apps, except for his good will. I would gladly pay for a PRO version of OAS that NVT updates periodically.
     
  12. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,033
    +1:thumb:
     
  13. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    554
    Location:
    US
    Well, you still have to input, correctly, in Custom Block-Rules. Who cares about PowerShell? I just Disable Protection. I too would pay for OSA Pro. I paid for AppGuard Solo.

    I mean no disrespect.

    Thanks, Buddel.;)

    Robert
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,641
    Location:
    U.S.A.
    As I recollect OSArmor does the reg. key hack to set an environment variable to do so unless things have changed.

     
    Last edited: Aug 11, 2019
  15. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    949
    Are you sure you aren't talking about Syshardener?
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,641
    Location:
    U.S.A.
    You might be correct on that. One or the other has the mitigation.
     
  17. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    554
    Location:
    US
    That's why I have it in AG. I only have 3 unchecked in OSA. 1 is Chrome. But, I run it in Application Guard. Nothing allowed in Security Policy Editor.

    To me, I have to have balance, otherwise, what's the sense...everything works.

    Robert
     
    Last edited: Aug 11, 2019
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,641
    Location:
    U.S.A.
    Great product if you have a Pro+ version and your hardware supports VBS. Neither apply to me.
     
  19. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    554
    Location:
    US
    Correct about the hardware. Otherwise, in WD Core Isolation does not work. Same with Windows Sandbox or others. One has to have Virtualization in the BIOS. Otherwise, Hyper-V cannot be engaged.

    That's why so many members here at Wilder's are so 'knowledgeable'.:shifty:

    Win 10 Pro x64 v1903

    Robert
     
    Last edited: Aug 11, 2019
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,641
    Location:
    U.S.A.
    That's not the issue. It's enabled in the BIOS. It worked in 1803 and no ver. since. Memory isolation won't set with message about hardware incompatibility. I am far from the only one with the issue. Appears you need TPM motherboard support.
     
  21. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    554
    Location:
    US
    Correct. WD>Core Isolation>Memory integrity, v1903, mine does not work. AG Solo already has Memory Protection. Even WD cannot access lsass or Lsalso.

    Robert
     
    Last edited: Aug 11, 2019
  22. waking

    waking Registered Member

    Joined:
    Jan 25, 2016
    Posts:
    37
    <nit-picking mode on>

    Typo or misunderstanding?

    There is no such language as C+, there is a C++ (CPlusPlus) but csc.exe
    is the compiler for C# (CSharp) which is a different language.
     
  23. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    554
    Location:
    US
    Alright. Tired of being misunderstood.

    You are better than me!

    I do not want to post anymore.

    Robert
     
  24. guest

    guest Guest

    It is in System Hardener if I recall well.

    OSA/ERP doesn't need many updates, the security mechanism is stable and efficient, you will just have GUI bug fixes.
     
  25. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,600
    Location:
    Hawaii
    Agree -- to a degree. In an earlier post, you reported that you have many custom rules. Would any of those rules be useful to others? If so, a PRO version could gradually add such rules to the "Advanced" tab of OSA's configurator.

    Hey, Robert -- please stay on board. Your comments add to the knowledge base. It's not just you -- people often disagree with me, too. That's okay -- they have a right to be wrong, right? (kidding) :rolleyes:
     
    Last edited: Aug 11, 2019