NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,965
    Location:
    The Netherlands
    Thanks guys, then it might be something else. Because even after disabling OSA I sometimes still get crashes. PC's are weird things aren't they? Will try to check the Windows Reliability Monitor, thanks for the tip @ Stapp.
     
  2. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,597
    Location:
    Hawaii
    Why not give Kerish Doctor a brief trial. If it finds/fixes your problem, keep it. If not, off with his head.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,965
    Location:
    The Netherlands
No thanks, I don't believe in these kinds of tools, even though I've read very positive things about it. I think I have already found the culprit. I use this tool called ResizeEnable, and if you run it and then kill it, it keeps certain .dll files in memory, and apparently Win Explorer doesn't like this. So I don't think that OSA is the problem, will soon enable it again.

    https://www.raymond.cc/blog/how-to-resize-an-unresizable-window-or-dialog-box/2/
     
  4. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,777
    Location:
    Hollow Earth - Telos
    Date/Time: 8/27/2019 12:11:19 AM
    Process: [9536]C:\Windows\SysWOW64\cmd.exe
    Process MD5 Hash: AD7B9C14083B52BC532FBA5948342B98
    Parent: [12684]C:\Users\User\Downloads\ZaarSetup_1_001_1023_000.exe
    Rule: BlockPowerShellMalformedCommands
    Rule Name: Block execution of PowerShell malformed commands
    Command Line: "C:\Windows\system32\cmd.exe" /C C:\Windows\system32\REG.EXE QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" >> "C:\ProgramData\CheckPoint\Zaar\Logs\installer\reg_version.txt"
    Signer:
    Parent Signer: Check Point Software Technologies Ltd.
    User/Domain: User/User-PC
    System File: True
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High
     
  5. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,597
    Location:
    Hawaii
HELP!!! I use MBAE (MalwareBytes Anti-Exploit). MBAE updates automatically. Unfortunately, OSA blocks the update every time. I click the button to add an exclusion but it still breaks the update. Moreover, MBAE's updates use slightly different file names for each update so prior exclusions do not work.

    The only commonality of MBAE's file names is that they ALL include "MBAE" in the file name.

    Is there a way to write an exclude rule for OSA so that OSA will no longer block any file that has "MBAE" in the file name?
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    17,324
    What exactly has been blocked? (see logfile - process, parent, command line, etc.)
     
  7. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    947
    @bellgamin

    You say it uses different file names for each update.

Go to logs and see where the differences are. When you create an exclusion, replace the places where those differences are with an asterisk *

    For example,

    C:\users\temp\fer-h2.tmp\setup.exe
    C:\users\temp\ghr-5h.tmp\setup.exe

    Becomes,

    C:\users\temp\*\setup.exe
     
  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,597
    Location:
    Hawaii
    @mood -- Okay, I had not looked at OSA's logs. It seems my problem ensued because I put a check mark by 2 Advanced Rules, both of which require OSA to block execution of unsigned processes from a Temp file. OSA notates both those rules that they can cause FPs. Here is the log entry..................
    I don't want to take the time to learn how to write rules so I suppose my best course of action would be to (regretfully) uncheck the 2 Advanced Rules that block execution of unsigned processes from a Temp file. Agree?
     
    Last edited: Aug 30, 2019
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    17,324
    3 Variants:
    Code:
    (1)
    [%PROCESS%: C:\Windows\Temp\*-*.tmp\mbae-setup-*.tmp]
    [%PARENTPROCESS%: C:\Windows\Temp\mbae-setup-*.exe]
    [%PROCESSCMDLINE%: "C:\Windows\TEMP\*-*.tmp\mbae-setup-*.tmp"*C:\Windows\TEMP\mbae-setup-*.exe"*]
    
    (2)
    [%PROCESS%: C:\Windows\Temp\*-*.tmp\mbae-setup-*.tmp]
    [%PARENTPROCESS%: C:\Windows\Temp\mbae-setup-*.exe]
    [%PARENTSIGNER%: Malwarebytes Inc]
    
    (3)
    [%PROCESS%: C:\Windows\Temp\*mbae-setup*]
    [%PARENTSIGNER%: Malwarebytes Inc]
    
    But sooner or later you might run into more blockings as some "forget" to digitally sign the temporary files.
    And as you don't want to create rules each time, unchecking the 2 Advanced Rules is a good idea.
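As an added illustration of the wildcard exclusions described in Azure Phoenix's post and the three variants above (this is constructed example code, not OSArmor's own matcher; it assumes `*` matches any run of characters, matching is case-insensitive, and every field line of a rule must match):

```python
import re

# Constructed, illustrative matcher for OSArmor-style exclusion rules; not the
# product's own code. Assumptions: '*' matches any run of characters (backslashes
# included), comparison is case-insensitive, and every [%FIELD%: pattern] line of
# a rule must match the event for the rule to apply.
VARIANTS = {
    1: r"""[%PROCESS%: C:\Windows\Temp\*-*.tmp\mbae-setup-*.tmp]
[%PARENTPROCESS%: C:\Windows\Temp\mbae-setup-*.exe]
[%PROCESSCMDLINE%: "C:\Windows\TEMP\*-*.tmp\mbae-setup-*.tmp"*C:\Windows\TEMP\mbae-setup-*.exe"*]""",
    2: r"""[%PROCESS%: C:\Windows\Temp\*-*.tmp\mbae-setup-*.tmp]
[%PARENTPROCESS%: C:\Windows\Temp\mbae-setup-*.exe]
[%PARENTSIGNER%: Malwarebytes Inc]""",
    3: r"""[%PROCESS%: C:\Windows\Temp\*mbae-setup*]
[%PARENTSIGNER%: Malwarebytes Inc]""",
}
RULE_LINE = re.compile(r"^\[%([A-Z]+)%:\s*(.*)\]$")

def parse_rule(text):
    """Collect the [%FIELD%: pattern] lines of one rule into {FIELD: pattern}."""
    fields = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def wildcard_to_regex(pattern):
    """Only '*' is special; every other character is matched literally, ignoring case."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)

def matches(rule, event):
    """A field the event lacks is treated as empty, so only '*' can match it."""
    return all(wildcard_to_regex(p).match(event.get(f, "")) for f, p in rule.items())

def matching_variants(event):
    return [n for n, text in VARIANTS.items() if matches(parse_rule(text), event)]

# Constructed event shaped like the blocked MBAE updater (paths and versions made up).
# SIGNER is empty on purpose: the temp installer itself is unsigned, which is what the
# "unsigned process from Temp" advanced rules trip on, while the parent is signed.
MBAE_EVENT = {
    "PROCESS": r"C:\Windows\Temp\is-K3J2L.tmp\mbae-setup-1.13.1.tmp",
    "PARENTPROCESS": r"C:\Windows\Temp\mbae-setup-1.13.1.exe",
    "PROCESSCMDLINE": r'"C:\Windows\TEMP\is-K3J2L.tmp\mbae-setup-1.13.1.tmp" /SL5="$1,2,3,C:\Windows\TEMP\mbae-setup-1.13.1.exe" /verysilent',
    "SIGNER": "", "PARENTSIGNER": "Malwarebytes Inc",
}
# Constructed event for an unrelated unsigned installer; no variant should excuse it.
OTHER_EVENT = {"PROCESS": r"C:\Users\User\AppData\Local\Temp\is-Q9W8E.tmp\setup.tmp",
               "PARENTPROCESS": r"C:\Users\User\Downloads\setup.exe", "SIGNER": "", "PARENTSIGNER": ""}
```

Running `matching_variants(MBAE_EVENT)` returns all three variant numbers while `matching_variants(OTHER_EVENT)` returns an empty list, which is the property to check before trusting any exclusion: it must match the one updater and nothing else dropped into Temp.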
     
  10. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,597
    Location:
    Hawaii
    @mood -- THANKS!!!!!!! I unchecked.
     
  11. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,619
    OSA blocks wscript.exe. Nice. But how can I just READ a javascript file without triggering this block? I don't want to run it. I'm new to OSA, so forgive me for this very basic question which probably was answered in the previous 110 pages.
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,597
    Location:
    Hawaii
    Quick & dirty solution: right click OSA in system tray > left click Protection > left click one of the "Disable" choices.

    After you're done with the javascript file, be sure to re-enable OSA's protection.
     
  13. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    367
    Location:
    USA
    I usually just add a .txt at the end, then remove it when I'm done.
     
  14. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,619
Yes. True. I did that also. But the readable text is totally mangled - there are no carriage returns, making it next to impossible to read.
     
  15. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,619
Thanks, Bill. Great, except for one problem. If wscript.exe wants to execute that darn .js file, it'll be a disaster. I'm forgetting how these things work - I was always able to read/edit such files without them being executed. Maybe it was just .bat or .cmd files. I'm losing my mind slowly, I think.
     
  16. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,031
    I've just added OSA to my security mix again. I'm pretty sure it is possible to block certain file types, such as *.pif and *.scr. What does the custom block rule in OSA look like for blocking certain file types? Thanks.

    Edit:
    I've just tried [%PROCESS%: *\*.scr] and it works.
    However [%PROCESS%: *\*.doc] for old Word files does not work. Hm...
     
    Last edited: Sep 14, 2019 at 9:40 PM