NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,156
    Location:
    The Netherlands
    Thanks guys, then it might be something else. Because even after disabling OSA I sometimes still get crashes. PC's are weird things aren't they? Will try to check the Windows Reliability Monitor, thanks for the tip @ Stapp.
     
  2. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,690
    Location:
    Hawaii
    Why not give Kerish Doctor a brief trial. If it finds/fixes your problem, keep it. If not, off with his head.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,156
    Location:
    The Netherlands
    No thanks, I don't believe in these kinds of tools, even though I've read very positive things about it. I think I have already found the culprit. I use this tool called ResizeEnable, and if you run it and then kill it, it keeps certain .dll files in memory, and apparently Win Explorer doesn't like this. So I don't think that OSA is the problem, will soon enable it again.

    https://www.raymond.cc/blog/how-to-resize-an-unresizable-window-or-dialog-box/2/
     
  4. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,858
    Location:
    Hollow Earth - Telos
    Date/Time: 8/27/2019 12:11:19 AM
    Process: [9536]C:\Windows\SysWOW64\cmd.exe
    Process MD5 Hash: AD7B9C14083B52BC532FBA5948342B98
    Parent: [12684]C:\Users\User\Downloads\ZaarSetup_1_001_1023_000.exe
    Rule: BlockPowerShellMalformedCommands
    Rule Name: Block execution of PowerShell malformed commands
    Command Line: "C:\Windows\system32\cmd.exe" /C C:\Windows\system32\REG.EXE QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" >> "C:\ProgramData\CheckPoint\Zaar\Logs\installer\reg_version.txt"
    Signer:
    Parent Signer: Check Point Software Technologies Ltd.
    User/Domain: User/User-PC
    System File: True
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High
     
  5. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,690
    Location:
    Hawaii
    HELP!!! I use MBAE (MalwareBytes Anti-Exploit). MBAE updates automatically. Unfortunately, OSA blocks the update every time. I click the button to add an exclusion but it still breaks the update. Moreover, MBAE's updates use slightly different file names for each update so prior exclusions do not work.

    The only commonality of MBAE's file names is that they ALL include "MBAE" in the file name.

    Is there a way to write an exclude rule for OSA so that OSA will no longer block any file that has "MBAE" in the file name?
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,826
    What exactly has been blocked? (see logfile - process, parent, command line, etc.)
     
  7. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,006
    @bellgamin

    You say it uses different file names for each update.

    Go to logs and see where the differences are. When you create an exclusion, replace the places where those differences are with an asterisk *

    For example,

    C:\users\temp\fer-h2.tmp\setup.exe
    C:\users\temp\ghr-5h.tmp\setup.exe

    Becomes,

    C:\users\temp\*\setup.exe
     
  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,690
    Location:
    Hawaii
    @mood -- Okay, I had not looked at OSA's logs. It seems my problem ensued because I put a check mark by 2 Advanced Rules, both of which require OSA to block execution of unsigned processes from a Temp file. OSA notes for both of those rules that they can cause FPs. Here is the log entry...
    I don't want to take the time to learn how to write rules so I suppose my best course of action would be to (regretfully) uncheck the 2 Advanced Rules that block execution of unsigned processes from a Temp file. Agree?
     
    Last edited: Aug 30, 2019
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,826
    3 Variants:
    Code:
    (1)
    [%PROCESS%: C:\Windows\Temp\*-*.tmp\mbae-setup-*.tmp]
    [%PARENTPROCESS%: C:\Windows\Temp\mbae-setup-*.exe]
    [%PROCESSCMDLINE%: "C:\Windows\TEMP\*-*.tmp\mbae-setup-*.tmp"*C:\Windows\TEMP\mbae-setup-*.exe"*]
    
    (2)
    [%PROCESS%: C:\Windows\Temp\*-*.tmp\mbae-setup-*.tmp]
    [%PARENTPROCESS%: C:\Windows\Temp\mbae-setup-*.exe]
    [%PARENTSIGNER%: Malwarebytes Inc]
    
    (3)
    [%PROCESS%: C:\Windows\Temp\*mbae-setup*]
    [%PARENTSIGNER%: Malwarebytes Inc]
    
    But sooner or later you might run into more blockings as some "forget" to digitally sign the temporary files.
    And as you don't want to create rules each time, unchecking the 2 Advanced Rules is a good idea.
     
  10. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,690
    Location:
    Hawaii
    @mood -- THANKS!!!!!!! I unchecked.
     
  11. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,636
    OSA blocks wscript.exe. Nice. But how can I just READ a javascript file without triggering this block? I don't want to run it. I'm new to OSA, so forgive me for this very basic question which probably was answered in the previous 110 pages.
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,690
    Location:
    Hawaii
    Quick & dirty solution: right click OSA in system tray > left click Protection > left click one of the "Disable" choices.

    After you're done with the javascript file, be sure to re-enable OSA's protection.
     
  13. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    393
    Location:
    USA
    I usually just add a .txt at the end, then remove it when I'm done.
     
  14. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,636
    Yes. True. I did that also. But the readable text is totally mangled - there are no carriage returns, making it next to impossible to read.
     
  15. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,636
    Thanks, Bill. Great, except for one problem. If wscript.exe wants to execute that darn .js file, it'll be a disaster. I'm forgetting how these things work - I was always able to read/edit such files without them being executed. Maybe it was just .bat or .cmd files. I'm losing my mind slowly, I think.
     
  16. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,066
    I've just added OSA to my security mix again. I'm pretty sure it is possible to block certain file types, such as *.pif and *.scr. What does the custom block rule in OSA look like for blocking certain file types? Thanks.

    Edit:
    I've just tried [%PROCESS%: *\*.scr] and it works.
    However [%PROCESS%: *\*.doc] for old Word files does not work. Hm...

    Later edit:
    Tried to block certain .exe files and it worked like a charm.
    Tried then to block .pdf files and it did NOT work. Maybe OSA uses some kind of a global rule that allows the execution of certain file types, such as .doc, .xls and .pdf, so that individual rules do not have any effect whatsoever.
     
    Last edited: Sep 15, 2019
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,826
    It depends "what happens" if a file is launched.

    In the case of executables in the directory C:\test this rule works:
    Code:
    [%PROCESS%: C:\test\*.exe]
    
    But replacing *.exe with *.bat doesn't work, because launching for example C:\test\batch.bat invokes C:\Windows\System32\cmd.exe, and the .bat file is only mentioned in the command line.
    Code:
    [%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\cmd.exe /c*C:\test\*.bat*]
    
    Now launching .bat files will be blocked in this directory.

    If a doubleclick on a pdf-file is launching the pdf-reader SumatraPDF, this rule can be used to "block" pdf-files in the directory C:\test:
    Code:
    [%PROCESS%: C:\Program Files\SumatraPDF\SumatraPDF.exe] [%PROCESSCMDLINE%: "C:\Program Files\SumatraPDF\SumatraPDF.exe" "C:\test\*.pdf"]
    
    You only need to find out what process is launched and what the command line looks like after launching the files to create proper rules to block them.
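    To see why a process-only rule catches .scr but not .bat or .pdf, and how the process-plus-command-line rules above (and the MBAE exclusion variants earlier in the thread) evaluate, here is an added Python example. It is not OSArmor's code: the match semantics (every condition in a rule must hold, `*` matches any run of characters, comparison is case-insensitive) are assumptions modelled on the rules quoted in this thread, and the events are constructed.

```python
import re

# One '[%FIELD%: pattern]' condition; a rule is one or more of them in a row.
# Assumed syntax, modelled on the rules quoted in this thread, not OSArmor's own spec.
CONDITION_RE = re.compile(r"\[%(\w+)%:\s*([^\]]*)\]")


def glob_to_regex(pattern):
    """Assumed semantics: '*' matches any run of characters, all else is literal,
    and comparison ignores case because Windows paths are case-insensitive."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE | re.DOTALL)


def parse_rule(rule):
    """Return {FIELD: pattern} for every condition found in the rule string."""
    return {field.upper(): pat.strip() for field, pat in CONDITION_RE.findall(rule)}


def rule_matches(rule, event):
    """A rule fires only when every one of its conditions matches the event;
    a field the event lacks (e.g. no Signer) is compared as an empty string."""
    conditions = parse_rule(rule)
    return bool(conditions) and all(
        glob_to_regex(pat).match(event.get(field, "")) for field, pat in conditions.items())


# Constructed events, shaped like the OSArmor log entry quoted earlier in the thread.
# Double-clicking C:\test\batch.bat starts cmd.exe; the .bat is only an argument.
BAT_LAUNCH = {"PROCESS": r"C:\Windows\System32\cmd.exe",
              "PROCESSCMDLINE": r'C:\WINDOWS\system32\cmd.exe /c ""C:\test\batch.bat" "'}
# Double-clicking a PDF starts the reader; the PDF is only an argument.
PDF_LAUNCH = {"PROCESS": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
              "PROCESSCMDLINE": r'"C:\Program Files\SumatraPDF\SumatraPDF.exe" "C:\test\report.pdf"'}
PDF_ELSEWHERE = {"PROCESS": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
                 "PROCESSCMDLINE": r'"C:\Program Files\SumatraPDF\SumatraPDF.exe" "C:\Users\User\Documents\report.pdf"'}

# Rules from the thread. The naive ones never fire on these events because the
# launched process is cmd.exe or the reader, not the .bat or .pdf file itself.
NAIVE_BAT_RULE = r"[%PROCESS%: C:\test\*.bat]"
NAIVE_PDF_RULE = r"[%PROCESS%: *\*.pdf]"
BAT_RULE = r"[%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\cmd.exe /c*C:\test\*.bat*]"
PDF_RULE = (r'[%PROCESS%: C:\Program Files\SumatraPDF\SumatraPDF.exe] '
            r'[%PROCESSCMDLINE%: "C:\Program Files\SumatraPDF\SumatraPDF.exe" "C:\test\*.pdf"]')

if __name__ == "__main__":
    for name, rule, event in [("naive .bat rule", NAIVE_BAT_RULE, BAT_LAUNCH), ("cmdline .bat rule", BAT_RULE, BAT_LAUNCH),
                              ("naive .pdf rule", NAIVE_PDF_RULE, PDF_LAUNCH), ("cmdline .pdf rule", PDF_RULE, PDF_LAUNCH),
                              ("cmdline .pdf rule, other dir", PDF_RULE, PDF_ELSEWHERE)]:
        print(f"{name:30s} -> {'BLOCK' if rule_matches(rule, event) else 'allow'}")
```

    The last case shows that the command-line pattern also scopes the rule to C:\test, so the same reader opening a PDF from another folder is left alone.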
     
  18. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,066
    OK, thanks. I thought that if the custom rule [%PROCESS%: *\*.scr] for all scr files works, [%PROCESS%: *\*.doc], [%PROCESS%: *\*.pdf] etc. should also work, but this is obviously not the case. As mentioned in your post, blocking pdf, doc files etc. is only possible when using a custom rule that contains both the process and the processcmdline.
     
  19. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    390
    Location:
    united kingdom
    It's because .scr files are actually executable files in their own right. They execute directly just like an .EXE file and don't rely on another program to launch.
     
  20. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,066
    This makes perfect sense to me. Thanks very much for your explanation.:thumb:
     
  21. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    390
    Location:
    united kingdom
    You're very welcome. :)
     
  22. kerykeion

    kerykeion Registered Member

    Joined:
    Jun 30, 2010
    Posts:
    278
    Location:
    Philippines
    Question, does OSA block "Nodersok" on default settings?
     
  23. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,858
    Location:
    Hollow Earth - Telos
    Blackfog app might help.
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,622
    Location:
    Canada
    It blocks .hta scripts, so as long as that setting's a default it should block Nodersok.
     
  25. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    145
    Location:
    Wigan
    Some time ago I reported that OSArmor caused Windows 7 (64bit) to hang. I have now conclusively found that the problem was caused by using Agnitum Outpost Firewall Pro 9.3 and am confident that OSArmor was not to blame. OSArmor behaves extremely well with Windows XP, Windows 7 and Windows 10.
     