NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    213
    Location:
    Bulgaria
    Ransim is quite old. Most of the solutions should be able to block it nowadays.
     
  2. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,720
    Location:
    USA Trump Town
    Is this OK to run with Windows Defender?
     
  3. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    522
    Location:
    Lunar module
    OSA has no conflicts with any antivirus.
     
  4. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    160
    Location:
    Wigan
    I am continuing to use Windows 7 but NOT for banking and other privacy sensitive functions. I have ticked ALL the OSArmor 1.4.3 protections along with a substantial number of additional SysHardener protections (done with considerable caution after first doing a system backup). SMB v1 seems to be tickable without loss of function and this is known to be insecure.

    My assumption is that doing these things with OSArmor and SysHardener 1.5 creates a mass of tripwires which almost no exploits will get past unhindered. Am I being overoptimistic?

    The only blocks by OSArmor protections seen so far are when I initiate a system operation for which an exclusion has not yet been set up. Normal usage such as web browsing has not yet tripped a protection. MBAE 1.13.1.127 is also deployed.
     
    Last edited: Feb 15, 2020
  5. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    306
    Location:
    Island of Woman
    Does it work? I thought this ought to be:

    [%PROCESS%: C:\Users\xx\AppData\Local\Microsoft\MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe] [%PARENTPROCESS%: C:*]
    At least I've never seen that executable on my system.
     
    Last edited: Apr 14, 2020
  6. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,155
    Yes, it works. Do you have Chromium Edge installed on your system?
    The executable is in Program Files (x86) on my system.
     
  7. Pepito Perez

    Pepito Perez Registered Member

    Joined:
    Apr 17, 2020
    Posts:
    1
    Location:
    Paris
    Hi, I need help with the following issue.
    I run my cmd script (a .bat file).
    In the script I have this:

    echo %ip% | more +0 > ip.txt

    The cmd command will show me " echo Adress IPv4. . . . . . . . . . . . . . : 123.456.7.8 " and save this output in ip.txt (123.456.7.8 is my IP address).

    Well, when I run this from the bat file, OSArmor shows me an alert and I accept the exclusion.

    The problem occurs when the dynamic IP changes from 123.456.7.8 to another IP like 987.654.3.2.

    So OSArmor blocks the script again and sends me a request to add an exclusion.

    I need help creating an exclusion which keeps working when the IP changes. I know that if I put * in the second parameter, where it says C:\Windows\system32\cmd.exe /S /D /c" echo Adress IPv4. . . . . . . . . . . . . . : ###.###.#.#", it will be OK. But I don't want to exclude the whole %PROCESSCMDLINE%.

    My actual exclusion:
    [%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: C:\Windows\system32\cmd.exe /S /D /c" echo Adress IPv4. . . . . . . . . . . . . . : 123.456.7.8"] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe]
    The rule that excludes ALL process command lines:
    [%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: *] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe]

    How can I create a rule that lets me execute my bat without the need to add it AGAIN to the exceptions? Thanks for reading, I hope you can help me (note: I'm sorry about my language skills):)
     
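To show what a narrower exclusion buys compared with `[%PROCESSCMDLINE%: *]`, here is an added Python example; it is not part of this thread and not OSArmor's own matching code. It assumes the bracket format shown in the post, that `*` matches any run of characters wherever it appears in a field (the thread only shows `*` as a whole value and as the prefix wildcard `C:*`, so mid-string use is an assumption to verify against OSArmor itself), that matching is case-insensitive, and that every field in a rule must match for the rule to apply. The "narrow" rule, the unrelated `dir` command line and the explorer.exe parent are constructed inputs.

```python
import re

# Two exclusion rules taken from the post (exact IP, and the "exclude everything" form),
# plus a constructed narrow rule that wildcards only the IP address.
CMD = r'C:\Windows\System32\cmd.exe'
ECHO = r'C:\Windows\system32\cmd.exe /S /D /c" echo Adress IPv4. . . . . . . . . . . . . . : '

RULE_EXACT = ('[%PROCESS%: ' + CMD + '] [%PROCESSCMDLINE%: ' + ECHO + '123.456.7.8"] '
              '[%PARENTPROCESS%: ' + CMD + ']')
RULE_NARROW = ('[%PROCESS%: ' + CMD + '] [%PROCESSCMDLINE%: ' + ECHO + '*"] '
               '[%PARENTPROCESS%: ' + CMD + ']')          # constructed: only the IP is wildcarded
RULE_BROAD = ('[%PROCESS%: ' + CMD + '] [%PROCESSCMDLINE%: *] '
              '[%PARENTPROCESS%: ' + CMD + ']')

# One [%FIELD%: value] pair per bracket group; values never contain ']' in this format.
FIELD_RE = re.compile(r'\[%([A-Z]+)%: ([^\]]*)\]')


def parse_rule(rule):
    """Split a bracket-format rule into {FIELD: pattern}."""
    fields = dict(FIELD_RE.findall(rule))
    if not fields:
        raise ValueError('no [%FIELD%: value] pairs found in rule')
    return fields


def glob_to_regex(pattern):
    """'*' matches any run of characters; everything else is literal (assumed semantics)."""
    return '.*'.join(re.escape(part) for part in pattern.split('*'))


def field_matches(pattern, value):
    return re.fullmatch(glob_to_regex(pattern), value, re.IGNORECASE) is not None


def rule_matches(rule, event):
    """True only when every field named in the rule matches the event (AND semantics, assumed)."""
    return all(field_matches(pat, event.get(name, ''))
               for name, pat in parse_rule(rule).items())


def cmd_event(cmdline, parent=CMD):
    """A process-start event as a dict keyed by the rule field names."""
    return {'PROCESS': CMD, 'PROCESSCMDLINE': cmdline, 'PARENTPROCESS': parent}


# Constructed events: the two IP variants from the post, an unrelated cmd.exe command line,
# and the same echo launched from a different parent.
EVENTS = {
    'old_ip': cmd_event(ECHO + '123.456.7.8"'),
    'new_ip': cmd_event(ECHO + '987.654.3.2"'),
    'unrelated': cmd_event(r'C:\Windows\system32\cmd.exe /S /D /c" dir C:\Temp"'),
    'other_parent': cmd_event(ECHO + '987.654.3.2"', parent=r'C:\Windows\explorer.exe'),
}


def matched_events(rule, events=EVENTS):
    """Names of the events a rule would silence, sorted for stable comparison."""
    return sorted(name for name, ev in events.items() if rule_matches(rule, ev))


if __name__ == '__main__':
    for label, rule in (('exact', RULE_EXACT), ('narrow', RULE_NARROW), ('broad', RULE_BROAD)):
        print(f'{label:7s} excludes: {matched_events(rule)}')
```

The exact rule covers only the old address, so it breaks on every lease change; the narrow rule keeps the whole command line fixed except for the address, so it matches both addresses but still leaves the unrelated `dir` command line and the launch from another parent subject to OSArmor's checks; the broad `*` rule silences every cmd.exe started by cmd.exe, which is the exposure the poster wanted to avoid.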
  8. RangerDanger

    RangerDanger Registered Member

    Joined:
    Apr 30, 2018
    Posts:
    91
    Location:
    Boston
    Will I need to disable OSArmor or SysHardener to update to the May Win 10 Update? I'm using default settings.
     
  9. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,172
    I also use OSArmor and SysHardener. It has never been necessary for me to disable these apps to get Windows updates.
     
  10. RangerDanger

    RangerDanger Registered Member

    Joined:
    Apr 30, 2018
    Posts:
    91
    Location:
    Boston
    Thanks I appreciate the feedback.
     
  11. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    613
    Location:
    USA
    Hey guys, my 13 year old PC is running Win7 SP1 and was always under-powered, even with its original OS, Vista. Been out of work since early Feb, so please don't advise me to buy a newer Win10 PC. At this time I just want to upgrade my PC's real-time malware detection with a free product that's light on system resources. From what I'm reading here it seems that OSA might be worth my consideration, but I need to know if OSA will likely cause discernible drain on my already overworked CPU?
     
    Last edited: Apr 19, 2020
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,890
    Location:
    Hawaii
    OSA runs very light as to both CPU & RAM.
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,893
    Location:
    Under a bushel ...
    I have OSA v1.4.3 running in Passive Logging default mode, because I like to with a number of security softs - especially on my 'test' laptop, and I have always been a fan of NVT software esp. OSA, and the old ERP v3 (never explored V4 too much, though I initially pushed for its 'improvements' over V3).

    I believe it works without problems on latest stable Win 10, but I do wish it felt more actively monitored and maintained, even though it may not technically 'need' it. I would happily pay for that.
    Andreas' free software is obviously just a hobby, when his considerable skills aren't being applied to paid projects.

    I have paid AppGuard SOLO on my 'prod' laptop, but would happily switch to OSA there too instead, as AppGuard (even at a special discount) is getting too expensive on my currency exchange rate.
     
    Last edited: Apr 19, 2020
  14. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,172
    +1:thumb:
     
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,890
    Location:
    Hawaii
    Agree 150%. I'm sure you know that you can keep OSA's protection current by adding your own rules. However, it does need updating by NVT so as to stay compatible with major changes to the Windows Operating System. No telling if or when NVT might do that.

    OSA is basically a stand-alone Behavior Blocker (BB). If someone wants a stand-alone BB but finds OSA is unstable on Win10, an option is to run McAfee Stinger. Stinger needs no installation. Just download & run.

    When you run Stinger, it will automatically load RealProtect (RP). RP is a stand-alone BB, described by McAfee's website as follows:
    RP will still remain on your system even if you delete Stinger. Ergo, RP must be separately deleted once it is no longer wanted. As I said, it isn't installed, so a simple deletion does the job.

    As for me, I'm staying with Win7 for now, so OSA & ERP V3 run splendidly for me.
     
    Last edited: Apr 19, 2020
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,623
    Location:
    Italy
    @bellgamin

    Hi,:)
    Unless you're using 0patch, have you applied mitigations for CVE-2020-0938 and CVE-2020-1020?
     
  17. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,890
    Location:
    Hawaii
    No, I have NOT done anything to deal with those vulnerabilities. In fact, I was totally unaware of those vulnerabilities PLUS I had never before heard of 0patch. Duhhh o_O

    I found 0patch's website HERE. That's a gold mine for obstinate users of Win7. It has a free version but, unfortunately, it does not cover Win7 unless I buy the Pro version for ~$25.95/agent/year.

    @Sampei Nihira -- do you think it's essential for Win 7 users to buy 0patch PRO? Also, please tell me: Can I use OSA to block those two vulnerabilities you mentioned?


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    At ALL OSA Users on Win7: At THIS web page for 0patch, I saw several Win7 vulnerabilities that are based upon use of Internet Explorer (IE). As you know, IE can be blocked on the Advanced settings page of OSA by putting a check in the appropriate box.

    (NOTE: I edited this post to correct errors pointed out by Dark Star in post 2897.)
     
    Last edited: Apr 20, 2020
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,786
    Location:
    Canada
    @bellgamin,

    you most likely have nothing to worry about, because the common sense and intelligence you possess will no doubt protect you from being victimized by either of these exploits:

    source: https://krebsonsecurity.com/tag/cve-2020-1020/

    So many exploits require tricking a user into opening a booby-trapped file, therefore further illustrating that so much of a sound security approach is what already exists between one's ears.
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,890
    Location:
    Hawaii
    @wat0114 -- I appreciate your comments very much.

    Hey -- that krebsonsecurity.com link is a teaching treasure!!! I have added it to my "visit often" list.

    Yes --- like the email I get at times from amazan.com (sic), plus those tempting get-rich offers from Nigeria, and those amazing impervious masks for Covid-19, and (golly!) all those offers about young Russian girls who are so eager to become my bride.

    All of which reminds us that a security-enhancing email client is an important layer in anyone's security. Namely, an email client should easily be configured so that:
    • Messages it receives are downloaded as preview only
    • Message bodies are downloaded by user action only, in plain text only
    • Message bodies are converted to HTML by user action only.
    • Plus one's email client should enable viewing the message source code by a single click.
    Because of my 12 websites, I receive several hundred emails daily. My email client meets the above criteria, and thereby forces me to *think* before doing something that is possibly stupid. It has saved my tush from careless clicking many times over the years.
     
    Last edited: Apr 19, 2020
  20. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,623
    Location:
    Italy
    No, in my opinion it is not essential to buy 0patch.
    Instead I find it useful to insert the mitigations recommended by Microsoft.
    I have applied 2 mitigations:


    https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006#ID0EMGAC

    Personally I also added some of my personal mitigations:

    https://msfn.org/board/topic/181352-microsoft-warns-of-hackers-abusing-windows-adobe-library-zero-days/

    P.S. You, with Win7, have more choices.:thumb::)
     
    Last edited: Apr 20, 2020
  21. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,686
    Location:
    Location Unknown
    Can OSA and 0patch be run simultaneously without any negative effects? What is the difference between micro-patches and the anti-exploit capabilities of OSA?
     
  22. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    769
    @bellgamin Sorry if I'm missing something but OSA already blocks IE from running with its built-in rules
    [attached screenshots: Capture#14.png, Capture#15.JPG]
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,623
    Location:
    Italy
    Micro-patches resolve exploitable vulnerabilities in OSes that no longer receive Microsoft patches.
    The exploit is unable to act because the target has received the fix.

    It must be said that OSA's Anti-Exploit function is basic.
    It analyzes parent processes and child processes, blocking exploit payloads.
    It acts only on the software and processes listed.

    It is not possible to make a further comparison, because it would be like comparing apples with oranges despite the fact that they are fruits.
     
  24. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,901
    Location:
    Hollow Earth - Telos
    Before I installed Edge I had it blocked in OSA but forgot about it until reading your post. It did not stop Edge from starting or doing anything.
     
  25. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,890
    Location:
    Hawaii
    Good catch! A few months back I uninstalled OSA for certain reasons, and then reinstalled it. I forgot that Advanced settings would revert to default so I assumed OSA had no built-in block rule for IE. I have edited my post #2892 accordingly.

    Thanks for pointing that out.
    ~~~~~~~~~~~~~~~~~~~~~

    Hmmm... When writing a custom rule, it must state the exact file location of the process to be blocked. Since OSA has not been adjusted for Edge's total revision to a Chromium-based browser, *perhaps* OSA's built-in Advanced rule points to an outdated location of the Edge file. OR -- maybe not (I have no idea as to how NVT structures its built-in rules. I can only assume they are structured the same as Custom Rules).

    Are you sure that you have checked the Edge box under OSA's Advanced rules? If you did check that box, then maybe you could try a Custom Rule & let us know if THAT works.
     
    Last edited: Apr 20, 2020