NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,361
    This makes perfect sense to me, but this would mean that this Simple Windows Hardening tool by Andy Ful is a real-time protection tool. I wasn't aware of that.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,529
    Location:
    Among the gum trees
    I haven't used that tool so can't comment. I know ConfigureDefender is just like SysHardener in that it runs. makes changes, then you close it, reboot and Configure Defender is no longer running. In fact CD is a portable program that doesn't install.
     
  3. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    749
    Location:
    The Netherlands
    Simple Windows Hardening and Hard_Configurator are no real time protection tools, they use the Windows Event Log.
    From the Simple Windows Hardening manual:
    https://github.com/AndyFul/Hard_Configurator/tree/master/Simple Windows Hardening
     
  4. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,361
    Thanks. That's what I thought. So if Simple Windows Hardening and Hard_Configurator can produce logs by using Windows event logs, why shouldn't this be possible for SysHardener as well?

    Later edit: I do realize that Windows tweaks (e.g. Show file extensions for known files etc.) cannot be logged, but maybe inbound and outbound connections and perhaps some other tweaks that are supposed to be blocked by SH could be logged.

    Anyway, a block list for SH is not a must-have feature; it's a nice-to-have option at best. All in all, SH is fine as it is and I have always used it alongside OSA. I do hope it will still be possible to couple OSA with SH when the new versions are released.

    Greetings to Italy from Buddel
     
    Last edited: Jul 19, 2020
  5. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,102
    Location:
    Italy
    Absolutely, SH + OSA is what we use here, they complement each other since SH has many system hardening rules (i.e disable SMB, unassociate file extensions, firewall hardening, etc) and OSA has powerful real-time protection to block processes executions that trigger OSA rules (plus you can write your own custom block rules).

    Just a small update on OSA progress: we're finishing a few more tests with the activation system and it should then be completed, I confirm that there will be a 30-days trial version. So just some more days and should make the official announcement of the new version with the full changelog.
     
  6. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,361
    Thanks for your reply, @novirusthanks Looking forward to the new version of OSA.
     
  7. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    682
    Location:
    sweden
    And what about SH, will there be some info about its future at the same time of the release of OSA?
     
  8. scip

    scip Registered Member

    Joined:
    Feb 13, 2020
    Posts:
    16
    Location:
    internet
    sounds good
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,277
    Location:
    Under a bushel ...
    +1. Will that also become, or part of, the subscription?

    I believe I will end up with (possibly SH) and OSA on one Win 10, and probably Andy Ful's Hard_Configurator, or discrete H_C Hardening_Tools (Simple Windows Hardening with ConfigureDefender, maybe FirewallHardener) on another. Maybe I'll end up going one way or the other, depending on my experiences ...
    I believe the approaches are slightly different?

    Andy Ful's tools are free and he is very responsive and helpful on MT.
     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,102
    Location:
    Italy
    @pb1 @paulderdash

    We haven't discussed that yet, all has to be decided about the other programs (SH included), for now we're only focused on OSA, but will share some more info soon.

    Yes, after we've completed the release of OSA I'll write info about SH and the other programs.

    Another small update for OSA:

    We've finished the license activation system, here is a screenshot of the activator GUI:

    screen1.png

    We've added some new options on OSA Configurator to restrict Windows functionalities (asked by a few system administrators):

    osa2.png

    Now we're working in adding the trial mode (the only thing remained).
     
  11. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,565
    Sounds good. Thanks for the update.
     
  12. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,843
    Location:
    KEEP USA GREAT
    thank yo for the info
     
  13. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,843
    Location:
    KEEP USA GREAT
    When running this awesome program do you need or recommend Tiny Firewall
    or is it overkill? thanks
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,102
    Location:
    Italy
    If you need you can use Tiny Firewall to monitor Inet connections, they should work together without issues.
     
  15. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,843
    Location:
    KEEP USA GREAT
    thank you so much
     
  16. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    669
    Location:
    Lunar module
    User reports test results
    Is that how it should be?
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,102
    Location:
    Italy
    @aldist

    OSArmor should not be tested by copying a malware sample in the desktop folder and then double-clicking it, OSA focuses on preventing a malware/ransomware infection by blocking the first stages of the infection, example: an user receives a maldoc invoice.doc that once opened, it drops the payload of Petya and runs it without the user noticing anything, here it comes OSA that blocks the payload from running in the system, thus preventing Petya infection.
     
  18. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    171
    Location:
    Wigan
    I wish I had a brain onehundredth as good as yours but would settle for knowing what you put in your coffee.
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,102
    Location:
    Italy
    Sugar (a lot!), but will switch to honey :p Anyway, was in a hurry when replied and meant to include some more details, will do now below: OSA was created to prevent a malware infection and especially to block delivery methods used to install the malware. Ransomware and other pests are generally delivered in the system via "third-party" methods, such as via maldocs, scripts, exploit payloads, fileless attacks, emotet links, etc. They are not directly executed in the system by the user (except in some cases, for example if the user downloads a fake flash player installer that then drops and installs a ransomware, or a keygen/crack of a software that is bundled with the ransomware). Even in that cases, OSA uses specific rules to try to block that behaviors, it also blocks common ways used to delete the shadow copies of files that can be used in a post-infection to restore the encrypted files (the block-alerts reported in the @aldist's post may be related to blocking of these behaviors). Looks like strange that with all Advanced rules enabled OSA didn't block that samples, especially with the option to block unsigned processes executions in user space, already PMed aldist for the samples so I can run some local tests and see what happened. Other users have contacted us with similar questions/reports, I will add a detailed Q&A in the Help.txt that discusses about this, basically it is recommended to test OSA in a real-world scenario than by running directly the malware.exe, because by doing that it would ignore the initial infection chains/stages required to deliver and install the ransomware.
     
  20. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,843
    Location:
    KEEP USA GREAT
    this is an awesome program and cant wait for 4.0 YAHOO
     
  21. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,128
    Location:
    Hollow Earth - Telos
    Block execution of MS Edge does not work for me.
     
  22. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,273
    Location:
    Hawaii
    Yes, same thing you said back here, in April. I suppose it's the same situation -- OSA blocks the legacy Edge, but not the Chrome-based Edge, as noted by DarkStar here, in response to your post. Reason, Edge went Chrome after OSA's latest update.

    NVT is now working on an OSA update. Hopefully he will note this situation & fix it. If not, just write a Custom Block Rule.
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,277
    Location:
    Under a bushel ...
    @novirusthanks Maybe you can share now: will subscriber version need a clean install, or be OK over the top?

    No doubt will take the place of AppGuard Solo on one of my machines.
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,102
    Location:
    Italy
    @Dragon1952

    The new OSA version will fix that.

    As a workaround you can use these two Custom Block rules:

    Code:
    [%PROCESS%: *\MicrosoftEdge*.exe]
    [%PROCESS%: *\Microsoft\*\Application\msedge.exe]
    
    Let me know if they work fine for you.

    @paulderdash

    Installing over the top should work fine.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,597
    Location:
    The Netherlands
    BTW, don't take this the wrong way, but I wonder if it makes sense for users to pay for a yearly fee when the software is developed by a small company. May I ask how many people are employed by NoVirusThanks? I mean what if something happens to the main developer, would this mean it's game over for tools like OSArmor? I was thinking about this subject because I will soon buy a new Windows 10 PC, and I'm trying to figure out what my new security setup will be. And I'm not sure if I want to pay yearly fees for apps that are not developed by big companies. I hope you can understand my concerns.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.