NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @novirusthanks (Andrea) -- Please consider adding the latest version number of OSArmor in your signature, as you have so kindly done for ERP.

    Hauoli Makahikiho to all.
     
  2. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,009
    Yesterday, submitted once again and Avira finally fixed it.
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Request: The enable / disable protection setting should persist across a reboot i.e. persist until changed, to cater for software that updates on reboot.
     
  4. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany

    Ah okay thank you very much for your infos

    With best Regards
    Mops21
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,810
    Location:
    .
    Andreas, developer is a boy not a girl, ok? :argh:
     
  6. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Andrea is a male name in Italy so bellgamin is right :ninja: (other examples of common Italian male names ending with the vowel "a" = Luca, Mattia, Elia,...)
     
  7. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,039
    Hi Everyone

    I want to ask a simple question.

    Can NoVirusThanks ERP be replaced by OS Armor?

    I am using NVTERP although I am not sure how it functions and I am tending towards software now that does not require much intervention, i.e. BitDefender Free is a good example.

    Thanks for your help.

    Terry
     
  8. guest

    guest Guest

    If you want no user intervention, then OS Armor is the perfect security layer.
    It is protecting you from specific "malicious actions/behaviours" but it is not a full replacement for an Anti-Executable. OS Armor can be used as an additional defense.
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,810
    Location:
    .
    Your, and repeat, your comment is right, according to this: https://en.wikipedia.org/wiki/Andrea#Usage

    But @bellgamin is not right. @novirusthanks is called Andreas, not Andrea.
     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test2):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test2.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release (test1):

    + Prevent regsvr32.exe from loading .sct files
    + Block execution of any process related to SecurityXploded (unchecked by default)
    + Change the tray icon when the protection is disabled
    + Show the protection status on the GUI
    + Added more than 80 internal rules

    This pre-release version can be installed over the top of the previous one.

    Please let me know if you find new FPs.

    @anon

    Thank you!

    @bellgamin

    Will do that :)

    @trott3r

    That's strange, try to disable one app at a time to see which one is causing the issue.

    @B-boy/StyLe/

    Added "Block execution of any process related to SecurityXploded", thanks for the suggestion.

    @paulderdash

    Installing over the top is fine too.

    @Sampei Nihira

    The reported issues on XP should all be fixed now, please confirm :)
     
  11. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Nice! Thanks Andreas
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I upgraded from version 1.4 (test 1) to 1.4 (test 2), and it did not remember the additional rules I ticked that were not ticked by default. This has been the case for all previous versions also. Should it remember previous rules the user ticked in the configurator that were not ticked by default?
     
    Last edited: Dec 30, 2017
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andreas

    Installed this latest build and the install went smoothly, no blockages. Now how do I test that it is doing anything??

    Pete
     
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    v1.4 (pre-release) (test2)
    Belarc.png
    Process: [5820]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Parent: [7228]C:\Program Files (x86)\Belarc\BelarcAdvisor\BelarcAdvisor.exe
    Rule: BlockPowerShellMalformedCommands
    Rule Name: Block execution of PowerShell malformed commands
    Command Line: powershell -NoLogo -NonInteractive -Command "&{$bDebug = ($args[0] -eq '-debug')
    Function TRACE($msg){ if ( $bDebug ) { Write-Output ('<!-- ' + $msg + ' -->') } }
    Function Q($x) { \"'$( $x -replace '''', '&apos;' )'\" }
    TRACE ('Debugging Session at ' + $(Get-Date))
    TRACE ('Computer Name: ' + $env:ComputerName)
    TRACE ('Host Info:' + $(get-host|out-string))
    Write-Output '<?xml version=\"1.0\" encoding=\"utf-8\"?>'
    Write-Output '<apps>'
    foreach ( $p in Get-AppxPackage -AllUsers )
    {
    Write-Output (' <app')
    Write-Output (' Name=' + (Q $p.Name))
    Write-Output (' Ver=' + (Q $p.Version))
    Write-Output (' Pub=' + (Q $p.Publisher))
    Write-Output (' Arch=' + (Q $p.Architecture))
    Write-Output (' Loc=' + (Q $p.InstallLocation))
    Write-Output (' Framework=' + (Q $p.IsFramework))
    $m = [xml](Get-Content ($p.InstallLocation + '\AppxManifest.xml'))
    if ( ! $m ) {
    $m = ($p | Get-AppxPackageManifest)
    }
    $mp = $m.Package
    $prop = $mp.Properties
    Write-Output (' P.Name=' + (Q $prop.DisplayName))
    Write-Output (' P.Pub=' + (Q $prop.PublisherDisplayName))
    Write-Output (' P.Desc=' + (Q $prop.Description))
    $users = $p.PackageUserInformation
    $apps = $mp.Applications.Application
    Write-Output (' U.Count=' + (Q ($users | Measure-Object).Count))
    Write-Output (' A.Count=' + (Q ($apps | Measure-Object).Count))
    Write-Output (' >')
    foreach ( $a in $apps ) {
    Write-Output (' <A Exe=' + (Q $a.Executable) + ' Start=' + (Q $a.StartPage) + ' />')
    }
    foreach ( $u in $users ) {
    $uId = $u.UserSecurityId
    Write-Output (' <U State=' + (Q $u.InstallState) + ' Sid=' + (Q $uId.Sid) + ' Name=' + (Q $uId.UserName) + ' />')
    }
    Write-Output (' </app>')
    Write-Output ('')
    }
    Write-Output '</apps>'

    }"
    Signer:
    Parent Signer: Belarc, Inc.
     
  15. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    228
    Location:
    UK
    This latest build is so quiet I've had to check that it's actually running. The only time I was conscious of it was when EAM flagged up a suspicious action when I was installing Osarmor.

    Good job Andreas
     
    Last edited: Dec 30, 2017
  16. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    OSArmor 1.3 has been running quietly on my Windows 7 computer. I just installed 1.4 (pre-release) (test 2) over 1.3 with no problem.
     
  17. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi

    Thank you very much for your infos

    Also, must I uninstall the old one, right, and cannot install the new one over the last version?

    With best Regards
    Mops21

    Answer from @novirusthanks

    It is fine also if you install the new version over the previous one.
     
  18. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi @novirusthanks

    Can you check this and fix it please

    With best Regards
    Mops21
     

    Attached Files:

  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test3):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test3.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Block execution of .js scripts
    + Block execution of .jse scripts
    + Block execution of .vbs scripts (unchecked by default)
    + Block execution of .vbe scripts
    + Block execution of .hta scripts
    + Block execution of .cmd scripts (unchecked by default)
    + Improved setup installer and uninstaller
    + Added button to reset protection options to the default values
    + Fixed all reported FPs

    This pre-release version can be installed over the top of the previous one.

    Please let me know if you find new FPs.

    @bjm_

    That FP should be fixed, please confirm it.

    @Peter2150

    To know if it is working just check the GUI, it should say "Protection Enabled":

    osarmo1.4.png

    @Cutting_Edgetech

    Yes, the previous installs were deleting the old settings and exclusions. Now we have updated the installer and uninstaller scripts, and this new pre-release test 3 should maintain both options and exclusions (.db files).

    @faircot @justenough @Overkill

    Great, thanks for the feedback =)

    @Mops21

    I'll sign the exes with the EV certificate next week.

    You may temporarily disable SmartScreen or reduce its restrictions.
     
    Last edited: Dec 30, 2017
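
The rules announced in the two pre-release changelogs above (regsvr32.exe loading .sct files, and script execution by extension with some entries unchecked by default) can be pictured as checks on a process-creation event. This is an added example, not NoVirusThanks code or part of any post: the matching logic, the script-host list and the sample events are assumptions constructed for illustration, and the field names follow the block report quoted earlier in the thread.

```python
from ntpath import basename, splitext
import re

# Rule names are quoted from the changelogs in this thread; the matching logic
# below is an assumption for illustration, not OSArmor's internal rules.
# Value = whether the changelog lists the rule as checked by default.
SCRIPT_RULES = {".js": True, ".jse": True, ".vbs": False,
                ".vbe": True, ".hta": True, ".cmd": False}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}  # assumed
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def arguments(command_line):
    """Lower-cased arguments after the program name, honouring double quotes."""
    parts = [quoted or bare for quoted, bare in TOKEN.findall(command_line)]
    return [p.lower().strip('"') for p in parts[1:]]

def evaluate(event, enabled=None):
    """Return the matching rule name for a process event, or None to allow."""
    if enabled is None:
        enabled = {ext for ext, default in SCRIPT_RULES.items() if default}
    image = basename(event["Process"]).lower()
    args = arguments(event["Command Line"])
    # A .sct path can be a bare argument or the value of a switch.
    if image == "regsvr32.exe" and any(a.endswith(".sct") for a in args):
        return "Prevent regsvr32.exe from loading .sct files"
    if image in SCRIPT_HOSTS:
        for arg in args:
            ext = splitext(arg)[1]
            if ext in enabled:
                return f"Block execution of {ext} scripts"
    return None

# Constructed sample events using the field names of the block report above.
SAMPLES = [
    {"Process": r"C:\Windows\System32\wscript.exe",
     "Command Line": r'wscript.exe "C:\Users\test\Downloads\invoice.js"'},
    {"Process": r"C:\Windows\System32\regsvr32.exe",
     "Command Line": r"regsvr32.exe C:\Temp\constructed.sct"},
    {"Process": r"C:\Windows\System32\wscript.exe",
     "Command Line": r"wscript.exe C:\Tools\inventory.vbs"},
    {"Process": r"C:\Windows\System32\notepad.exe",
     "Command Line": r"notepad.exe C:\Tools\inventory.vbs"},
]

def run_samples(enabled=None):
    return [evaluate(e, enabled) for e in SAMPLES]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLES, run_samples()):
        print(verdict or "allow", "<-", event["Command Line"])
```

Passing `enabled={".vbs"}` to `evaluate` models ticking an option that is unchecked by default; opening the same .vbs file in an editor stays allowed because only script hosts are checked.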
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andreas

    Some cool additions. Why not add Powershell scripts. *.ps?

    Pete
     
  21. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    344
    .exe (unchecked by default)
    .swf (unchecked by default)
    .pif (unchecked by default)
    .scr (unchecked by default)
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Adding .exe would essentially lock up your system. Why would you want to do that? Same with .scr. No screen savers would work.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I upgraded to 1.4 (test 3) from test 2, and I cannot access the Windows 10 X64 Start Menu. Maybe I'm experiencing some conflict, or maybe it is a bug with OSArmor. OSArmor does not report to be blocking anything. I also cannot access Cortana, and the Notification Area in the lower right corner of the screen. I have rebooted 3 times, and the Start Menu, Cortana, and the Notification area are still being blocked.

    Edit 12/30 @ 11:06 am
    OsArmor 1.4 test 3 also blocked AdGuard UI from running at startup. Maybe that's where the conflict is occurring that is causing major problems with my Windows 10 x64 installation. I tried disabling OsArmor, and that did not help with the problem. I uninstalled OsArmor, and now things are back to normal. I can access Windows Start Menu, Cortana, and Windows Notification area again.

    Edit 12/30 11:19
    I was receiving some notification of some plug and play device trying to install during shut down each time I rebooted. That went away after I uninstalled OsArmor. You should also know that I ticked all the new scripts you added to the configurator options. OsArmor did not report that it was blocking anything though.

    Edit 12/30 11:45
    I reinstalled 1.4 (test 3), and I no longer experience any of the problems I listed above. Maybe it was not a good idea to install test 3 over top of test 2. That's the only thing I can think of that I did differently.
     
    Last edited: Dec 30, 2017
  24. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,746
    Location:
    Germany
    Hi @novirusthanks

    Thank you very much for your Infos

    With best Regards
    Mops21
     
  25. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Yes, I'm confirming that OSA does not alert to my Belarc Advisor run (with or without ERP enabled).
    ERP enabled still alerts on powershell as usual. Belarc Advisor appears to run and report (at this time) with powershell.exe Allow or Block.
    So, maybe Belarc Advisor does not need powershell? Maybe, OSA "fixed FP" was just my setup?
    Belarc w ERP.png
    C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
    -----------------------------------------------------------
    [7564]C:\program files (x86)\belarc\belarcadvisor\belarcadvisor.exe
    -----------------------------------------------------------------
    powershell -NoLogo -NonInteractive -Command "&{$bDebug = ($args[0] -eq '-debug')
    Function TRACE($msg){ if ( $bDebug ) { Write-Output ('<!-- ' + $msg + ' -->') } }
    Function Q($x) { \"'$( $x -replace '''', '&apos;' )'\" }
    TRACE ('Debugging Session at ' + $(Get-Date))
    TRACE ('Computer Name: ' + $env:ComputerName)
    TRACE ('Host Info:' + $(get-host|out-string))
    Write-Output '<?xml version=\"1.0\" encoding=\"utf-8\"?>'
    Write-Output '<apps>'
    foreach ( $p in Get-AppxPackage -AllUsers )
    {
    Write-Output (' <app')
    Write-Output (' Name=' + (Q $p.Name))
    Write-Output (' Ver=' + (Q $p.Version))
    Write-Output (' Pub=' + (Q $p.Publisher))
    Write-Output (' Arch=' + (Q $p.Architecture))
    Write-Output (' Loc=' + (Q $p.InstallLocation))
    Write-Output (' Framework=' + (Q $p.IsFramework))
    $m = [xml](Get-Content ($p.InstallLocation + '\AppxManifest.xml'))
    if ( ! $m ) {
    $m = ($p | Get-AppxPackageManifest)
    }
    $mp = $m.Package
    $prop = $mp.Properties
    Write-Output (' P.Name=' + (Q $prop.DisplayName))
    Write-Output (' P.Pub=' + (Q $prop.PublisherDisplayName))
    Write-Output (' P.Desc=' + (Q $prop.Description))
    $users = $p.PackageUserInformation
    $apps = $mp.Applications.Application
    Write-Output (' U.Count=' + (Q ($users | Measure-Object).Count))
    Write-Output (' A.Count=' + (Q ($apps | Measure-Object).Count))
    Write-Output (' >')
    foreach ( $a in $apps ) {
    Write-Output (' <A Exe=' + (Q $a.Executable) + ' Start=' + (Q $a.StartPage) + ' />')
    }
    foreach ( $u in $users ) {
    $uId = $u.UserSecurityId
    Write-Output (' <U State=' + (Q $u.InstallState) + ' Sid=' + (Q $uId.Sid) + ' Name=' + (Q $uId.UserName) + ' />')
    }
    Write-Output (' </app>')
    Write-Output ('')
    }
    Write-Output '</apps>'

    }"
    Thanks
     
    Last edited: Dec 30, 2017