NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,843
    Location:
    KEEP USA GREAT
    Thank you for the update.
     
  2. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    401
    Location:
    Island of Woman
    So SpyShelter warned me that OS Armor is trying to modify and access sihost.

    Any idea why it might be?
     
  3. Murray

    Murray Registered Member

    Joined:
    Mar 27, 2002
    Posts:
    33
    A question. Anybody know what is going on? OS Armor has been suddenly blocking this since August 25. Seems it is related to the Opera browser. Is it a false positive, or is there something that I can do to stop it from happening?


    Date/Time: 9/9/2020 4:43:43 PM
    Process: [6756]C:\Users\MICHAE~1\AppData\Local\Temp\.opera\06697A894CDC\CUsersMichael XXXXXXAppDataLocalProgramsOperaassistant\ready\assistant_installer.exe
    Process MD5 Hash: D41D8CD98F00B204E9800998ECF8427E
    Parent: [5428]C:\Users\Michael XXXXXXX\AppData\Local\Programs\Opera\launcher.exe
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: "C:\Users\MICHAE~1\AppData\Local\Temp\.opera\06697A894CDC\CUsersMichael XXXXXXXAppDataLocalProgramsOperaassistant\installing\assistant_installer.exe" --install --autoupdate --installfolder="C:\Users\Michael XXXXXXX\AppData\Local\Programs\Opera\assistant" --silent --launchopera=0
    Signer:
    Parent Signer: Opera Software AS
    User/Domain: Michael XXXXXXX/MichaelXXXXXXXX
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium


    Date/Time: 9/9/2020 9:42:42 AM
    Process: [2896]C:\Users\MICHAE~1\AppData\Local\Temp\.opera\06697A894CDC\CUsersMichael XXXXXXXAppDataLocalProgramsOperaassistant\ready\assistant_installer.exe
    Process MD5 Hash: D41D8CD98F00B204E9800998ECF8427E
    Parent: [4544]C:\Users\Michael XXXXXXX\AppData\Local\Programs\Opera\launcher.exe
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: "C:\Users\MICHAE~1\AppData\Local\Temp\.opera\06697A894CDC\CUsersMichael XXXXXAppDataLocalProgramsOperaassistant\installing\assistant_installer.exe" --install --autoupdate --installfolder="C:\Users\Michael XXXXXXX\AppData\Local\Programs\Opera\assistant" --silent --launchopera=0
    Signer:
    Parent Signer: Opera Software AS
    User/Domain: Michael XXXXX/MichaelXXXXXXX
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
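    A small triage helper for the OSArmor block events quoted above, added here as an example and not part of the post or of OSArmor itself: it parses the Key: Value event format and flags what a defender would check first (empty Signer, launch from the user's Temp folder, an MD5 equal to the hash of empty input, and an image path that differs from the command-line path). The sample event is constructed from the first entry with the user name replaced by a placeholder.

```python
import hashlib
import re

# Constructed sample in the OSArmor event format quoted above (user name is a placeholder).
SAMPLE_LOG = r"""Date/Time: 9/9/2020 4:43:43 PM
Process: [6756]C:\Users\USER~1\AppData\Local\Temp\.opera\06697A894CDC\ready\assistant_installer.exe
Process MD5 Hash: D41D8CD98F00B204E9800998ECF8427E
Parent: [5428]C:\Users\User\AppData\Local\Programs\Opera\launcher.exe
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders
Command Line: "C:\Users\USER~1\AppData\Local\Temp\.opera\06697A894CDC\installing\assistant_installer.exe" --install --autoupdate --silent
Signer:
Parent Signer: Opera Software AS
User/Domain: User/HOST
Integrity Level: Medium
Parent Integrity Level: Medium
"""

EMPTY_INPUT_MD5 = hashlib.md5(b"").hexdigest()  # MD5 of zero bytes
PID_PATH_RE = re.compile(r"^\[(\d+)\](.*)$")   # matches "[6756]C:\path\file.exe"

def parse_log(text):
    """Split a log into blank-line separated events and parse each Key: Value line."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                ev[key.strip()] = value.strip()
        for field in ("Process", "Parent"):   # split "[pid]path" into pid and path
            m = PID_PATH_RE.match(ev.get(field, ""))
            if m:
                ev[field + " PID"] = int(m.group(1))
                ev[field] = m.group(2)
        events.append(ev)
    return events

def triage(ev):
    """Return the points a reviewer would raise for one blocked event."""
    findings = []
    if not ev.get("Signer"):
        findings.append("process image is unsigned")
    if "\\appdata\\local\\temp\\" in ev.get("Process", "").lower():
        findings.append("launched from the user's Temp folder")
    if ev.get("Process MD5 Hash", "").lower() == EMPTY_INPUT_MD5:
        findings.append("MD5 equals hash of empty input: file was likely empty or unreadable when hashed")
    cmd = ev.get("Command Line", "")
    cmd_path = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
    if cmd_path and cmd_path.lower() != ev.get("Process", "").lower():
        findings.append("image path differs from command-line path: file moved after launch")
    return findings
```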
     
  4. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,940
    Location:
    Poland - Cracow
  5. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,224
    Location:
    Hawaii
    Tick-tock. I hope the new version gets here soon.
     
  6. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,312
    I hope so, too. I'm still waiting for the release of OSA and SH.
     
  7. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    590
    Location:
    Brooklyn, NY
    Not to be a nudnik, well actually, yes, I am, but I ran out of juice.

    Could we have another update, please, of the status of OSArmor? A succession of teases is what we've gotten so far. Come on, NoVirusThanks. :thumb:
     
  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,224
    Location:
    Hawaii
    Yes, I'm getting impatient, too. I have used NVT security apps, both the stable versions and the betas, for a long time. I have never ever had one of them crash. I can see that Andreas is very VERY careful about the stability of everything he releases, even betas. That's good to know -- an unstable security app can really screw up major parts of one's computer.
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,087
    Location:
    Italy
    @Murray

    They are FPs; they will be fixed in the next version.

    Too bad that Opera assistant_installer.exe is not digitally signed.

    //Everyone

    We've been testing the new OSA version over the past days and all is working fine.

    We're finishing the new website for OSA, here is a small screenshot:

    osa-website.png

    It will be moved to its own website so we can dedicate more space and information to it.

    The new website is 95% completed (only a few text and video tutorials remain to be added).

    So just keep waiting a little longer =)

    *Sorry guys, just want to make sure all is ready and fine*
     
  10. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    248
    Location:
    Bulgaria
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,087
    Location:
    Italy
    They will be fixed too in the new version, thanks for reporting.
     
  12. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    401
    Location:
    Island of Woman
    Exactly, PowerShell Empire is a post-exploitation tool, it is not used to penetrate per se: it first needs to be one foot in the host with its stager, and the victim is already owned at that point. The stager downloads the necessary scripts and penetrates deeper to automate control over the victim (which is what it was created for: to automate proxy configuration, password dumps, keylogging and so on), that's why the campaign using PowerShell Empire was an email-delivery one.

    @novirusthanks
    I am not sure making it a yearly subscription is a good idea for everybody. I am sure you'll get subscriptions from Wilders and MalwareTips fans (apart from them an average Joe has no idea about LOLBins) and so on, but there are a lot of great options right now (HitmanPro.Alert, BlackFog). I am sceptical; it would be better if you did like RogueKiller did, with different plans and a lifetime subscription at the same time (for more money). You have Excubits products that do similar stuff to OSA. For me to at least consider buying it, it would need to alleviate a lot of false positives with Jupyter Notebook (app running from suspicious folder), AdGuard, legitimate Windows commands and behaviors (sc commands and so on...), or do you expect the average Joe to create 100 rules to make his favourite programmes work? Maybe the issue is in the design; for me it's much simpler to make rules with SpyShelter than with OSA. Why not automate some of that stuff: automatic wildcards and settings for program profiles. It is important since Windows is changing. Sorry, I want to be honest and it's just my opinion. I am sure your decisions are based on facts and good reasons, and I wish you the best.
     
    Last edited: Oct 1, 2020
  13. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    401
    Location:
    Island of Woman
    Also, according to Cybereason:
    "Writing in Go can be an advantage for malware authors,
    as it can be compiled on a system using only one repository but still be executable across other operating systems."
    Golang (Go) started to be deployed in 2016 by malware authors and is rising in popularity along with Python, but not as much as Python.
     
    Last edited: Oct 4, 2020
  14. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,312
    This is what you told us in June. We are in the middle of October now. What exactly does "soon" mean? This month? This year? In 2021? Later? Never?
     
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,224
    Location:
    Hawaii
    I estimate OSA's new version will be completed when it's completed. I do hope that Andreas is staying well -- both physically & economically -- amidst the world's on-going tumult. Italy has been hard hit, as have we all.
     
  16. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,312
    I see. When something goes wrong or not according to plan, you can always blame it on the Coronavirus. Seems to be quite fashionable these days. Don't get me wrong. I do feel sorry for the Italians because they have been particularly hard hit by the pandemic, but this virus is not an excuse for everything.
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,087
    Location:
    Italy
    Finally, OSArmor v1.5 and its new website have been released:
    https://www.osarmor.com/

    Here is a coupon code with 20% discount (valid for 50 orders): WILDERS20

    osa.png

    This is the final changelog:

    It took some more weeks than expected, but we are very happy with the results.

    You can download and test OSArmor for 30 days without limitations in functionality.

    On the new website we tried to include as much information as possible (more will be added soon).

    So guys, sorry for the very long delay, I hope you will like the new version!

    As always, feedback, criticism, and comments are welcome =)

    We do not officially support Windows XP anymore, however the product works fine on Windows XP SP3 and we have decided to make the product free for all XP users.

    It is preferable to first uninstall OSA 1.4.3 and then install OSA v1.5.
     
    Last edited: Oct 17, 2020
  18. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,312
    I will definitely give it a try. Thanks, Andreas. What about SysHardener? Will this app be updated as well? Is SH still needed if you use OSA?
     
    Last edited: Oct 11, 2020
  19. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,106
    Location:
    Hollow Earth - Telos
    Can this install over the top, or should I uninstall first?
     
  20. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,312
    I have just installed OSA v1.5.0. When I click "Help" and "License Status" nothing happens, no status is shown. Hm...

    PS: I have found the culprit. The license status was blocked by my anti-malware app. Sorry for the confusion.
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,087
    Location:
    Italy
    @Buddel

    Yes we plan on updating SysHardener (along with mostly all our apps).

    Personally I use both: SH mainly to unassociate file extensions (vbs, js, etc.), to apply the outbound firewall rules, and to apply other restrictions in the system. Then OSA for real-time protection and to block specific/custom process behaviors.

    What is your OS?

    Give it a few seconds to run, it should display a new window:

    osa-license.png

    Make sure NVTLicenseManager was installed correctly; it is located here:
    C:\Program Files (x86)\NoVirusThanks\NVT License Manager\NVTLicenseManager.exe

    Then "Help->License Status" will open the Activator GUI:
    C:\Program Files (x86)\NoVirusThanks\NVT License Manager\NVTActivator.exe

    * Both processes are digitally signed by NoVirusThanks Company Srl.
    * It requires the VC++ 2015 Redistributable, which is installed by the setup (if not already present).

    @Dragon1952

    It is preferable to first uninstall OSA 1.4.3 and then install OSA v1.5.
     
  22. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,312
    As mentioned in my previous post, license status now works as expected. It was blocked by my anti-malware app. Thanks for your help, Andreas. :thumb:
     
  23. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,087
    Location:
    Italy
    Great! Thanks for confirming :)
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,773
    Location:
    U.S.A. (South)
    Whoa! Well alright. All ready for showtime! :D
     
  25. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    590
    Location:
    Brooklyn, NY
    Great, thanks. It accepted an old RULES list from several years ago just fine. I see lots of new block rules in the Advanced Section. OK, will see how it goes. Thanks for the coupon also.
     