NoVirusThanks OSArmor: An Additional Layer of Defense

@hayc59

Do you have a firewall? Is possible that somehow the following processes can't establish outbound connections on TCP port 443 (HTTPS)?

C:\Program Files (x86)\NoVirusThanks\NVT License Manager\NVTActivator.exe
C:\Program Files (x86)\NoVirusThanks\NVT License Manager\NVTLicenseManager.exe
C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevSvc.exe

Another possible question: are you using a system/IE proxy?

@focus

Have sent you a PM

@aldist

Will share some results here in the next hours or tomorrow afternoon.

 

removed image

 

Firewall uninstalled...windows firewall off

 

I don't really know for sure if it was OSA. I also noticed around the same time that i got the C Kaspersky update.

 

I dont get this Andreas?? so strange

 

Date/Time: 10/13/2020 8:52:52 PM
Process: [12304]C:\Windows\System32\cmd.exe
Process MD5 Hash: ADF77CD50DC93394A09E82250FEB23C9
Parent: [16932]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Rule: AntiExploitMSEdge
Rule Name: (Anti-Exploit) Protect Microsoft Edge
Command Line: C:\Windows\system32\cmd.exe /d /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud 21.1\plugins_nms.exe" chrome-extension://ahkjpbeeocnddjkakilopmfdlnjdpcdm/ --parent-window=0 < \\.\pipe\LOCAL\chrome.nativeMessaging.in.f1f7be470d22b612 > \\.\pipe\LOCAL\chrome.nativeMessaging.out.f1f7be470d22b612
Signer: <NULL>
Parent Signer: Microsoft Corporation
User/Domain:
System File: True
Parent System File: False
Integrity Level: Medium
Parent Integrity Level: Medium

 

Date/Time: 10/1/2020 3:36:42 PM
Process: [12608]C:\Windows\System32\mmc.exe
Process MD5 Hash: C51BACB9B93CA44254BE462516C6BEE0
Parent: [11692]C:\Windows\System32\Netplwiz.exe
Rule: BlockMscScriptsOutsideSystemFolder
Rule Name: Block execution of .msc scripts outside System folder
Command Line: mmc.exe C:\Windows\system32\lusrmgr.msc computername=localmachine
Signer:
Parent Signer:
User/Domain:
System File: True
Parent System File: True
Integrity Level: High
Parent Integrity Level: High

 

We've just added %MSISIGNER% and %MSIFILE% variables in custom block and exclusion rules.

Here is a preview blocking a unsigned MSI installer:



And here is a preview blocking a MSI installed signer by a company (in the test Corel Corporation):



Useful to control installation of MSI installers.

@Dragon1952

I made some tests but could not reproduce your issue, thanks for the additional information.

About your two FPs:

#3656 "Rule Name: (Anti-Exploit) Protect Microsoft Edge" will be fixed in next version.

#3057 "Rule Name: Block execution of .msc scripts outside System folder" it has already been fixed in v1.5, did you got that alert with latest version v1.5? I see Signer: is empty, new v1.5 version should show <NULL>

 

How does one un block port 443? Windows 10
no anti virus or malware program installed
thanks

 

I get the feeling an update is coming. So, how would this be updated and how would we users be notified?

Are we going to have to install new builds in order to be updated?

 

I ticked the checkbox "Automatically download and install product updates" in v1.5.0.0, so I guess that the next update (probably v.1.5.1.0) will be a fully automatic process. If you still use an older version of OSA, this automatic update process will probably not work.

 

Tutorial for blocking ports specific ports, which should also work for allowing/unblocking certain ports in Windows 10: https://thegeekpage.com/how-to-block-ports-in-windows-10-firewall/

Check your firewall settings first.

 

Could you please add these new rules to your list of Custom Block Rules and Exclusion Rules? Thank you.

 

OK, thank you, I was looking around in the main window instead of in the Configurator where the Update tab was located. OK, so it can be automatic, that's good.

 

@hayc59

Sent you an email.

@Buddel

The new variables will be available with the new OSA v1.5.1 version, after it will be released they'll be added in the two web pages.

@plat1098

When the new version v1.5.1 will be released, if you enable the option in Configurator->Update->"Automatically download and install product updates" you will get the new version automatically.

Else you can manually install it "over-the-top".

 

Good to know. Thank you, Andreas.

 

Yes i have the latest V1.5... But you are correct. The date on this log as you can see is 2 weeks ago when i had V1.4. I copied that 10/1/20 log over here with the log from 1.5 in case you wanted to see it.

 

@novirusthanks

just an unbiased observation: the custom rules creation option is clearly far too complex for the average user. I would even go so far as to say it's too unwieldy and cumbersome for many so called "advanced" users to create specific rules to address common attack vectors used by common malware and ransomeware. The way I see it, it takes too much time and effort to create these type rules. Otherwise, in its default settings, it's an effective and robust program to combat common threats in the wild.

 

I have no idea if the custom rules has changed. If it has, I would like to say that in the old one you didn't need to fill out every blank.

 

I totally agree.

 

I'm thinking it might be a lot easier if there was a blank field for both the Parent process and the Child process, with a drop-down box in each where the user could navigate to and select each of the processes, with the additional ability to use wildcards for paths such as for example:

Code:

C:\Users\username\AppData\Local\Temp\*.exe or C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\extensions\*.xpi

A checkbox to the left of each rule could have an option to select either "Block" or "Allow". Something along these lines anyway. Usine "[ ]", "%" and ":" becomes tedious imho.

 

Hello, I'm not sure if I'm posting correctly here.
Following problem, for which I am asking for advice:

Among others the start of Skype (initiated by Win 7-task planner) is blocked by OsAmor. In the logfile this rule is given as cause: "BlockProcessesOnSuspiciousFolders". What should I do so that Skype can start as planned without unchecking the rule in OsAmor? Probably a code would have to be entered in the file "Exclusions.db" (I guess), but what would it look like? I am quite a layman.

A similar problem would occur with a *.bat, which (converted to a *.exe) triggers the start and termination of GoogleDrive - the execution of the bat is prevented by the rule "Block execution of suspicious processes". But maybe one after the other.

Thank you very much for any support!

 

Good luck with this!

How about Syshardener, will it continue to be free or?
Many have asked but no DEFINITIVE answer yet.

 

I may be missing something, but can one somehow save or export exclusions (i.e. not Main Protections, Anti-Exploit or Advanced settings), to load or import into another instance of OSA?

 

@wat0114

Thanks for your feedback, always appreciated!

We may simplificate the rules creation in future versions via dedicated GUI, however I think once a user understands rules syntax, it would become easier.

We use vars like this [%VAR: matching field] because this way we can better separate each rule and no need to make them in order.

Plan is to also make a detailed tutorial and videos about custom rules.

@Grille

Can you share the log of the blocked events? Log files are saved in this folder:

C:\Program Files\NoVirusThanks\OSArmorDevSvc\Logs\

To open the logs foler, right-click on OSArmor system tray icon and select "Open logs Folder".

@pb1

We're going to make an update/announcement about SysHardener soon (OSA took priority).

@paulderdash

Yes, open the Configurator GUI and at the bottom you have "Save to file" (to export rules and settings) and "Load from file" (to import rules and settings from file).

In future versions we'll improve these functionalities by seprating rules from settings.