NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    @hayc59

    Do you have a firewall? Is possible that somehow the following processes can't establish outbound connections on TCP port 443 (HTTPS)?

    C:\Program Files (x86)\NoVirusThanks\NVT License Manager\NVTActivator.exe
    C:\Program Files (x86)\NoVirusThanks\NVT License Manager\NVTLicenseManager.exe
    C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevSvc.exe

    Another possible question: are you using a system/IE proxy?

    @focus

    Have sent you a PM

    @aldist

    Will share some results here in the next hours or tomorrow afternoon.
     
  2. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    removed image
     
    Last edited: Oct 13, 2020
  3. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    Firewall uninstalled...windows firewall off
     
  4. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,468
    Location:
    Hollow Earth - Telos
    I don't really know for sure if it was OSA. I also noticed around the same time that i got the C Kaspersky update.
     
  5. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    I dont get this Andreas?? so strange
     
  6. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,468
    Location:
    Hollow Earth - Telos
    Date/Time: 10/13/2020 8:52:52 PM
    Process: [12304]C:\Windows\System32\cmd.exe
    Process MD5 Hash: ADF77CD50DC93394A09E82250FEB23C9
    Parent: [16932]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Rule: AntiExploitMSEdge
    Rule Name: (Anti-Exploit) Protect Microsoft Edge
    Command Line: C:\Windows\system32\cmd.exe /d /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Cloud 21.1\plugins_nms.exe" chrome-extension://ahkjpbeeocnddjkakilopmfdlnjdpcdm/ --parent-window=0 < \\.\pipe\LOCAL\chrome.nativeMessaging.in.f1f7be470d22b612 > \\.\pipe\LOCAL\chrome.nativeMessaging.out.f1f7be470d22b612
    Signer: <NULL>
    Parent Signer: Microsoft Corporation
    User/Domain:
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  7. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,468
    Location:
    Hollow Earth - Telos
    Date/Time: 10/1/2020 3:36:42 PM
    Process: [12608]C:\Windows\System32\mmc.exe
    Process MD5 Hash: C51BACB9B93CA44254BE462516C6BEE0
    Parent: [11692]C:\Windows\System32\Netplwiz.exe
    Rule: BlockMscScriptsOutsideSystemFolder
    Rule Name: Block execution of .msc scripts outside System folder
    Command Line: mmc.exe C:\Windows\system32\lusrmgr.msc computername=localmachine
    Signer:
    Parent Signer:
    User/Domain:
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    We've just added %MSISIGNER% and %MSIFILE% variables in custom block and exclusion rules.

    Here is a preview blocking a unsigned MSI installer:

    example1.png

    And here is a preview blocking a MSI installed signer by a company (in the test Corel Corporation):

    example2.png

    Useful to control installation of MSI installers.

    @Dragon1952

    I made some tests but could not reproduce your issue, thanks for the additional information.

    About your two FPs:

    #3656 "Rule Name: (Anti-Exploit) Protect Microsoft Edge" will be fixed in next version.

    #3057 "Rule Name: Block execution of .msc scripts outside System folder" it has already been fixed in v1.5, did you got that alert with latest version v1.5? I see Signer: is empty, new v1.5 version should show <NULL>
     
  9. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    How does one un block port 443? Windows 10
    no anti virus or malware program installed
    thanks
     
  10. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    I get the feeling an update is coming. So, how would this be updated and how would we users be notified?

    Are we going to have to install new builds in order to be updated? :doubt:
     
  11. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,917
    I ticked the checkbox "Automatically download and install product updates" in v1.5.0.0, so I guess that the next update (probably v.1.5.1.0) will be a fully automatic process. If you still use an older version of OSA, this automatic update process will probably not work.
     
  12. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,917
  13. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,917
    Could you please add these new rules to your list of Custom Block Rules and Exclusion Rules? Thank you.
     
  14. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    OK, thank you, I was looking around in the main window instead of in the Configurator where the Update tab was located. OK, so it can be automatic, that's good.
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    @hayc59

    Sent you an email.

    @Buddel

    The new variables will be available with the new OSA v1.5.1 version, after it will be released they'll be added in the two web pages.

    @plat1098

    When the new version v1.5.1 will be released, if you enable the option in Configurator->Update->"Automatically download and install product updates" you will get the new version automatically.

    Else you can manually install it "over-the-top".
     
  16. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,917
    Good to know. Thank you, Andreas.:thumb:
     
  17. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,468
    Location:
    Hollow Earth - Telos
    Yes i have the latest V1.5... But you are correct. The date on this log as you can see is 2 weeks ago when i had V1.4. I copied that 10/1/20 log over here with the log from 1.5 in case you wanted to see it.
     
    Last edited: Oct 14, 2020
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    @novirusthanks

    just an unbiased observation: the custom rules creation option is clearly far too complex for the average user. I would even go so far as to say it's too unwieldy and cumbersome for many so called "advanced" users to create specific rules to address common attack vectors used by common malware and ransomeware. The way I see it, it takes too much time and effort to create these type rules. Otherwise, in its default settings, it's an effective and robust program to combat common threats in the wild.
     
  19. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    I have no idea if the custom rules has changed. If it has, I would like to say that in the old one you didn't need to fill out every blank.
     
  20. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,099
    Location:
    Hawaii
    I totally agree.
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    I'm thinking it might be a lot easier if there was a blank field for both the Parent process and the Child process, with a drop-down box in each where the user could navigate to and select each of the processes, with the additional ability to use wildcards for paths such as for example:
    Code:
    C:\Users\username\AppData\Local\Temp\*.exe or C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\extensions\*.xpi
    A checkbox to the left of each rule could have an option to select either "Block" or "Allow". Something along these lines anyway. Usine "[ ]", "%" and ":" becomes tedious imho.
     
    Last edited: Oct 15, 2020
  22. Grille

    Grille Registered Member

    Joined:
    Oct 16, 2020
    Posts:
    5
    Location:
    Hamburg
    Hello, I'm not sure if I'm posting correctly here.
    Following problem, for which I am asking for advice:

    Among others the start of Skype (initiated by Win 7-task planner) is blocked by OsAmor. In the logfile this rule is given as cause: "BlockProcessesOnSuspiciousFolders". What should I do so that Skype can start as planned without unchecking the rule in OsAmor? Probably a code would have to be entered in the file "Exclusions.db" (I guess), but what would it look like? I am quite a layman.

    A similar problem would occur with a *.bat, which (converted to a *.exe) triggers the start and termination of GoogleDrive - the execution of the bat is prevented by the rule "Block execution of suspicious processes". But maybe one after the other.

    Thank you very much for any support!
     
  23. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    1,266
    Location:
    sweden

    Good luck with this!

    How about Syshardener, will it continue to be free or?
    Many have asked but no DEFINITIVE answer yet.
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,638
    Location:
    Under a bushel ...
    I may be missing something, but can one somehow save or export exclusions (i.e. not Main Protections, Anti-Exploit or Advanced settings), to load or import into another instance of OSA?
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    @wat0114

    Thanks for your feedback, always appreciated!

    We may simplificate the rules creation in future versions via dedicated GUI, however I think once a user understands rules syntax, it would become easier.

    We use vars like this [%VAR: matching field] because this way we can better separate each rule and no need to make them in order.

    Plan is to also make a detailed tutorial and videos about custom rules.

    @Grille

    Can you share the log of the blocked events? Log files are saved in this folder:

    C:\Program Files\NoVirusThanks\OSArmorDevSvc\Logs\

    To open the logs foler, right-click on OSArmor system tray icon and select "Open logs Folder".

    @pb1

    We're going to make an update/announcement about SysHardener soon (OSA took priority).

    @paulderdash

    Yes, open the Configurator GUI and at the bottom you have "Save to file" (to export rules and settings) and "Load from file" (to import rules and settings from file).

    In future versions we'll improve these functionalities by seprating rules from settings.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.