NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,917
    Looking forward to the update/announcement.:)
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Same here. Not going to bother with OSA on my 8.1 since the previous free version is fine, but changes are coming to this camp at the 2021 turning point. Going to be investing in new computers and (tongue in cheek) Windows 10 will be the system of choice (for obvious reasons).

    So this user is eagerly looking forward to subscribing to OSA and others once the new computers are online, up and running then.

    All the best to everyone that we get the absolute tops in what NoVirusThanks fashions & improves.
    It's been top notch all along from my viewpoint for 8.1.
     
  3. guest

    guest Guest

    For users of Windows XP:
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Thank you, and I do appreciate you providing and developing a first-rate product like this, as they are a dying breed.
     
  5. Grille

    Grille Registered Member

    Joined:
    Oct 16, 2020
    Posts:
    5
    Location:
    Hamburg
    Hi, and thanks for your answer!

    OK, I found it. Here is the log with the blocked programs that I want to run:

    Code:
    Date/Time: 16.10.2020 20:50:37
    Process: [6560]C:\Windows\System32\mspaint.exe
    Process MD5 Hash: E97295DE2A9FDE547FEAB4FE41DF16CA
    Parent: [1208]C:\Windows\explorer.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: "C:\Windows\system32\mspaint.exe" "C:\Users\Wolfs\Desktop\Die größte kulturelle Leistungeistung - English.jpg"
    Signer:
    Parent Signer:
    User/Domain: Wolfs/WOLF-PC
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    
    
    Date/Time: 16.10.2020 14:38:02
    Process: [4276]D:\DVD\1-Essenz\SCRIPT\Ablage\Batch für Prozessbeendigung\Kill AcroTray, pdfSave, googleCrash.exe
    Process MD5 Hash: 8AF17F67830F49F55ED88DF99B675EF0
    Parent: [3668]C:\Windows\System32\taskeng.exe
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: "D:\DVD\1-Essenz\SCRIPT\Ablage\Batch für Prozessbeendigung\Kill AcroTray, pdfSave, googleCrash.exe"
    Signer:
    Parent Signer:
    User/Domain: Wolfs/WOLF-PC
    System File: False
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    
    
    Date/Time: 16.10.2020 10:59:55
    Process: [4172]C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
    Process MD5 Hash: 618AA659876F8C34A971BBC3F75CCA88
    Parent: [1696]C:\Windows\System32\taskeng.exe
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe"
    Signer: Skype Software Sarl
    Parent Signer:
    User/Domain: Wolfs/WOLF-PC
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    
    
    Date/Time: 16.10.2020 00:31:25
    Process: [4176]C:\Windows\System32\net.exe
    Process MD5 Hash: B9A4DAC2192FD78CDA097BFA79F6E7B2
    Parent: [3532]C:\Windows\System32\cmd.exe
    Rule: BlockNetNet1Execution
    Rule Name: Block execution of net\net1.exe
    Command Line: net  stop DbxSvc
    Signer:
    Parent Signer:
    User/Domain: Wolfs/WOLF-PC
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    
    
    Date/Time: 16.10.2020 00:22:33
    Process: [7292]C:\Windows\System32\net.exe
    Process MD5 Hash: B9A4DAC2192FD78CDA097BFA79F6E7B2
    Parent: [2184]C:\Windows\System32\cmd.exe
    Rule: BlockNetNet1Execution
    Rule Name: Block execution of net\net1.exe
    Command Line: net  stop DbxSvc
    Signer:
    Parent Signer:
    User/Domain: Wolfs/WOLF-PC
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    
    
    Date/Time: 16.10.2020 00:02:00
    Process: [2200]D:\DVD\1-Essenz\SCRIPT\Ablage\Batch für Prozessbeendigung\stop-start GoogleDrive.exe
    Process MD5 Hash: C4EE095243888A9FF3FEF5E8527FDB88
    Parent: [1096]C:\Windows\System32\taskeng.exe
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: "D:\DVD\1-Essenz\SCRIPT\Ablage\Batch für Prozessbeendigung\stop-start GoogleDrive.exe"
    Signer:
    Parent Signer:
    User/Domain: Wolfs/WOLF-PC
    System File: False
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
     
  6. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,917
    OSA doesn't seem to like the Kaspersky plugin:

    Date/Time: 17.10.2020 03:29:14
    Process: [8952]C:\Windows\System32\cmd.exe
    Process MD5 Hash: 321A50053155122E6ACE9691197A8E3F
    Parent: [4060]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Rule: AntiExploitMSEdge
    Rule Name: (Anti-Exploit) Protect Microsoft Edge
    Command Line: C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 21.1\plugins_nms.exe" chrome-extension://ahkjpbeeocnddjkakilopmfdlnjdpcdm/ --parent-window=0 < \\.\pipe\LOCAL\chrome.nativeMessaging.in.4d9edcf990b19786 > \\.\pipe\LOCAL\chrome.nativeMessaging.out.4d9edcf990b19786
    Signer: <NULL>
    Parent Signer: Microsoft Corporation
    User/Domain: User/USER-PC
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium

    I added this false positive to the Exclusions.db, but OSA keeps popping up.

    The exclusions look like this:

    [%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 21.1\plugins_nms.exe" chrome-extension://ahkjpbeeocnddjkakilopmfdlnjdpcdm/ --parent-window=0 < \\.\pipe\LOCAL\chrome.nativeMessaging.in.b03019f80cde59e0 > \\.\pipe\LOCAL\chrome.nativeMessaging.out.b03019f80cde59e0] [%FILESIGNER%: <NULL>] [%PARENTPROCESS%: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] [%PARENTSIGNER%: Microsoft Corporation]

    [%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 21.1\plugins_nms.exe" chrome-extension://ahkjpbeeocnddjkakilopmfdlnjdpcdm/ --parent-window=0 < \\.\pipe\LOCAL\chrome.nativeMessaging.in.e181b4339fd075c0 > \\.\pipe\LOCAL\chrome.nativeMessaging.out.e181b4339fd075c0] [%FILESIGNER%: <NULL>] [%PARENTPROCESS%: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] [%PARENTSIGNER%: Microsoft Corporation]

    [%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 21.1\plugins_nms.exe" chrome-extension://ahkjpbeeocnddjkakilopmfdlnjdpcdm/ --parent-window=0 < \\.\pipe\LOCAL\chrome.nativeMessaging.in.763d4b177735a5ea > \\.\pipe\LOCAL\chrome.nativeMessaging.out.763d4b177735a5ea] [%FILESIGNER%: <NULL>] [%PARENTPROCESS%: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] [%PARENTSIGNER%: Microsoft Corporation]

    PS: I do not have any problems with the Kaspersky plugin when I use Firefox, which is my main browser. However, as soon as I open MS Edge, I get this message from OSA. Hope this can be fixed.
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,638
    Location:
    Under a bushel ...
    OK thanks, wasn't sure if that was per tab, or everything.
    But especially after loading in other OSA instance, my exclusions weren't there? But probably I did something wrong.
     
  8. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,468
    Location:
    Hollow Earth - Telos
    I posted the same problem with Edge a few days ago. He said it will be fixed in the next version.
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    @Buddel @Dragon1952

    The command-line string has characters that change at every execution; here is a better exclusion rule that uses wildcards:

    Code:
    [%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security*\plugins_nms.exe" chrome-extension://*/ --parent-window=0 < \\.\pipe\LOCAL\chrome.nativeMessaging.in.???????????????? > \\.\pipe\LOCAL\chrome.nativeMessaging.out.????????????????] [%FILESIGNER%: <NULL>] [%PARENTPROCESS%: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] [%PARENTSIGNER%: Microsoft Corporation]
    
    Let me know if that works fine.

    @Grille

    Are you using OSArmor v1.4 or latest v1.5?

    I see the Signer: is empty (no string) while on OSArmor v1.5 it should be Signer: <NULL>

    Some exclusion rules that can work for your case are:

    Code:
    ; Allow all processes located in D:\DVD\1-Essenz\SCRIPT\ and sub-folders
    [%PROCESS%: D:\DVD\1-Essenz\SCRIPT\*]
    
    ; Allow execution of Skype for Desktop
    [%PROCESS%: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe] [%SIGNER%: Skype Software Sarl]
    
    ; Allow stopping of service DbxSvc via net.exe
    [%PROCESS%: C:\Windows\System32\net.exe] [%PROCESSCMDLINE%: net  stop DbxSvc] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe]
    
    To add these rules, right-click on OSArmor system tray icon and click on "Manage Exclusions", then click on "Open Exclusions", and add these rules there.

    Let me know if they work fine.

    @EASTER

    Great, thanks for the feedback!

    @mood

    Forgot to add that information in the main post, added it now. Thanks for posting.
     
  10. Grille

    Grille Registered Member

    Joined:
    Oct 16, 2020
    Posts:
    5
    Location:
    Hamburg
    Hi Novirusthanks, great that you try to help me!

    So, the version of OSArmorDevUI.exe is 1.4.3.0.
    For the code you gave me, first a question: why allow ALL processes located in D:\DVD\1-Essenz\SCRIPT\ and sub-folders?
    Code:
    [%PROCESS%: D:\DVD\1-Essenz\SCRIPT\*]
    Shouldn't it be enough to allow opening *.jpg pictures? Apart from that, the code worked.

    The other code you gave me unfortunately does not work; here are the messages from the log:

    Code:
    Date/Time: 17.10.2020 11:45:27
    Process: [2384]C:\Windows\System32\net.exe
    Process MD5 Hash: B9A4DAC2192FD78CDA097BFA79F6E7B2
    Parent: [2000]C:\Windows\System32\cmd.exe
    Rule: BlockNetNet1Execution
    Rule Name: Block execution of net\net1.exe
    Command Line: net  stop DbxSvc
    Signer:
    Parent Signer:
    User/Domain: Wolfs/WOLF-PC
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    
    Date/Time: 17.10.2020 11:45:12
    Process: [1232]C:\Windows\System32\net.exe
    Process MD5 Hash: B9A4DAC2192FD78CDA097BFA79F6E7B2
    Parent: [2000]C:\Windows\System32\cmd.exe
    Rule: BlockNetNet1Execution
    Rule Name: Block execution of net\net1.exe
    Command Line: net  start DbxSvc
    Signer:
    Parent Signer:
    User/Domain: Wolfs/WOLF-PC
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    
    Date/Time: 17.10.2020 11:35:48
    Process: [5776]C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
    Process MD5 Hash: 618AA659876F8C34A971BBC3F75CCA88
    Parent: [3360]C:\Windows\System32\taskeng.exe
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe"
    Signer: Skype Software Sarl
    Parent Signer:
    User/Domain: Wolfs/WOLF-PC
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    What do I have to change?
     
    Last edited: Oct 17, 2020
  11. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,917
    It does work fine.:thumb: Thank you very much.
     
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    @Grille

    Thanks for the information.

    Because you have .exe files that are blocked by OSA in this folder:

    D:\DVD\1-Essenz\SCRIPT\Ablage\Batch für Prozessbeendigung\

    Allowing mspaint.exe to open specific .jpg images requires another exclusion rule.

    Here you can find the updated exclusion rules (use the following new ones):

    Code:
    ; Allow execution of batch scripts converted to .exe located on a safe/known folder
    [%PROCESS%: D:\DVD\1-Essenz\SCRIPT\Ablage\Batch für Prozessbeendigung\*.exe]
    
    ; Alternatively you can allow only specific .exe files on that folder, example:
    [%PROCESS%: D:\DVD\1-Essenz\SCRIPT\Ablage\Batch für Prozessbeendigung\Kill AcroTray, pdfSave, googleCrash.exe]
    
    ; Allow mspaint.exe to open .jpg images located in C:\ folder and sub-folders
    [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESS%: C:\Windows\System32\mspaint.exe] [%PROCESSCMDLINE%: *\mspaint.exe" "C:\*.jpg"]
    
    ; Allow execution of Skype for Desktop checking also its signature
    [%PROCESS%: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe] [%FILESIGNER%: Skype Software Sarl]
    
    ; Allow start/stop of Dropbox service via net.exe
    [%PROCESS%: C:\Windows\System32\net.exe] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: net  start DbxSvc]
    [%PROCESS%: C:\Windows\System32\net.exe] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: net  stop DbxSvc]
    
    Let me know if these new rules work fine.
     
    Last edited: Oct 17, 2020
  13. Grille

    Grille Registered Member

    Joined:
    Oct 16, 2020
    Posts:
    5
    Location:
    Hamburg
    Good morning, Novirusthanks.

    Skype and pictures work fine now, but DbxSvc still does not.
    In the log* I read something about net1; is it not wrong that your code uses only net?

    The code I wrote yesterday works for "Allow starting of service AcrSch2Svc via net.exe",
    but not in the same pattern as for DbxSvc. **

    * Log:
    Code:
    Date/Time: 18.10.2020 10:13:09
    Process: [5564]C:\Windows\System32\net1.exe
    Process MD5 Hash: 2041012726EF7C95ED51C15C56545A7F
    Parent: [5960]C:\Windows\System32\net.exe
    Rule: BlockNetNet1Execution
    Rule Name: Block execution of net\net1.exe
    Command Line: C:\Windows\system32\net1 stop DbxSvc
    Signer:
    Parent Signer:
    User/Domain: Wolfs/WOLF-PC
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High

    ** Rules:
    Code:
    ; Allow starting of service AcrSch2Svc via net.exe
    [%PROCESS%: C:\Windows\System32\net.exe] [%PROCESSCMDLINE%: net start AcrSch2Svc] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe]

    ; Allow stopping of service AcrSch2Svc via net.exe
    [%PROCESS%: C:\Windows\System32\net.exe] [%PROCESSCMDLINE%: net stop AcrSch2Svc] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe]
     
    Last edited: Oct 18, 2020
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    @Grille

    Use following rules for your net.exe/net1.exe blocks:

    Code:
    [%PROCESS%: C:\Windows\System32\net.exe] [%PROCESSCMDLINE%: * start AcrSch2Svc] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe]
    [%PROCESS%: C:\Windows\System32\net.exe] [%PROCESSCMDLINE%: * stop AcrSch2Svc] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe]
    [%PROCESS%: C:\Windows\System32\net1.exe] [%PROCESSCMDLINE%: * start DbxSvc] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe]
    [%PROCESS%: C:\Windows\System32\net1.exe] [%PROCESSCMDLINE%: * stop DbxSvc] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe]
    
    Sometimes in the command-line string of net.exe/net1.exe is added an extra space, i.e:

    Code:
    net  start DbxSvc
    net start DbxSvc
    
    The above rules should fix that behavior by using wildcard character *, let me know if they work fine.
     
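    As an added example (not OSArmor's code, and not posted by anyone in this thread), a small Python evaluator for the exclusion-rule syntax used in the posts above: it parses the `[%KEY%: pattern]` fields, applies `*`/`?` wildcard matching, and reports which field stops a rule from matching a logged event. It covers both the Edge/Kaspersky rule from the earlier reply and the net.exe/net1.exe rules in this one; the whole-field, case-insensitive matching semantics and the %SIGNER%/%FILESIGNER% equivalence are assumptions, not documented OSArmor behaviour.

```python
import re

# Added example, not OSArmor's own code: evaluates exclusion rules written as
# "[%KEY%: pattern] [%KEY%: pattern] ..." against the fields of a logged block event.
# Assumed semantics: "*" = any run of characters, "?" = exactly one character, a pattern must
# cover the whole field, matching is case-insensitive, and %SIGNER% aliases %FILESIGNER%.
FIELD_ALIASES = {"SIGNER": "FILESIGNER"}

def parse_rule(rule):
    """Split '[%KEY%: value] [%KEY%: value]' into an ordered {KEY: pattern} dict."""
    return {k.upper(): v for k, v in re.findall(r"\[%(\w+)%:\s*(.*?)\](?=\s*\[%|\s*$)", rule)}

def glob_to_regex(pattern):
    """Translate the rule wildcard syntax into an anchored, case-insensitive regex."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def failing_keys(rule, event):
    """Rule keys whose pattern does not match the event; empty means the rule excludes it."""
    return [key for key, pattern in parse_rule(rule).items()
            if not glob_to_regex(pattern).match(event.get(FIELD_ALIASES.get(key, key), ""))]

def rule_matches(rule, event):
    return not failing_keys(rule, event)

# Constructed events carrying the same field values as the log entries quoted in this thread.
EDGE_EVENT = {
    "PROCESS": r"C:\Windows\System32\cmd.exe",
    "PROCESSCMDLINE": r'C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\Kaspersky Lab'
                      r'\Kaspersky Internet Security 21.1\plugins_nms.exe" chrome-extension://'
                      r"ahkjpbeeocnddjkakilopmfdlnjdpcdm/ --parent-window=0 < \\.\pipe\LOCAL\chrome."
                      r"nativeMessaging.in.4d9edcf990b19786 > \\.\pipe\LOCAL\chrome.nativeMessaging.out.4d9edcf990b19786",
    "FILESIGNER": "<NULL>", "PARENTSIGNER": "Microsoft Corporation",
    "PARENTPROCESS": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"}
NET_EVENT = {  # net.exe started by cmd.exe; note the double space in the command line
    "PROCESS": r"C:\Windows\System32\net.exe", "PROCESSCMDLINE": "net  stop DbxSvc",
    "FILESIGNER": "", "PARENTPROCESS": r"C:\Windows\System32\cmd.exe", "PARENTSIGNER": ""}
NET1_EVENT = {  # net.exe hands the work to net1.exe, so net1.exe's parent is net.exe
    "PROCESS": r"C:\Windows\System32\net1.exe", "PROCESSCMDLINE": r"C:\Windows\system32\net1 stop DbxSvc",
    "FILESIGNER": "", "PARENTPROCESS": r"C:\Windows\System32\net.exe", "PARENTSIGNER": ""}

# Rules quoted in this thread (the literal Edge rule pins one run's pipe id; the wildcard one does not).
EDGE_LITERAL_RULE = (
    r'[%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\cmd.exe /d /c '
    r'"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 21.1\plugins_nms.exe" '
    r'chrome-extension://ahkjpbeeocnddjkakilopmfdlnjdpcdm/ --parent-window=0 < \\.\pipe\LOCAL\chrome.'
    r'nativeMessaging.in.b03019f80cde59e0 > \\.\pipe\LOCAL\chrome.nativeMessaging.out.b03019f80cde59e0] '
    r'[%FILESIGNER%: <NULL>] [%PARENTPROCESS%: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] '
    r'[%PARENTSIGNER%: Microsoft Corporation]')
EDGE_WILDCARD_RULE = (
    r'[%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\cmd.exe /d /c '
    r'"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security*\plugins_nms.exe" '
    r'chrome-extension://*/ --parent-window=0 < \\.\pipe\LOCAL\chrome.nativeMessaging.in.???????????????? '
    r'> \\.\pipe\LOCAL\chrome.nativeMessaging.out.????????????????] [%FILESIGNER%: <NULL>] '
    r'[%PARENTPROCESS%: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe] '
    r'[%PARENTSIGNER%: Microsoft Corporation]')
NET_RULES = [
    r"[%PROCESS%: C:\Windows\System32\net.exe] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: net  stop DbxSvc]",
    r"[%PROCESS%: C:\Windows\System32\net1.exe] [%PROCESSCMDLINE%: * stop DbxSvc] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe]"]

if __name__ == "__main__":
    for name, rule, event in [("Edge literal", EDGE_LITERAL_RULE, EDGE_EVENT), ("Edge wildcard", EDGE_WILDCARD_RULE, EDGE_EVENT),
                              ("net.exe", NET_RULES[0], NET_EVENT), ("net1.exe", NET_RULES[1], NET1_EVENT)]:
        bad = failing_keys(rule, event)
        print(f"{name}: {'excluded' if not bad else 'still blocked, mismatch on ' + ', '.join(bad)}")
```

    Under these assumptions the literal Edge rule fails only on the per-run pipe id, while the net1.exe rule pinned to a cmd.exe parent does not match the net1.exe event quoted above, whose logged parent is net.exe.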
  15. Grille

    Grille Registered Member

    Joined:
    Oct 16, 2020
    Posts:
    5
    Location:
    Hamburg
    Thank you. I think there is something not understood correctly, but my practice of starting certain services (like for Acronis and Dropbox) only when needed via the task planner is probably also outside what normal users do. I now tend to decide to 'solve' the problem by deselecting the option "Block execution of net/net1.exe" for the time being.
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    Released NoVirusThanks OSArmor v1.5.1:
    https://www.osarmor.com/download/

    Changelog:

    If you have the auto-update option checked your OSA version will be upgraded automatically.

    Else you can install this new version "over-the-top" (a reboot is not required).
     
  17. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,917
    Got v1.5.1 via internal updater a couple of minutes ago. Thank you, Andreas.

    Just a quick question. It is possible to block the execution of all *.scr files:
    Code:
    ; Block SCR files
    [%PROCESSFILENAME%: *.scr] [%RULENAME%: Block SCR files]

    Would it also be possible to block the execution of file types such as *.doc or *.xls?

    PS: I like the feature suggested by @aldist in the following post:
    https://www.wilderssecurity.com/thr...layer-of-defense.398859/page-104#post-2824017
     
    Last edited: Oct 19, 2020
  18. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
    How do I increase the time of the popup showing what was just blocked?
     
  19. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,917
    This is what I did:
    Go to Configurator > Settings > uncheck the box "Automatically close the notification window"
    Popups need to be closed manually with these settings, but at least you have time enough to read what has been blocked by OSA.
     
  20. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
    :rolleyes: UGH.. Thanks Buddel.
     
  21. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,468
    Location:
    Hollow Earth - Telos
    I unchecked that a few days ago. That should be the default setting for the popup.
     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,358
    Location:
    Italy
    @Buddel

    Your rule to block execution of all .scr files is correct and works fine:

    (screenshot attachment: scr-test.png)

    Following rules will block opening of .doc and .xls documents:

    Code:
    [%PROCESSCMDLINE%: *.doc"] [%RULENAME%: Block opening of .doc files]
    [%PROCESSCMDLINE%: *.docx"] [%RULENAME%: Block opening of .docx files]
    [%PROCESSCMDLINE%: *.docm"] [%RULENAME%: Block opening of .docm files]
    [%PROCESSCMDLINE%: *.xls"] [%RULENAME%: Block opening of .xls files]
    [%PROCESSCMDLINE%: *.xlsx"] [%RULENAME%: Block opening of .xlsx files]
    [%PROCESSCMDLINE%: *.xlsm"] [%RULENAME%: Block opening of .xlsm files]
    
    (screenshot attachment: doc-test.png)

    Regarding the suggestion about the Configurator, we're going to work on it on these days.

    The plan is to improve it by allowing rules to be sorted, better grouped, searched and more (we should have a demo GUI for testing soon).
     
  23. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,917
    Thanks for your reply, Andreas, which is very much appreciated. :thumb:

    PS: I've just tested your rules for blocking .doc, .xls and similar files - they work like a charm as expected. Thank you very much.:)
     
    Last edited: Oct 19, 2020
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,638
    Location:
    Under a bushel ...
    @novirusthanks - suggestion: Or some indication via the taskbar icon that a block occurred might be useful?
    Then one can always 'Open Logs Folder' to see exactly what was blocked.
     
  25. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    Little late to the party. Where is v1.4 just in case I decide to not pay for v1.5? Also, where do I input the 20% discount code?

    Nice update so far. Checked everything in 'Advance' just like in v1.4 and restarted; seems the same because NVT does not alert.:thumb: Copied all my Custom Block-Rules with no problems.

    Thanks,
    Robert
     