NoVirusThanks OSArmor: An Additional Layer of Defense

@novirusthanks

It is OK.
TH.

Please see the video below:

http://sendvid.com/of05qs6e

Is the behavior of OSArmor correct?

_______________________________

test.vbs



P.S.
Also I'm curious to know why your name is Andreas.
Born in Germany?
My wife was born in Germany and her name is Andrea.

 

Yes, blocking .exe or .scr would be too much.
And we already have a rule for blocking of screensavers (only screensavers in the Windows folder are allowed): "Run Windows Screensavers (.scr) only on Windows folder"

 

I agree. It is possible, however, to write your own rules. I don't use screensavers, so .scr files are blocked by OSA here. As far as .exe files are concerned, it is also possible to block them with your own rule. If you need to install an app, simply disable OSA protection.

 

You probably meant *.ps1?

 

I only block .exe files in certain locations (documents, some private stuff etc.), but blocking .exe files "universally" might be a bit too much.

 

Hm, I didn't find any reference to other file extensions except ps1 (ps2, ps3...). They are also not associated with Powershell on my system.

 

PowerShell extensions: https://www.file-extensions.org/windows-powershell-file-extensions

 

Thank you both. Till now I only added .ps1 to my SRP rules. Will have to check out which are associated with PS and add those too. </OFFTOPIC>

 

Here is a new v1.4 (pre-release) (test5):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test5.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved detection of parent process
+ Block execution of .ps1 (PowerShell) scripts (unchecked by default)
+ Improved setup installer and uninstaller

Now the .db files (exclusions and custom-rules) are not deleted on uninstall.

This pre-release version can be installed over the top of the previous one.

Please let me know if you find new FPs.

@Sampei Nihira

Yes if the IE web page doesn't execute code.

Will need to check it.

If test.vbs executed a process or if you have the "Block .vbs scripts" then yes, it is normal.

Can you post the content of the log file?

@Peter2150

Added on the new pre-release test 5.

Yeah, will take a look at it on the next week.

 

Test 5? What happened to Test 4? Anyway, thanks for the new version.

 

Just made a quick update and named it test 5

 

4 test:

My simple "test.vbs":

 

@novirusthanks

Test EICAR with Firefox:

https://www.wicar.org/test-malware.html

test download EICAR test file with Firefox:

https://www.amtso.org/feature-settings-check-download-of-malware/

 

Sorry, but I'm a little late to the party. I just installed OSA and I'm having trouble adding exclusions. As best I can understand, the exclusion pattern goes:

[%PROCESS%: C:\WINDOWS\System32\cmd.exe] [%PARENT%: C:\WINDOWS\explorer.exe] [%CMDLINE%: *aaa*]

The Logfile then provides that information needed based on what has been blocked. I automate a lot of things in my system, including creating Image for Windows images. This is blocked by OSA. My logfile for that is below.

With that information, wouldn't the correct exclusion line be "[%PROCESS%: C:\Windows\System32\cmd.exe] [%PARENT%: C:\Windows\System32\wscript.exe] [%CMDLINE%: C:\Windows\system32\cmd.exe /c ""C:\Scripts\IFW\System.bat" "]" That exclusion line does nothing; the script still doesn't work. How do I exclude a vbs script that calls on a bat script?

Any ideas?

 

Welcome to my nightmare.

https://www.wilderssecurity.com/thr...ng-to-windows-10-fall-creators-update.397421/

 

Is this program going to be freeware even after finished development?

 

Will it always be offered free, or is it only free for beta testing?

Most probably free.

 

Here is a new v1.4 (pre-release) (test6):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test6.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Prevent PowerShell from using Invoke-Expression via cmdline (unchecked by default)
+ Prevent wscript.exe from changing script engine via //E:
+ Prevent cscript.exe from changing script engine via //E:
+ Fixed all reported false positives
+ Added more than 100 internal rules
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.

Please let me know if you find new FPs.

@n8chavez

Available variables to use are %PROCESS%, %PARENTPROCESS% and %PROCESSCMDLINE%

Make sure there are no " at begin and at end of the rule, i.e:

Code:

[%PROCESS%: C:\Windows\System32\cmd.exe] [%PARENTPROCESS%: C:\Windows\System32\wscript.exe] [%PROCESSCMDLINE%: C:\Windows\system32\cmd.exe /c ""C:\Scripts\IFW\System.bat" "]

It should work fine now.

You may also allow all *.bat scripts in C:\Scripts\IFW\* like this:

Code:

[%PROCESS%: C:\Windows\System32\cmd.exe] [%PARENTPROCESS%: C:\Windows\System32\wscript.exe] [%PROCESSCMDLINE%: C:\Windows\system32\cmd.exe /c ""C:\Scripts\IFW\*.bat" "]

 

Thanks for the new test version. It's getting better and better with each release.