NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,713
    Location:
    Canada
    Nice
     
  2. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    747
    Location:
    Brooklyn, NY
    I think you can import an older RULES file into this new build and have them go into effect, right? It seemed to work when I tried it.

    Personally, I don't use any Profile strategy. Just would rather scan thru all the rules and check off what seem most applicable and relevant. Then back it all up. :)
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,269
    Location:
    U.S.A.
    Profiles in ver. 1.5.2 Personal don't exist as far as I can determine. Is this correct?
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,108
    Location:
    Italy
    @plat1098

    Yes you can import old rules (CustomBlock.db and Exclusions.db files), they will work fine.

    However, the old exported settings will not work since on v1.5.3 we changed completely the export/import of protections rules (checkboxes) and settings.

    @itman

    Yes correct, protections rules profiles are available only on v1.5.3
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,790
    Location:
    The Netherlands
    No, it's a Full HD screen with a 1920x1080 resolution. I didn't uninstall the older version though, perhaps I should try it again. However, I did notice that after Windows has booted, the OSA main window looks blurry and after restart it will look normal, this happens with all OSA versions. I wonder if other people have also noticed this.
     
  6. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    747
    Location:
    Brooklyn, NY
    Right! New Import/Export on new test build only, as the configurations have changed around. Got it. :)

    Edit: no Rasheed, haven't noticed ths issue, not yet anyway. Just opened the main OSA window and it looks alright. I'd just restarted the machine to finish the cumulative Windows update as well.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,269
    Location:
    U.S.A.
    Just applied latest Win 10 x(64) 20H2 cumulative update. Upon completion of update and system restart, OSA not running. Checked status and it showed protection was disabled. Tried to enable it via desktop toolbar OSA icon option. No go. Protection would not enable. Checking running services via Control Panel option showed OSArmorDevSvc service not running. Manually started the service which enabled OSA protection.

    Is this normal OSA behavior after a Win Update? Does OSA protection need to be disabled prior to Win Updating?
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
    I had a similar thing but it wasn't after a Windows Update.

    #3273
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,269
    Location:
    U.S.A.
    Wonder if this might be related to auto updating? I had enabled that earlier today prior to the Win Update activity.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
    False Positive after running PrivaZer?
    Code:
    [%PROCESS%: [6588]C:\Windows\System32\vssadmin.exe]
    [%PROCESS%: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] [%PROCESSCMDLINE%: powershell  Optimize-Volume -DriveLetter C -ReTrim] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\System32\cmd.exe] [%PARENTSIGNER%: <NULL>]
    Medium Profile.
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,713
    Location:
    Canada
    Indeed :) hello buddy
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
    G'day Mate!

    Not exactly sure it is a FP. OSA is probably doing exactly as it should.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,790
    Location:
    The Netherlands
    OK, so no blurry looking GUI and no ''text looking too big'' problem? Then I wonder what the hell is going on, on my machine. For now I have downgraded to the old OSA freeware version.
     
  14. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,441
    My block rule for SCR files still works as expected, but blocking DOC, XLS and other documents does not work any more. It worked fine when I used OpenOffice until recently. However, now that I use Office 365 I can open old DOC files, even though they should be blocked by OSA.
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,108
    Location:
    Italy
    We've released OSArmor v1.5.3, here is the changelog:

    [14-Jan-2020] v1.5.3.0

    + Improved management of protections rules in OSArmor Configurator
    + Added option to export/import protections rules, settings, all
    + Use exported .ini files with "Automatically update OSArmor settings from a URL"
    + Improved method to auto-update OSArmor settings from a URL
    + Added option to reset protections rules, settings, all
    + Added option to select protections profile (right-click on Configurator->Protections tab)
    + Added option to easily search protections rules
    + Added option to check/uncheck all protections rules
    + Added option to select protections rules group via a drop-down box
    + Previously exported settings (OSArmor.rules) will not work on this version
    + Updated NVT License Manager with latest version
    + Do not recreate Desktop icon after product has been upgraded
    + Fixed session ID issue involving Remote Desktop Protocol (RDP)
    + Added Block any process executed from web browsers
    + Added Block execution of popular web browsers
    + Added Block processes located on C:\Windows\Microsoft.NET\Framework\*
    + Added Block execution of Resource File To COFF (cvtres.exe)
    + Merged many protections rules into single category-specific rules
    + Protections rules on Configurator have been reduced (merged) from 300 to 185
    + Improved automatic product update procedure
    + By default the setup creates a Desktop icon for all users on new installations
    + The desktop icon is not re-created in case it has been previously removed
    + Added /NODESKTOPICON parameter to use with setup.exe command-line
    + Various improvements in the installer script
    + Added new internal rules to block suspicious behaviors
    + Fixed all reported false positives
    + Minor improvements

    IMPORTANT:

    * When installing this version it is required an active Internet connection
    * Everyone should update to this version, it fixes the fingerprint issue with NVT Activator caused when the BIOS is updated/flashed
    * This version will automatically apply basic protections rules after installed
    * You may require to enable again your custom protections rules (checkboxes) on Configurator

    //Everyone

    If you used the pre-release build please update to this new version.

    You can install over-the-top, if you have enabled auto-updates it will upgrade automatically.

    Some screenshots:

    osanew2.png

    osanew3.png

    @Buddel

    Looks like the command-lines changed with Office 365.

    Don't have it installed here but you may try the following Custom Block rules:

    Code:
    [%PROCESSCMDLINE%: *.doc*] [%RULENAME%: Block opening of .doc files]
    [%PROCESSCMDLINE%: *.docx*] [%RULENAME%: Block opening of .docx files]
    [%PROCESSCMDLINE%: *.docm*] [%RULENAME%: Block opening of .docm files]
    [%PROCESSCMDLINE%: *.xls*] [%RULENAME%: Block opening of .xls files]
    [%PROCESSCMDLINE%: *.xlsx*] [%RULENAME%: Block opening of .xlsx files]
    [%PROCESSCMDLINE%: *.xlsm*] [%RULENAME%: Block opening of .xlsm files]
    
    @Krusty

    Yes they are FPs, should be fixed now.

    Anyway, couldn't reproduce the FP with vssadmin.exe, can you share the blocked event from the log file?

    @itman @Krusty

    Strange, are you using other security apps? Maybe they somehow blocked OSArmorDevSvc.exe or NVTLicenseManager.exe
     
    Last edited: Jan 14, 2021
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,713
    Location:
    Canada
    Amazing work.what a beautifull software OSArmor is:) I love all this changes
     
  17. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,441
    @novirusthanks
    Thanks for your help. Unfortunately, the rules you suggested above don't work the way I want. I want to block only DOC files, but I do NOT want to block DOCX files.

    The rule [%PROCESSCMDLINE%: *.doc*] [%RULENAME%: Block opening of .doc files] blocks BOTH DOC and DOCX files (as expected). This is not what I want, however. I do NOT want to block DOCX files, as mentioned above.

    The rule [%PROCESSCMDLINE%: *.doc] [%RULENAME%: Block opening of .doc files] (without the asterisk after the file extension) does NOT block anything. I thought it would just block DOC files (not DOCX files), but it doesn't seem to work at all.
     
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,108
    Location:
    Italy
    @jmonge

    Great glad you like OSA =)

    @Buddel

    Can you share the blocked event from the .log file? The one that blocked also .docx
     
  19. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,441
    @novirusthanks
    Here is the log of a blocked .docx file:

    Date/Time: 14.01.2021 21:13:24
    Process: [7660]C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    Process MD5 Hash: B7048CFFCE9D156C6FFED2C0AB14C079
    Parent: [9204]C:\Windows\explorer.exe
    Rule: CustomBlockRule
    Rule Name: Block opening of .doc files
    Command Line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "D:\MYFILES\MYNAME\MYFOLDER\MYSUBFOLDER\MYFILE.docx" /o ""
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Windows
    User/Domain: User/USER-PC
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium

    I get the same log for .doc files. It always looks like ...doc(x)" /o ""
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
    Sure. Here you go.
    Code:
    Date/Time: 11/01/2021 5:36:41 PM
    Process: [12052]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process MD5 Hash: 04029E121A0CFA5991749937DD22A1D9
    Parent: [6680]C:\Windows\System32\cmd.exe
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell  Optimize-Volume -DriveLetter C -ReTrim
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    
    As I mentioned, it was while running PrivaZer. I believe it runs "Trim" on SSDs as it finishes. It may not run on HDDs.

    Edit: Here is the log from my second machine in case there's any difference.
    Code:
    Date/Time: 13/01/2021 4:04:17 PM
    Process: [13752]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process MD5 Hash: 04029E121A0CFA5991749937DD22A1D9
    Parent: [13600]C:\Windows\System32\cmd.exe
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell  Optimize-Volume -DriveLetter C -ReTrim
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: Dave/DAVE-PC
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    Thanks.
     
    Last edited: Jan 14, 2021
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
    I shall keep an eye on it. If it was blocked by another security app then it was silently blocked.
     
  22. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    584
    Location:
    US
    I cannot find my license key. Says "Machine fingerprint has changed since activation". Same machine. How to get my key?

    Thanks,
    Robert
     
  23. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,108
    Location:
    Italy
    @Buddel

    This should work:

    Code:
    [%PROCESSCMDLINE%: *.docx" /o*][%RULENAME%: Block opening of .doc files]
    Basically this is the wildcard to use: *.docx" /o*

    Let me know if it works.

    @Krusty

    Thanks, it should be already fixed in latest v1.5.3 - try to remove the exclusion rule and run again PrivaZer.

    @Roberteyewhy

    To solve activation issues like:

    Open the Customer Portal web page.

    To login the first time you need to click on the "Forgot Password?" link, then enter your email used during the order and click on the "Recover Password" button. You will receive via email (check also the spam folder) a link to reset your password, make sure to use a 15+ chars strong password.

    From the Customer Portal you can manage all your purchased licenses and activated devices, you need to deactivate the license in your device so then you can re-activate it again, follow this video: https://www.youtube.com/watch?v=FS7j276KCoA

    Once done, reboot the system and you'll be prompted to enter your license key, make sure you have an Internet active and enter the key, click Activate and it should work.

    * If you don't want to reboot the system, run cmd.exe as Administrator and enter in order:

    Code:
    sc stop osarmordevsvc
    sc start osarmordevsvc
    
    And you'll be prompted to enter the key.

    Let me know.
     
    Last edited: Jan 14, 2021
  24. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,441
    The rule [%PROCESSCMDLINE%: *.doc" /o*][%RULENAME%: Block opening of .doc files] works as expected. It blocks DOC files, but it does not block DOCX files. Great. Thank you! BTW, this rule also works great for PPT files, which are successfully blocked (but not PPTX files).

    Now I'm looking for a rule to block XLS files (but not XLSX files). Here's my log file:

    Date/Time: 14.01.2021 22:17:06
    Process: [6892]C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    Process MD5 Hash: 87380EF311444F91F6C4A68DF698530F
    Parent: [3944]C:\Windows\explorer.exe
    Rule: CustomBlockRule
    Rule Name: Block opening of .xls files
    Command Line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "D:\MYFILES\Mappe1.xlsx"
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Windows
    User/Domain: User/USER-PC
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium

    I get the same log for XLS files. This log file is triggered by this rule:
    [%PROCESSCMDLINE%: *.xls*] [%RULENAME%: Block opening of .xls files]
    It blocks both XLS and XLSX files. However, I need a block rule that only blocks XLS files but NOT XLSX files. As mentioned above, the rule [%PROCESSCMDLINE%: *.xls] [%RULENAME%: Block opening of .xls files] (without the asterisk) does not work at all.
     
    Last edited: Jan 14, 2021
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
    @novirusthanks ,

    I just found this on my other machine. I believe it is the log you wanted.
    Code:
    Date/Time: 23/12/2020 7:18:41 PM
    Process: [6588]C:\Windows\System32\vssadmin.exe
    Process MD5 Hash: B58073DB8892B67A672906C9358020EC
    Parent: [5456]C:\Windows\System32\cmd.exe
    Rule: BlockDeletionOfShadowCopies
    Rule Name: Block system processes from deleting shadow copies
    Command Line: vssadmin  delete shadows /for=C: /QUIET
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: Dave/DAVE-PC
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.