NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,529
    Location:
    Among the gum trees
    No, not fixed as yet.
    Code:
    Date/Time: 15/01/2021 8:32:59 AM
    Process: [10348]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process MD5 Hash: 04029E121A0CFA5991749937DD22A1D9
    Parent: [11232]C:\Windows\System32\cmd.exe
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell  Optimize-Volume -DriveLetter C -ReTrim
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
     
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,102
    Location:
    Italy
    @Krusty

    Thanks for testing, will take a look at it.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,176
    Location:
    U.S.A.
    Is there a write up anywhere as to what rules are activated for each profile option?
     
  4. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    584
    Location:
    US
    "The license has reached its allowed activations limit". Activated once.
     
  5. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,102
    Location:
    Italy
    @Buddel

    This should work for xls:

    Code:
    [%PROCESSCMDLINE%: *.xls"][%RULENAME%: Block opening of .xls files]
    Alternatively try this:

    Code:
    [%PROCESSCMDLINE%: *.xls"*][%RULENAME%: Block opening of .xls files]
    @Krusty

    Yes I was looking for that vssadmin.exe block event, thanks for sharing.

    Problem with that is also ransomware use that exact command to erase shadow copies so user can't recover original files once encrypted.

    I would personally highly recommend you to not exclude/whitelist vssadmin.exe and keep blocking that command.

    @itman

    Not for now, should add some details soon.

    @Roberteyewhy

    Did you deactivate your license key first via Customer Portal as wrote here:
    https://www.wilderssecurity.com/thr...layer-of-defense.398859/page-132#post-2982645

    Looks like the license key was not yet deactivated from the device.

    In case just send an email to our support email and will help from there.
     
  6. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,361
    I tried both rules - and they both work! Thank you very much, Andreas!:thumb:
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,529
    Location:
    Among the gum trees
    Okay, got ya. I don't actually recall what I or that machine was doing at the time when that block occurred. That time and date suggest Macrium Reflect should have been imaging my machine. Does that sound right?
     
  8. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    584
    Location:
    US
    Activated.

    Thanks,
    Robert
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,102
    Location:
    Italy
    @Krusty

    Yes possible, or probably PrivaZer tried to delete shadow copies as part of the procedure to clean some system areas (that can be fine, but since it is done also by 90% of ransomware I would always block that command).

    @Roberteyewhy

    Great, thanks for confirming.
     
  10. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    584
    Location:
    US
    Why not have 'Select All'? That way the user can just deselect rules that adversely affect daily business. Tedious!

    Robert
     
  11. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,837
    Location:
    Location Unknown
    Agreed. But you can just export the protection settings, then open them in notepad, then (control +h) replace =0 with =1, then reimport.
     
  12. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    584
    Location:
    US
    Ok. 1.5.3 changes everything. What if you do not know or forgot to export the settings? Anyway, "Check All" on every separate sections would make it much more simple. Just deselect what affects your system. Why make it tedious?

    My opinion,
    Robert
     
  13. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,837
    Location:
    Location Unknown
    I just started over with 1.5.3. Just export the default settings and replace =0 with =1.
     
  14. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    584
    Location:
    US
    Nice implementation of the Search feature. I have everything checked. Notification stays open, search Configurator and uncheck Blocked rule.

    Robert
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,071
    Location:
    Canada
    @novirusthanks

    Nice program, I bought a license. I like its small footprint, granular level of rules customization and very few alerts. Thank you for continuing development on it :)
     
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,680
    Location:
    Canada
    Good choice buddy
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,071
    Location:
    Canada
    Thanks!
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,680
    Location:
    Canada
    I love it very much.its very light
     
  19. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    658
    Location:
    Brooklyn, NY
    This is only a little thing, a suggestion. I have a custom WAV file to take the place of the pre-existing audio block alert. It keeps playing after I've already X'd out of the the pop-up notification. Is there any means to make it shut up already when you close the notification? I mean, I can always shorten the WAV but it's only 9 seconds as it is.

    Also, has anyone noticed anything getting blocked when you didn't enable the rule? Example: I open the AdGuard Browser assistant to do an element removal and I get a block from OSA with the rule: block any process from web browsers. Yet when I looked in the Configurator, the box was blank. Anyone? Here's some log entries:
    osablockag.PNG

    I know you can whitelist it and I have but the main point is a block showing when none was enabled. What I did was tick that box, then clear it. So far, it hasn't returned.
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,071
    Location:
    Canada
    Haven't seen this yet. I notice the process in the attached is cmd.exe. Do you have the rule enabled to block its execution?
     
  21. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    658
    Location:
    Brooklyn, NY
    This is a good question and the answer is "no." Just checked. It's an anomaly, and was only involving AdGuard Browser Assistant. If it happens again, I will let the developer know. But that web browser block rule was definitely NOT checked. Maybe he can reproduce it.

    Hopefully, this is the entry you mean. I only have PowerShell items checked as I use a lot of command-lines.

    osacmd.PNG
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,071
    Location:
    Canada
    Yes that's the rule I meant. Well then certainly it does seem to be an anomaly. Hopefully the developer can resolve it.

    Edit

    actually, how about this rule?:

    osarmor-rule.png
     
    Last edited: Jan 16, 2021
  23. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    658
    Location:
    Brooklyn, NY
    OK, after some searching, I found that one under Other Useful Block Rules and it was UN-checked. Thank you for researching that, it wasn't easy to find that one. I doubt that web browser block will be triggered again but you never know.
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,071
    Location:
    Canada
    Okay well I'm out of ideas then. There is a Search box under the Protections tab that makes finding rule types easier.
     
  25. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    2,581
    hey, rob. hope you're doing alright. do you still have an active subscription for ag solo? if you do, i assume you're not running it alongside osa, right?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.