NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,108
    Location:
    Italy
    @plat1098

    That is a FP, will be fixed in next version.

    The block rule is located in "Lockdown & Experimental" at the end of the list:

    osa-rule.png

    @wat0114

    Awesome! Thanks for purchasing =)

    @Roberteyewhy

    Yes we added that feature, see image below:

    osa2.png
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,268
    Location:
    U.S.A.
    I have created an Excel spreadsheet showing what OSA protections are enabled for each profile. Obviously, "1" means enabled and "0" means disabled. Source data comes from the OSA profile .ini files.

    Spreadsheet can be downloaded here: http://www.filedropper.com/osaprofiles .
     
    Last edited: Jan 17, 2021
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,151
    Location:
    Canada
    Thanks itman.

    Did you come up with these profiles or are they included somewhere in the program? I ask because I don't see them.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,268
    Location:
    U.S.A.
    They are located in this directory; C:\Program Files\NoVirusThanks\OSArmorDevSvc\Profiles
     
  5. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    739
    Location:
    Brooklyn, NY
    Thanks, this is appreciated. It can help with the decision-making process on what to enable/keep disabled. I did have to install a free app from the MS Store to view the Excel file (XLS Opener--it does have some ads but nothing extraordinary). But it's nice, I'll take a closer review before deleting the Store app. :)

    I figured that AdGuard thing was a false-positive and whitelisted it as such. The point was more the "block" that was triggered by it. If anyone has a "phantom" block where a rule is cited but that rule doesn't appear enabled in the Configurator, well, I hear ya. Maybe it was a dirty install- I did install this over the top.
     
  6. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,441
    Thanks, @itman. I have added another column to this spreadsheet to compare my settings with the predefined OSA profiles. My own settings roughly correspond to the predefinded "Extreme" profile (with some exceptions plus additional block rules and some exclusions).
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,151
    Location:
    Canada
    Okay I missed that, thanks again! I've been exporting my profiles to a different directory.
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,890
    I updated to v1.5.3 two or three days ago. Then I got the following rule, yesterday, so I hope it is OK. Don't understand what it denotes. ...I am running Windows Pro version: 1909 (OS Build 18363.1256), which I had updated to, shortly after getting that update for OSArmor.

    Date/Time: 17/01/2021 4:26:14 PM
    Process: [46296]C:\Windows\System32\rundll32.exe
    Process MD5 Hash: F68AF942FD7CCC0E7BAB1A2335D2AD26
    Parent: [8688]C:\Windows\explorer.exe
    Rule: BlockLOLBinsAndOtherSophisticatedAttacks
    Rule Name: Block LOLBins and other sophisticated attacks
    Command Line: "C:\WINDOWS\system32\rundll32.exe" -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617
    Signer: <NULL>
    Parent Signer: Microsoft Windows
    User/Domain: Owner/DESKTOP-XXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,151
    Location:
    Canada
    it looks to be fine:

    https://superuser.com/questions/1175267/what-is-this-rundll32-instance-running

    Rundll32.exe can be utilized as a LOLBin by malware to execute malicious scripts and such, but in this case it's doing something legitimate. You will probably get occasional alerts about harmless actions that you will need to add to the Exclusions list, but of course you need to be careful you don't allow something malicious.
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,890
    Last edited: Jan 18, 2021
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,151
    Location:
    Canada
    @Tarnak

    you're welcome. It turns out I already had an exclusion for that same action when I replied yesterday, which I had completely forgotten about :confused:
     
  12. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    584
    Location:
    US
    Sorry, never noticed that option. Convenient inclusion.

    Thanks,
    Robert
     
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,108
    Location:
    Italy
    Just a quick update, released OSArmor v1.5.4.0:
    https://www.osarmor.com/download/

    [18-Jan-2020] v1.5.4.0

    + Added new internal rules to block suspicious behaviors
    + Fixed all reported false positives
    + Minor improvements

    Blocks, for example, finger.exe (a new LOLBin), and much more.

    @Tarnak

    That is a FP, it is fixed now.

    @itman

    Thanks for the spreadsheet!
     
  14. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,174
    Location:
    Hollow Earth - Telos
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,809
    Location:
    .
  16. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    739
    Location:
    Brooklyn, NY
    OK, I removed 1.5.3 first this time before installing 1.5.4 but did keep settings and logs. Only thing so far: I did have to redo my WAV in the OSA folder as the default was re-instated. :)
     
  17. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    2,731
    mind if i ask what your custom wav is? :ninja:
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,268
    Location:
    U.S.A.
    It did it again! OSA not running. This time ver. 1.5.3 not running upon resume from Win 10 sleep mode.

    Also as before, I could not enable protection via OSA and had to manual start its service via Win 10 Services option.

    -EDIT- Also as before auto updating was enabled. About 5 mins. after resume from standby and manual starting OSA service, I did receive the ver. 1.5.4 update.

    This issue again makes me believe it has something to do with OSA auto updating. Does it check for an update immediate after user logon?
     
    Last edited: Jan 18, 2021
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,621
    Location:
    Among the gum trees
    @novirusthanks ,

    It looks like you have fixed the previously mentioned PrivaZer bug. :thumb:

    Thank you!
     
  20. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    739
    Location:
    Brooklyn, NY
  21. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    2,731
    Last edited: Jan 18, 2021
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,151
    Location:
    Canada
    Hi itman,

    this same thing happened to me twice yesterday. The first time I believe because the firewall, WFC, had no Allow rule for it yet, so maybe the update check being blocked crashed it (disappeared from taskbar).

    The second time, I was using ConfigureDefender, and when I went to refresh to update the new settings, OSA disappeared from the taskbar.

    Adding exclusions for ConfigureDefender didn't seem to help, so I had to temporarily disable OSA, then refresh ConfigureDefender.

    Edit

    Just noticed after posting this that it disappeared again from taskbar :( No rhyme or reason this time. Had to re-start the service.

    Edit 2

    now just updated to v1.5.4 and will see what happens.
     
    Last edited: Jan 18, 2021
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,268
    Location:
    U.S.A.
    I also just noticed this event log entry that actually occurred prior to when my PC came out of sleep mode today. Possibly occurred upon entry into sleep mode:

    OSA_Error.png
     
  24. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,275
    Did you checked the logs to see what rule in ConfigureDefender could have block OSA?
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,151
    Location:
    Canada
    Yes, nothing showing in the logs.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.