NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,406
    Location:
    Canada
    hi again, Andreas,

    I may have found the problem.

    Three consecutive times today the OSArmorDevSvc failed to start after boot->login, so I decided to disable the Windows firewall control option: "Start automatically at user login", and now three consecutive reboots->login attempts and the OSArmorDevSvc starts as intended. It seems there is a conflict between the two programs only after bootup->login. once I start WFC after login and after OSArmor has already started, all is fine - no conflicts with OSArmor.
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Good job buddy;)
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,406
    Location:
    Canada
    Thanks but...5 consecutive times and OSArmorDevSvc started fine with WFC startup disabled, so things were looking up, but then on the 6th try it failed to start :(
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,291
    Location:
    Among the gum trees
    Interesting! OSA just blocked SysHardener:
    Code:
    Date/Time: 25/01/2021 4:18:26 PM
    Process: [10828]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process MD5 Hash: 04029E121A0CFA5991749937DD22A1D9
    Parent: [5756]C:\Windows\System32\cmd.exe
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell.exe  -Command "Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,420
    Location:
    Under a bushel ...
    Thanks @Buddel. I recently switched Protections Profile from Basic (Default) to Medium.

    I excluded it with '*' for version and .tmp files as I am fairly sure it's benign in my particular case, but probably no different to just unticking that protection!
     
    Last edited: Jan 25, 2021
  6. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    593
    Location:
    US
    Macrium Reflect. No. Had the older non paid version.

    Robert
     
  7. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    @novirusthanks maybe it is by design but I had a similar issue (also Macrium). After a restore the licence system seems to think there has been a change to the machine. I can't remember the message but the gist of it was that while the computer name was the same it did not recognise the configuration so was counting it as a separate activation. Deactivating on the cryptex site fixed it.

    Can you confirm that a licence needs to be deactivated for every uninstallation not just switching to different machine. I had thought it was an activation per machine not per install.

    Thanks
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    I use Eset Internet Security. OSA .exe's excluded from HIPS processing. Also if Eset was detecting anything amiss w/OSA, I should have received an alert/log entry of the activity which I have not.
     
  9. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,595
    I wouldn't untick that protection. Just add your process to your list of exceptions and see what happens. That way, you are still protected from real, malicious processes.
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,420
    Location:
    Under a bushel ...
    :thumb:
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,134
    Location:
    Italy
    @Elwe Singollo

    The activation is per-machine, but on previous OSA version there was an issue in the NVT License Manager (fixed on v1.5.3).

    There should be no issues with Macrium Reflect and our activation, I did this test on same machine:

    1) Installed OSA v1.5.4 and activated it
    2) Then I used Macrium Free to create a full system image
    3) I rebooted the PC and I restored the previously created system image
    4) Then when PC powered on I activated an Internet connection and opened OSA GUI
    5) I clicked on Help -> License Status and noticed all is fine (product activated)

    So at least in this case no issues, if you find activation issues with latest OSA version and a Macrium Reflect image please let me know.

    As long as you don't change hardware components like RAM, Motherboard, etc (HDD can be changed) there should be no activation issues.

    @Krusty

    Thanks for reporting it, it is an FP and will be fixed on next version.

    @itman @wat0114

    Thanks for details, I'm investigating the issue to see if I can reproduce it.

    //Everyone

    We're discussing about adding support for Trusted Vendors List and add new rules like:
    Block processes signed by non-Trusted Vendors List
     
  12. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,240
    @novirusthanks

    Noticed 7 files present in AppData folder (NVT OSArmor 1.5.3)

    dhsnoyhs.ctm
    fqicoaaj.avl
    gtxtxtup.cru
    ibqnpsgs.ihi
    rtmeslt
    weewkkuq.wxc
    wlidgpun.kvg

    They are not present in for example in NVT OSArmor 1.4.3

    Could you please explain their purpose?
     
  13. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,595
    I'm currently using NVT OSArmor 1.5.4. I tried to find these files here but I couldn't. I don't think they belong to OSA.
     
  14. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    961
    Hi @ Wilders

    I have a copy of NVT OSArmor v1.43. Can I continue to use this as a free version without any adverse effects?

    Thanks

    Terry
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Do you mean Program Data folder? I have nothing related to NoVirus Thanks folder-wise in either AppData Local or Roaming sub-directories. I do have these "mysterious" files in the Program Data root that were created all after the time OSArmor was installed on my device:

    OSA_Files.png

    -EDIT- Three of these files have exact time and date OSA was originally installed. Therefore confident these are OSA related. Also two of these files were updated as recently as yesterday. Question is why?
     
    Last edited: Jan 29, 2021
  16. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,595
    Same here. I also found these files in Program Data. Hm...
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,291
    Location:
    Among the gum trees
    Yes, as do I.
     

    Attached Files:

  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,134
    Location:
    Italy
    @KeyPer4Life

    Those files are created by the package we use to add 30-days trial to the program.

    They are innocuous text files, nothing to worry about.

    //Everyone

    Here is a pre-release (not final) version of OSArmor v1.5.5:
    https://downloads.osarmor.com/osa-1.5.5-test1.exe

    The changelog so far is this:

    + Improved handling of licensing errors
    + The service is not terminated in case of licensing errors
    + Improved analysis of digitally signed processes
    + Improved detection of revoked certificates (network check)
    + Added Block processes signed with a revoked certificate
    + Added Block processes signed with a invalid certificate
    + Added Block processes signed with a expired certificate
    + Import a custom .ini settings file via setup.exe /IMPORTSETTINGS=
    + Added new internal rules to block suspicious behaviors
    + Fixed all reported false positives
    + Minor improvements

    We're working in adding Trusted Vendors.

    If you find issues or false positives please let me know.
     
  19. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,069
    Location:
    .
    Hmm....not finding these files in my Program Data root -
    1.5.4 1.5.5-test1
     
    Last edited: Jan 29, 2021
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Can they be deleted w/o issue on paid version?
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,406
    Location:
    Canada
    Hi @novirusthanks (Andreas),

    could you possibly look into making it more efficient to add multiple, rapid-fire alerts to the Exclusions list? By this I mean I had two alerts at login at literally the same time as seen below, and to add each of them to the Exclusions list, I have to enter my credentials individually for each one I'm alerted to. Is it possible to make it so that once the Exclusions list is open, multiple entries can be added without having to enter credentials for each one? Or am I missing something, doing something wrong? Thanks if you can help.

    BTW, the OSArmorDevSvc has been starting flawlessly for more than three days now, after bootup-login.

    Code:
    Date/Time: 1/29/2021 4:39:48 PM
    Process: [9896]C:\Windows\System32\sc.exe
    Process MD5 Hash: E46C638010C25479F66BACBE8596CA76
    Parent: [4244]C:\Windows\System32\ImController.InfInstaller.exe
    Rule: BlockScExecution
    Rule Name: Block execution of sc.exe
    Command Line: "C:\Windows\system32\sc.exe" start imcontrollerservice
    Signer: <NULL>
    Parent Signer: Lenovo
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    
    
    Date/Time: 1/29/2021 4:39:48 PM
    Process: [9720]C:\Windows\System32\schtasks.exe
    Process MD5 Hash: A50ADB3775DB1BF3BC77CC598F68B57D
    Parent: [4244]C:\Windows\System32\ImController.InfInstaller.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: "C:\Windows\system32\schtasks.exe" /create /xml "C:\ProgramData\Lenovo\ImController\ImControllerMonitorTask.xml" /tn "Lenovo\ImController\Lenovo iM Controller Monitor"
    Signer: <NULL>
    Parent Signer: Lenovo
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
     
  22. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,240
    Thanks for info.
     
  23. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,240
    @Buddel
    @itman

    Windows will redirect any program that tries to write to C:\Users\All Users\ to the
    C:\ProgramData folder, too.
    Most programs use this as a caching location for data that should be available
    to all users, or to configure some basic settings.
    Your most important application data, if you want to back it up, will likely
    be stored under C:\Users\username\AppData\Roaming.

    These files are indeed installed by NVT OSArmor. Names and location may differ
    depending on OS version and free vs.paid versions of OSArmor.
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,420
    Location:
    Under a bushel ...
    Yes, I also struggle with multiple alerts (not uncommon) piling up one behind the other, and adding all to exclusions list.
    I also wonder if that could be made easier or more intuitive. Maybe I am also doing something wrong, or there is some setting (I have 'Automatically close the notification window' unticked).
    Sometimes I actually re-run the 'offending' software to auto-add exclusions, rather than cutting and pasting from logs, in these cases.
     
    Last edited: Jan 30, 2021
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    What's the update frequency checking in OSA?

    I am seeing OSArmorDevSrv.exe outbound connections to IP address 212.47.232.234 as frequent as once an hour. This doesn't seem right to me for a product that is only updated via new release version.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.