NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    747
    Location:
    Brooklyn, NY
    Hey Krusty, I noted the same in post 3442. I used this exe to test TVL only.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
    Updating to Test 3 enabled that setting where in Test 2 I had it disabled by choosing Medium Protection Profile. After choosing Medium again that setting is now disabled.

    I have scanned my system and added another 20 vendors to the list in case that setting gets re-enabled.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
    Thanks plat. As above, I didn't manually enable the TVL setting.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,151
    Location:
    Canada
    Thank you for your plans to keep OSA simple.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,713
    Location:
    Canada
    Agree too, buddy
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
    Because it's a Chinese company, right?
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,270
    Location:
    U.S.A.
    :thumb:
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,108
    Location:
    Italy
    We've released a new version of OSArmor v1.5.5:
    https://www.osarmor.com/download/

    Final changelog:

    [02-Feb-2021] v1.5.5.0

    + Improved handling of licensing errors
    + The service is not terminated in case of licensing errors
    + Improved analysis of digitally signed processes
    + Improved detection of revoked certificates (network check)
    + Added tab "Trusted Vendors" in Configurator
    + Added button to scan system for vendors (signers)
    + Added button to open TrustedVendors.db file
    + Added button to reset Trusted Vendors to default list
    + Added Block signers not present in Trusted Vendors
    + Added Block processes signed with a revoked certificate
    + Added Block processes signed with an invalid certificate
    + Added Block processes signed with an expired certificate
    + Import a custom .ini settings file via setup.exe /IMPORTSETTINGS=
    + Added new internal rules to block suspicious behaviors
    + Improved installer and uninstaller scripts
    + Fixed all reported false positives
    + Minor improvements

    User notice:

    * You can install over-the-top
    * If you installed test builds you should update to this final version

    Screenshot of Trusted Vendors:

    osa-new1.png
    Recent video uploaded:

    Block malware signed with valid or revoked certs with OSArmor
    https://www.youtube.com/watch?v=XUStga9CX1A
     
    Last edited: Feb 3, 2021
  9. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,175
    Location:
    Hollow Earth - Telos
    Chrome has blocked the download from the link because it may be dangerous. A few minutes later I got the auto update, which worked.
     
    Last edited: Feb 3, 2021
  10. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,441
    Got it. Thanks for the new version, Andreas.:thumb:
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,270
    Location:
    U.S.A.
    Same with Firefox. Ditto for the main OSA web site: https://www.osarmor.com/. I assume the OSA IP address is being blocked.

    No way I am turning on auto updating till this is resolved.

    Scratch this. Forgot I created an Eset firewall rule to block OSArmor IP Address.
     
    Last edited: Feb 3, 2021
  12. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,441
    Strange. I used Firefox to download the latest version without any problems. No popups. No warnings. Nothing. Hm...
     
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,108
    Location:
    Italy
    @Dragon1952

    Thanks for reporting it. I tried with Chrome and indeed it doesn't allow downloading the OSArmor setup file, strange.

    Maybe it reacts like this because the file is new? All our setups and exes are digitally signed. I will have to investigate this tomorrow.

    @itman

    Thanks for the update about the Eset details, no issues with FF here.
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,108
    Location:
    Italy
    Just tried now to download OSArmor setup file with Chrome and no issues.

    I guess it was showing the warning yesterday because the file was new and/or not popular.

    @Dragon1952 Can you confirm?

    Thank you
     
  15. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,175
    Location:
    Hollow Earth - Telos
    Yes, I can download OSA with Chrome now.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,270
    Location:
    U.S.A.
    I always get a Win 10 SmartScreen alert on the installer download. So it's not passing its cert. validation. It's a Win Store non-download alert.
     
    Last edited: Feb 4, 2021
  17. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    829
    Location:
    Europe
    I've literally downloaded malware with Chrome and it never said anything, other than "this file is an exe and might harm your PC, are you sure" bla bla bla.

    Perhaps you have Safe Browsing enabled?

    In any case, no reason to trust false positives.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,151
    Location:
    Canada
    @novirusthanks

    Downloaded using the latest Chrome beta and no alerts from Chrome or SmartScreen.
     
  19. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,239
    @novirusthanks

    The Homepage Internet shortcut has an insecure (HTTP) URL address.
    The Changelog file lists the same URL, but has a secure (HTTPS) URL for novirusthanks.org.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,270
    Location:
    U.S.A.
    Appears OSA added a new process, NVTHelperProcess.exe, in ver. 1.5.5. Any reason why this should be "dialing out" shortly after Win logon with auto update disabled? Also Trusted Publisher feature is not enabled. As such, no need to check certificates or the like.

    NVTHelperProcess.exe 6952 TCPV6 [2600:1700:64c0:XXXX] 56921 [2606:4700:0:0:0:0:6812:15e2] http ESTABLISHED

    -EDIT- Add to this the following IPv4 addresses; 104.18.20.226 and 104.18.21.226.

    All the above IP addresses are associated with Cloudflare and GlobalSign. This would be indicative of Trusted Publisher cert. validations and the like. However, if this feature is not enabled, this dial-out activity should not be occurring.
     
    Last edited: Feb 6, 2021
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
    I got this while running PrivaZer and attempting to delete a restore point.
    Code:
    Date/Time: 7/02/2021 2:02:08 PM
    Process: [13768]C:\Windows\System32\vssadmin.exe
    Process MD5 Hash: B58073DB8892B67A672906C9358020EC
    Parent: [7768]C:\Windows\System32\cmd.exe
    Rule: PreventImportantSystemModifications
    Rule Name: Prevent important system modifications
    Command Line: vssadmin  delete shadows /for=C: /QUIET
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: Dave/DAVE-PC
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
    Oh, I see I've reported this before.

    #3300
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,270
    Location:
    U.S.A.
    Not quite.

    The current detection you received originated from OSA Main Protections rule section. Assume this is a ransomware mitigation since it performs like activity.

    The prior alert you received originated from Block Specific System processes optional rule for vssadmin. Assumed is you enabled this rule manually or via profile selection.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,270
    Location:
    U.S.A.
    I am also questioning what PrivaZer is doing here.

    To delete a specific restore point in Win 10, the specific Shadow Copy ID must be specified:
    or, to delete the oldest restore point:
    https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html

    Using "vssadmin delete shadows /For=(drive letter): /quiet", as PrivaZer is doing, appears to me to delete all restore points. This is most likely why OSA is alerting on this activity.

     
    Last edited: Feb 7, 2021
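The alert record and the vssadmin discussion above, as an added example that is not part of this thread or of OSArmor's own code: a PowerShell script that parses an OSArmor alert of the "Key: Value" form posted above into a hashtable and then classifies what the blocked command line would have done to shadow copies. The alert text is a constructed sample modelled on the one in the post; the function and field names are this example's own. It goes beyond the thread in also recognising the wmic and Win32_ShadowCopy deletion variants that ransomware commonly uses alongside vssadmin, and it treats "/for=X:" with neither "/shadow=" nor "/oldest" as deleting every shadow copy on that volume, which is the thread's reading of the command and is marked as an assumption in the code.

```powershell
# Added example, not OSArmor's own code: parse an OSArmor alert record of the
# "Key: Value" form seen in this thread and classify what the blocked vssadmin
# command line would have done to shadow copies. The record below is a
# constructed sample modelled on the one posted above.
$sample = @'
Date/Time: 7/02/2021 2:02:08 PM
Process: [13768]C:\Windows\System32\vssadmin.exe
Parent: [7768]C:\Windows\System32\cmd.exe
Rule: PreventImportantSystemModifications
Command Line: vssadmin  delete shadows /for=C: /QUIET
Signer: <NULL>
Integrity Level: High
'@

function ConvertFrom-OsaAlert {
    # Turn the multi-line record into a hashtable keyed by field name.
    # Only the first colon separates key from value, so "Date/Time: 7/02/2021 2:02:08 PM"
    # and "Process: [13768]C:\Windows\..." both split correctly.
    param([Parameter(Mandatory)][string]$Text)
    $record = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^(?<key>[^:]+):\s*(?<value>.*)$') {
            $record[$Matches.key.Trim()] = $Matches.value.Trim()
        }
    }
    return $record
}

function Get-ShadowDeleteScope {
    # Returns one of: none | single | oldest | all | all-on-volume | unknown.
    # wmic and WMI variants are included as standard ransomware tradecraft,
    # going beyond the vssadmin case shown in the thread.
    param([Parameter(Mandatory)][string]$CommandLine)
    $cl = $CommandLine.ToLowerInvariant()
    $isVssadmin = $cl -match 'vssadmin(\.exe)?\b.*\bdelete\s+shadows\b'
    $isWmic     = $cl -match '\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b'
    $isWmi      = ($cl -match 'win32_shadowcopy') -and ($cl -match '\b(remove|delete)\b')
    if (-not ($isVssadmin -or $isWmic -or $isWmi)) { return 'none' }
    if ($cl -match '/shadow=\{?[0-9a-f-]{36}\}?') { return 'single' }   # one copy, by ID
    if ($cl -match '/oldest')                      { return 'oldest' }
    if (($cl -match '/all') -or $isWmic -or $isWmi) { return 'all' }
    # /for=X: with neither /shadow= nor /oldest: as read in the thread, this
    # removes every shadow copy on that volume (assumption; confirm with vssadmin /?).
    if ($cl -match '/for=[a-z]:') { return 'all-on-volume' }
    return 'unknown'
}

$alert = ConvertFrom-OsaAlert -Text $sample
$scope = Get-ShadowDeleteScope -CommandLine $alert['Command Line']
'{0} (parent {1}), rule {2}: shadow-copy deletion scope = {3}' -f `
    $alert['Process'], $alert['Parent'], $alert['Rule'], $scope
```

The scope value is what a triage step wants to know: a single shadow ID or "/oldest" from a cleanup tool is routine housekeeping, whereas a bulk deletion launched from cmd.exe is the pattern the PreventImportantSystemModifications rule exists to stop, whichever utility issues it.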
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,108
    Location:
    Italy
    @itman

    Those connections are needed to validate whether a certificate is revoked or invalid and for Trusted Vendors; they are performed by the Windows APIs we use to verify a certificate.
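The dial-out question raised above and the developer's answer, as an added example that is not part of this thread or of OSArmor's own code: a PowerShell script that reads the Authenticode signature of a signed executable, prints the CRL distribution point and authority information access (OCSP) URLs embedded in the signer certificate, and then rebuilds the certificate chain with an online revocation check. The HTTP connections a Windows certificate check makes go to exactly those URLs, which is why a helper process doing signature validation shows up in netstat talking to a CA's CDN. The install path in the default parameter is an assumption; point it at any signed exe.

```powershell
# Added example, not OSArmor's own code. Shows what a Windows certificate check
# does when "Block processes signed with a revoked certificate" is on: the
# signer's chain carries CRL and OCSP URLs, and an online revocation check
# fetches them. The default path is an assumption; use any signed exe.
param([string]$Path = "$env:ProgramFiles\NoVirusThanks\OSArmor\NVTHelperProcess.exe")

$sig = Get-AuthenticodeSignature -FilePath $Path
'Signature status : {0}' -f $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
if ($sig.Status -eq 'NotSigned') { return }

$cert = $sig.SignerCertificate
'Signer           : {0}' -f $cert.Subject
'Issuer           : {0}' -f $cert.Issuer
'Valid            : {0:u} .. {1:u}' -f $cert.NotBefore, $cert.NotAfter

# Where the revocation data lives: these hosts are the ones that appear in netstat.
# 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP/CA issuers)
foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -in @('2.5.29.31', '1.3.6.1.5.5.7.1.1')) {
        '{0}:' -f $ext.Oid.FriendlyName
        $ext.Format($true)
    }
}

# Rebuild the chain with an online revocation check, as the platform verifier does.
# ExcludeRoot: roots are never revocation-checked, every other link in the chain is.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$built = $chain.Build($cert)
'Chain builds     : {0}' -f $built
foreach ($s in $chain.ChainStatus) {
    # Revoked, RevocationStatusUnknown, OfflineRevocation, NotTimeValid, UntrustedRoot, ...
    '  {0}: {1}' -f $s.Status, "$($s.StatusInformation)".Trim()
}
$chain.Dispose()
```

Two caveats when reading the output. First, the chain build here uses the current time, so a signer certificate that has expired but whose signature was timestamped shows NotTimeValid in the chain status even though Get-AuthenticodeSignature still reports the signature as Valid (Authenticode evaluates a timestamped signature at signing time). Second, if the CRL or OCSP endpoint cannot be reached you get RevocationStatusUnknown or OfflineRevocation rather than Revoked, which is the "network check" the changelog refers to: without the connection, revocation simply cannot be decided.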
     