NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,111
    Location:
    Italy
    We've released a new version of OSArmor v1.5.7:
    https://www.osarmor.com/download/

    Changelog:

    + Added more signers to Trusted Vendors list
    + Added new internal rules to block suspicious behaviors
    + Fixed all reported false positives
    + Minor improvements

    User notice:

    * You can install over-the-top

    @itman

OSA 1.5.7 test 1, which you used for testing, doesn't save system memory or anything like that. What I changed compared to v1.5.6 related to the startup issue is only a better way to wait until the desktop has fully loaded. The service-not-starting issue you and other users have reported should now be fixed. As additional information, the method of loading kernel-mode drivers used in our products is totally fine and has never created issues.

    Please keep me updated in case osarmordevsvc still has startup issues (should not have anymore).

    And thanks a lot for all the testings and information, really much appreciated.
     
    Last edited: Apr 15, 2021
  2. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,900
    :thumb: It has already happened. ;) ...The update to the latest version, on my laptop. ;)

    Ergo:

    VirusTotal_scan_NVT Osarnor_update to v1.57_01.JPG
     
    Last edited: Apr 15, 2021
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,160
    Location:
    Canada
    The test version has worked with no issues for me, Andreas. Thanks!
     
  4. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,460
    The latest version arrived here via automatic update a couple of minutes ago. Thanks, Andreas.:thumb:
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,293
    Location:
    U.S.A.
    The OSA saga continues.

    Not wanting the issues I encountered with the previous pre-release 1.5.7 install over 1.5.6 ver., I activated auto updating. Rebooted to force the update.

Monitoring, and a short time later, I observed OSA doing the ver. 1.5.7 update. After all updating activity appeared to cease, I opened OSA via the desktop icon and it still showed ver. 1.5.6.:confused: OSA files had been updated in C:\Program Files; all except OSArmorDevUI. A short time later, I got this popup screen in the middle of the desktop stating that updating was not successful; I needed to perform a system restart and then run the "setup" program again to complete the update. o_O Setup program .....? Note there was nothing on this desktop popup that sourced it to OSA or anything else for that matter. So I rebooted. A short time later, I got an OSA desktop popup stating that it had successfully installed.:rolleyes: The OSA GUI then showed ver. 1.5.7 and so far, no issues with OSA or the system itself.

    Bottom line - I don't have a "warm and fuzzy feeling" about this product.
     
    Last edited: Apr 16, 2021
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,902
    Location:
    The Netherlands
    What about the DPI scaling problem and the problem with the NVT License Manager? I like to trial OSA, but I can't.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,293
    Location:
    U.S.A.
    As far as my latest ver. 1.5.7 episode described above, I didn't realize that Microsoft had patched the "dirty" disk issue in last Tuesday's Win 10 cumulative update. So actually when I ran the ver.1.5.7 in-product update, both the Win 10 patch and use of the i30flt.sys driver to mitigate it were in place.

Yesterday, I uninstalled the i30flt.sys driver and have my fingers crossed that I will have no further issues with OSA starting or updating. A short time after the driver uninstall, I did observe a dirty shutdown entry in my Win Event logs. However, OSA started up at the subsequent restart w/o issue - a good sign. The weird thing is related to the unexpected shutdown. As shown in the below screen shot, the shutdown Event log entry is not related to any actual shutdown nor any restart activity in progress at the time the log entry was created.o_O I am still pondering this one and what the source of the shutdown activity was, which appears to have either failed or never executed.

    OSA_Shutdown.png
     
  8. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    803
    Location:
    Brooklyn, NY
I got an update notice via email for 1.5.7 today but the actual update was available on April 15th--like 2 1/2 weeks ago.

    Why so late? Is there any way to stop emails about updates?
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,293
    Location:
    U.S.A.
    Same here and the links in the e-mail look suspicious:

    OSA_E-mail.png
     
  10. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    803
    Location:
    Brooklyn, NY
    da Heck?!

    What is that, itman, it surely does look very odd. Only thing: I have AdGuard that strips URLs so they look more clean. For comparison, here's my email notice:

    Oh, and within the email is a small "unsubscribe" link at the top. So, I used it. :thumb:
    nvtosaemailnotice.PNG
     
  11. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    564
    Location:
    Island of Woman
Can you make the programme friendlier to the Anaconda data science programme? Not only block suspicious scripts but allow scripts from suspicious locations, and now it blocks curl.exe; it must be added to Trusted Vendors or something. Too many rules to unblock and it's complicated (Anaconda is modular, it has bash etc.), especially those first two I mentioned.
Anaconda is very important and popular, it's like Excel on drugs.
     
    Last edited: May 5, 2021
  12. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    564
    Location:
    Island of Woman
Also the programme is receiving very low ratings and I predicted that; this is because the GUI is not noob friendly. OSA seems more difficult than ExE Radar Pro, in particular the whitelisting.
This should have been reworked as I said previously.
Typical comments are: "this programme blocks everything, I can't work".
I believe Andrea's work is important so that is not the point; the point is implementation for people who don't know or have never heard about LOLBINS, like my mother. If my mother can use it the programme will get high ratings.
     
    Last edited: May 13, 2021 at 7:50 AM
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,315
    Location:
    Under a bushel ...
    I never had the strange links in the e-mail - but Andreas has never responded ...
     


  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,902
    Location:
    The Netherlands
BTW, is anyone seeing high CPU activity from system.exe sometimes? I have a feeling it might be caused by OSArmor or AppCheck, but I'm not sure yet. I have removed them both from my desktop and so far I'm not seeing it anymore. I did use Process Explorer to see if it was perhaps caused by some driver, but I didn't see anything.
     
  15. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    564
    Location:
    Island of Woman
Sorry, could be unrelated, but the last thing I remember it was caused by henry's simplewall with logging enabled: NT AUTHORITY\SYSTEM spikes to 60%. No spikes on OSA for me at least; I've never seen spikes on NVT products. Only if you mismanage some rules and it constantly blocks can spikes happen.
     
    Last edited: May 13, 2021 at 1:21 PM
  16. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,460
    No problems with NVT products here, either.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,293
    Location:
    U.S.A.
My main issue is OSA keeps trying to dial out and I am getting tired of it.

I have OSA auto updating disabled, yet OSArmorDevSvc.exe keeps dialing out. I have all Trusted Publisher settings disabled, and NVTHelperProcess.exe keeps dialing out. I need a clear explanation from @novirusthanks about this activity. As far as I am aware, OSA does not contain any individual component update capability; e.g. individual program, rule updating, etc.
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,315
    Location:
    Under a bushel ...
    License check?
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,293
    Location:
    U.S.A.
    OSA has a dedicated process for that - NVTLicenseManager.exe.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,902
    Location:
    The Netherlands
    OK thanks guys, so far I saw no CPU spikes on my desktop and laptop anymore after removing AppCheck and OSArmor so I will now reinstall them one by one to see what happens.

    Sounds a bit weird indeed, of course NVT is a trusted company but would still be interesting to know why this happens, it might even be a bug.
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,111
    Location:
    Italy
    @itman

NVTHelperProcess is used only to verify a digital code signature (required to check whether it has been revoked). This may occasionally require querying VeriSign/Akamai servers in case the signature fingerprint/hash data is not cached in the system. Even if you disable options in the "Digital Code Signature" section of OSA Configurator, the process will still make these connections because, for safety, it still has to verify signatures in some cases. Please note that the connections are performed/requested by the Windows APIs if/when required and not directly by OSA.

The "strange" links you saw in the newsletter email are created with Sendinblue (the platform we use to manage newsletters) to count clicks for statistical purposes; in fact you will see they all redirect to the OSA website. I guess you saw the links that way because you have chosen to display the message as "plain-text" and not in HTML format. Otherwise you should have seen them as in the screenshot posted by @plat1098.

    @plat1098

    Yes, we were too busy and we delayed the sending of the newsletter.

    Generally they are sent the day or a few days after a program has been officially released/updated.

    @lucd

curl.exe and other commonly hijacked processes are blocked by OSA because in office/family/generic PC use they are not required or used at all. Unfortunately they are commonly abused by malware/exploit payloads to download malicious content or bypass security solutions. If you have Anaconda installed you may want to allow all processes that are started from processes (parent process) located in the Anaconda installation folder, e.g. an exclusion rule (not tested):

    [%PARENTPROCESS%: C:\Users\<Your-Username>\Anaconda3\*]

* Replace <Your-Username> with your PC username, e.g. Admin.
    * Additionally, you may harden the exclusion rule with additional matches if needed.

    We will work on making exclusions/whitelisting and logs management easier, it is in the todo list.
     
    Last edited: May 16, 2021 at 1:56 PM
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,293
    Location:
    U.S.A.
    I will allow NVTHelperProcess outbound network traffic for the time being. However, note the following:

    1. The communication is occurring via HTTP. This needs to be changed to HTTPS.
2. The connections are to Cloudflare servers; specifically to GlobalSign domains.
     
  23. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,111
    Location:
    Italy
Yes, those two points are normal behaviors: the Windows APIs may need to query the CRL (Certificate Revocation List) of a digital signature, which uses an HTTP connection and doesn't support an HTTPS connection.

    Here is an example of CRL list of Notepad++ code sign certificate (by DigiCert):

    crl-list-example.png

    Here is an example of CRL list of our code sign certificate (by GlobalSign):

    crl-globalsign-url.png

    Some queried CRLs may be hosted/behind Cloudflare IPs and/or GlobalSign (or other) domains/providers.
     
    Last edited: May 17, 2021 at 1:37 PM
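Editor's note on the two posts above (itman's observation of plain-HTTP traffic to GlobalSign hosts behind Cloudflare, and the developer's reply that these are CRL fetches performed by the Windows APIs). The following PowerShell script is an added example, not code from NoVirusThanks or OSArmor: it reads the CRL Distribution Point and Authority Information Access (OCSP) URLs out of the certificate chain behind a file's Authenticode signature, so you can see for yourself which hosts Windows will contact during revocation checking and what scheme they use, and then lists the established TCP connections of a named process to compare against that list. The default file path (notepad.exe) and the process name `NVTHelperProcess` are assumptions; point them at whatever you want to check. A caveat worth knowing before demanding HTTPS here: the CRL and OCSP responses are themselves signed by the CA, so the transport adds no integrity, and validating a TLS certificate for the CRL server would in turn require a revocation check of that certificate, which is why CAs publish revocation endpoints over plain HTTP.

```powershell
# Added example (not OSArmor's code): list the revocation endpoints Windows may contact
# when it validates an Authenticode signature, then show where a given process is
# actually connected so the two can be compared. Requires Windows PowerShell 5.1+ or
# PowerShell 7 on Windows. The default file path is an assumption; use any signed binary.
param(
    [string]$Path = "$env:SystemRoot\System32\notepad.exe",
    [string]$ProcessName = 'NVTHelperProcess'   # assumed name of the process to inspect
)

$sig = Get-AuthenticodeSignature -FilePath $Path
"Authenticode status for ${Path}: $($sig.Status)"
if (-not $sig.SignerCertificate) { throw "File carries no Authenticode signature." }

# Build the chain with online revocation checking. This is the same policy the Windows
# chain engine applies when a caller asks for revocation, and it is what triggers the
# CRL/OCSP fetches observed on the wire.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$built = $chain.Build($sig.SignerCertificate)
"Chain built successfully: $built"
foreach ($s in $chain.ChainStatus) {
    "  chain status: $($s.Status) - $($s.StatusInformation.Trim())"
}

# 2.5.29.31 = CRL Distribution Points; 1.3.6.1.5.5.7.1.1 = Authority Information Access
# (OCSP responder and CA issuer URLs). Both are where the revocation traffic goes.
$oidNames = @{ '2.5.29.31' = 'CRL-DP'; '1.3.6.1.5.5.7.1.1' = 'AIA   ' }

foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    ""
    "Subject : $($cert.Subject)"
    "Issuer  : $($cert.Issuer)"
    foreach ($ext in $cert.Extensions) {
        if (-not $oidNames.ContainsKey($ext.Oid.Value)) { continue }
        # Format($true) renders the extension as multi-line text containing "URL=..." entries.
        $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
            ForEach-Object { $_.Groups[1].Value }
        foreach ($u in $urls) {
            $scheme = ([uri]$u).Scheme.ToUpper()
            "  $($oidNames[$ext.Oid.Value]) [$scheme] $u"
        }
    }
}

# Now the other side of the comparison: what is the named process connected to right now?
# Reverse DNS is best effort; CDN edges (e.g. Cloudflare) often resolve to generic names.
$procIds = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Id
if (-not $procIds) {
    ""
    "No running process named $ProcessName."
} else {
    ""
    "Established connections owned by ${ProcessName}:"
    Get-NetTCPConnection -OwningProcess $procIds -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rdns = try {
                (Resolve-DnsName -Name $_.RemoteAddress -ErrorAction Stop | Select-Object -First 1).NameHost
            } catch { '(no PTR)' }
            "  -> $($_.RemoteAddress):$($_.RemotePort)  $rdns"
        }
}
```

Run it while the process in question is active (for example right after a signature verification has been triggered) and compare the remote addresses against the CRL-DP and AIA hosts printed above; the URLs will show `HTTP` for essentially every public CA, which is the expected result rather than a defect in the product that invoked the check.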
  24. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    966
    Location:
    Europe
What about the change to HTTPS? Dodging questions.
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,111
    Location:
    Italy
    @Floyd 57

    Just updated the post now with additional information and a screenshot.
     