NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,963
    Location:
    .
    Does Trusted Vendors apply to installers? 1.5.7
    Code:
    Process: [9044]C:\Users\bjm\AppData\Local\Temp\is-6MCLT.tmp\Sandboxie-Plus-x64-v0.8.0.tmp
    Process MD5 Hash: CCD375DC174DBB8998A6BC803364E620
    Parent: [1744]C:\Users\bjm\Desktop\Sandboxie-Plus-x64-v0.8.0.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\bjm\AppData\Local\Temp\is-6MCLT.tmp\Sandboxie-Plus-x64-v0.8.0.tmp" /SL5="$13045C,15687322,780800,C:\Users\bjm\Desktop\Sandboxie-Plus-x64-v0.8.0.exe" /SPAWNWND=$4E03CA /NOTIFYWND=$8030E
    Signer: <NULL>
    Parent Signer: Tonalio GmbH
    User/Domain: bjm/DESKTOP-DELL
    System File: False
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High
    png_10892.png
     
    Last edited: Jun 13, 2021
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,124
    Location:
    Italy
    @bjm_

    Looks like the .tmp setup file Sandboxie-Plus-x64-v0.8.0.tmp is not digitally signed and thus it is blocked by rule "Block execution of unsigned processes on Local AppData".

    You should ask the creator of the setup file to also sign the .tmp setup file (not just the main .exe file).

    Then once it is signed, it will be allowed (I see you already added "Tonalio GmbH" to TrustedVendors.db).

    //Everyone

    Just released OSArmor v1.5.8:

    + Added more signers to Trusted Vendors list
    + Added new internal rules to block suspicious behaviors
    + Fixed all reported false positives
    + Minor improvements

    Download:
    https://www.osarmor.com/download/
     
  3. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,567
    Thanks for the info, Andreas. I'm pretty sure v1.5.8 will soon find its way to my internal OSA updater.:)
     
  4. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,963
    Location:
    .
    Okay....understood. Thanks
     
  5. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,960
    Just updated to v1.5.8 :)
     
  6. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,960
    P.S. I was watching this YouTube video when it came through... ;) :thumb:
     


  7. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,960
    I have a license for Windscribe VPN which I had last updated on my laptop in March 2019, i.e. v1.83 Build 20. I have run the installer, earlier this morning, for the new build that came out earlier this year, v2.2 Build 10. They don't update very often!!!!!

    Anyhow, I got a popup from OSArmor, which I decided to exclude.

    Windscribe Pro_v2.02.10 install_03.JPG
     
  8. Influenza

    Influenza Registered Member

    Joined:
    May 7, 2016
    Posts:
    58
    Hello,
    How can I report a false positive ?
    When installing Adguard for Windows:

    1.PNG
    2.PNG
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    I think you can just request to
    @novirusthanks

    In my case, fwiw, I would simply add that trusted installer to exclusions and be done with it. It's just reporting a potentially suspicious action from schtasks - listed LOLBin - launching an unknown installer in C:\ProgramData, a directory where built-in users have Read, Write and Execute rights, as reported from launching icacls C:\Progra* from an elevated command prompt.


    icacls.png

    That said, if AdGuard is in OSArmor's Trusted Vendors list, then maybe you shouldn't need to add it to Exclusions? This latter possibility is something I'm not sure of.
     
  10. Influenza

    Influenza Registered Member

    Joined:
    May 7, 2016
    Posts:
    58
    Thanks @wat0114
    I have excluded it and the installation can finish.
    I think it is interesting if @novirusthanks can "whitelist" it.
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    You're welcome.

    I think if you Scan system under the Trusted Vendors tab, it should detect it if it's a valid certificate included in its list.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    Greetings @novirusthanks

    Regarding the Trusted Vendors list, does a Protections rule, such as for example the one in the above post #3733, take precedence over a valid vendor's name present on the list, or is it the other way around?
     
  13. Influenza

    Influenza Registered Member

    Joined:
    May 7, 2016
    Posts:
    58
    Thanks @wat0114
    Just done, Adguard is listed.
    I'm surprised because Dr.Web is not listed as Trusted Vendor.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    No problem Influenza. I now wonder if the Exclusion you added in post #3733 is redundant.

    EDIT

    I may have answered my own question posted in #3737, although I'd still like to hear from Andreas or someone else.

    I was experimenting by dropping a signed binary setup file (OSArmor) into the depths of C:\Windows\System32\.... then tried executing it and OSA alerted as follows:

    Code:
    Process: [8564]C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\osarmor-personal-setup(1).exe
    Parent: [3568]C:\Windows\explorer.exe
    Rule Name: Block processes located in suspicious folders
    Command Line: "C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\osarmor-personal-setup(1).exe"
    Signer: NoVirusThanks Company Srl
    Parent Signer: Microsoft Windows
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    I got rid of some of the unnecessary text from the log entry just for better clarity. Users can write to this location. Anyway OSA alerted based on the Protection rule in place, even though both Parent and Child processes are included in the Trusted Vendors list, so I guess the Protection rule will take precedence over the list.
     
    Last edited: Jun 20, 2021
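    The two block events quoted in this thread (post #1, an unsigned .tmp launched from Local AppData, and post #14, a signed installer run from MachineKeys) share the same "Key: Value" layout. As an added example that is not OSArmor's or NoVirusThanks' own code, the script below parses that layout, splits the "[pid]path" fields, and classifies each event against a Trusted Vendors set the way the thread concludes OSArmor does: an unsigned file can never be covered by Trusted Vendors, and some rules fire even when the signer is trusted. The event text is copied (abridged) from those two posts; the set of overriding rule names and the list of user-writable folders are assumptions made for this example, not OSArmor's actual configuration.

```python
"""Parse the OSArmor block events quoted in this thread and explain why each
fired, including the case where the signer is already a Trusted Vendor.

Added example, not OSArmor's or NoVirusThanks' own code. The two events are
copied (abridged) from posts #1 (bjm_) and #14 (wat0114); the set of rules
that override the Trusted Vendors list and the list of user-writable folders
are assumptions made for this example.
"""
import re

# Event from post #1: unsigned setup .tmp launched from Local AppData.
EVENT_UNSIGNED_TMP = r"""
Process: [9044]C:\Users\bjm\AppData\Local\Temp\is-6MCLT.tmp\Sandboxie-Plus-x64-v0.8.0.tmp
Parent: [1744]C:\Users\bjm\Desktop\Sandboxie-Plus-x64-v0.8.0.exe
Rule: BlockUnsignedProcessesAppDataLocal
Rule Name: Block execution of unsigned processes on Local AppData
Signer: <NULL>
Parent Signer: Tonalio GmbH
Integrity Level: High
Parent Integrity Level: High
"""

# Event from post #14: signed installer dropped into a suspicious folder.
EVENT_SIGNED_IN_MACHINEKEYS = r"""
Process: [8564]C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\osarmor-personal-setup(1).exe
Parent: [3568]C:\Windows\explorer.exe
Rule Name: Block processes located in suspicious folders
Signer: NoVirusThanks Company Srl
Parent Signer: Microsoft Windows
System File: False
Parent System File: True
Integrity Level: Medium
Parent Integrity Level: Medium
"""

# Assumption: rule names that apply even to Trusted Vendor signers
# (post #23 says "some rules take precedence"; post #14 shows this one doing so).
RULES_OVERRIDING_TRUSTED_VENDORS = {
    "Block processes located in suspicious folders",
}

# Assumption: folder fragments ordinary users can write to, lower-cased and
# with forward slashes so the check is separator- and case-insensitive.
USER_WRITABLE_MARKERS = (
    "/appdata/local/temp/",
    "/programdata/",
    "/system32/microsoft/crypto/rsa/machinekeys/",
)

_PID_PREFIX = re.compile(r"^\[(\d+)\](.*)$")


def parse_event(text):
    """Turn an OSArmor 'Key: Value' block into a dict.

    'Process' and 'Parent' carry a '[pid]' prefix that is split off into
    'Process PID' / 'Parent PID'; a '<NULL>' signer becomes None.
    """
    event = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            event[key.strip()] = value.strip()
    for key in ("Process", "Parent"):
        match = _PID_PREFIX.match(event.get(key, ""))
        if match:
            event[key + " PID"] = int(match.group(1))
            event[key] = match.group(2)
    for key in ("Signer", "Parent Signer"):
        if event.get(key) == "<NULL>":
            event[key] = None
    return event


def in_user_writable_dir(path):
    """True if the path sits under one of the assumed user-writable folders."""
    normalized = path.replace("\\", "/").lower()
    return any(marker in normalized for marker in USER_WRITABLE_MARKERS)


def explain_block(event, trusted_vendors):
    """Classify a block event against a Trusted Vendors set.

    Returns one of: 'unsigned', 'rule-overrides-trusted-vendor',
    'untrusted-signer' or 'possible-false-positive'.
    """
    signer = event.get("Signer")
    rule = event.get("Rule Name", "")
    if signer is None:
        return "unsigned"  # Trusted Vendors cannot apply; the file needs a signature
    if signer in trusted_vendors:
        if rule in RULES_OVERRIDING_TRUSTED_VENDORS:
            return "rule-overrides-trusted-vendor"
        return "possible-false-positive"  # worth reporting to the developer
    return "untrusted-signer"


if __name__ == "__main__":
    trusted = {"Tonalio GmbH", "NoVirusThanks Company Srl", "Microsoft Windows"}
    for raw in (EVENT_UNSIGNED_TMP, EVENT_SIGNED_IN_MACHINEKEYS):
        ev = parse_event(raw)
        print(ev["Process"])
        print("  rule:", ev.get("Rule Name"))
        print("  signer:", ev["Signer"], "| parent signer:", ev["Parent Signer"])
        print("  user-writable location:", in_user_writable_dir(ev["Process"]))
        print("  verdict:", explain_block(ev, trusted))
```

    Run as-is it prints a verdict for both events: the Sandboxie .tmp comes out as "unsigned" even though its parent's signer is trusted, and the OSArmor setup in MachineKeys comes out as "rule-overrides-trusted-vendor", which is the behaviour the experiment in this post observed. The "possible-false-positive" branch is the case to report to the developer, as was done for AdGuard further down the thread.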
  15. harko

    harko Registered Member

    Joined:
    Jul 1, 2021
    Posts:
    2
    Location:
    usa
    Hello,

    I am a developer for the app https://redact.dev and we have noticed that osarmor slows down the performance and even loadtime of our app by ~10 seconds.

    This behavior continues even if you set osarmor protection to disabled in the tray context menu.

    Does anyone have any idea what might be happening and how to fix? The app is based on electron if that matters.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    My tests of OSA show that when Protection is disabled, it is not monitoring any process activity.

    The delay time noted would be indicative of AV scan processing. For example, Windows Defender cloud scanning which has a default 10 sec. scan time.
     
  17. harko

    harko Registered Member

    Joined:
    Jul 1, 2021
    Posts:
    2
    Location:
    usa
    I don't think it's related.

    OSarmor installed, default rules = 10 second processing time.
    OSarmor installed, Protection disabled = 10 second processing time.
    OSarmor full uninstalled = 2 second processing time
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    Do you have OSA set to default settings?

    I find it a "stretch" that your app is the only one having performance issues with OSA. If this was the case, there would likely be numerous postings of the same in this forum section.
     
  19. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,567
    @harko: What version of OSA are you using?
     
  20. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,559
    I am thinking about giving OSA a first time try in the near future on my Windows 10 Pro 64bit PC.

    On the first three Tabs, it appears that some of the options are un-checked by default. If you want to increase the Security above the default, are there any recommendations on which additional boxes to check?

    Thanks in Advance.
     
  21. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    586
    Location:
    US
    Me, I checked them all (right click in 'Protections' tab and Select All Protections). In 'Settings' I uncheck 'Automatically close the notification window' and check 'Play a custom sound'. Then when an OSA notification/alert pops up, I just search the blocked event in the 'Configurator' and uncheck that specific blocked process. My setup, not many notifications. I always 'Disable Protection' when updating or installing any software.

    Win 10 Pro x64 v20H2

    Good luck,
    Robert
     
    Last edited: Jul 14, 2021
  22. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,064
    Location:
    Brooklyn, NY
    NoVirusThanks: on your website, it seems Windows 7 through Windows 10, 32 and 64 bit, are supported.

    Has Windows 11 been tested yet by you? I haven't come up with anything (yet), all seems to be in order. But I need some confirmation. Thanks!

    Understandable if it's still too early.
     
  23. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,124
    Location:
    Italy
    @Influenza

    Yes that AdGuard block is a FP, will be fixed on next release.

    @Tarnak

    Will add Windscribe vendor to Trusted Vendors List.

    @wat0114

    Some rules take precedence over the Trusted Vendors List.

    @plat1098

    OSA is working fine on Windows 11, see screenshot below.

    win11-2021-07-22-22-43-04.png
     
  24. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,064
    Location:
    Brooklyn, NY
    Yes, there was a small concern that one or more obscure rules would not work on Windows 11. Great, thanks a lot. :thumb:
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    Thanks Andreas!
     