NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,132
    Location:
    Italy
    New build test 5 can be downloaded here:

    Code:
    https://downloads.osarmor.com/osarmor_personal_1.5.9_test5.exe
    
    @plat1098 @bjm_

    The problem related to the message dialog that is displayed also if you don't click the "Save" button in the Configurator is fixed now.

    The user still needs to type a custom file name when exporting its settings.

    About the loon.wav file, nothing was changed and I can't reproduce the issue here.

    I remember you sent me time ago your custom WAV file and here it worked fine (it played when something got blocked).

    Will try to dig more but seems a very strange behavior.
     
  2. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,213
    Location:
    Brooklyn, NY
    Thanks for the new build, NVT-- installed cleanly--mainly for trying to get my WAV to work. Since it works fine for you and prob others, I will have to figure out what the deal is. That message box no longer appears after canceling the Export "operation," which is nice.

    Thanks for giving the WAV thing some acknowledgement even though it's not something universal. I'm sure it'll work out one way or another eventually. :)
     
  3. Influenza

    Influenza Registered Member

    Joined:
    May 7, 2016
    Posts:
    60
    Thanks @novirusthanks for the explanations.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,378
    Location:
    Canada
    I get none of these results on these tests.
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,062
    Location:
    .
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,378
    Location:
    Canada
    Didn’t see that @bjm_ , thanks!
     
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,132
    Location:
    Italy
    We've released OSArmor v1.5.9:
    https://www.osarmor.com/

    This is the changelog:

    If you find issues or FPs please let me know.

    * You can install over-the-top of a previous version (reboot is not needed).
    * If you have auto-update option enabled you should get the update automatically.

    Thanks guys!
     
  8. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,010
    Location:
    Canada
    Thanks Andrea for your hard work:)
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,378
    Location:
    Canada
    Thanks so much, Andreas!

    This utility just gets better and better with each new release.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,278
    Location:
    Among the gum trees
    Gggrrrreeeeeat!

    Booting back into Windows right now just for the update. :)
     
    Last edited: Aug 7, 2021
  11. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,594
    Thanks a lot for the update. Works great, as always. I still hope SysHardener will also be updated one day.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,378
    Location:
    Canada
    +1 :thumb:
     
  13. Influenza

    Influenza Registered Member

    Joined:
    May 7, 2016
    Posts:
    60
    Automatically updated :thumb:
     
  14. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,213
    Location:
    Brooklyn, NY
    I saw the Twitter notification about the new build but I have to ask: is OSA officially supported for Windows 11 or is this still in the evaluation phase? In the announcement, it's Vista thru Windows 10. Or, does one have to wait until the Windows release is official?

    No problems so far running on Windows 11 but nothing too in-depth. :).
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,774
    Location:
    The Netherlands
    Congrats, I will soon give it a test drive. :thumb:
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,278
    Location:
    Among the gum trees
    I'm not sure if this was technically a false positive or not.

    Date/Time: 9/08/2021 8:00:00 AM
    Process: [14620]C:\Windows\System32\cmd.exe
    Process MD5 Hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
    Parent: [1456]C:\Windows\System32\svchost.exe
    Rule: BlockPowerShellMalformedCommands
    Rule Name: Block encoded and malformed PowerShell commands
    Command Line: C:\WINDOWS\system32\cmd.EXE /c start hpdiags://SmartCheckTest
    Signer: <NULL>
    Parent Signer: Microsoft Windows Publisher
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: System
     
  17. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    39
    Location:
    Scotland
    If you look at that command, it's an attempt to execute

    start hpdiags://SmartCheckTest

    If I try to do that here, Windows complains that (on my non-HP system) there is no application installed to process that sort of link. That is, it's interpreting the "hpdiags://" part in the same basic fashion as it would interpret something starting "http://" or "ftp://" etc. That implies that the HP diagnostics software has installed a protocol handler for their invented "hpdiags:" protocol. On your system that might well be legitimate, but on anyone-else's it's easy to see (in my opinion anyway) why it looks like a malformed command.
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,416
    Location:
    Under a bushel ...
    Got this flashing my Lenovo BIOS, with Medium Protection Profile ... but 'Prevent unsigned processes in user space from starting system processes' is not ticked? (under Lockdown & Experimental).
    Code:
    Date/Time: 8/9/2021 10:50:37 AM
    Process: [14012]C:\Windows\TempInst\ExtactTemp\SctWinFlash64.exe
    Process MD5 Hash: 5ED5158DEE32426640B151716BEE5360
    Parent: [6864]C:\Drivers\Flash\20210908.10500715\CQCN34WW.exe
    Rule: PreventUnsignedProcsInUserSpaceStartSystemProcs
    Rule Name: Prevent unsigned processes in user space from starting system processes
    Command Line: "c:\windows\TempInst\ExtactTemp\SctWinFlash64.exe"
    Signer: Phoenix Technologies Ltd.
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    
    
    Date/Time: 8/9/2021 10:44:31 AM
    Process: [1368]C:\Drivers\Flash\20210908.10435955\CQCN34WW.exe
    Process MD5 Hash: 6CBA94E34474777D2A0C17C22E79D00A
    Parent: [6236]C:\Windows\TempInst\is-RV52M.tmp\cqcn34ww.tmp
    Rule: BlockUnsignedProcsWithSystemIL
    Rule Name: Block unsigned processes executed with system privileges
    Command Line: "C:\Drivers\Flash\20210908.10435955\CQCN34WW.exe"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,278
    Location:
    Among the gum trees
    It must be HPs dodgy coding as I just got this one:

    Date/Time: 10/08/2021 8:00:02 AM
    Process: [3384]C:\Windows\System32\cmd.exe
    Process MD5 Hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
    Parent: [1480]C:\Windows\System32\svchost.exe
    Rule: BlockPowerShellMalformedCommands
    Rule Name: Block encoded and malformed PowerShell commands
    Command Line: C:\WINDOWS\system32\cmd.EXE /c start hpdiags://BatteryStatusTest
    Signer: <NULL>
    Parent Signer: Microsoft Windows Publisher
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: System

    It is interesting because my desktop PC doesn't have a battery.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,399
    Location:
    U.S.A.
    FYI:
    https://www.file.net/process/hpdiags.exe.html

    Looks like HP telemetry activity to me. On the other hand, anything that runs a PowerShell script as a child process from cmd.exe that can establish a remote connection ....... well, I would view it with suspicion.
     
    Last edited: Aug 9, 2021
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,278
    Location:
    Among the gum trees
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,774
    Location:
    The Netherlands
    BTW, a technical question about the "Block Remote Scripts" and "Block Bitsadmin.exe" rules, does this mean that OSArmor will block outbound connections via the Win Firewall, or perhaps its own firewall?
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,774
    Location:
    The Netherlands
    Is it possible to get a license key purely for testing? I keep getting that my license has expired, but I never actually completed the trial.
     
  24. Influenza

    Influenza Registered Member

    Joined:
    May 7, 2016
    Posts:
    60
    Hello,
    I'm not sure but I think these are false positives ?
    ____________________________________________________________________________________________________
    Date/Time: 12/08/2021 16:01:39
    Process: [11700]C:\Windows\SysWOW64\regedit.exe
    Process MD5 Hash: BD63D72DB4FA96A1E0250B1D36B7A827
    Parent: [11360]C:\Users\Robert\Downloads\euc_win_1_06_022.exe
    Rule: PreventUnsignedProcsInUserSpaceStartSystemProcs
    Rule Name: Prevent unsigned processes in user space from starting system processes
    Command Line: regedit.exe /s bin\etn_ca.reg
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: ................................
    System File: True
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High
    ________________________________________________________________________________________________________

    Date/Time: 14/08/2021 09:52:39
    Process: [11800]C:\Windows\System32\reg.exe
    Process MD5 Hash: 227F63E1D9008B36BDBCC4B397780BE4
    Parent: [11784]C:\Windows\System32\cmd.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: C:\WINDOWS\System32\reg.exe QUERY HKEY_USERS\S-1-5-21-1669281036-1562460724-2316969650-1001_Classes\Software\ESRV\ids
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: Système/AUTORITE NT
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System


    Date/Time: 14/08/2021 09:52:39
    Process: [11772]C:\Windows\System32\reg.exe
    Process MD5 Hash: 227F63E1D9008B36BDBCC4B397780BE4
    Parent: [11756]C:\Windows\System32\cmd.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: C:\WINDOWS\System32\reg.exe QUERY HKEY_USERS\S-1-5-21-1669281036-1562460724-2316969650-1001_Classes\Software\ESRV
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: Système/AUTORITE NT
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System


    Date/Time: 14/08/2021 09:52:37
    Process: [11272]C:\Windows\System32\reg.exe
    Process MD5 Hash: 227F63E1D9008B36BDBCC4B397780BE4
    Parent: [7304]C:\Windows\System32\cmd.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: C:\WINDOWS\System32\reg.exe QUERY HKEY_USERS\S-1-5-21-1669281036-1562460724-2316969650-1001_Classes\Software\ESRV\ids
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: Système/AUTORITE NT
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,378
    Location:
    Canada
    In my case I would consider OSA is working as intended and simply add those alerts to exceptions. Actually the last three are identical. Based on the Rule Names, the alerts are legitimate.
     
    Last edited: Aug 14, 2021
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.