NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,278
    Location:
    Among the gum trees
    I hope not or everyone here who has paid for a license might feel ripped off.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,278
    Location:
    Among the gum trees
    I got this today on my HP desktop:

    Date/Time: 15/08/2021 7:54:01 AM
    Process: [8952]C:\Windows\System32\cmd.exe
    Process MD5 Hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
    Parent: [1396]C:\Windows\System32\svchost.exe
    Rule: BlockPowerShellMalformedCommands
    Rule Name: Block encoded and malformed PowerShell commands
    Command Line: C:\WINDOWS\system32\cmd.EXE /c start hpdiags://FastSystemTests
    Signer: <NULL>
    Parent Signer: Microsoft Windows Publisher
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: System

    Hopefully nothing besides HP Support Assistant performing 'normally'.
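The block notification quoted above is a good illustration of what an OSArmor log event looks like and of the triage question it raises (blocked process is an OS binary, parent is Microsoft-signed, so is it the HP tool misfiring or something worth a closer look?). The script below is an added example, not code from NoVirusThanks or from this thread: it parses events in the "Key: Value" layout shown in the post into dictionaries, splits the `[pid]path` fields, and applies a simple first-pass heuristic for sorting events into "probably a signed system chain" versus "needs a human look". The first sample event is the one from the post; the second is constructed for the example (it deliberately omits the `Rule Name` line to show the parser tolerating a missing field). The heuristic itself is an assumption for illustration, not OSArmor's own logic.

```python
import re
from collections import Counter

# Constructed sample log. Event 1 is the block quoted in the forum post above;
# event 2 is made up in the same format (and leaves out "Rule Name" on purpose).
SAMPLE_LOG = r"""Date/Time: 15/08/2021 7:54:01 AM
Process: [8952]C:\Windows\System32\cmd.exe
Process MD5 Hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Parent: [1396]C:\Windows\System32\svchost.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block encoded and malformed PowerShell commands
Command Line: C:\WINDOWS\system32\cmd.EXE /c start hpdiags://FastSystemTests
Signer: <NULL>
Parent Signer: Microsoft Windows Publisher
User/Domain: David/DAVID-HP
System File: True
Parent System File: True
Integrity Level: High
Parent Integrity Level: System

Date/Time: 15/08/2021 8:10:22 AM
Process: [4120]C:\Users\Public\tool.exe
Process MD5 Hash: 00000000000000000000000000000000
Parent: [2200]C:\Windows\explorer.exe
Rule: AntiExploitProtectSpecificSystemProcesses
Command Line: C:\Users\Public\tool.exe --run
Signer: <NULL>
Parent Signer: Microsoft Windows
User/Domain: David/DAVID-HP
System File: False
Parent System File: True
Integrity Level: Medium
Parent Integrity Level: Medium
"""

# "Key: Value" line; the first ": " separates key from value, so drive letters
# such as C:\ inside the value are not mistaken for a separator.
FIELD_RE = re.compile(r"^([^:]+): (.*)$")
# "[1234]C:\path\to\file.exe" as used by the Process and Parent fields.
PROC_RE = re.compile(r"^\[(\d+)\](.*)$")


def parse_events(text):
    """Split a log into events (separated by blank lines) and return one dict per event."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                event[m.group(1).strip()] = m.group(2).strip()
        # Split "[pid]path" into separate PID and Path keys for Process and Parent.
        for key in ("Process", "Parent"):
            m = PROC_RE.match(event.get(key, ""))
            if m:
                event[key + " PID"] = int(m.group(1))
                event[key + " Path"] = m.group(2)
        # Normalise the True/False strings to real booleans.
        for key in ("System File", "Parent System File"):
            if key in event:
                event[key] = event[key] == "True"
        events.append(event)
    return events


def likely_benign_system_chain(event):
    """Assumed triage heuristic (not a verdict): the blocked process and its parent
    are both Windows system files and the parent carries a Microsoft signature.
    Such events are candidates for a false-positive exclusion after a manual check."""
    return (
        event.get("System File") is True
        and event.get("Parent System File") is True
        and event.get("Parent Signer", "").startswith("Microsoft")
    )


def summarize(events):
    """Count blocks per rule and list the blocked paths that fail the heuristic."""
    by_rule = Counter(e.get("Rule", "<unknown>") for e in events)
    needs_review = [e.get("Process Path") for e in events if not likely_benign_system_chain(e)]
    return {"by_rule": dict(by_rule), "needs_review": needs_review}


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    for ev in parsed:
        print(ev["Process PID"], ev["Process Path"], "<-", ev["Parent Path"], ev.get("Rule"))
    print(summarize(parsed))
```

On the post's own event the heuristic puts cmd.exe spawned by the Microsoft-signed svchost.exe into the "probably a system chain" bucket, which matches the poster's suspicion that HP Support Assistant triggered it; the constructed unsigned binary from a user-writable folder lands in the review list instead. Over a real log with a hundred repeated entries (as another poster describes later in the thread), the per-rule counter is what makes the noise from a single looping process visible at a glance.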
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,399
    Location:
    U.S.A.
    You keep complaining about this. Also, I am sure you are very well aware of how software trials work.

    The time expiration clock starts ticking the minute the software is installed and activated. It doesn't matter if you later uninstall the software or whatever. When 30 days elapses, the trial license expires. Also the software vendor is not going to issue the user another trial license since trialing is a one-time event.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,774
    Location:
    The Netherlands
    What I mean is that because we test software on this forum, developers are often willing to give a trial key for let's say 14 days. Also, I believe something went wrong on my system, I uninstalled OSArmor within the 30 days and after that it wrongly stated that my trial key had expired when I reinstalled the new version. But anyway, the new GUI looks quite good, but to be honest I prefer the old GUI. So I will stick with OSA free for now.
     
  5. Influenza

    Influenza Registered Member

    Joined:
    May 7, 2016
    Posts:
    60
    Thanks @wat0114
    Sorry, but I'm not sure I understand exactly how OSA works?
     
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,062
    Location:
    .
    Curious, HP with Trusted Vendors?
    Curious, HP Tools with HP as Trusted Vendor?
    Curious, what HP as Trusted Vendors allows HP to do?
     
    Last edited: Aug 17, 2021
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,278
    Location:
    Among the gum trees
    I refer you to these posts:

    #3792

    #3795
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,774
    Location:
    The Netherlands
    BTW, isn't OSArmor supposed to block execution of powershell.exe out of the box? I noticed that ConfigureDefender uses PowerShell, and I didn't get any notifications. I'm using the last freeware version of OSA.
     
  9. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,213
    Location:
    Brooklyn, NY
    Rasheed, I just enabled ConfigureDefender to see but am wondering which rules you have enabled there. Are you using a Profile like High, Max, etc? I looked real quick in the H_C thread at MT and the developer is talking about settings where ps1, .vbs and .bat scripts are blocked using certain settings. Where did you see that CD was using PowerShell?

    I don't recall in OSA where PowerShell was ever blocked out of the box. I always had to manually enable it. I enabled it just now under Block Scripts Executions in OSA. I don't think this section name is there in your version, it has another name.

    I'm using OSA v. 1.5.9 and Hard_Configurator v. 6.0.0.0.

    Example
     
  10. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,594
    No, it doesn't block the execution of PowerShell out of the box, but OSA can be configured to block it.
    OSA_PowerShell.png
     
    Last edited: Aug 22, 2021
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,774
    Location:
    The Netherlands
    Thanks, totally forgot about this. Most likely because EXE Radar was always blocking this, but I've stopped using it, OSArmor is a better choice for me, I got a bit tired of having to keep whitelisting stuff.

    I'm currently not on my Win 10 laptop, but I believe when you apply certain restrictions via ConfigureDefender, it will use powershell.exe, and OSArmor will correctly block it. In fact, OSArmor will also block it when you run a tool like DefenderUI.
     
  12. Graphite85

    Graphite85 Registered Member

    Joined:
    Aug 28, 2020
    Posts:
    32
    Location:
    New Zealand
    What does the NVTHelperprocess do and why does it need to connect outbound through the firewall?
     
  13. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,986
    Location:
    Location Unknown
    Yes. As far as I know, it's used to verify digital signatures.
     
  14. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,213
    Location:
    Brooklyn, NY
    I submitted a minor issue to the Microsoft Feedback Hub and got two popup alerts from OSA, which I then added as exclusions. Since this is Microsoft, I'm wondering if these false positives can be whitelisted internally. Thanks. There are over 100 entries (due to spamming cmd.exe until I excluded) in the log, but I'm referencing the first one. The primary rule: AntiExploitProtectSpecificSystemProcesses.
    osafp.PNG

    If it's helpful, I can forward the entire log from 9/9/2021. :) Windows 11 v. 22000.184

    Edited 9/12/2021 to report the correct rule. :)
     
    Last edited: Sep 12, 2021
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,132
    Location:
    Italy
    @Graphite85

    It is used to verify digital code signatures and to check for revoked certificates.

    @plat1098

    Yes, that is a FP, can you please share the entire log? Just send it to me via email if possible.

    //Everyone

    Just tested OSArmor v1.5.9 with recent CVE-2021-40444 (MS Office Exploit), here is the video:
    https://www.youtube.com/watch?v=z86o15Polac

    OSArmor blocked the exploit infection chain and prevented the execution of the payload (calc), thus keeping the system safe.
     
  16. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,010
    Location:
    Canada
    Fantastic! Thanks Andreas for your dedication fighting malware. :thumb:
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,399
    Location:
    U.S.A.
    Great!

    However, my question is: did OSArmor, previous to this exploit disclosure, detect control.exe running rundll32.exe in shell mode with a .ini command string?

    Also, the exploit can be employed using a .rtf file versus ActiveX. Will OSA protect against this also?
     
    Last edited: Sep 11, 2021
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,132
    Location:
    Italy
    @itman

    Yes, the "Preview pane" option in Windows just spawns a hidden window of Microsoft Word to capture file content and show a preview to the user.

    Here I uploaded a new video showing OSArmor that blocks the malicious behavior:

    Testing OSArmor with "Preview Pane" .RTF CVE-2021-40444
    https://www.youtube.com/watch?v=XeaJkuK7sbc

    Yes, it should trigger one of these rules:
    Block execution of .cpl applets outside System folder
    Block execution of suspicious command-line strings
    Prevent rundll32.exe from using Control_RunDLL (shell32.dll)
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,132
    Location:
    Italy
    Here is a pre-release test build of OSArmor Personal 1.6.0:

    https://downloads.osarmor.com/osarmor-1.6.0-setup-personal.exe

    Changelog so far:

    Let me know if you find any issues guys =)

    Thanks!
     
  20. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    786
    Location:
    sweden
    What happened to Syshardener?
    A long time ago you said that info about its future would come shortly. How long is short ;)
     
  21. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,594
    I would also like to get an answer to this question. SH was last updated in 2018. Is this app still supported/developed or should SH be considered "abandonware"?
     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,416
    Location:
    Under a bushel ...
    Andreas, would it still be possible (e.g. via a dot) in Configurator Protections tab right-click context menu, to indicate which profile is currently selected / in operation: Basic Protection (default), Medium Protection, Advanced ... ?

    It is difficult to know which one was last selected / currently in operation, and to be sure one has to select again?
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,774
    Location:
    The Netherlands
    Very cool! BTW, I already asked this way back, but is it possible to add options to block running of browsers like Chrome, Vivaldi, Opera, Edge and Firefox as child process? Also, what about an option to block running of processes in suspended mode? This would block process hollowing attacks, see link. So basically it should spot processes that are created with the create_suspended flag. Of course, safe behaviors should be allowed from trusted processes.

    https://www.elastic.co/jp/blog/hunting-memory
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,278
    Location:
    Among the gum trees
    I've been running 1.6.0 on two Win10 21H1 machines with differing real-time security products on each and no problems to report so far. :thumb:
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,278
    Location:
    Among the gum trees
    I'd be interested in hearing about that too, but I've started using Hard_Configurator on one machine so far.
     