Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.
I hope not or everyone here who has paid for a license might feel ripped off.
I got this today on my HP desktop:
Date/Time: 15/08/2021 7:54:01 AM
Process MD5 Hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Rule Name: Block encoded and malformed PowerShell commands
Command Line: C:\WINDOWS\system32\cmd.EXE /c start hpdiags://FastSystemTests
Parent Signer: Microsoft Windows Publisher
System File: True
Parent System File: True
Integrity Level: High
Parent Integrity Level: System
Hopefully nothing besides HP Support Assistant performing 'normally'.
You keep complaining about this. Also, I am sure you are very well aware of how software trials work.
The time expiration clock starts ticking the minute the software is installed and activated. It doesn't matter if you later uninstall the software or whatever. When 30 days elapse, the trial license expires. Also, the software vendor is not going to issue the user another trial license, since trialing is a one-time event.
What I mean is that because we test software on this forum, developers are often willing to give a trial key for, let's say, 14 days. Also, I believe something went wrong on my system: I uninstalled OSArmor within the 30 days, and after that it wrongly stated that my trial key had expired when I reinstalled the new version. But anyway, the new GUI looks quite good, but to be honest I prefer the old GUI. So I will stick with OSA free for now.
Sorry, but I'm not sure I understand exactly how OSA works?
Curious, HP with Trusted Vendors?
Curious, HP Tools with HP as Trusted Vendor?
Curious, what does HP as Trusted Vendor allow HP to do?
I refer you to these posts:
BTW, isn't OSArmor supposed to block execution of powershell.exe out of the box? I noticed that ConfigureDefender uses PowerShell, and I didn't get any notifications. I'm using the last freeware version of OSA.
Rasheed, I just enabled ConfigureDefender to see but am wondering which rules you have enabled there. Are you using a Profile like High, Max, etc? I looked real quick in the H_C thread at MT and the developer is talking about settings where ps1, .vbs and .bat scripts are blocked using certain settings. Where did you see that CD was using PowerShell?
I don't recall in OSA where PowerShell was ever blocked out of the box. I always had to manually enable it. I enabled it just now under Block Scripts Executions in OSA. I don't think this section name is there in your version, it has another name.
I'm using OSA v. 1.5.9 and Hard_Configurator v. 220.127.116.11.
No, it doesn't block the execution of PowerShell out of the box, but OSA can be configured to block it.
Thanks, totally forgot about this. Most likely because EXE Radar was always blocking this, but I've stopped using it, OSArmor is a better choice for me, I got a bit tired of having to keep whitelisting stuff.
I'm currently not on my Win 10 laptop, but I believe when you apply certain restrictions via ConfigureDefender, it will use powershell.exe, and OSArmor will correctly block it. In fact, OSArmor will also block it when you run a tool like DefenderUI.
What does the NVTHelper process do and why does it need to connect outbound through the firewall?
Yes. As far as I know, it's used to verify digital signatures.
I submitted a minor issue to the Microsoft Feedback Hub and got two popup alerts from OSA, which I then added as exclusions. Since this is Microsoft, I'm wondering if these false positives can be whitelisted internally. Thanks. There are over 100 entries (due to spamming cmd.exe until I excluded it) in the log, but I'm referencing the first one. The primary rule: AntiExploitProtectSpecificSystemProcesses.
If it's helpful, I can forward the entire log from 9/9/2021. Windows 11 v. 22000.184
Edited 9/12/2021 to report the correct rule.
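For triaging logs like the HP alert quoted earlier in the thread and the 100+ spammed cmd.exe entries above, here is an added example (not OSArmor's own code) that parses OSArmor's "Key: Value" alert blocks and collapses repeats; the sample log is constructed, with a placeholder hash and made-up command lines for the last two entries.

```python
# Added example, not OSArmor's own code: parse the "Key: Value" alert blocks that OSArmor
# writes (layout as quoted in this thread) and collapse repeated alerts for triage.
from collections import Counter
# Constructed sample log: the hash is a placeholder and the last two entries are made up.
SAMPLE_LOG = """\
Date/Time: 15/08/2021 7:54:01 AM
Process MD5 Hash: 00000000000000000000000000000000
Rule Name: Block encoded and malformed PowerShell commands
Command Line: C:\\WINDOWS\\system32\\cmd.EXE /c start hpdiags://FastSystemTests
Parent Signer: Microsoft Windows Publisher
System File: True
Parent System File: True
Integrity Level: High
Parent Integrity Level: System

Date/Time: 09/09/2021 10:12:00 AM
Rule Name: AntiExploitProtectSpecificSystemProcesses
Command Line: C:\\WINDOWS\\system32\\cmd.exe /c example-feedback-task
Parent Signer: N/A
Parent System File: False

Date/Time: 09/09/2021 10:12:01 AM
Rule Name: AntiExploitProtectSpecificSystemProcesses
Command Line: C:\\WINDOWS\\system32\\cmd.exe /c example-feedback-task
Parent Signer: N/A
Parent System File: False
"""


def parse_alerts(text):
    """Split the log on blank lines; each alert becomes a dict of field -> value."""
    alerts = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon ends the field name
            if sep:
                fields[key.strip()] = value.strip()
        alerts.append(fields)
    return alerts


def summarize(alerts):
    """Count per (rule, command line, parent signer), so 100 spammed copies become one row."""
    return Counter((a.get("Rule Name"), a.get("Command Line"), a.get("Parent Signer")) for a in alerts).most_common()


def signed_system_parent(alert):
    """Triage attribute, not a verdict: signed system binaries also launch bad command lines."""
    return (alert.get("Parent Signer") == "Microsoft Windows Publisher"
            and alert.get("Parent System File") == "True")
```

Run `summarize(parse_alerts(SAMPLE_LOG))` to get the collapsed rows, most frequent first; `signed_system_parent` only marks entries worth a closer look before adding an exclusion.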
It is used to verify digital code signatures and to check for revoked certificates.
Yes, that is a FP; can you please share the entire log? Just send it to me via email if possible.
Just tested OSArmor v1.5.9 with recent CVE-2021-40444 (MS Office Exploit), here is the video:
OSArmor blocked the exploit infection chain and prevented the execution of the payload (calc), thus keeping the system safe.
Fantastic! Thanks Andreas for your dedication fighting malware.
However, my question is: did OSArmor, previous to this exploit disclosure, detect control.exe running rundll32.exe in shell mode with a .ini command string?
Also, the exploit can be employed using a .rtf file versus ActiveX. Will OSA protect against this also?
Yes, the "Preview pane" option in Windows just spawns a hidden window of Microsoft Word to capture file content and show a preview to the user.
Here I uploaded a new video showing OSArmor that blocks the malicious behavior:
Testing OSArmor with "Preview Pane" .RTF CVE-2021-40444
Yes, it should trigger one of these rules:
Block execution of .cpl applets outside System folder
Block execution of suspicious command-line strings
Prevent rundll32.exe from using Control_RunDLL (shell32.dll)
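To show what two of the rules named above would match on a process command line, here is an added example that is an approximation written for this thread, not OSArmor's own logic; the "suspicious command-line strings" rule is left out because its heuristic is not described here, and the command lines are constructed, with example.cpl as a placeholder.

```python
# Added example, not OSArmor's own logic: an approximation of two of the rules named
# above, applied to process command lines, to show what each would match.
import re
import shlex
from pathlib import PureWindowsPath

# Assumption: Windows on the default drive; %SystemRoot% expansion is not handled here.
SYSTEM_FOLDERS = (r"c:\windows\system32", r"c:\windows\syswow64")
CPL_PATH = re.compile(r'"([^"]+\.cpl)"|(\S+\.cpl)', re.I)  # quoted or bare .cpl argument


def image_name(cmd):
    """Executable name from the first token, with surrounding quotes removed."""
    first = (shlex.split(cmd, posix=False) or [""])[0].strip('"')
    return PureWindowsPath(first).name.lower()


def applet_outside_system_folder(cmd):
    """Any .cpl argument not under System32/SysWOW64 (relative paths included) is flagged."""
    for quoted, bare in CPL_PATH.findall(cmd):
        if not (quoted or bare).lower().startswith(SYSTEM_FOLDERS):
            return True
    return False


def rundll32_control_rundll(cmd):
    """rundll32.exe invoking the Control_RunDLL export, whatever applet it names."""
    return image_name(cmd) == "rundll32.exe" and "control_rundll" in cmd.lower()


RULES = [
    ("Block execution of .cpl applets outside System folder", applet_outside_system_folder),
    ("Prevent rundll32.exe from using Control_RunDLL (shell32.dll)", rundll32_control_rundll),
]


def matched_rules(cmd):
    """Names of the rules above that the command line would trigger."""
    return [name for name, check in RULES if check(cmd)]


# Constructed command lines; example.cpl is a placeholder, not a real sample.
SAMPLES = [
    r'rundll32.exe shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl"',
    r"C:\Windows\System32\control.exe C:\Users\Public\example.cpl",
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL C:\Users\Public\example.cpl',
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(matched_rules(cmd) or "no match", "<-", cmd)
```

Note that the first sample, a stock applet under System32, still hits the Control_RunDLL rule, which is why a rule like that needs a trusted-parent exception to avoid false positives.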
Here is a pre-release test build of OSArmor Personal 1.6.0:
Changelog so far:
Let me know if you find any issues guys =)
What happened to Syshardener?
A long time ago you said that info about its future would come shortly. How long is short?
I would also like to get an answer to this question. SH was last updated in 2018. Is this app still supported/developed or should SH be considered "abandonware"?
Andreas, would it still be possible (e.g. via a dot) in Configurator Protections tab right-click context menu, to indicate which profile is currently selected / in operation: Basic Protection (default), Medium Protection, Advanced ... ?
It is difficult to know which one was last selected / currently in operation, and to be sure one has to select again?
Very cool! BTW, I already asked this way back, but is it possible to add options to block running of browsers like Chrome, Vivaldi, Opera, Edge and Firefox as child process? Also, what about an option to block running of processes in suspended mode? This would block process hollowing attacks, see link. So basically it should spot processes that are created with the create_suspended flag. Of course, safe behaviors should be allowed from trusted processes.
I've been running 1.6.0 on two Win10 21H1 machines with differing real-time security products on each and no problems to report so far.
I'd be interested in hearing about that too, but I've started using Hard_Configurator on one machine so far.