NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,134
    Location:
    Italy
    Already added all requested applications (except two of them) on "Anti-Exploit" tab, will upload the new build tomorrow.

    Thanks all for the suggestions and feedbacks!

    @n8chavez

    JRiver Media Center is not digitally signed, I prefer to support only digitally signed applications.

    A program needs Admin rights to terminate OSA service, so it is not that easy.

    However, we'll add self-defense in next versions.

    @bjm_

    Thanks for the screenshot!

    @liba

    Epic Privacy Browser is not digitally signed, I prefer to support only digitally signed applications.

    @rethink

    I fixed the second FP, but about the first one, do you get any errors on Internet Explorer when csc.exe is blocked?

    @cruelsister

    Some users may need to run some .vbs scripts, so I am going to discuss if we can enable the option "Block execution of .vbs scripts" by default.

    We have the option "Block any process executed from wscript.exe" enabled by default, and it would protect from malicious .vbs (the payload is blocked).

    Have prepared a new option "Block suspicious processes executed from Rundll32", will add it tomorrow.
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,420
    Location:
    Under a bushel ...
    +1
     
  3. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,383
    Location:
    Hawaii
    Bummers. I installed test 13 . When I did a reboot, the task bar again was missing. Tried again with NO firewall & ER set to Disabled. Again, no task bar. I checked task management. OSA was loaded & running.

    IMO, there has to be some aspect of OSA that is causing this. The only security app that I haven't killed is Zemana AntiMalware. I might try that tomorrow but it's getting tiresome. When the task bar doesn't load, I have no choice except to restore a functioning image. I have already done this 8 times, trying to figure what is causing the problem. As reported earlier, there was just one time when I got the task bar with OSA loaded, but I have been unable to repeat that.
     
  4. rethink

    rethink Registered Member

    Joined:
    Jan 13, 2015
    Posts:
    68
    Hi Andreas,

    I test this in a virtual machine so I will need to test how Internet Explorer reacts.
    About the flexnet agent it should come directly from the application which requires the flexnet licensing module. I am not sure why it runs through svchost, I will investigate more.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    Here are a few parent child command lines I think should be blocked from rundll32.exe I think vulnerable parent processes should never be allowed to spawn the listed child processes below. This would cover Office Applications, PDF Viewers, Media Players (this includes flash), Browsers, Browser containers & Plugins, P2P Applications (File Sharing Apps, Instant Messengers), and Java.

    I actually block vulnerable applications from spawning any .exe except for the ones that the application uses. I doubt your trying to be that aggressive though.

    rundll32 ----> cmd.exe
    rundll32----->powershell.exe
    rundll32----->powershell_ise.exe
    rundll32----->regsvr32.exe
    rundll32 ----> wscript.exe
    rundll32 ----> cscript.exe
    rundll32------>vbs.exe
    rundll32 ----> java.exe
    rundll32 ----> javaw.exe
    rundll32----->lsass.exe (i'm not sure this can be done safely)
    rundll32----->presentationhost.exe
    rundll32----->mshta.exe
    rundll32----->msra.exe
    rundll32------>mstsc.exe
    rundll32----->bitsadmin.exe
    rundll32----->runonce.exe
    rundll32----->bcdedit.exe
    rundll32----->msiexec.exe
    rundll32----->schtask.exe
    rundll32------>regedit.exe
    rundll32------>netsh.exe
    rundll32------->at.exe
    rundll32------>reg.exe
    rundll32------->reset.exe
    rundll32------->sc.exe
    rundll32------->taskkill.exe
    rundll32------->IEExec.exe
    rundll32------->diskpart.exe
    rundll32------->debug.exe
    rundll32 ----> .tmp

    Also, rundll32 should be blocked from being spawned by any vulnerable application. This will block the attack earlier in stage that way a malicious instance of rundll32 never is spawned at all.
     
    Last edited: Jan 6, 2018
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,244
    Location:
    Italy
    BINGOOOOOO !!!

    Also I have ZAM but in portable version.
    I did not think about it.:rolleyes:

    @novirusthanks

    You can then check if the suspect number 1 is ZAM portable.
    :thumb:

    __________________________________________

    1.JPG

    2.JPG
     
    Last edited: Jan 6, 2018
  7. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    NVT- The default rule "Block any process executed from wscript.exe" would be inadequate for many worms (eg. something like the later Dunihi worm variants). These will drop a payload somewhere on the drive and at the same time set itself up for persistence. The spread would be through wscript itself without any further payload. On reboot, even after an initial alert from OSA that wscript was blocked, the worm re-propagates and will connect out.

    M
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,839
    Location:
    The Netherlands
    Holy crap, this OSArmor tool keeps getting better and better! When it comes to anti-exploit, I suppose not all child processes are blocked? But you didn't answer my question about the ability to block processes from running browsers (Chrome, Opera, Firefox, Vivaldi) as a child process. You should also be able to block processes from running explorer.exe and svchost.exe, this will block process hollowing attacks. And what about EXE Radar, when can we expect a new stable version?
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I think vulnerable parent processes should never be allowed to spawn the listed child processes below. This includes Office Applications, PDF Viewers, Media Players (this includes flash), Browsers, Browser Containers & Plugins, P2P File Sharing Applications, Instant Messengers, Notepad, Wordpad, Archive software, and Java.

    cmd----->powershell.exe
    cmd----->powershell_ise.exe
    cmd----->rundll32.exe
    cmd----->regsvr32.exe
    cmd-----> to all the same processes listed below.

    vulnerable app ----> cmd.exe
    vulnerable app----->powershell.exe
    vulnerable app----->powershell_ise.exe
    vulnerable app----->rundll32.exe
    vulnerable app----->regsvr32.exe
    vulnerable app ----> wscript.exe
    vulnerable app ----> cscript.exe
    vulnerable app------>vbs.exe
    vulnerable app ----> java.exe
    vulnerable app ----> javaw.exe
    vulnerable app----->presentationhost.exe
    vulnerable app----->mshta.exe
    vulnerable app----->msra.exe
    vulnerable app------>mstsc.exe
    vulnerable app----->bitsadmin.exe
    Vulnerable app----->lsass.exe
    vulnerable app----->runonce.exe
    vulnerable app----->bcdedit.exe
    vulnerable app----->msiexec.exe
    vulnerable app----->schtask.exe
    vulnerable app------>regedit.exe
    vulnerable app------>netsh.exe
    vulnerable app------->at.exe
    vulnerable app------>reg.exe
    vulnerable app------->reset.exe
    vulnerable app------->sc.exe
    vulnerable app------->taskkill.exe
    vulnerable app------->IEExec.exe
    vulnerable app------->diskpart.exe
    vulnerable app-------->debug.exe
    vulnerable app ----> .tmp

    Also some rules need to be created to block vulnerable apps from injecting into explorer.exe, and browsers as Rasheed pointed out above.
     
    Last edited: Jan 6, 2018
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    What processes are used to operate SMB? I'm not getting a clear answer when doing a Google Search. We need to create rules to block vulnerable apps from using SMB maliciously.
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,450
    Location:
    Slovenia
    It's a protocol. I doubt that you can control it on process level without breaking networking all together.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    Yeah, I know. I was hoping maybe blocking access to certain processes might help keep it from being abused. I think process injection mitigation may help, but that's something different as well.
     
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,134
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test14):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test14.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Block execution of C Sharp compiler (csc.exe) (unchecked by default)
    + Block execution of Visual Basic compiler (vbc.exe) (unchecked by default)
    + Block suspicious processes executed from Rundll32 (unchecked by default)
    + On "Exclusions Helper" GUI do not add the exclusion rule if is already present
    + Added LibreOffice and Kingsoft WPS Office on "Anti-Exploit" tab
    + Block processes executed from C Sharp compiler (csc.exe) (unchecked by default)
    + Block processes executed from Visual Basic compiler (vbc.exe) (unchecked by default)
    + Fixed some false positives

    To install this pre-release, first uninstall the old one.

    Here is a new video of OSArmor protecting Kingsoft WPS Office:

    Block WPS Office Exploit Payloads with OSArmor
    https://www.youtube.com/watch?v=-r-bp3WKM3A

    @bellgamin

    I will try to reproduce the issue you and @Sampei Nihira have.

    Will update here asap.

    @rethink

    The issue about FLEXNET should be fixed now.

    @Sampei Nihira

    Thanks for the video on PM and for the details.

    Will install ZAM setup + portable on Monday in the XP VM and will check what happens :)

    @cruelsister

    I will enable "Block execution of .vbs scripts" by default in the next build.

    Will need to make sure there are no FPs on regular systems.

    @Rasheed187

    OSA can monitor child processes also of running processes, can't say much about internal rules.
    ERP dev is a little slow now (due to OSA) but is on its track.

    @Cutting_Edgetech @Rasheed187

    Yes, we already take care of vulnerable apps in a smart way (take a look at the recent videos).
     
  14. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,011
    Location:
    Canada
    Thanks @novirusthanks for the new build.

    I have a quick question in the "advance section" from the configurator, which Process would you recommend to block to start with?
    Thanks
     
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,383
    Location:
    Hawaii
    I disabled ZAM. I did NOT disable anything else but ZAM. Did 3 reboots. All of them worked perfectly WITH OSA test 13 installed. Go figure.
     
  16. plat1098

    plat1098 Guest

    @novirusthanks: OK, after installing test 14, I needed to open the Configurator and tried to launch it via OSArmor on docker. No, it will not open from there. From tray and from taskbar: yes. Docker: no, it is only a decoration there. The Configurator itself functions on the dock but the shortcut is um..rather flat and bumps against the others. This is rather frivolous, so maybe when it's convenient to answer. Also, very pleased to be able to save my very few rules in Advanced settings, thank you. :)

    dock with osa.PNG
     
  17. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    @novirusthanks If I want to exclude a folder like I do in ERP (C:\Program Files (x86)\Zemana AntiMalware\*) do I use the "Process Path" option?

    Can OSA protect chrome while sandboxed in sbie?
    Can you add uninstaller in start menu?
     
    Last edited: Jan 6, 2018
  18. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Last I heard using "OpenPipePath=*\mailslot\NVTInj\*" workso_O
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Sure does with ERP, but don't know for sure if it does with OSArmor
     
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,069
    Location:
    .
    maybe, see .... message & message.
     
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,244
    Location:
    Italy
    The removal of ZAM also in portable version leaves 2 drivers in the Windows folder:

    ZAM.krnl.trace
    ZAM_Guard.krnl.trace

    These can only be deleted by removing the corresponding registry keys.
    Also other tracks to delete to consider uninstalled the software.
     
  22. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,383
    Location:
    Hawaii
    I monitor every install with an uninstaller program. I uninstall in 2 steps: (1) first I use control panel's program remover, then (2) I use uninstall program. This method has never failed to do a total clean up.

    After I uninstalled Zam, I installed Malware Hunter (MH). But MH also caused my task bar not to load. So I dumped MH and switched to Stinger. Stinger is totally portable and 100% self contained. My task bar now loads just fine and OSA test 14 is running smooth as a baby's booty.
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,291
    Location:
    Among the gum trees
    Is why I will never ever use ZAM again.
     
  24. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    ... can we expect a video test from this "fine" lady soon? :shifty:
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    She'd be smart until the product is finished.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.