NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Wasn't the build number (EG: Test 1) going to be put on the GUI? Or am I missing something?
     
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We've released OSArmor v1.8.5:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update in the next hours.

    Else you can install it "over-the-top" of the installed version, reboot is not needed.

    * If you used test builds you should manually update to this final version (install over-the-top is fine).

    If you find false positives or issues please let me know.

    Will upload in the next days a new video similar to the previous one where I test recent malware samples from the past 3 months.

    @Krusty

    Yes you are correct, I mainly forgot (again) about it :ninja:
     
  3. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Yeep, seemed to update from v. 1.8.5 to v. 1.8.5. I think. Not sure. But hopefully. :)

    Yes, maybe sometime consider adding some way to differentiate from test to release build so that we can see whether things are up to date ourselves. :)
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Automatically downloaded and installed v1.8.5 update with no issues. I love having your software onboard! :)
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Got it, thanks.
    All good, no worries. :thumb:
     
  6. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,951
    +1:thumb:
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, I wonder if OSArmor could have helped some in this particular case by monitoring the launch of svchost.exe by untrusted processes. Does such a feature already exist? For example, the ShadowPy malware seems to be using DLL Hijacking but it also spawns svchost.exe and injects code into it. This quote is from the ESET article, see first link:

    https://www.welivesecurity.com/2023...k-apt-group-dlp-software-developer-east-asia/

    https://www.wilderssecurity.com/thr...st-asian-data-loss-prevention-company.450996/
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Rasheed187

    Sorry for the delay.

    Yes, OSArmor already monitors that behavior with this protection rule:

    Block suspicious Svchost.exe process behaviors

    And with other internal rules (all enabled on Basic Protection profile).

    I don't have the initial malware sample for testing so I can't make a real test, but according to the analysis on WeLiveSecurity:

    If the replaced installers of Q-Dir were unsigned (or signed by an unknown vendor) they could have been blocked by one of these options:

    Block unsigned processes on user space
    Block unsigned processes with high privileges
    Block unsigned processes with system privileges
    Block signers not present in Trusted Vendors

    OSArmor blocks vbscripts executions by default, so the dropped and executed VBS/Agent.DL (ReVBShell backdoor) malware would have been blocked.

    Also, according to this:

    I guess these .exe files dropped on %TEMP% folder and then executed, could have been blocked by the "Block unsigned processes on user space".

    While I can't test the scenario I guess that OSArmor could have helped in stopping the infection chain at one or more stages.
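
An added example, not part of the original posts and not OSArmor's own logic: a small check over constructed process-creation events for two of the behaviours discussed above, svchost.exe started by an unexpected parent and an unsigned executable running from a user folder. The event fields, the sample paths and the definition of "user space" are assumptions.

```python
import ntpath

# Assumption: legitimate svchost.exe lives in System32 and is started by
# services.exe. "User space" is approximated here as anything under C:\Users.
SYSTEM32 = "c:\\windows\\system32"
USER_SPACE = "c:\\users\\"

def findings(event):
    """Return the reasons a process-creation event looks suspicious."""
    image, parent = event["image"].lower(), event["parent"].lower()
    reasons = []
    if ntpath.basename(image) == "svchost.exe":
        if ntpath.dirname(image) != SYSTEM32:
            reasons.append("svchost.exe outside System32")
        if parent != SYSTEM32 + "\\services.exe":
            reasons.append("svchost.exe started by " + ntpath.basename(parent))
    if not event["signer"] and image.startswith(USER_SPACE):
        reasons.append("unsigned process in user space")
    return reasons

# Constructed sample events (not taken from the ESET report).
TEMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
EVENTS = [
    {"image": "C:\\Windows\\System32\\svchost.exe",
     "parent": "C:\\Windows\\System32\\services.exe", "signer": "Microsoft Windows Publisher"},
    {"image": "C:\\Windows\\System32\\svchost.exe",
     "parent": TEMP + "helper.exe", "signer": "Microsoft Windows Publisher"},
    {"image": TEMP + "helper.exe",
     "parent": "C:\\Users\\alice\\Downloads\\setup.exe", "signer": ""},
    {"image": TEMP + "svchost.exe",
     "parent": "C:\\Windows\\explorer.exe", "signer": "Example Vendor Ltd"},
]

def scan(events):
    """Return (image, reasons) for every event that has at least one finding."""
    return [(e["image"], r) for e in events if (r := findings(e))]

if __name__ == "__main__":
    for image, reasons in scan(EVENTS):
        print(image, "=>", "; ".join(reasons))
```
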
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No problem, and thanks for the feedback, sounds awesome. OSArmor really is one of the best behavior blockers that is focused on blocking suspicious process execution, great job!
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    Just booted up and noticed this change... An update, obviously.

    NVT_OSArmor_License Manager update_01.JPG
     
  11. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown
    Crap! I let my OSA license expire. Time to renew.
     
  12. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    Just got another update for this...

    Changelog:

    [29-Apr-2023] v1.5.7.0
    + Various improvements and optimizations
     
  13. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,951
    No such update here. I'm still running OSA v1.8.5, which was released on 20 March 2023.:thumbd:
     
  14. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Well I looked at some other things going on in Task Manager--the License Helper is at version 1.0.0.0, same for the OSArmor Service. The DevUI is at 1.8.5 also.

    :)
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Buddel @plat

    We updated NoVirusThanks License Manager to v1.5.7.

    If you open OSA and click on Help -> License Status it will open the Activator GUI and it should say "v1.5.7.0".

    Will release a new version of OSA later or tomorrow (90% done).
     
  16. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,951
    Yes, it does. Thanks for the info.
    Looking forward to v1.8.6.:)
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 2 version of OSArmor PERSONAL v1.8.6:

    Code:
    https://downloads.osarmor.com/osa-1-8-6-personal-setup.exe
    
    What's new so far:

    You can install over-the-top, reboot is not needed.

    Let me know if you find issues or FPs.

    PS: I forgot to add the test number on the GUI.

    Regarding this new protection rule: Block execution of Remote Access Tools (E.g TeamViewer)

    The option was requested by companies and is not enabled in any protection profile at the moment. If enabled, it will block TeamViewer, Radmin, TightVNC, helpU, AnyDesk and many other similar legitimate applications. Unfortunately remote access/desktop tools have been abused in the past to access/control a remote system (installed via unattended scripts or via social engineering attacks to trick the user to install them), and since they are signed and legitimate, they are not always blocked by other security software. If you know you will never install these applications on your PC you may want to enable this option.
     
  18. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Thank you @novirusthanks :)
    Installed over the top without any problems, will test it ASAP.
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Installed without issue here. No problems so far.
     
  20. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    NVT License Manager updated to v1.5.8. Emsisoft alerts to it being malware.

    I have reported it to Emsisoft, and await their response.

    NVT License Manager_Interacts with Emsisoft_01.JPG

    NVT License Manager_Interacts with Emsisoft_02.JPG

    NVT License Manager_Interacts with Emsisoft_03.JPG
     
  21. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    NVT License Manager has just updated to v1.5.9 on my laptop.

    Changelog:

    [13-May-2023] v1.5.9.0

    + Improved installer/uninstaller script

    P.S. I have two laptops, and this is the one that doesn't have Emsisoft active.
     
  22. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    But I did have this turned on, and got these alerts, and that is how I knew that NVT License Manager was about to update.

    Protection is usually turned off, but sometimes I have it turned on.

    WiseCare 365_system protection_NVTLicenseManager warning_01.JPG

    WiseCare 365_system protection_NVTLicenseManager warning_02.JPG
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    I just got this while updating MalwareBytes:
    Code:
    Date/Time: 19/05/2023 7:19:46 AM
    Process: [5224]C:\Windows\Temp\a780e03c-f5c1-11ed-982d-00262d8c9c6e\SHBridge.exe
    Process Size: 2.72 MB (2,856,168 bytes)
    Process MD5 Hash: 7CF6D6C5368E5A8343838FDF83A65909
    Parent: [4180]C:\ProgramData\Malwarebytes\MBAMService\ctlrupdate\mbupdatr.exe
    Parent Process Size: 5.57 MB (5,844,912 bytes)
    Rule: BlockProcsFileAttribHidden
    Rule Name: Block processes with hidden file (+H) disk attribute
    Command Line: "C:\WINDOWS\TEMP\a780e03c-f5c1-11ed-982d-00262d8c9c6e\SHBridge.exe" {CF7AC340-7C02-4F66-80EA-9BD5AFC180BC}
    Signer: Malwarebytes Inc
    Parent Signer: Malwarebytes Inc.
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    Strangely, I only had that alert from one of my Win10 machines.
     
    Last edited: May 22, 2023
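
An added example, not part of the original post and not NoVirusThanks code: a parser for the block-alert format quoted above that pulls out the fields a false-positive report needs and checks whether process and parent share a signer. The embedded entry is the post's alert abridged to the fields used; the function names and the "hint" wording are assumptions.

```python
import re

# Alert from the post above, abridged to the fields this example uses.
ENTRY = r'''Date/Time: 19/05/2023 7:19:46 AM
Process: [5224]C:\Windows\Temp\a780e03c-f5c1-11ed-982d-00262d8c9c6e\SHBridge.exe
Parent: [4180]C:\ProgramData\Malwarebytes\MBAMService\ctlrupdate\mbupdatr.exe
Rule: BlockProcsFileAttribHidden
Rule Name: Block processes with hidden file (+H) disk attribute
Signer: Malwarebytes Inc
Parent Signer: Malwarebytes Inc.
Integrity Level: System'''

PID_PATH = re.compile(r"\[(\d+)\](.+)")  # "[pid]full\path.exe"

def parse_entry(text):
    """Split 'Key: value' lines into a dict; only the first ': ' separates."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def norm_signer(name):
    """Make 'Malwarebytes Inc' and 'Malwarebytes Inc.' compare equal."""
    return name.strip().rstrip(".").casefold()

def triage(fields):
    """Summarise a block event for a false-positive report."""
    pid, image = PID_PATH.match(fields["Process"]).groups()
    ppid, parent = PID_PATH.match(fields["Parent"]).groups()
    signer = norm_signer(fields.get("Signer", ""))
    same = bool(signer) and signer == norm_signer(fields.get("Parent Signer", ""))
    return {
        "rule": fields["Rule"],
        "pid": int(pid), "image": image,
        "parent_pid": int(ppid), "parent": parent,
        "same_signer": same,
        # Hint only: matching signer names do not prove the file is benign.
        "hint": "possible FP: child and parent share a signer" if same else "review",
    }

if __name__ == "__main__":
    print(triage(parse_entry(ENTRY)))
```
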
  24. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,195
    Hi @novirusthanks,
    Can I ask you a question?
    On a laptop, I have installed Smart PC Locker Pro 3.1.0.0 (I guess the last free version).
    Will it keep working, or will it stop working soon, and do I have to update from 20€ to 45€?
    I just installed it on a friend's laptop, W10 Pro 64bit.
    Thanks
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We've released OSArmor v1.8.6:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update in the next hours.

    Else you can install it "over-the-top" of the installed version, reboot is not needed.

    * If you used test builds you should manually update to this final version (install over-the-top is fine).

    If you find false positives or issues please let me know.

    @Krusty

    FP is fixed now, thanks for reporting it.

    @Tarnak

    Emsisoft FP should be fixed on their end, thanks for reporting it.

    @mantra

    The last free version of Smart PC Locker v3.1.0.0 will keep working.

    From v4.0.0.0 it was moved to Appsvoid website.
     