NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test15):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test15.exe

    *** Please do not share the download link; we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Block execution of .jar scripts (unchecked by default)
    + Block execution of netsh.exe from specific processes (unchecked by default)
    + Block specific processes from self-executing (unchecked by default) *** Experimental ***
    + Exclusions.db and CustomBlock.db are now in UTF-8 format
    + Improved detection of suspicious Explorer behaviors
    + Minor fixes and optimizations

    To install this pre-release, first uninstall the old one.

    For the final release we are still missing:

    * Driver co-signed with MS for Secure Boot
    * Some more days of testing to find out if there are other FPs to fix
    * Probably enable "Block execution of .vbs scripts" by default
    * Fix issues reported by @bellgamin and @Sampei Nihira on XP OS

    I recommend that all OSA users change the .db file format to UTF-8:

    1) Open Notepad as Admin
    2) Click File -> Open and select "C:\Program Files\NoVirusThanks\OSArmorDevSvc\Exclusions.db"
    3) Click File -> Save As... and choose UTF-8 under "Encoding:", then click on Save and overwrite the existing file
    4) Do the same for CustomBlock.db

    @Antarctica

    I would start with:

    "Block unsigned processes located on root folder"
    "Block execution of .vbs scripts"
    "Prevent PowerShell from using Invoke-Expression via cmdline"
    "Block suspicious processes started from Rundll32"
    "Block execution of netsh.exe from specific processes"

    These options should generate low FPs.

    @bellgamin

    Let's cross our fingers; can you try this new test15 build without ZAM and see if OSA works fine again?

    Thank you for all the tests :)

    @Overkill

    You should add this in Exclusions of OSA:

    Code:
    [%PARENTPROCESS%: C:\Program Files (x86)\Zemana AntiMalware\*]
    [%PROCESS%: C:\Program Files (x86)\Zemana AntiMalware\*]
    [%FILESIGNER%: Zemana Bilişim Teknolojileri Sanayi Ticaret Limited Şirketi]
    [%PARENTSIGNER%: Zemana Bilişim Teknolojileri Sanayi Ticaret Limited Şirketi]
    
    Not sure, have not tested it yet.

    I think yes, will need to check a few things.
     
    Last edited: Jan 7, 2018
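    The UTF-8 conversion steps and the exclusion snippet above can be automated. The following Python script is an added example for this thread, not part of OSArmor: it re-encodes Exclusions.db and CustomBlock.db to UTF-8 and reports lines that do not follow the `[%VARIABLE%: value]` form shown in the snippet. Assumptions: the legacy ANSI code page is cp1252 (pass the right one if the file was written on, say, a Turkish system), the four variable names in the snippet are valid (any other name is only reported, since the thread does not list the full set), and `bom=False` matches what newer Notepad writes; the thread does not say whether OSA expects a byte-order mark, so set `bom=True` to mimic older Notepad's "UTF-8" choice.

```python
"""Re-encode OSArmor's Exclusions.db / CustomBlock.db to UTF-8 and check rule syntax.

Added example for this thread; not part of OSArmor. Assumptions are marked below.
"""
import re
import sys
from pathlib import Path

# Default location from the thread (Exclusions.db path given in post 1; CustomBlock.db
# sits beside it according to the same post).
DEFAULT_DIR = Path(r"C:\Program Files\NoVirusThanks\OSArmorDevSvc")
DB_FILES = ("Exclusions.db", "CustomBlock.db")

# Variables that appear in the exclusion snippet in this thread. The full set is not
# documented here (assumption), so anything else is reported as "unknown variable".
KNOWN_VARS = {"PARENTPROCESS", "PROCESS", "FILESIGNER", "PARENTSIGNER"}
RULE_RE = re.compile(r"^\[%(?P<var>[A-Z]+)%:\s*(?P<value>.+?)\s*\]$")

# Constructed sample in the thread's format (the two Zemana lines are from the thread,
# the last two lines are deliberately broken to exercise the checker).
SAMPLE_EXCLUSIONS = (
    "[%PARENTPROCESS%: C:\\Program Files (x86)\\Zemana AntiMalware\\*]\n"
    "[%FILESIGNER%: Zemana Bilişim Teknolojileri Sanayi Ticaret Limited Şirketi]\n"
    "\n"
    "[%WHATEVER%: C:\\Tools\\x.exe]\n"   # unknown variable (constructed)
    "%PROCESS%: C:\\Tools\\y.exe\n"      # missing brackets (constructed)
)


def decode_db(raw: bytes, ansi_codepage: str = "cp1252") -> str:
    """Decode file bytes as UTF-8 (BOM tolerated); otherwise assume the legacy ANSI
    code page. cp1252 is an assumption (Western-European Windows); pass the code page
    of the machine that wrote the file if it differs (e.g. cp1254 for Turkish)."""
    try:
        return raw.decode("utf-8-sig")
    except UnicodeDecodeError:
        return raw.decode(ansi_codepage)


def reencode_to_utf8(raw: bytes, bom: bool = False, ansi_codepage: str = "cp1252") -> bytes:
    """Return the bytes the file should contain after the conversion described in post 1.
    Whether OSA wants a BOM is not stated in the thread (assumption: it does not)."""
    text = decode_db(raw, ansi_codepage)
    return text.encode("utf-8-sig" if bom else "utf-8")


def check_rules(text: str) -> list[tuple[int, str, str]]:
    """Report lines that do not match the [%VARIABLE%: value] form seen in the thread.
    Returns (line_number, problem, line). Blank lines are ignored."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s:
            continue
        m = RULE_RE.match(s)
        if m is None:
            problems.append((n, "malformed", s))
        elif m["var"] not in KNOWN_VARS:
            problems.append((n, "unknown variable", s))
    return problems


def convert_file(path: Path, bom: bool = False) -> list[tuple[int, str, str]]:
    """Re-encode one .db file in place and return any syntax problems found."""
    raw = path.read_bytes()
    new = reencode_to_utf8(raw, bom=bom)
    if new != raw:
        path.write_bytes(new)
    return check_rules(new.decode("utf-8-sig"))


if __name__ == "__main__":
    # Run as Administrator on the OSA machine; pass paths explicitly to override defaults.
    targets = [Path(p) for p in sys.argv[1:]] or [DEFAULT_DIR / f for f in DB_FILES]
    for target in targets:
        if not target.exists():
            print(f"{target}: not found, skipped")
            continue
        for n, problem, line in convert_file(target):
            print(f"{target.name}:{n}: {problem}: {line}")
        print(f"{target}: now UTF-8")
```

The Turkish signer name in the snippet is the reason the conversion matters: characters such as Ş are not representable in the Western ANSI code page, so a file saved as ANSI on such a system silently loses them and the signer exclusion never matches. Run the checker after editing the files by hand as well; a missing bracket is easy to overlook in Notepad.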
  2. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Thanks a lot NovirusThanks
     
  3. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Djigi- I'm actually thinking about it. I had to cut my ski-bumming short as Corporate earnings season begins this week and I hope to have some time during work breaks.

    Peter- A good point with which I normally would agree. It really is not appropriate to review something that is on a fast development track; however the protection OSA affords currently is very fine and in particular should be known, especially by those that rely on Windows Defender.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Don't get me wrong, I'd love to see you test it. Andreas really is a sharp fellow.
     
  5. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,356
    Location:
    Location Unknown
    novirusthanks - This is really turning out to be something special. I'd buy several licenses right now!

    My wishlist:
    1. Adding service / gui protection (termination and password protections)
    2. Adding PDF x-change exploit protection
    3. Adding the ability to export and import all settings, including the exclusion lists
    4. Changing the order of the exclusion gui to put the parent process field above the command line field, as it is in the logs
    5. Adding auto-update checking
    6. Adding a button to auto-create an exclusion rule on the notification popup
    7. Adding customizable popup notification timeout settings
     
  6. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,286
    Location:
    USA, MICHIGAN
    Test 15 all good here!! :thumb::thumb:
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just reformatted my machine to get it ready for the new school semester which starts tomorrow. I want to be able to test for a few days. Could someone tell me if Andreas has given an option that allows the user to add their own applications to the Exploit protection feature? If not, then maybe he could consider that to make maintaining OSArmor less work in the future.
     
  8. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    v1.4 (pre-release) (test15):
    is this area supposed to be pitch black? also anti-exploit is black
    black.jpg
     
  9. guest

    guest Guest

    Weird, this doesn't look normal. Similar look: #431 :cautious:
     
  10. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    yes indeed all I have running right now is avast av
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Guys, keep in focus that Andreas's goal is to make this something that requires virtually no configuration
     
  12. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    Hello, Pete.......was this meant for me? I just want to know why half of the GUI is all blacked out and it was not two or three versions ago ;)
     
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test16):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test16.exe

    *** Please do not share the download link; we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Block execution of .msc scripts (unchecked by default)
    + Block execution of .bat scripts (unchecked by default)
    + Improved some internal rules related to the options added on test15
    + Updated Configurator and "Exclusions Helper" GUI
    + Minor fixes and optimizations
    + Fixed some false positives

    To install this pre-release, first uninstall the old one.

    @n8chavez

    List saved :)

    This "Adding PDF x-change exploit protection" is already added.

    @Cutting_Edgetech

    That option is not yet present, but we will discuss that.

    @hayc59

    Can you try this new test16 build?

    I updated a few parameters in the Configurator and Exclusions Helper GUI.
     
  14. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,356
    Location:
    Location Unknown
    That will never happen though. It's not a realistic goal, especially among the security conscious who are aware that it's better to enable a feature and make exclusions than it is to disable it completely.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I'd bet it will happen, but what may not happen is that some of us may choose not to run it.
     
  16. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,356
    Location:
    Location Unknown
    My apologies. I must have missed a version. Thanks for adding waterfox! Also, do you think you could add some sort of protection indicator when launching a protected process, similar to Hitmanpro.alert or Sandboxie; colored border or altered window title? It makes me feel better having that visual reassurance of protection.
     
  17. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Please, add PotPlayer (PotPlayerMini.exe, PotPlayerMini64.exe)...
     
  18. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Could you add Mailwasher Pro 6.5.4 , The Bat!, and Internet Download Manager ?
     
  19. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    Andreas..same thing happening
     
  20. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,953
    G, did you uninstall the old build before you installed build 16?
    Do you get the same result if you disable Avast and open the OSA configurator?
     
  21. plat1098

    plat1098 Guest

    OK, installed the test #16 after deleting the previous one, but I have no exclusions or custom blocking rules (running Windows Defender makes it easier) to modify the file format for as per post 451. Found out the docker software I have is no longer developed or supported, so never mind about any shortcuts not working from there. It is working really well on Windows 10 16299.192, no problems at all. My enabled Rules are backed up, it's good. :)
     
  22. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Is it mandatory to exclude all other security?
     
  23. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,356
    Location:
    Location Unknown
    As a general rule, I would not unless you know of, or are alerted to a specific issue.
     
  24. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I installed test 15 & rebooted. All is normal. Shazam!

    My real-time security now stands at: Kerio 2.1.5, ERP, OSA, MBAE, and a router-with-FW.
     
  25. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    OSA working as designed per Block execution of .msc scripts.

    Process: [2544]C:\Windows\System32\mmc.exe
    Parent: [4256]C:\Windows\explorer.exe
    Rule: BlockMSCScripts
    Rule Name: Block execution of .msc scripts
    Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\services.msc"
    Signer:
    Parent Signer: Microsoft Windows

    Process: [4648]C:\Windows\System32\mmc.exe
    Parent: [1260]C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe
    Rule: BlockMSCScripts
    Rule Name: Block execution of .msc scripts
    Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\Services.msc"
    Signer:
    Parent Signer: NoVirusThanks Company Srl

    Process: [17288]C:\Windows\System32\mmc.exe
    Parent: [4256]C:\Windows\explorer.exe
    Rule: BlockMSCScripts
    Rule Name: Block execution of .msc scripts
    Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\eventvwr.msc" /s
    Signer:
    Parent Signer: Microsoft Windows

    Process: [8864]C:\Windows\System32\mmc.exe
    Parent: [1260]C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe
    Rule: BlockMSCScripts
    Rule Name: Block execution of .msc scripts
    Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\diskmgmt.msc"
    Signer:
    Parent Signer: NoVirusThanks Company Srl

    Process: [6348]C:\Windows\System32\mmc.exe
    Parent: [4600]C:\Windows\explorer.exe
    Rule: BlockMSCScripts
    Rule Name: Block execution of .msc scripts
    Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\comexp.msc"
    Signer:
    Parent Signer: Microsoft Windows
     
    Last edited: Jan 8, 2018
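    The five entries above are in a compact "Key: value" form that is easy to parse. The Python below is an added example for this thread, not part of the post or of OSArmor: it turns such entries into records and produces the counts a defender wants when judging a newly enabled rule, namely hits per rule, per parent signer and per parent binary, plus the distinct consoles launched (case-normalized, so services.msc and Services.msc count once). The five entries serve as its constructed sample input; the field names come from the post, while the tokenizer's handling of Windows command-line quoting and the blank-line record separator are my assumptions.

```python
"""Parse the OSArmor block-log entries pasted above and summarize what was blocked.

Added example for this thread, not an OSArmor component. Field names follow the
pasted entries; the record separator and command-line quoting rules are assumptions.
"""
import re
from collections import Counter

# The five entries from the post above, used as constructed test input.
SAMPLE_LOG = r"""Process: [2544]C:\Windows\System32\mmc.exe
Parent: [4256]C:\Windows\explorer.exe
Rule: BlockMSCScripts
Rule Name: Block execution of .msc scripts
Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\services.msc"
Signer:
Parent Signer: Microsoft Windows

Process: [4648]C:\Windows\System32\mmc.exe
Parent: [1260]C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe
Rule: BlockMSCScripts
Rule Name: Block execution of .msc scripts
Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\Services.msc"
Signer:
Parent Signer: NoVirusThanks Company Srl

Process: [17288]C:\Windows\System32\mmc.exe
Parent: [4256]C:\Windows\explorer.exe
Rule: BlockMSCScripts
Rule Name: Block execution of .msc scripts
Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\eventvwr.msc" /s
Signer:
Parent Signer: Microsoft Windows

Process: [8864]C:\Windows\System32\mmc.exe
Parent: [1260]C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe
Rule: BlockMSCScripts
Rule Name: Block execution of .msc scripts
Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\diskmgmt.msc"
Signer:
Parent Signer: NoVirusThanks Company Srl

Process: [6348]C:\Windows\System32\mmc.exe
Parent: [4600]C:\Windows\explorer.exe
Rule: BlockMSCScripts
Rule Name: Block execution of .msc scripts
Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\comexp.msc"
Signer:
Parent Signer: Microsoft Windows
"""

PROC_RE = re.compile(r"^\[(\d+)\](.+)$")       # "[pid]path" as in the log
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')         # quoted argument or bare token


def parse_proc(field: str) -> tuple[int, str]:
    """Split '[pid]path' into (pid, path)."""
    m = PROC_RE.match(field.strip())
    if m is None:
        raise ValueError(f"unexpected process field: {field!r}")
    return int(m.group(1)), m.group(2)


def split_cmdline(cmdline: str) -> list[str]:
    """Tokenize a Windows-style command line: "quoted" args or whitespace-separated."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def msc_targets(cmdline: str) -> list[str]:
    """The .msc console files passed to mmc.exe, excluding the executable itself."""
    return [t for t in split_cmdline(cmdline)[1:] if t.lower().endswith(".msc")]


def parse_log(text: str) -> list[dict]:
    """Blank-line-separated 'Key: value' blocks -> list of dicts with parsed pids/paths."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # split at the first colon only
            rec[key.strip()] = value.strip()
        rec["pid"], rec["path"] = parse_proc(rec["Process"])
        rec["ppid"], rec["parent_path"] = parse_proc(rec["Parent"])
        records.append(rec)
    return records


def summarize(records: list[dict]) -> dict:
    """Counts a reviewer wants before deciding whether a rule is noisy or doing its job."""
    return {
        "total": len(records),
        "by_rule": dict(Counter(r["Rule"] for r in records)),
        "by_parent_signer": dict(Counter(r["Parent Signer"] or "<none>" for r in records)),
        "by_parent": dict(Counter(r["parent_path"].lower() for r in records)),
        # Signer is empty for mmc.exe in every entry; keep that visible.
        "child_without_embedded_signer": sum(1 for r in records if not r["Signer"]),
        # Normalize case so services.msc and Services.msc count once.
        "consoles": sorted({t.rsplit("\\", 1)[-1].lower()
                            for r in records for t in msc_targets(r["Command Line"])}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The summary makes the pattern visible at a glance: every hit is mmc.exe started by a signed explorer.exe or EXERadar.exe to open a stock console under system32, which is exactly what the rule is designed to block, so the counts rather than the individual popups tell you whether to keep the option enabled for your use. The empty Signer field on mmc.exe is worth keeping in view: Windows system binaries are commonly catalog-signed rather than carrying an embedded Authenticode signature, so a blank embedded-signer field on a system file is not by itself a red flag.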