NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We have released OSArmor v1.9.3:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update in the next hours.

    Else you can install it "over-the-top" of the installed version, reboot is not needed.

    In case you used test builds you need to install this final release "over-the-top".

    If you find false positives or issues please let me know.

    @Dragon1952

    It is the child process started from InSpectre but unfortunately it is unsigned (the main exe is signed) and located in an uncommon location.

    I will contact them and ask if they can also digitally sign inspect64.exe
     
  2. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    New version auto-updated no problem and is running smoothly on two machines. TY for the release. :thumb:
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,256
    Location:
    Among the gum trees
    Norton just updated on this machine and first reboot I got this:

    OSA Sig.PNG

    I'm sure it is a false positive so I chose, "Allow Always".
     
  4. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    359
    Location:
    Finland
    Kinda funny, just downloaded 0day malware, exe file. Instantly OSA blocked it... or does it? Because, my ESET blocked it completely after a while. Funny eh?
     
  5. SRT

    SRT Registered Member

    Joined:
    Feb 28, 2021
    Posts:
    76
    Location:
    USA
    Yeah what an awesome program, beautiful complement to Eset.
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,256
    Location:
    Among the gum trees
    I just got this on two machines:
    Date/Time: 14/02/2024 5:00:25 AM
    Process: [11092]C:\Windows\System32\reg.exe
    Process Size: 75.5 KB (77,312 bytes)
    Process MD5 Hash: 227F63E1D9008B36BDBCC4B397780BE4
    Parent: [10676]C:\Windows\System32\cmd.exe
    Parent Process Size: 283 KB (289,792 bytes)
    Rule: BlockLOLBinsAndOtherSophisticatedAttacks
    Rule Name: Block LOLBins and other sophisticated attacks
    Command Line: C:\Windows\system32\reg.exe import "C:\ProgramData\Kaspersky Lab\Kaspersky Password Manager 24.0\Data\patch_config.reg" /reg:32
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release test 1 version of OSArmor PERSONAL v1.9.4:

    Code:
    https://downloads.osarmor.com/osa-personal-1-9-4-setup-test1.exe
    

    Here is what's new so far:

    If you find issues or FPs please let me know.

    Here is a screenshot of the OSA Events Viewer app:

    osa-events-viewer2.png

    And here are the new options in OSA Configurator -> Trusted Vendors tab:

    osa-configurator-trusted-vendors.png

    @Krusty

    FP is fixed now, thanks for reporting it.

    @moredhelfinland

    I guess this is what happened:

    OSA blocked the malware process execution, but the file was not removed from disk (OSA doesn't remove files from disk).

    Then ESET later scanned the file on disk and the file got detected and quarantined.
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,256
    Location:
    Among the gum trees
    Got it, thanks!
    :) :thumb:
     
  9. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,118
    Location:
    Lunar module
    Many programs spontaneously open a browser with their own page when the installation is complete. What rule can be used to prevent this?
     
  10. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    359
    Location:
    Finland
    Hello NVT,
    Is there a possibility to add:
    Protection for disabling Task Manager (via reg key)
    Protection for disabling Windows key modifications (via reg key)
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,602
    Location:
    The Netherlands
    BTW, I wonder how OSArmor protects the browser against exploits exactly? I suppose it will block all processes that are executed by the browser? Also, can it slow down the browser, or should OSArmor in no way be able to interfere with typing inside the browser? BTW, I still need to test the newest version, the OSA Events Viewer looks interesting.
     
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We have released OSArmor v1.9.4:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update in the next hours.

    Else you can install it "over-the-top" of the installed version, reboot is not needed.

    In case you used test builds you need to install this final release "over-the-top".

    If you find false positives or issues please let me know.

    We added on Events Viewer some new options to ease the creation of exclusion rules:

    "Create Exclusion Rule" -> Will open Exclusions Helper with all pre-filled fields.
    "Copy Exclusion Rule to Clipboard" -> Will copy to clipboard an auto-generated exclusion rule that can then be pasted (and if needed modified) on Exclusions.db
    "Open Exclusions" -> Will open Exclusions.db with Notepad

    osa-events-viewer1.png

    And on the Configurator -> Trusted Vendors tab, you can add a new trusted vendor from a .exe or .msi file.

    It now also supports drag and drop of .exe and .msi files on the Trusted Vendors tab.

    @aldist

    Generally, when an app is installed or uninstalled, this command-line is used to start a browser instance with a custom URL:

    Code:
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.example.com/..."
    
    * With Edge, Chrome, Opera, etc. it may be different, e.g. for Chrome it is:

    Code:
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument https://www.example.com/...
    
    You may handle this situation like this:

    Block that specific Firefox command-line but allow processes on the Program Files folder to run it (e.g. when you click on the "Help" or "Homepage" button of a program and it opens a browser instance like above):

    Add this on Custom Block Rules:

    Code:
    [%PROCESS%: *\firefox.exe] [%SIGNER%: Mozilla Corporation] [%PROCESSCMDLINE%: * -osint -url "http*]
    
    Add these lines on Exclusions Rules to allow only processes on Program Files:

    Code:
    [%PROCESS%: *\firefox.exe] [%SIGNER%: Mozilla Corporation] [%PROCESSCMDLINE%: * -osint -url "http*] [%PARENTPROCESS%: C:\Program Files\*]
    [%PROCESS%: *\firefox.exe] [%SIGNER%: Mozilla Corporation] [%PROCESSCMDLINE%: * -osint -url "http*] [%PARENTPROCESS%: C:\Program Files (x86)\*]
    
    Alternatively, you can allow only specific processes (in this example Foxit Reader and Office applications):

    Code:
    [%PROCESS%: *\firefox.exe] [%SIGNER%: Mozilla Corporation] [%PROCESSCMDLINE%: * -osint -url "http*] [%PARENTPROCESS%: C:\Program Files (x86)\Foxit Software\*]
    [%PROCESS%: *\firefox.exe] [%SIGNER%: Mozilla Corporation] [%PROCESSCMDLINE%: * -osint -url "http*] [%PARENTPROCESS%: C:\Program Files\Microsoft Office\*]
    
    @moredhelfinland

    OSA already blocks reg.exe commands that disable Task Manager and other important system areas.

    If you try to run this from cmd.exe:

    Code:
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    
    It should be blocked by OSA.

    @Rasheed187

    OSA monitors and blocks processes executed by web browsers and it doesn't slow down the browser (no code is injected into the web browser process).

    You can also find this option on OSA Configurator -> Protections tab:

    Block any process executed from web browsers

    If you enable it, any process (good or bad) that is executed from a web browser is blocked.
     
    Last edited: Feb 20, 2024
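    The block/exclusion interplay described in the post above, modelled as an added example (not OSArmor's own code): a small Python matcher that parses events in the "Date/Time: ..." block format posted in this thread and evaluates the Firefox rules against two constructed launches. Case-insensitive glob matching and "a matching exclusion overrides a matching block rule" are assumptions about OSArmor's behaviour, not documented facts.

```python
import fnmatch
import re

# Rule alias -> key used in the "Date/Time: ..." event blocks posted in this thread.
# Matching is modelled here as case-insensitive globbing; that is an assumption
# about OSArmor's matcher, not documented behaviour.
FIELD_MAP = {"PROCESS": "Process", "SIGNER": "Signer",
             "PROCESSCMDLINE": "Command Line", "PARENTPROCESS": "Parent"}
RULE_RE = re.compile(r"\[%(\w+)%:\s*(.*?)\]")  # one [%ALIAS%: pattern] group

def parse_event(text):
    """Turn one event block into a dict; the [pid] prefix is stripped from paths."""
    ev = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("Process", "Parent"):
            value = re.sub(r"^\s*\[\d+\]", "", value)
        ev[key.strip()] = value.strip()
    return ev

def rule_matches(rule, ev):
    """Every [%ALIAS%: pattern] group in the rule must glob-match its event field."""
    return all(fnmatch.fnmatchcase(ev.get(FIELD_MAP.get(alias, alias), "").lower(),
                                   pattern.lower())
               for alias, pattern in RULE_RE.findall(rule))

def decide(ev, block_rules, exclusion_rules):
    """A matching block rule blocks, unless a matching exclusion rule overrides it."""
    if not any(rule_matches(r, ev) for r in block_rules):
        return "allowed"
    return "excluded" if any(rule_matches(x, ev) for x in exclusion_rules) else "blocked"

# The rules from the post above: block the Firefox launch, but exclude it when the
# parent lives under Program Files.
BLOCK_RULES = [r'[%PROCESS%: *\firefox.exe] [%SIGNER%: Mozilla Corporation] [%PROCESSCMDLINE%: * -osint -url "http*]']
EXCLUSION_RULES = [BLOCK_RULES[0] + r' [%PARENTPROCESS%: C:\Program Files\*]',
                   BLOCK_RULES[0] + r' [%PARENTPROCESS%: C:\Program Files (x86)\*]']

# Constructed sample events (not real logs): an installer running from Downloads,
# and the same launch triggered by a program's "Help" button under Program Files.
INSTALLER_EVENT = """\
Process: [4321]C:\\Program Files\\Mozilla Firefox\\firefox.exe
Parent: [1234]C:\\Users\\test\\Downloads\\some-setup.exe
Command Line: "C:\\Program Files\\Mozilla Firefox\\firefox.exe" -osint -url "https://www.example.com/thanks"
Signer: Mozilla Corporation"""
HELP_BUTTON_EVENT = INSTALLER_EVENT.replace(
    r"C:\Users\test\Downloads\some-setup.exe", r"C:\Program Files\Foxit Software\FoxitReader.exe")
```

    Running decide() on the two events gives "blocked" for the installer launch and "excluded" for the Help-button launch, which is the split the rules above are meant to produce.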
  13. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,118
    Location:
    Lunar module
    Thanks, it's working.
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @aldist

    Please replace the %PARENT% with %PARENTPROCESS% on the Exclusion Rules.

    The correct variable/alias to match the parent process is %PARENTPROCESS%

    I corrected it on my post just now.
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,256
    Location:
    Among the gum trees
    I just got this:

    Date/Time: 21/02/2024 9:38:47 AM
    Process: [10788]C:\Windows\SysWOW64\cmd.exe
    Process Size: 231 KB (236,544 bytes)
    Process MD5 Hash: D3348AC2130C7E754754A6E9CB053B09
    Parent: [2796]C:\Program Files (x86)\Google\GoogleUpdater\122.0.6234.0\updater.exe
    Parent Process Size: 4.42 MB (4,639,520 bytes)
    Rule: BlockCmdScripts
    Rule Name: Block execution of .cmd scripts
    Command Line: "C:\WINDOWS\system32\cmd.exe" /Q /C ""C:\Program Files (x86)\Google\GoogleUpdater\122.0.6234.0\uninstall.cmd" --dir="C:\Program Files (x86)\Google\GoogleUpdater\122.0.6234.0""
    Signer: <NULL>
    Parent Signer: Google LLC
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,602
    Location:
    The Netherlands
    OK I see, that's what I figured. So any unknown process (except for the browser's own child processes) is simply blocked. That should indeed block most exploits from the ability to load malware on the system. And lately I saw a slowdown when typing in Vivaldi and OSArmor started to use a lot of CPU time, so that's why I wondered about this. And I'm sorry to say but column size is still not remembered in the OSA Configurator! Is it hard to fix this? In the new event viewer it does work correctly though. I'm sorry, but I'm very picky when it comes to the GUI. :p
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Rasheed187

    I tried OSA Configurator and it correctly remembers the columns size of the "Protections" tab list.

    Can you show a video in case it is not working for you? So I can better see what is happening.

    You can send it to me via email or PM.

    Thanks!
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,602
    Location:
    The Netherlands
    That's weird, so you're saying that column size should always be remembered? What happens is that when I open the OSA Configurator, I get to see the ugly and annoying horizontal scrollbar, then I resize the columns, but after restart, the column size is all wrong again.
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Rasheed187

    That's strange, I can't reproduce it here.

    I made a video showing it is working fine in my tests, uploaded it on WeTransfer:

    Code:
    https://we.tl/t-qckXMUapIj
    
    I noticed you are using Sandboxie or similar (there are the [#] on the app window title), does it work fine if you open Configurator outside of the sandbox?

    Let me know.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,602
    Location:
    The Netherlands
    My bad, that may be the problem, I tested it with Sandboxie first, most of the time apps work exactly the same when sandboxed. But now that I think of it, it can not communicate with the driver, so perhaps that is the problem. I should try to install it outside of the sandbox. Wait a minute, in the video you didn't close OSA Configurator, and with "close" I mean exit. So perhaps this is why you don't see it?
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Rasheed187

    Tried again to close the window via the Exit button on the main menu but it is working fine here, uploaded the new video:

    Code:
    https://we.tl/t-8bi2HXat0d
    
    Let me know.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,602
    Location:
    The Netherlands
    You need to try it multiple times, the first time it looks OK, but when you then exit and restart the second time, it happens again. At first I thought it was perhaps because of a tool called AutoSizer, but when it's disabled it still happens. Can you try it one more time, thanks! :thumb:

    http://www.southbaypc.com/autosizer/
     
  23. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Rasheed187

    I tried around 20 times but no issues here (no horizontal scrollbars and column size and window size are fine), tried on a real PC and on W10 and W11 VMs.

    I took a quick test of the AutoSizer app you linked and I found some issues (repeated screen refreshes, issues with some auto-sizeable apps, on one occasion even when it was disabled the OSA Configurator window was resized/different).

    You may try to fully uninstall the app and see if you still get the issue again.

    If possible try also with OSA outside the sandbox (considering the issues I got with the app in a VM I guess it may create some unexpected behaviors if you also run AutoSizer inside a sandbox).

    Let me know.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,602
    Location:
    The Netherlands
    OK thanks for your time and help, in this case it's probably a problem on my side, will keep you posted. :thumb:
     
  25. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,304
    Just had a look at "event viewer"... I guess nothing out of the ordinary.

    OSArmor_event viewer one_01.JPG
     