NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,843
    Location:
    KEEP USA GREAT
    Yes
    and
    Yes
     
  2. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Windows 7 x64, Sandboxie, NOD32. Uninstalled test 14 using Revo Uninstaller Pro, installed test 16, runs smooth no glitches.

    A question: After an uninstall of OSA would it be better to restart the computer before installing the new build?
     
  3. guest

    guest Guest

    this is best practice.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I've been using OSArmor test 16 for about 8 hours without any problems so far on Windows 10 X64 Pro.
     
  5. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,742
    OSArmor is a BB; it's intended to supplement ERP which is an AE, providing complete all-around protection.
     
  6. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,595
    Yep, this is the reason why I'm looking forward to ERP 4.:geek:
     
  7. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    431
    OSArmor seems to me like ERP 4 with some predefined rules (ERP Lite). These rules should be default rules in ERP 4, too.
     
  8. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,742
    It's a BB because it's set and forget it. ERP is more configurable, which is what you want with an AE, setting rules to define what executables to deny and to allow.

    They protect in somewhat different ways and there is no conflict with them running side by side.
     
  9. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    OSA warnings on Blocks - Can this be set or adjusted? Or Wait for user input? Am I missing something?

    Here is what happened to me today. I had run a SFC on my Win 7 box cause I surmised something was wrong. Some files did not get replaced by the SFC and research indicated that running KB947821 would assist me. Research indicated that this 500 MB monster can run from 30 minutes to 8 hours. So I went and did something.

    Note. I forgot to turn off OSA. (Shame on me - lesson learned :) ) Something I would guess that many casual users would do as well.

    Later I was checking to see if that Update had in fact run and it appeared it ran but did not do anything. hmmmm It ran for a couple of hours and there was no indication that it had NOT worked - a Pop Up or whatever.

    And no pop up that OSA had done anything - I was not sitting here watching the screen.

    In digging thru the OSA logs I found this:

    Date/Time: 1/7/2018 6:24:52 AM
    Process: [13104]C:\Windows\SoftwareDistribution\Download\Install\Windows6.1-RTM-Client-NEUTRAL-AMD64.EXE
    Parent: [12768]C:\Windows\System32\wuauclt.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: "C:\Windows\SoftwareDistribution\Download\Install\Windows6.1-RTM-Client-NEUTRAL-AMD64.EXE" /q /x:..\..\..\CheckSur\v1.0
    Signer: Microsoft Corporation
    Parent Signer:

    With 13 entries for each of the upgrades that were packaged in this KB.

    In this case there was no message from the KB Update that it had not in fact succeeded. Nor any pop up or indication that OSA had prevented it.

    And YES - I should have thought about it and dropped Protection. Or changed my settings for that rule.

    But I have been trying to use this like average Joe or Jane might. That and Age Induced Forgetfulness
     
  10. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,933
    So far no issues with test build 16. Running Windows 10 x64 fully updated. At the moment I am also running EAM and Heimdal Security Pro alongside it. :thumb:
     
  11. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,742
    It's intended for the average user. Nothing to configure and if you need to set rules then something like ERP is more suitable for advanced users.
     
  12. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,986
    Location:
    Location Unknown
    Nothing to configure? That's not true. What about exclusions? I guess you could just choose to deactivate options but that lowers security dramatically. There will never be a set-and-forget security app. Tweaking will always be needed, because what works for one will not for someone else.
     
  13. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    Huh? Average user would think his/her M$ Updates were installed and they weren't. I was running at that point out of the box configuration.

    A Big Pop up saying:

    Do you REALLY want to disallow installing these Critical updates? Y/N/Dunno.

    Would be helpful. Such a popup did not occur. They were auto blocked by OSA unbeknownst to me. Average user would have no clue.
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,134
    Location:
    Italy
    @JoWazzoo

    We can add an option like "Do not close the warning popup when something is blocked" + we can add a button like "Close" to manually close it.

    So if you go away from the PC, when you come back you can view it and close it.

    Thanks for posting the log, I will fix the FP later and upload a new build.

    @hayc59

    Ok, will try to reproduce.
     
    Last edited: Jan 8, 2018
  15. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,831
    If the user returns to the PC and OS Armor has blocked for example 50 processes in the meantime, the user must click 50 times on "Close"?
    Or is it displaying the latest blocked process and only one click is needed to close the dialog?

    If the latter, an idea might be to display the amount of blocked processes in the dialog ("and [<insert amount of blocked processes here>] more blocked processes") :doubt: so the user knows that there were several blocked processes while he was away.
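
Added example (not part of the thread and not NoVirusThanks code): a Python sketch that parses block entries in the format JoWazzoo quoted, flags Microsoft-signed processes started by wuauclt.exe for review as likely false positives, and builds the "latest plus N more" line mood describes. The second sample entry, the function names and the review heuristic are assumptions; the Signer field is only what the log reports, so a match is a reason to look, not to allow.

```python
import re

FIELDS = ("Date/Time", "Process", "Parent", "Rule", "Rule Name",
          "Command Line", "Signer", "Parent Signer")
# First entry is the one quoted in the thread; the second is constructed for this example.
SAMPLE = r"""
Date/Time: 1/7/2018 6:24:52 AM
Process: [13104]C:\Windows\SoftwareDistribution\Download\Install\Windows6.1-RTM-Client-NEUTRAL-AMD64.EXE
Parent: [12768]C:\Windows\System32\wuauclt.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: "C:\Windows\SoftwareDistribution\Download\Install\Windows6.1-RTM-Client-NEUTRAL-AMD64.EXE" /q /x:..\..\..\CheckSur\v1.0
Signer: Microsoft Corporation
Parent Signer:

Date/Time: 1/7/2018 6:31:10 AM
Process: [4242]C:\Users\Public\example.exe
Parent: [1111]C:\Windows\explorer.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: "C:\Users\Public\example.exe" /q
Signer:
Parent Signer:
"""

def parse_entries(text):
    """Return one dict per entry; a 'Date/Time:' line starts a new entry."""
    entries = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "Date/Time":
            entries.append({})
        if sep and key in FIELDS and entries:
            entries[-1][key] = value.strip()
    return entries

def path_of(field):
    """Drop the leading [pid] from a Process or Parent field."""
    return re.sub(r"^\[\d+\]", "", field)

def review_candidates(entries):
    """Assumed triage rule: Microsoft-signed child of the Windows Update client."""
    return [e for e in entries if e.get("Signer") == "Microsoft Corporation"
            and path_of(e.get("Parent", "")).lower().endswith("\\system32\\wuauclt.exe")]

def digest(entries):
    """Latest blocked process plus a count of the earlier ones."""
    if not entries:
        return "no blocked processes"
    latest, more = path_of(entries[-1]["Process"]), len(entries) - 1
    return latest + (f" and {more} more blocked processes" if more else "")
```
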
     
  16. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,612
    Location:
    USA
     
  17. rethink

    rethink Registered Member

    Joined:
    Jan 13, 2015
    Posts:
    68
    Hi Andreas,

    Can we categorize the anti-exploit tab page something like that:
     
  18. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,986
    Location:
    Location Unknown
    This^^
     
  19. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    Thank you. My biggest concern is/was with the typical ignorant user. Since it operates sequentially I presume, in a case such as mine it would stop on the first encountered in the installer? There were 13 .exes that were bundled in one big package. All blocked. Unbeknownst to me. :)

    " I will fix the FP later and upload a new build."

    So then you consider the blocking of the OS upgrade package was a FP? I was not sure, but scratched my head. Again - my concern is with average user. We want them secure - not frustrated.

    TY for ALL your efforts on this exciting project!
     
  20. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,986
    Location:
    Location Unknown
    I assume, because it's been done numerous times before, that he is going to tweak the internal ruleset to prevent the blocking of Windows updates (which your log suggests was done.) Essentially, novirusthanks has your back....no user intervention required for this obvious FP.
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,134
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test17):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test17.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Block execution of .wsh scripts
    + Block execution of .reg scripts (unchecked by default)
    + Enabled by default "Block execution of .vbs scripts"
    + Improved internal rules
    + Fixed false positives

    To install this pre-release, first uninstall the old one.

    @mood

    Yes, the idea is to display the latest blocked process and only one click is needed to close the dialog.

    Good point :)

    @rethink

    Yes we will do that, but in next versions.

    @JoWazzoo

    Yes, it was triggered by an internal rule, it is fixed in this test17.

    Much thanks for reporting it :)
     
  22. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Thanks, will do.
     
  23. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,379
    Location:
    Hawaii
    17 running grrreat. I uninstalled 16 but no reboot before installing 17. Andreas knows how to write an uninstaller, desho ka?

    I will most certainly buy a license for OSA, when such is available. I MUCHLY appreciate folks who continue to support XP.

    Now that I have dumped Zemana, I'm using DrWeb CureIt for periodic on-demand AV scans. I shall probably buy DrWeb's realtime AV, but doubt I'll run it -- simply a purchase to express my thanks for CureIt. CureIt even has a Users Manual!

    For Andreas: The element that explains the appeal of RPG games to many programmers is neither the fire-breathing monsters nor the semi-clad, sexy damsels-to-be-rescued. It is the joy of writing a program from start to finish without any change in the user requirements.
     
    Last edited: Jan 8, 2018
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,418
    Location:
    Under a bushel ...
    Andreas, can you also allow OSA manual disablement to persist on reboot for those programs that need reboot to install?

    Unless it already works like that.
     
  25. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    224
    Location:
    UK
    I'm running build 17 and like the previous two or three builds the system tray GUI icon doesn't load although OSA is running in the background and reporting events OK. If nobody else has this issue then it's probably confined to this one machine.

    UPDATE. I've just uninstalled Heimdal because it was slowing my Internet browsing and not allowing some pages to load properly. After a reboot OSA is now back to normal. Go figure!
     
    Last edited: Jan 9, 2018