NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,341
    ...and one more for good measure.

    OSArmor_v1.9.8.0_available_03.JPG
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,728
    Location:
    The Netherlands
    Thanks for the info, will check it out. :thumb:
     
  3. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    373
    Location:
    Finland
    I'm using OSA with Harmony Endpoint. Very powerful combo. In OSA i enabled all "suspicious" protections and basic lolbin stuff, Harmony Endpoint takes cares the rest.
    Tested this combo against various bazaar samples about a week. I do not download or run anything from "user space folders". I just save pictures, videos etc to custom folders.
    I was kinda impressed, when running some .exe samples, OSA reacted really fast "suspicious process detected". Before mighty Harmony Endpoint even reacts. I was like...wow.

    Just one feature in OSA is that it really needs some more tampering protections(self protection mechanism). It's easy terminate OSA processes. When testing some malwares, they "kill" all the runnin processes which are not protected(chrome,outlook etc).
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    After enabling medium protection, I am getting a repeated block. I don't know what is making this run.
    Here is a Microsoft doc about the cmdlet:
    https://learn.microsoft.com/en-us/p...t/disable-computerrestore?view=powershell-5.1
    Code:
    Date/Time: 4/17/2024 10:09:39 AM
    Process: [16032]C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Process Size: 413.5 KB (423,424 bytes)
    Process MD5 Hash: 61732DBA77466B624C014B67A1E1348E
    Parent: [4904]C:\Windows\SysWOW64\cmd.exe
    Parent Process Size: 239.5 KB (245,248 bytes)
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell.exe  "Disable-ComputerRestore -Drive \"C:\""
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
    
     
    Last edited: Apr 17, 2024
  5. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,971
    Is "Enable OSArmor self-defense (process termination)" enabled?

    OSA.png
     
    Last edited: Apr 19, 2024
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,469
    Location:
    .
    I cannot update my payment method over on FastSpring. Any ideas what I'm doing wrong. FastSpring tells me...talk to my credit card. My credit card tells me...talk to FastSpring.
    My Appsvoid sub expires in May. My OSArmor sub expires in December.
    png_18925.png
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,076
    Location:
    Canada
    Maybe reach out to @novirusthanks.
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,341
    I got this short time ago, but then I had problems with my Opera browser. It locked up, and I had to reboot the laptop.

    Finally, here it is, and I chose ignore.

    OSArmor_popup_chose ignore_01.JPG
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,361
    Location:
    Italy
    We have released OSArmor v1.9.9:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update in the next hours.

    Else you can install it "over-the-top" of the installed version, reboot is not needed.

    If you find false positives or issues please let me know.

    @shmu26

    It looks like something in the system (e.g a Windows Update or a system process or a service of a backup software) is doing that activity.

    You should not see the alerts in this new build.

    @bjm_

    We resolved the issue via email, thanks for reporting that.

    @Tarnak

    FP fixed.

    @moredhelfinland

    We have an option (enabled by default) to protect OSA processes from termination (only Task Manager is allowed to terminate them).

    We intentionally didn't add other particular/advanced tampering protections because a process to damage OSA has to [1] run in the system and [2] gain admin privileges.

    It already covers protection from tampering done by abusing system processes.
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,341
    Auto updated a short time ago to v1.9.9.0 :), and scanned for New Trusted Vendors.

    OSArmor_auto updated to v1.9.9.0_01.JPG
     
  11. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,971
    OSArmor has been updated to v2.0.0.0.

    Changelog:
    + Save log files in YYYY-MM-DD.log format
    + Save date/time in log files in YYYY-MM-DD HH:mm:ss format
    + Save also date/time in UTC
    + Added more JSON data on HTTP POST request (Enterprise version)
    + Minor improvements

    Source: https://www.osarmor.com/changelog/

    OSA-2.png
     
    Last edited: May 20, 2024
  12. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,341
    Got it now...

    OSArmor_autoupdated_to v2.0.0.0.JPG
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,281
    Location:
    Among the gum trees
    Hi @novirusthanks ,

    Just seen a message from OSA on starting Windows that OSA service wasn't running and suggested I start the service, restart my machine, or reinstall the latest version. I've seen it once or twice before with recent builds. A system restart gets it going.

    Not a big deal, but if I didn't catch the pop up I may not have noticed that OSA wasn't running.

    I've installed the latest version of the top for now.

    Thanks.
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,361
    Location:
    Italy
    We have released OSArmor v2.0.1:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update in the next hours.

    Else you can install it "over-the-top" of the installed version, reboot is not needed.

    If you find false positives or issues please let me know.

    This update was focused mainly on the Enterprise version but we made improvements also to Personal and Business versions.

    @Krusty

    Please let me know if you notice that again with this new v2.0.1 version.
     
  15. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,341
    Got it a short time ago...

    OSArmor_autoupdated_to v2.0.1.0.JPG
     
  16. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,341
    I don't know what this is about, that just popped:

    Code:
    Date/Time: 2024-06-11 21:52:44
    Date/Time UTC: 2024-06-11 11:52:44
    Action: Process Blocked
    OSArmor Version: 2.0.1.0
    Process: [12732]C:\Windows\System32\cmd.exe
    Process Size: 283 KB (289,792 bytes)
    Process MD5 Hash: 2B40C98ED0F7A1D3B091A3E8353132DC
    Parent: [20680]C:\Windows\System32\cmd.exe
    Parent Process Size: 283 KB (289,792 bytes)
    Rule: BlockCmdScripts
    Rule Name: Block execution of .cmd scripts
    Command Line: C:\windows\system32\cmd.exe  /S /D /c" dir /a /b /s install.cmd"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
    
    
    Date/Time: 2024-06-11 21:52:28
    Date/Time UTC: 2024-06-11 11:52:28
    Action: Process Blocked
    OSArmor Version: 2.0.1.0
    Process: [18656]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process Size: 445 KB (455,680 bytes)
    Process MD5 Hash: 2E5A8590CF6848968FC23DE3FA1E25F1
    Parent: [20680]C:\Windows\System32\cmd.exe
    Parent Process Size: 283 KB (289,792 bytes)
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell  -Command "(gc version.txt ) -replace ']', '' | Out-File -encoding ASCII version.txt"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
    
    
    Date/Time: 2024-06-11 21:52:27
    Date/Time UTC: 2024-06-11 11:52:27
    Action: Process Blocked
    OSArmor Version: 2.0.1.0
    Process: [5616]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process Size: 445 KB (455,680 bytes)
    Process MD5 Hash: 2E5A8590CF6848968FC23DE3FA1E25F1
    Parent: [20680]C:\Windows\System32\cmd.exe
    Parent Process Size: 283 KB (289,792 bytes)
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell  -Command "(gc version.txt ) -replace 'Microsoft Windows \[Version 10.0.', '' | Out-File -encoding ASCII version.txt"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
    
    
    
     
  17. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,341
    Now, I know what the above is about. Just got this warning from CyberLock/VoodooShield. The timing fits.

    Cyberlock-VoodooShield_ not safe item_01.JPG

    Cyberlock-VoodooShield_ not safe item_03.JPG

    PS. Added another image
     
    Last edited: Jun 11, 2024
  18. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    373
    Location:
    Finland
    @Tarnak
    swsetup folder is related to HP computers i think...for me it seems that HP driver or what ever install/uninstall cmd "script" gets blocked by CL. I know, this is annoying, when some legit softwares uses scripts for uninstalling/installing stuff.
    One example, one of my test PCs, i ran freeware PC MARK 10 to test my security software performance. It was kind of a nightmare to get the test completed. CL and OSArmor blocked powershell script used by PC MARK 10.
    PC MARK 10, one of the test uses in build chromium(old version), massive alarms from CL / OSA. In the end, i whitelisted whole friggin PC mark directory, which is, security wise very bad move.
     
  19. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,341
    @moredhelfinland

    Yes, I have a HP Probook laptop.

    I have decided to exclude and unblock, and allow the script to run. No ill effects noticed.

    OSArmor_Excluded_allowed running of script_01.JPG

    P.S. Maybe, I should have chosen ignore in this instance. @novirusthanks can advise?
     
  20. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,341
    Just updated:

    Changelog:

    [16-Jun-2024] v2.0.2.0

    + Added more signers to Trusted Vendors list
    + Added more JSON data on HTTP POST request
    + Fixed all reported false positives
    + Minor improvements
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.