NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. guest

    guest Guest

    ERP v3 is EOL; just wait for the v4 public beta, it will come soon.
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,380
    Location:
    Italy
    Hi bellgamin.
    I've been testing test 19 since yesterday, which presents a more "smart" change compared to the fixes in test 18, also for us XP users.

    ;):thumb:
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    10Q Sampei. I look forward to test 19. I will be a little sad when OSA reaches its final release status -- this thread is a lot of fun AND very interesting!
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,380
    Location:
    Italy
  5. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    OSA test 19... for now on XP it runs smoothly without issue in combo with ERP, Kerio FW and SD.
    --------------------------
    edit: sorry, it was v.18... my mistake :rolleyes:
     
    Last edited: Jan 11, 2018
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Haven't seen a test 19 posted?
     
  7. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    Wonder if Andreas pulled it? It WAS here - I installed it. :) OOPS!! Sorry - I guess 18 IS the latest. Unfortunately you cannot tell inside OSA - you have to look at your DL or Install history.
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,313
    I don't think it was pulled...I have got them all. ;)

    NVT_OSArmor_number of versions to date_01.JPG
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test22):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test22.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + We now have 150+ protection options in the Configurator GUI
    + Improved support for Windows XP OS (2)
    + Added an exclamation icon to the left of protection options that can create FPs
    + Block execution of .msc scripts outside System folder
    + A lot of internal rules have been improved
    + Fixed all reported false positives

    New protection options to mitigate specific attacks and UAC\DeviceGuard\AppLocker\etc bypasses:

    + Prevent winword.exe from loading DLLs with /L switch
    + Prevent DLL\Exe execution via Tracker.exe
    + Prevent ieexec.exe from loading remote files
    + Prevent msiexec.exe from loading MSI files masked as PNG files
    + Block execution of .msi installer scripts (*can create many FPs*)
    + Prevent MavInject32.exe from loading DLLs in running processes
    + Prevent AtBroker.exe from using /start switch to run processes
    + Block processes executed from AtBroker.exe
    + Prevent msxsl.exe from loading .xsl scripts
    + Prevent MSBuild.exe from loading .csproj scripts
    + Prevent odbcconf.exe from loading .rsp scripts
    + Block F# Interactive (fsi.exe) from executing F# scripts
    + And many more, see screenshot:

    osa-22.png

    Yes, we are very paranoid :)

    To install this pre-release, first uninstall the old one (important).

    @Cutting_Edgetech

    You can use the new option "Block execution of .msc scripts outside System folder".

    @paulderdash

    OSA test19 (and test20, test21) was specific for a few users to test on Windows XP.

    @Overkill

    Suggestions saved, thanks!
     
  10. guest

    guest Guest

    Great :thumb:
     
  11. plat1098

    plat1098 Guest

    The orange False Positive warning "I" next to certain rules like Block Execution of unsigned processes on Local AppData is very helpful; this was why I have these three AppData-related rules currently disabled. :)
     
  12. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    344
    Exploit Test Tool http://dl.surfright.nl/hmpalert-test.exe

    v1.4 (pre-release) (test22)

    Stack Pivot 1 = FAILED

    Stack Exe = FAILED

    Unpivot Stack = FAILED

    ROP - VirtualProtect() = FAILED

    ROP - WinExec() = FAILED

    ROP - NtProtectVirtualmemory() = FAILED

    ROP - Wow64 bypass = FAILED

    ROP - Exploit Wow64 = FAILED

    ROP - CALL preceded VirtualProtect() = FAILED

    ROP - VirtualProtect() via CALL gadget = FAILED

    ROP - WinExec() via anti-detour = FAILED

    IAT Filtering = FAILED

    Null Page = FAILED

    Heap Spray 1 = FAILED

    Heap Spray 2 = FAILED

    Heap Spray 3 = FAILED

    Anti-VM - VMware = FAILED

    Anti-VM - Virtual PC = FAILED

    Lockdown 1 = FAILED

    Lockdown 2 = FAILED
     
  13. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,955
    @liba Not sure what "FAILED" means here. Did the exploit fail to load, which would be a good thing, or did the anti-exploit app fail to stop the exploit, which would be a bad thing, of course?

    @novirusthanks Thanks for the new test build.:thumb:
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    I updated test22 setup file, please re-download it and install the new one:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test22.exe

    File: osarmor_setup_1.4_test22.exe
    File size: 6,52 MB (6.839.448 bytes)
    MD5 checksum: F3F0F66CBCA78EBD01252A6D797312B9
    SHA1 checksum: 9A1B71DEC2E1944E516C7312FB4B40829815D3D2
    SHA256 checksum: 81A94C5B33D4D1FFCD30531F25456E9D1B49AAE608A7A048291AC88FEAE55351

    * Make sure these options are not enabled by default (issue on the previous test22 setup):
    * Block execution of Windows Command Prompt (cmd.exe)
    * Block execution of Windows PowerShell

    @liba

    Try to rename hmpalert-test.exe to opera.exe and re-run the test.

    It is what @Sampei Nihira did on his test:

    https://www.wilderssecurity.com/thr...-layer-of-defense.398859/page-21#post-2730345

    hmpalert-test.exe is not recognized as a vulnerable process, thus it is not protected with Anti-Exploit module.
     
  15. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    344
    @novirusthanks thanks, and suggestions:
    Block Exe from Temp Dir
    Prompt User on Exe Blocked
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @liba

    All right, I tested HMPA Test and OSA didn't block some payloads just because the payload is calc.exe (a totally safe system process).

    I added a new rule "Consider calc.exe (Calculator) as malicious on Anti-Exploit module" on OSA and it blocked all payloads successfully.

    I will make a video in the next hours :)

    Suggestions saved, thanks!
     
  17. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
  18. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
  19. guest

    guest Guest

    Yes. They are allowed inside the System folder, but outside of the folder they are blocked.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andreas

    Updated 22 very smooth here.

    Question. I see a new malware delivery method is hiding scripts inside graphics files. Is that something you can detect and then block?

    Thanks,

    Pete
     
  21. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    test 22 #539

    Process: [21108]C:\Windows\System32\cmd.exe
    Parent: [22820]C:\Program Files\Sandboxie\Start.exe
    Rule: BlockCmdExeExecution
    Rule Name: Block execution of Windows Command Prompt (cmd.exe)
    Command Line: C:\WINDOWS\System32\cmd.exe /c rmdir /s /q "D:\Sandbox\bjms\__Delete_Firefox_01D38AFE8A4D2A26"
    Signer:
    Parent Signer: Invincea, Inc.

    Process: [8144]C:\Windows\System32\cmd.exe
    Parent: [4568]C:\Program Files\Sandboxie\Start.exe
    Rule: BlockCmdExeExecution
    Rule Name: Block execution of Windows Command Prompt (cmd.exe)
    Command Line: C:\WINDOWS\System32\cmd.exe /c rmdir /s /q "D:\Sandbox\bjms\__Delete_Chrome_01D38AFEDC00B50B"
    Signer:
    Parent Signer: Invincea, Inc.

    [%PROCESSCMDLINE%: C:\WINDOWS\System32\cmd.exe /c rmdir /s /q "D:\Sandbox\bjms\__Delete_*_*"]
     
    Last edited: Jan 11, 2018
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Um, does an exclusion, e.g. [%PARENTFILEPATH%: C:\Program Files\Sandboxie\*] or [%PARENTSIGNER%: Invincea, Inc.], carry over to processes running in my sandboxes?
    Meaning, can I exclude Sandboxie and not exclude sandbox'd files?
     
    Last edited: Jan 11, 2018
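Added illustration for the exclusion lines quoted in this post and the previous one (example code, not OSArmor's own; how OSArmor actually evaluates these lines is assumed here: `*` as wildcard, case-insensitive comparison, and the three variable-to-field mappings). It parses the block log format shown above and checks which of the two constructed events each exclusion covers, showing that a command-line-only exclusion also whitelists the same command issued by an untrusted parent, while pairing it with the parent signer does not.

```python
import fnmatch
import re

# Constructed sample in the layout OSArmor's log shows on this page: the
# Sandboxie cleanup from the thread, then an invented unsigned parent in Temp.
SAMPLE_LOG = """Process: [21108]C:\\Windows\\System32\\cmd.exe
Parent: [22820]C:\\Program Files\\Sandboxie\\Start.exe
Rule: BlockCmdExeExecution
Command Line: C:\\WINDOWS\\System32\\cmd.exe /c rmdir /s /q "D:\\Sandbox\\bjms\\__Delete_Firefox_01D38AFE8A4D2A26"
Signer:
Parent Signer: Invincea, Inc.

Process: [8144]C:\\Windows\\System32\\cmd.exe
Parent: [4568]C:\\Users\\bjm\\AppData\\Local\\Temp\\updater.exe
Rule: BlockCmdExeExecution
Command Line: C:\\WINDOWS\\System32\\cmd.exe /c rmdir /s /q "D:\\Sandbox\\bjms\\__Delete_Chrome_01D38AFEDC00B50B"
Signer:
Parent Signer:
"""
# Assumed mapping from exclusion variables to log fields; only the three
# variables that appear on the page are modelled.
FIELD_FOR_VAR = {"PROCESSCMDLINE": "Command Line", "PARENTFILEPATH": "Parent",
                 "PARENTSIGNER": "Parent Signer"}
PID_PREFIX = re.compile(r"^\[\d+\]")
EXCLUSION = re.compile(r"^\[%(\w+)%:\s*(.*)\]$")


def parse_log(text):
    """Split the log into events and drop the [pid] prefix from path fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            ev[key.strip()] = PID_PREFIX.sub("", value.strip())
        events.append(ev)
    return events


def matches(exclusion, event):
    """True if one [%VAR%: pattern] line covers the event. Assumed semantics:
    '*' is a wildcard and the comparison is case-insensitive."""
    m = EXCLUSION.match(exclusion.strip())
    if not m or m.group(1) not in FIELD_FOR_VAR:
        raise ValueError(f"unsupported exclusion: {exclusion}")
    value = event.get(FIELD_FOR_VAR[m.group(1)], "")
    return fnmatch.fnmatchcase(value.lower(), m.group(2).lower())


def excluded_by_all(exclusions, event):
    """Several lines treated as one conjunctive rule (this example's own convention)."""
    return all(matches(x, event) for x in exclusions)
```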
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Ok, I'll try that. That should eliminate most false positives.
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test23):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test23.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Now calc.exe is blocked via the Anti-Exploit module
    + Block execution of unsigned processes on Temp Folder (unchecked by default)
    + Block execution of unsigned processes on Windows Temp (unchecked by default)
    + Minor fixes and optimizations

    To install this pre-release, first uninstall the old one.

    Here is a new video where I tested OSArmor with HitmanPro.Alert Exploit Test Tool:
    https://www.youtube.com/watch?v=2fUBOVbAHcE

    @Peter2150

    Do you have any links or samples to check?

    @bjm_

    Did you intentionally check "Block execution of Windows Command Prompt (cmd.exe)"?

    I am asking this because test22 (first setup file) had an issue that auto-checked that option after installation.

    @Cutting_Edgetech

    Yes, with that option it should block only "suspicious" .msc scripts (outside of System folder).
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andreas

    No, I don't. I couldn't even find the link to the article. My Duh

    Pete
     