NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Cool, but I'm starting to think that with OSA it's not possible to give me what I ask for. I'm guessing you cannot make OSA allow system and browser processes to execute only from a trusted parent process? Perhaps this will help a bit (see link), and I hope ERP will soon be released.

    https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2

    It would be nice if you actually understood what OSA is all about before testing, because seems like you don't LOL.

    I was thinking, I wonder if it's even necessary to put regsvr32 and rundll32 on the vulnerable list in ERP if OSA is already installed.
     
  2. guest

    guest Guest

    I think it is doable.
    You can try to create a rule to block the directory (%PROCESSFILEPATH%) in which the browser is installed (file: CustomBlock.db - "Write rules to block custom processes")
    Then create exclusions for it to allow the parent process(es) which should be able to execute it (file: Exclusions.db - "; Write rules to exclude a process from being blocked")
    In the case of a multi-process browser, the browser itself must be allowed to execute files in the directory (process: firefox.exe <- parent process: firefox.exe)
    And at least explorer.exe must be allowed (process: firefox.exe <- parent process: explorer.exe), else launching the browser from the Start menu leads to a blocked process.

    There are tons of other possibilities and a lot can be done with variables/rules.
     
  3. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    CPU usage of OSArmorDevSvc.exe constantly exceeds 10 per cent. I don't think this was the case with previous builds. Maybe some kind of a memory leak?
     
  4. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    Also with the latest build, I can’t open the configurator
     
    Last edited: Jan 14, 2018
  5. j9ksf

    j9ksf Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    35
    Neither can I.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    No problem here (Win 7 x64)
     
  7. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    I know this had been mentioned but I can't find the answer. Is there going to be an automatic rule updater without having to run the installer each time?

    What is the purpose of 'Exit GUI' in the context menu? For what reason would someone use this?
     
    Last edited: Jan 14, 2018
  8. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    No problem with configurator here, on Win 10 Pro 64 bit. Also, OSA using only 12MB RAM
     
  9. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    It doesn't use a lot of RAM here either, but CPU constantly exceeds 10 per cent or more.

    Edit: This refers to test build 23. I didn't have this CPU problem with previous builds.
     

    Last edited: Jan 14, 2018
  10. plat1098

    plat1098 Guest

    Yes, the Configurator doesn't open for me either, there is just a spinning circle next to the pointer. This is test version 22--if I had been the only one reporting it, I would have un/reinstalled it. There is just one more process loading in task manager every time you click the UAC prompt.

    Otherwise, memory use is around 13 MB, same as others.

     
  11. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    I know guest had an installation tut on NVT. I'll see if I can find it.
     
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test24):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test24.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Block reg.exe from hijacking Registry startup entries
    + Block execution of unsigned processes on Desktop folder
    + Block execution of processes on Documents folder
    + Moved Block ExecutionPolicy Bypass and WindowStyle Hidden to Advanced tab
    + Added PhantomPDF on Anti-Exploit tab
    + Added many new internal rules
    + Improved handling of false positives
    + Added new tab "Settings" on Configurator
    + New option: Enable Passive Logging (do not block the process, just log the event)
    + New option: Show a notification window when something is blocked
    + New option: Automatically close the notification window
    + You can exclude events more easily via the "Exclude" button
    + The "Exclude" button opens the "Exclusions Helper" GUI with pre-filled fields
    + You can open the logs folder via the "Open Logs" button
    + You can set the notification dialog to not auto-close and keep it open
    + You can manually close the notification dialog via the "X" button on top-right
    + Minor fixes and optimizations

    Here is a screenshot:


    @plat1098 @Antarctica @j9ksf

    Do you have VS or ERP running?

    Another user from MT reported the same issue and fixed it by closing VS.

    To me it looks as if another program (probably an anti-exe or similar) has entered a "loophole" to analyze\check OSArmorDevCfg.exe execution, or is waiting for a response\data but not receiving it.

    I'll try to reproduce the issue.

    @Buddel

    Will try to reproduce the issues with the CPU usage.

    @Charyb

    Auto-updater is on the todo list.

    It just allows you to close the UI.

    We may allow it to totally close the service too, we'll need to discuss it.

    @Sampei Nihira

    Thanks for the info :thumb:
     
    Last edited: Jan 14, 2018
  13. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Works just fine. :thumb:

    Test DEP (HPA3) on W.XP:

     
  14. plat1098

    plat1098 Guest

    Installed the test 24 and the Configurator opens at this time. I don't have VoodooShield installed, just Windows Defender with several exploit mitigations enabled. I'll see how it goes, now it's fine. :)
     
  15. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    I've been running test build 24 for a couple of minutes. My CPU problem seems to be gone. :) Should it come back, I will tell you. Thanks for the new build, @novirusthanks. Much appreciated. :thumb:
     
  16. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Running test build 24 and Configurator wouldn't open. Checked process list and OSArmorDevCfg.exe listed as running but GUI did not show. Analysed wait chain of OSArmorDevCfg.exe and process was waiting for Voodooshield.exe. Killed Voodooshield.exe and Configurator then appeared :thumb:

    I restarted VS then opened OSA again. This time Configurator opened successfully. Checked VS and OSArmorDevCfg.exe is now Whitelisted :cool:
     
    Last edited: Jan 14, 2018
  17. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    I did have an issue uninstalling version 22 to get 23 installed, but got around that. Just installed 24, so thank you. Not that it is a big deal to me, but I saw this in the logs prior to upgrading to build 24.

    Code:
    Date/Time: 1/14/2018 10:00:54 AM
    Process: [1952]C:\Windows\System32\cmd.exe
    Parent: [2396]C:\Windows\System32\igfxCUIService.exe
    Rule: BlockBATScripts
    Rule Name: Block execution of .bat scripts
    Command Line: C:\WINDOWS\system32\cmd.exe /c "C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat"
    Signer:
    Parent Signer: Intel(R) pGFX
     
    Date/Time: 1/14/2018 11:00:32 AM
    Process: [7084]C:\Windows\System32\cmd.exe
    Parent: [2500]C:\Windows\System32\igfxCUIService.exe
    Rule: BlockBATScripts
    Rule Name: Block execution of .bat scripts
    Command Line: C:\WINDOWS\system32\cmd.exe /c "C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat"
    Signer:
    Parent Signer: Intel(R) pGFX
     
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Hi Trooper,
    FWIW ~ from my exclusions.
    [%PROCESSCMDLINE%: C:\WINDOWS\system32\cmd.exe /c "C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat"]
     
    Last edited: Jan 14, 2018
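    Added example, not code from OSArmor or from anyone in this thread: a small parser for log entries in the layout Trooper quoted, which proposes Exclusions.db lines in the exact form bjm_ posted, but only when the blocked child's parent is signed by a publisher on a trust list and lives under System32. The sample log is constructed (the second entry with an unsigned parent in a Downloads folder is invented for contrast), and the trust list and System32 check are my own policy choices, not OSArmor behaviour.

```python
import re

# Constructed sample (hypothetical) in the layout OSArmor writes to its log, as quoted
# by Trooper above; the second entry is an invented unsigned parent for contrast.
SAMPLE_LOG = r"""Date/Time: 1/14/2018 10:00:54 AM
Process: [1952]C:\Windows\System32\cmd.exe
Parent: [2396]C:\Windows\System32\igfxCUIService.exe
Rule: BlockBATScripts
Rule Name: Block execution of .bat scripts
Command Line: C:\WINDOWS\system32\cmd.exe /c "C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat"
Signer:
Parent Signer: Intel(R) pGFX

Date/Time: 1/14/2018 11:05:10 AM
Process: [4100]C:\Windows\System32\cmd.exe
Parent: [3020]C:\Users\Public\Downloads\setup.exe
Rule: BlockBATScripts
Rule Name: Block execution of .bat scripts
Command Line: C:\WINDOWS\system32\cmd.exe /c "C:\Users\Public\Downloads\run.bat"
Signer:
Parent Signer:
"""

_PID_RE = re.compile(r"^\[\d+\]")  # '[1952]C:\x.exe' -> 'C:\x.exe'; PIDs are not stable

def parse_log(text):
    """Return one dict per blank-line separated entry, keyed by the 'Key:' labels."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            ev[key.strip()] = value.strip()
        for key in ("Process", "Parent"):
            ev[key] = _PID_RE.sub("", ev.get(key, ""))
        events.append(ev)
    return events

def safe_to_exclude(ev, trusted_parent_signers):
    """Policy choice (assumption): only a parent signed by a trusted publisher and living in
    System32 qualifies; unsigned parents or user-writable paths stay blocked for manual review."""
    return (ev.get("Parent Signer") in trusted_parent_signers
            and ev["Parent"].lower().startswith("c:\\windows\\system32\\"))

def propose_exclusions(text, trusted_parent_signers=("Intel(R) pGFX",)):
    """Emit Exclusions.db lines in the form bjm_ posted above (match the exact command line)."""
    return [f"[%PROCESSCMDLINE%: {ev['Command Line']}]"
            for ev in parse_log(text) if safe_to_exclude(ev, trusted_parent_signers)]
```

    Matching on the full command line, as bjm_ did, keeps the exclusion narrow: a different .bat name or path from the same parent is still blocked.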
  19. plat1098

    plat1098 Guest

    Sorry, spoke too soon. Since there is nothing like an anti-exe on here, I tried turning off CFG in Defender and restarting. Then it was clear it had something to do with a games app that was also open. If I closed this app, the Configurator would then open immediately. I'll try to figure it out still further, but there's definitely some kind of interference there.
     
    Last edited by a moderator: Jan 14, 2018
  20. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    Yeah, it works for me too, thanks askmark :)
     
  21. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    24 running fine on Windows 7 x64.
    Configurator OK.
    Memory usage OSArmorDevSvc.exe: 10,580K, OSArmorDevUI.exe: 3,480K.
     
  22. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Thank you Peter2150, Rasheed187, and Infected for the comments on running ERP with OSA. I searched for a tutorial by guest with no luck, but I don't want to go off-thread here, so I'll ask any other questions at the ERP thread.
     
  23. guest

    guest Guest

  24. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
  25. j9ksf

    j9ksf Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    35
    Yes, VS is installed and running. No problems prior to test 23. However, disabling VS made no difference.
     