NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,595
    I probably spoke too soon. The CPU issue is back (test build 26). :(

    And - again - I found a couple of these entries in my event viewer:
    Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst OSArmorDevSvc erreicht.


    Last edited: Jan 19, 2018
  2. #744 @Buddel

    I think this is a very good idea! :thumb:

    #736 @Peter2150

    Thanks!

    #729 @Buddel

    That CPU level looks a bit high; on my Windows 7 computer it's around 4% CPU.

    #734 @Peter2150

    Can't wait for OSArmor build 27 that will be nice, I wonder what changes have been made by @novirusthanks?

    Hex message: 5468697320536F66747761726520697320736F20636F6F6C21 ;)

    I was thinking about using an MD5 Hash, but came to my senses lol.

    Could I use hashes for my URLs? Would that be breaking forum policy? At the end of the day it's just numbers or letters.

     
    Last edited by a moderator: Jan 20, 2018
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    My hunch is no one will bother. Just use the delink feature.
     
  4. Rebsat

    Rebsat Registered Member

    Joined:
    Oct 20, 2014
    Posts:
    34
    Location:
    My Desk
    How are you doing bro? I really need your advice regarding the following combo:
    Avast Free Antivirus + OSArmor

    I am using that combo but I don't have any Firewall module in my combo and I am thinking about adding Comodo Firewall into that combo to get Network Protection.
    Would you please explain it to me if adding Comodo Firewall is required to my combo or not?

    Thank you for your good assistance bro :thumb:
     
  5. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,986
    Location:
    Location Unknown
    I think it's really unnecessary to combine any HIPS with any anti-behavioral; it's just overkill. Pick one or the other. In my opinion... Avast + OSA = yes. Comodo + OSA = no. Avast + Comodo = maybe. Just because something can be used doesn't mean it should be.
     
  6. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    26 is looking really good but worth reporting a potential issue. For testing I enabled Block execution of unsigned processes on Local AppData and launched the Woolyss no sync, no webRTC etc privacy focused version of Chromium. As expected it was blocked as it is unsigned and running in AppData.

    To follow the test through I clicked the pop-up to exclude and accepted the suggested exclusion. This was followed by several other pop-ups that were triggered by different command-line actions, similar but not identical, spawned by my allowing the first process, i.e.:

    Command Line: "C:\Users\xxx\AppData\Local\Chromium\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,16144676380247047929,16388329692474331710,131072 --start-stack-profiler --gpu-vendor-id=0x1002 --gpu-device-id=0x990f --gpu-driver-vendor="Advanced Micro Devices, Inc." --gpu-driver-version=15.201.1101.0 --gpu-driver-date=8-6-2015 --start-stack-profiler --service-request-channel-token=FE0A7AD983AC28A36DCC8BB3C779A117 --mojo-platform-channel-handle=1584 --ignored=" --type=renderer " /prefetch:2

    Command Line: "C:\Users\xxx\AppData\Local\Chromium\Application\chrome.exe" --type=renderer --site-per-process --field-trial-handle=1612,16144676380247047929,16388329692474331710,131072 --service-pipe-token=95255A6F82852A01D823C9EEE2CD4B02 --lang=en-GB --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --blink-settings=disallowFetchForDocWrittenScriptsInMainFrame=false,disallowFetchForDocWrittenScriptsInMainFrameOnSlowConnections=true,cssExternalScannerNoPreload=false,cssExternalScannerPreload=true --site-per-process --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-checker-imaging --enable-compositor-image-animations --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553 
--service-request-channel-token=95255A6F82852A01D823C9EEE2CD4B02 --renderer-client-id=6 --mojo-platform-channel-handle=2796 /prefetch:1

    Command Line: "C:\Users\xxx\AppData\Local\Chromium\Application\chrome.exe" --type=renderer --site-per-process --field-trial-handle=1612,16144676380247047929,16388329692474331710,131072 --service-pipe-token=67361FD01F3316C492CD164903F2DBB9 --lang=en-GB --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --blink-settings=disallowFetchForDocWrittenScriptsInMainFrame=false,disallowFetchForDocWrittenScriptsInMainFrameOnSlowConnections=true,cssExternalScannerNoPreload=false,cssExternalScannerPreload=true --site-per-process --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-checker-imaging --enable-compositor-image-animations --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553 
--service-request-channel-token=67361FD01F3316C492CD164903F2DBB9 --renderer-client-id=3 --mojo-platform-channel-handle=2820 /prefetch:1

    I couldn't allow the exclusion quickly enough as they were coming thick and fast and OSA became unresponsive and eventually gave a message saying Stack Overflow. Windows then gave a message that OSA had stopped working. I assume this is a result of multiple actions backing up to the extent that the application could not manage the activity.

    It's a reasonable question to ask why check this option if you plan to run unsigned apps from Local AppData, and to suggest this is maybe limited to my set-up and this particular application, but it is still beta and just testing. It seems though that the developer may be interested in resolving a potential scenario that results in a stack overflow that stops the application running.

    Win 10 Pro x64. No other security apps running.

    Thanks
     
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,134
    Location:
    Italy
    @Elwe Singollo

    Thank you for reporting that issue, will be fixed in the next build.

    We'll make sure that if there are many blocked events the notification dialog is not flooded.
     
  8. I will not continue using OSArmor now that I have my dream security software SpyShelter Firewall 10.0 Software for 100% free of charge! :isay:

    There's a command-line tool that can shut down the computer system that could still exploit the OSArmor build 26 software, very cool. :D I can't create block rules for these exploits, one a UAC exploit and the other a shutdown exploit, both signed as Microsoft, big problems lol. :eek:

    Rule 'Block Execution of shutdown.exe'
    Rule 'File Signer'

    Exploits confirmed! :eek:

    Then compile exploit script and then execute!

    Code:
    ' ????????? Exploit Script! - created by (BlackBox) Grey Hat Hacker
    ' Written on 20/01/2018
    '
    ' Execute: C:\Windows\System32\wscript.exe load.vbs
    
    Set Payload_1 = WScript.CreateObject("WScript.Shell")
    Set Payload_2 = CreateObject("Shell.Application")
    Path = Payload_1.CurrentDirectory
    Payload_1.RegWrite "HKCU\Software\??????\?????????\Accepted", "1", "REG_DWORD" ' We can already write to registry without user rights here ...
    Payload_2.ShellExecute "???????", "-s -t 00", "", "runas", 0 ' Force UAC bypass via "runas" function here ....
    
    Code:
    / Use this command line with shell access.
    ???????.exe -s -t 00
    

    Security patch here!

    Code:
    / Security fix for Desktop folder
    [%FILESIGNER%: Microsoft Corporation] [%PROCESSFILEPATH%: *Desktop\] [%PROCESSCMDLINE%: *.exe*]
    / Security fix for Downloads folder
    [%FILESIGNER%: Microsoft Corporation] [%PROCESSFILEPATH%: *Downloads\] [%PROCESSCMDLINE%: *.exe*]
    / Security fix for UAC bypass DLL Hijacking
    [%PROCESSCMDLINE%: *sysprep.exe*]
    
    All of the above exploits are now blocked, I'm not patching all of the security holes. :thumb:

    Let's keep that Windows 10 UAC exploit and others etc. yay! :shifty:

    Screenshot: https://photos.app.goo.gl/mxbosYyP0w7YX7493

    * some off topic remarks removed
     
    Last edited by a moderator: Jan 20, 2018
  9. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,595
    It was always below 1% in earlier test builds (Windows 10).
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    Yes exactly. I'm guessing the new ERP v4 will offer this feature. But obviously it should not alert about the launching of explorer.exe and svchost.exe during boot-up. I guess this is where the problem is: you need a way to identify the parent process of all system processes.
     
  11. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Date/Time: 20/01/2018 17:38:21
    Process: [15336]C:\Windows\System32\wscript.exe
    Parent: [1836]C:\Windows\System32\svchost.exe
    Rule: BlockVbsScripts
    Rule Name: Block execution of .vbs scripts
    Command Line: C:\WINDOWS\System32\Wscript.exe //B //NoLogo "C:\Program Files\Intel\SUR\QUEENCREEK\x64\task.vbs"
    Signer:
    Parent Signer: Microsoft Windows Publisher
     
  12. #748 @Circuit

    ZoneAlarm also has Application Control, like HIPS protection, but it also works with the ZoneAlarm Firewall. That would conflict as well with another HIPS program! :eek: Plus the ZoneAlarm software has bad CPU usage, it's too high for my liking. It can also make your computer a bit sluggish lol. :( I wouldn't use ZoneAlarm with the OSArmor build 26 software!

    #747 @Rebsat

    Behavior Shield is like Heuristics Detection and HIPS Protection plus Sandbox for Zer0-day detections choose only one method? :D

    Anti-virus Software do combine Behavior Based Blocking and Heuristics Detection with HIPS Protection and even Sandbox mad really! But they have created each security modules, so that they don't conflict very cool. Even AVG FREE Anti-virus Software has a 4 layer security mechanism! :cool:

    Combo:
    1. SpyShelter Firewall
    2. OSArmor + Windows Firewall
    3. FortKnox Firewall + OSArmor
    4. Comodo Firewall + OSArmor
    5. SpyShelter Firewall + OSArmor

    Note: Uncheck the box (HIPS) in FortKnox Firewall called "Enable Intrusion Detection System!", and for Comodo Firewall disable the HIPS and Sandbox security modules. I'm now running SpyShelter Firewall, so disable the security modules' system protection, that's all.

    #744 @Buddel

    I think that's a great idea! :thumb:

    #743 @n8chavez

    With the SpywareShelter Firewall Software you don't even need any form of Anti-virus Software, because of the powerful HIPS Protection dissects Spyware Malware in each code part keylogger code etc. even detections of sockets backdoor for example, but with Anti-virus Software it's well known that virus database or virus definitions need constantly updating even to detect known malware and the HIPS Protection not very good. This is why I only use Spyshelter Firewall Software! :cool:

    #738 @rdsu

    It's just that they have put so much effort in the security software mechanisms and improving GUI user options and fixing most Computer exploits for the HIPS Protection. That's still not enough knowledge in hacking or Computer exploits are limited. Well Spyshelter Firewall is really overkill that's my opinion! ;) If they also implement in build 27 software the DLL blocking? Then that would be a very big step in fixing the problems! :cool: This would also protect against DLL code injections which is mission impossible to block with OSArmor build 26 Software and requires future review.

    #740 @Circuit

    OSArmor still has some of my big online security achievements in improvements, so I will still continue it. But probably install it on my Virtual LAB Computer system instead for testing beta Software. I always have my own different projects in malware designing and exploit creating and testing, but also in computer security fixes or patching as well. :thumb:

    #736 @rdsu

    Why not just use the rule block .vbs? This always works great as shown below! :thumb:

    #734 @Buddel

    Very cool! :thumb:

     
    Last edited by a moderator: Jan 20, 2018
  13. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
  14. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,381
    Location:
    Hawaii
    Avast includes a BB. I wonder if that aspect of Avast would be redundant with SOME aspects of OSA.

    By the way, Avast is very modular and each module can readily be disabled if desired -- that includes Avast's BB.
     
  15. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Bye-Bye with the chit-chat.
     
  16. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I would love to see options to "Select All" or something like that in Configurator (Advanced) so don't have to click one by one...
     
  17. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    At least the ones without the explanation markers.
     
  18. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,986
    Location:
    Location Unknown
    True. But I like having a more multilayered approach. I like Comodo and SpywareShelter firewall, but I prefer to not rely completely on one product.
     
  19. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,595
    Instead of (or in addition to) "Select all", I would like to have pre-defined levels of security (e.g. standard, advanced, paranoid) with recommended settings for each level.
     
  20. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Was not referring to products, but thanks for agreeing.
     
  21. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Too vague. Leave as is.
     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,420
    Location:
    Under a bushel ...
    @novirusthanks already stated here he would introduce something like this, preset novice to expert settings, but I can't find the post now.
     
  23. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,372
    https://malwaretips.com/threads/novirusthanks-osarmor.78195/page-25#post-704287
    "On next v1.5 version we'll make it very simple, it'll allow user to select 3 protection options:

    Basic Protection (good for any beginner user)
    Medium Protection (good for experienced users)
    Extreme Protection (good for very experienced users)"
     
  24. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,595
    Cool! Thanks for the info, @Azure Phoenix . That's exactly what I want (in addition to a solution to the CPU usage problem).:)
     
  25. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,595
    This is what I get when I use my EPSON printer:

    Date/Time: 21.01.2018 16:34:54
    Process: [4244]C:\Windows\System32\spool\drivers\w32x86\3\E_FARNCDE.EXE
    Parent: [4412]C:\Windows\System32\spool\drivers\w32x86\3\E_FAMTCDE.EXE
    Rule: BlockUnknownProcessesOnWindowsFolder
    Rule Name: Block unknown processes on Windows folder
    Command Line: C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FARNCDE.EXE /FU "C:\Users\CB\AppData\Local\Temp\E_S5FC1.tmp"
    Signer:
    Parent Signer:

    What rule(s) do I need to be able to print without any popups from OSArmor?

    EDIT: Complete log file with regard to printing problem attached
     

    Last edited: Jan 21, 2018
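The two block notifications quoted in this thread (rdsu's wscript.exe entry and Buddel's EPSON printer-driver entry) share one field layout. The following is an added example, not code from OSArmor or from anyone in the thread: it parses that layout into records, splits the PID off the Process and Parent paths, and summarises the blocks per rule so it is visible which rule fired and whether either side of the parent/child chain carries a signer. The sample text is constructed from the two entries as posted.

```python
import re
from collections import Counter

# Constructed sample built from the two entries quoted in the thread;
# the field layout is the one OSArmor prints in its block notification.
SAMPLE_LOG = r"""Date/Time: 20/01/2018 17:38:21
Process: [15336]C:\Windows\System32\wscript.exe
Parent: [1836]C:\Windows\System32\svchost.exe
Rule: BlockVbsScripts
Rule Name: Block execution of .vbs scripts
Command Line: C:\WINDOWS\System32\Wscript.exe //B //NoLogo "C:\Program Files\Intel\SUR\QUEENCREEK\x64\task.vbs"
Signer:
Parent Signer: Microsoft Windows Publisher

Date/Time: 21.01.2018 16:34:54
Process: [4244]C:\Windows\System32\spool\drivers\w32x86\3\E_FARNCDE.EXE
Parent: [4412]C:\Windows\System32\spool\drivers\w32x86\3\E_FAMTCDE.EXE
Rule: BlockUnknownProcessesOnWindowsFolder
Rule Name: Block unknown processes on Windows folder
Command Line: C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FARNCDE.EXE /FU "C:\Users\CB\AppData\Local\Temp\E_S5FC1.tmp"
Signer:
Parent Signer:
"""

# "[1836]C:\Windows\..." -> PID 1836, path C:\Windows\...
PID_PATH = re.compile(r"^\[(\d+)\](.*)$")


def parse_entries(text):
    """Split blank-line separated notifications into dicts keyed by field name.
    Only the first ':' separates key from value, so drive letters survive."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        for field in ("Process", "Parent"):
            m = PID_PATH.match(rec.get(field, ""))
            if m:
                rec[field + " PID"] = int(m.group(1))
                rec[field] = m.group(2)
        entries.append(rec)
    return entries


def summarise(entries):
    """Map each rule id to a Counter of the blocked process paths, so the
    user sees which rule to relax or which path an exclusion must name."""
    by_rule = {}
    for e in entries:
        by_rule.setdefault(e.get("Rule", "?"), Counter())[e.get("Process", "?")] += 1
    return by_rule


def unsigned_chain(entry):
    """True when neither the blocked process nor its parent has a signer
    (the printer-driver case): the path is then the only thing to go on."""
    return not entry.get("Signer") and not entry.get("Parent Signer")
```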