Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.
Request: An Anti-Exploit rule to protect Thunderbird.
I have the application for you, but it's now OSArmor Software. If DLL was implemented into the security, I could help create some rules to help prevent DLL code injection through Thunderbird.
imuade- if you use AppGuard as it is intended to be used there would be no need for OSA, as the default installation preclusions will protect you (well, actually perhaps not- malware with a VERY high signed certificate can bypass it as I demonstrated a few years ago. But this certificate was acquired at an extremely high cost (I could have gotten it cheaper if I wore a shorter skirt...) and would only be used against high value targets and certainly not Mooks like you and me. Now if you ignore AppGuard alerts and install stuff that you think is OK anyway then you would still need a good AV first. So either way I personally don't see the need for OSA in this scenario.
BlackBox Hacker- a dll is really nothing more than an executable needing a trigger (Oh God! I can see the critics coming because of that statement!). So a general rule stopping such stuff would be both a very, very complicated thing to do and I feel the Developers would be insane even to try dong this. Please remember that OSA is NOT intended to be the primary protection (and please, please, please NVT- do not make it so!!!!!).
Regarding TB- by default OSA will stop any scripts that spew out from a TB email, and common sense on the part of the user should stop any executables from being run.
With Appguard at standard settings, there is still room for OSA. For instance, with OSA you can block cmd.exe but make exceptions for the things you need.
But the cmd.exe would only come out of an application initiated by a company that is on an extremely limited Whitelist, and thus would in all probability be allowed (and rightfully so) by the user.
Actually, I mentioned AppCheck by CheckMal, not AppGuard...
*off topic remark removed
Yikes!!! looks like a certain someone should ACTUALLY READ a post before responding! If AppCheck is used OSA would be an excellent addition just for the worm protection alone (I am sooo embarrassed...).
OK thanks, that was my understanding too
But @cruelsister, nonetheless, for a home user, do you think OSA would be a good replacement for AppGuard? Would there be significant protections missing in OSA?
Everything you said is right when we are talking about Appguard at high settings, and by that I mean protection level=lockdown.
But with Appguard at standard settings (protection level=protected), like it is on my system, cmd.exe could come out of:
1 any process with a valid digital sig
2 a guarded app such as the browser or the PDF reader or the dreaded MS Word
In both 1 and 2, malware would not gain persistence, but it could still modify files and steal data in user space locations without privacy protection.
I hope so. I understand OSA better than I ever did for AppGuard.
Appguard has important features that OSA doesn't presently have. These are some of them:
1 block unsigned files executing anywhere in user space, not just in appdata (and with lockdown mode, it blocks even signed files)
2 memory protection
3 privacy protection
@paulderdash Thanks for your question bro
@shmu26 Thank you for pointing out that question regarding AppGuard bro
Your question is an interesting one, but the discussion should be continued either on a Spyshelter thread or an Appguard thread.
Could you please elaborate? What would you wish for OSA to do WRT Thunderbird? I use both and am scratching my head.
@novirusthanks I would greatly appreciate it if you could fix those issues with Avast Free Antivirus in the next pre-release. Thank you for your great effort bro. Keep up the good work
Interesting you guys say that. When I look in the advanced tab of OSA, I ask myself what all those file types are, and what all those commands do, and I wonder how much I will mess up my system if I start flipping them on and off...
Yeah, same for me. And so far I haven't touch anything in the advance tab...
Paul- I mean this with absolutely zero criticism for OSA, but it is not and is not and will never be a replacement for primary protection (unless, God forbid, they make in into a BB...). If one uses something like AppGuard or CF, OSA is not at all needed. But for those Mooks that still rely on a traditional AV it would be essential.
The protection missing in OSA that AG (and obviously CF) has would be the prevention of malware packages that will work outside of any realistic prevention that a rule based security application can provide (see my video). However as the bulk of society still uses traditional based security applications (AV's), I would consider the use of OSA mandatory as it would stop various VB and Powershell scripts that my Cat can code that can bring down Western Civilization.
So for those few that are reading this thread please, please do not either ask or expect OSA to stop everything! This will destroy what is currently a very useful and elegant application.
I don't know what all those do either, what I meant is it's very easy to set up (simply tick or untick an option) compared to AppGuard...Andreas has it preconfigured already so not much to tweak
With AG, it blocks lots of stuff, so I have to constantly ask the forum is this safe or should I change a setting etc
@novirusthanks Does OSA protect folders from ransomware like WD does? If not could you add that feature?
That answers my question. I'm running Comodo IS Premium. I've thought of dumping the AV and just using the firewall, but I'm too lazy to spend the time. I like OSA and did play with an earlier version but am definitely NOT a geek and all the sections and boxes to check or not is way beyond me.