NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    815
    Location:
    A Non-Sh*thole State
    THANKS shmu26. :)
     
  2. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    174
    Location:
    Wigan
    I am trying to exclude a 16-bit program dating from 1996 (the New Oxford Shorter Dictionary with 500,000 definitions). This runs in Windows XP from an exe file.

The exclusion rule that Test28 version 1.4 OSArmor has created is:
    [%PROCESS%: C:\WINDOWS\system32\ntvdm.exe] [%PROCESSFILEPATH%: C:\WINDOWS\system32\] [%PROCESSCMDLINE%: "C:\WINDOWS\system32\ntvdm.exe" -f -i8 -ws -a C:\WINDOWS\system32\krnl386.exe] [%PARENTPROCESS%: C:\WINDOWS\explorer.exe] [%PARENTFILEPATH%: C:\WINDOWS\]

    This failed to work so I have at present unchecked "Block execution of 16-bit (NTVDM) processes." I do not understand the mechanism underpinning NTVDM processes. Should it be possible to selectively permit the use of individual 16-bit programs?
     
  3. plat1098

    plat1098 Guest

    The test27 build successfully resolved two issues for me: presence of four DCOM permissions-related errors @startup plus a Service Container error (failure of OSArmor to start) AND the failure of the Configurator to open while a games app was on the desktop. Those DCOM errors were present when HitmanPro.Alert was on here and to date, that has not been resolved though there's a registry workaround. So, I'm very good with OSArmor and its anti-exploit rules and a hardened OS/Windows Defender. :)

    FYI: SmartScreen blocks the download of test28 via Edge browser. Since the changelog is specific for some false positives, I'll keep the test27 for now.
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,484
    I have OSA + HMPA but I am not seeing any DCOM errors.
    @plat1098, based on your signature, it looks like you were running HMPA + SBIE. Maybe this combo is responsible for the errors, I mean, after you added OSA into the mix? Do you still get errors if OSA+HMPA but no SBIE?
     
  5. plat1098

    plat1098 Guest

I don't want to go off-topic but I can only go by simple cause/effect on here, and OSArmor-related errors at startup were cleared with test27 to date. I was one of the few who experienced the frozen Start menu/taskbar problem when HitmanPro.Alert was on the system, persisting with Sandboxie's outright removal. There is a registry workaround but I haven't tried it. If you're not getting any errors with both Alert and OSArmor installed, then in theory, it can be done. So, I'm encouraged by this. Just to mention: this machine (main), with fast startup and BIOS quick-boot disabled (so I can hear the POST), boots in 10 seconds. So maybe the timing at startup was involved? It's OK, sometimes software issues clear up later rather than sooner, right? :)
     
  6. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    686
    Location:
    Island of Woman
Hmm, why would OSArmor try to open opera.exe?
     
  7. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    804
    I have OSArmor with Sophos Home Premium (which has HMPA) and have not had any problems at all.
     
  8. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Similar here - OSA with HMPA. No sign of any issues thus far.
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,132
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test29):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test29.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Categorized options in Anti-Exploit tab and sorted them alphabetically (per category)
    + When on Passive Logging, the text on the notification window is "Passive Logging Enabled"
    + On Configurator -> Settings -> Passive Logging changed the text to "You will still receive notification dialogs while in Passive Logging."
    + Added Thunderbird on Anti-Exploit tab
    + Removed "Process Path" and "Parent Process Path" from Exclusions Helper GUI
    + Option to disable protection temporarily, for 10 minutes, 30 minutes, 1 hour
    + Option to not display alerts when an application is in full-screen mode
    + Improved "Block execution of .vbs scripts"
    + Improved "Block execution of .js scripts"
    + Tray icon becomes red when Passive Logging is enabled
    + Option to play beep sound when notification is displayed
    + Fixed a false positive with "Block processes executed from javaw.exe"
    + Improved detection of PowerShell encoded commands
    + Improved detection of PowerShell malformed commands
    + Improved detection of suspicious processes
    + Block processes executed from USB
    + Block processes executed from RAM Disk
    + Block processes executed from Network Drive
    + Block processes executed from CD-ROM
    + Block execution of Internet Explorer
    + Block execution of Microsoft Edge
    + OSArmor 64-bit now supports Secure Boot
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install test 29.

    @Sampei Nihira

Can you try this new build 29? Please try to do as follows:

    Uninstall the previous OSA version, reboot, delete the folder C:\Program Files\NoVirusThanks\OSArmorDevSvc\ and then install build 29.

    @loungehake

    What is the name of the 16-bit process you need to run?

    @lucd

When you install OSArmor, by default, it opens our website page. There is a checkbox "Open NoVirusThanks Website" (checked) at the end of installation.

    @UnderwaterBG

    FP on Flash Player should be fixed.

    @guest

    Yes, we'll work on a better Configurator UI later in the next versions.

    @Baldrick

    64-bit driver is now co-signed by Microsoft and supports Secure Boot (build 29).

We are waiting for the 32-bit driver to be co-signed (should not take long).
     
    Last edited: Jan 31, 2018
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,700
    :thumb:
    If you are running a 64-bit OS, you can try OS Armor now.
     
  11. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,612
    Location:
    USA
    Thank you sir for adding Thunderbird :)
     
  12. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    804
    Protection in this version refuses to stay on. I have tried completely uninstalling the previous version and rebooting before installing and still, no protection enabled. I went back to the previous version and that one will work.
     
  13. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,062
    Location:
    .
(test29)... lots of new stuff.
Does Disable Protection survive a restart?
    Thanks
     
    Last edited: Feb 1, 2018
  14. ronald739

    ronald739 Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    123
    Location:
    Australia
    v1.4 (pre-release) (test29)

Uninstalled the previous version and it runs fine on a Legacy System (MBR) Win10X64 FCU fully updated.

    Using another system Win10X64 FCU fully updated (Secure Boot), Osarmor's "Protection Status" is always "Protection Disabled". I'm not able to set protection to enable.
     
  15. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    804
    Same here.
     
  16. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    786
    Location:
    sweden

Same here, DISABLED. Some icons in the system tray take a looong time to load, and there is a problem with the internet connection.
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,700
    OS Armor v1.4 (pre-release) (test29)
    (1)
    Each time the notification appears, there is a CPU load of ~25% for 5-6 seconds (OSArmorDevUI.exe) :cautious:
    a) I quickly closed the window as soon as it appears, but nevertheless after some seconds there is a CPU Load.
    b) After disabling of the notification window the problem is gone (no CPU Load)

    CPU Load_notification_osarmor_setup_1.4_test29.exe_(1).png CPU Load_notification_osarmor_setup_1.4_test29.exe_(2).png

    (2)
    [X] Block execution of any process related to Nirsoft
    I can run any Nirsoft related utility without problems (digitally signed by "Nir Sofer"), nothing is blocked :cautious:

    And:
I have SecureBoot disabled and I can enable/disable OS Armor correctly. Perhaps there is a problem with the new co-signed driver on SecureBoot enabled systems:
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,700
(3) The main window loses the focus (OSArmorDevUI.exe)
I have opened the GUI but it always loses the focus. I can't click on anything in the "File" menu, because the menu always "disappears".
    OSArmor_window_looses_focus.gif
     
  19. sun88

    sun88 Registered Member

    Joined:
    Aug 27, 2009
    Posts:
    69
    Win 10 Pro 1703 x64: running HMP.A, EAM, OSA with no problems.
     
  20. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,132
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test30):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test30.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Both 32-bit and 64-bit drivers are now co-signed by Microsoft
    + Removed option "Set notification window always on top" (it is done by default now)
    + Fixed CPU spikes when the notification dialog disappears
    + Fixed "can't open menu in OSArmorDevUI because it loses focus"

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

Secure Boot should now be fully supported on both 32 & 64-bit W10 OS.

    @bjm_

Disable Protection does not survive a reboot.

You can enable Passive Logging (from Configurator); it survives a reboot.

    @mood

    Issue 1) and 3) should be fixed on build 30, thank you for reporting them.

    About issue 2), can you retry now? It works fine on my end, here is what I do:

    - I install OSA build 30
    - Then I download a NirSoft exe
    - I enable on OSA Configurator "Block processes related to NirSoft"
    - Then when I run NirSoft exe, it is blocked by OSA

    @pb1 @IvoShoen @ronald739

That behavior you reported is very strange, and it is the same one also reported by @Sampei Nihira.

I would like to ask all of you for more information:

    - Can you include the exact Windows version (including build and bitness 32 or 64-bit)?
    - What other security software do you have installed?
    - Can you try to first disable other security software and then install OSA?
    - Can you try to use our free tool "Kernel Mode Drivers Manager" to check if OSArmorDevDrv.sys is actually loaded?
    Please post a screenshot that highlights OSArmorDevDrv if possible:
    http://www.novirusthanks.org/products/kernel-mode-drivers-manager/
    - After you install OSA, can you send me the MD5 hash of C:\WINDOWS\System32\drivers\OSArmorDevDrv.sys?
    You can use our other free tool "MD5 Checksum Tool" to compute the file MD5 hash:
    http://www.novirusthanks.org/products/md5-checksum-tool/

    Thank you for the help!
     
    Last edited: Feb 1, 2018
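The diagnostic checks requested in the post above (is OSArmorDevDrv.sys loaded, what is its MD5, which Windows build and bitness), collected by one script. This is an added example, not the poster's text and not a NoVirusThanks tool; it assumes Windows PowerShell 4.0 or later run from an elevated prompt, and takes the driver name and path from the post.

```powershell
# Added example: gather the information the developer asked for in one run.
# Assumes Windows PowerShell 4.0+ (Get-FileHash) and an elevated prompt.
$driverName = 'OSArmorDevDrv'                                     # service name from the post
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\OSArmorDevDrv.sys'

# 1) Is the kernel driver registered and running? Win32_SystemDriver lists
#    kernel-mode driver services; State=Running means the driver is loaded.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$driverName'"
if ($null -eq $drv) {
    Write-Output "Driver service '$driverName' is not registered on this system."
} else {
    Write-Output ("Driver '{0}': State={1} StartMode={2} Path={3}" -f `
        $drv.Name, $drv.State, $drv.StartMode, $drv.PathName)
}

# 2) MD5 of the driver file, to compare with the developer's build, plus the
#    Authenticode status, since the thread is about the Microsoft co-signature.
if (Test-Path -LiteralPath $driverPath) {
    $hash = Get-FileHash -LiteralPath $driverPath -Algorithm MD5
    Write-Output ("MD5  {0}  {1}" -f $hash.Hash, $driverPath)
    $sig = Get-AuthenticodeSignature -LiteralPath $driverPath
    Write-Output ("Signature status: {0}; signer: {1}" -f `
        $sig.Status, $sig.SignerCertificate.Subject)
} else {
    Write-Output "Driver file not found at $driverPath"
}

# 3) Exact Windows version, build and bitness.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Output ("Windows: {0} build {1} ({2})" -f $os.Caption, $os.BuildNumber, $os.OSArchitecture)
```

A driver that is registered but shows State=Stopped on a Secure Boot machine, together with a signature status other than Valid, would point at the signing problem discussed in this thread rather than at an installer fault.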
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Build 30 looks good here.

    Thanks Andreas
     
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,062
    Location:
    .
    Ahh,... okay. Thanks
     
    Last edited: Feb 1, 2018
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,211
    Location:
    Italy
    @novirusthanks

    Test 29 is OK for me.

    There is this problem:

    http://sendvid.com/3vhr01in
     
    Last edited by a moderator: Feb 1, 2018
  24. plat1098

    plat1098 Guest

    Beginning w/test27, the info icon next to certain advanced rules is orange or red. Curious: what is the significance of the color? Haven't seen any hint in the changelogs, just the info in test27 w/download. Test30 is good so far, and Secure Boot is once again enabled.

    OSArmor info icon colors.PNG
     
  25. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    815
    Location:
    A Non-Sh*thole State
Build 30 running great on three machines here, all 1703 x64 W10.
     