NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,638
    Test build 30 cannot be properly installed here (Win10, 32bit). Only the Service exe is to be found in my startup list, but the program just won't launch, not even after a reboot.

    PS: I've just removed test build 30 from my computer and reinstalled build 28, which works as expected.
     
    Last edited: Feb 1, 2018
  2. ronald739

    ronald739 Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    124
    Location:
    Australia
    @novirusthanks

Unfortunately I went back to a clean system on Win10 X64 Home FCU 1709 (Secure Boot) so no logs. The only thing I saw was that the service would stop and could not be restarted.

    Test 30 works fine and "Protection is Enabled"

    Regards.
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,177
    Location:
    .
    try mouse hover ! ! > Can create false positives.
     
    Last edited: Feb 1, 2018
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    It's all about the likelihood that enabling the setting will cause issues/false positives.
    white means it probably won't, orange means it might, and red means...
     
  5. plat1098

    plat1098 Guest

    Right, the orange one was saying that as of a number of builds ago. But, the red one says the same thing, so was wondering about the color difference and significance--you can hazard a guess but...

    @shmu26: tried installing Alert w/OSArmor (no Sandboxie) and got a system slowdown, with a big-time delay at startup, with and without OSArmor. This secondary machine has several group policy rules in effect plus several exploit guards so something isn't quite meshing on here. True, though, Alert and OSArmor together didn't create any System errors for that short period. Couldn't make an exclusion for OSArmor in Alert either, Alert didn't take it. SurfRight will have to keep working on it, they were aware of some problems but these apparently were affecting only a minority of users.
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    Yeah, it started to do that to me, too. And the slowdown continued even after startup. On top of that, the known issue with HMPA and Windows start button started to plague me. So I simply said goodbye to HMPA.
     
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,177
    Location:
    .
    Ahh, okay. For me, red means stronger than orange.
    Orange means: caution FPs & Red means: caution++ FPs.
    Just me?
     
    Last edited: Feb 1, 2018
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    Yes, 1) and 3) are fixed now with build 30 and the notification window appears much smoother now.

    Regarding 2) (Nirsoft utilities are not blocked):
Anyone who doesn't want to read the complete post only needs to read the quote (summary):
I have noticed that some other rules also have no effect (I have ticked all options)
For example:
[X] Block execution of unsigned processes on Temp Folder
[X] Block execution of unsigned processes on Windows Temp
[X] Block execution of .cmd scripts
[...]

Then I executed files (via the file manager Total Commander), for example in the Desktop folder and Public, and I was also able to execute unsigned files (.cmd files, ...) :cautious:

    I have tried both custom rules below (CustomBlock.db) and they work perfectly:
    Code:
    [%PROCESS%: c:\Users\*\Downloads\*.exe] [%FILESIGNER%: Nir Sofer]
    [%FILESIGNER%: Nir Sofer]
    
Ok, I guess I have found the source of the issue (why rules are simply failing)
    a)
    I have executed cmd.exe via startmenu = blocked (=expected behaviour)
    I have executed cmd.exe via filemanager = NOT blocked
    b)
    I have executed unsigned files via explorer = blocked (=expected behaviour)
    I have executed unsigned files via filemanager = NOT blocked
    c)
    I have executed .cmd-files via explorer = blocked (=expected behaviour)
    I have executed .cmd-files via filemanager = NOT blocked
    d)
Launching of NirSoft Utilities via explorer = blocked (=expected behaviour)
Launching of NirSoft Utilities via filemanager = NOT blocked

    Is the filemanager ("c:\Program Files\totalcmd\TOTALCMD64.EXE") internally whitelisted by OS Armor?
Custom rules always work even if I launch files via the file manager (for example: [%FILESIGNER%: Nir Sofer]), which is correct behaviour.
    Edit: This is expected behaviour. Total Commander is a safe program and is allowed to run other processes:
     
    Last edited: Feb 2, 2018
  9. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,615
    Location:
    South Wales, UK
    Thanks mood, good to know...much obliged for the heads up.

    Regards, Baldrick
     
  10. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Test 30 fine on 7x64.
     
  11. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    187
    Location:
    Wigan
    "What is the name of the 16-bit process you need to run?"
    @novirusthanks
    It is called NEWSOED.exe and is in folder C:\Program Files\NewSOED\
     
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,538
    I have noticed that the rule for block processes in suspicious locations prevents the installation and updating of a lot of software.
    Maybe this is a necessary evil, but I just thought I would mention it.
     
  13. AeroFit

    AeroFit Registered Member

    Joined:
    Jan 16, 2018
    Posts:
    6
    Location:
    Russia
    Win7 x86 SP1
When launching the Test30 installation there is an alert from HPA that there is malware in the setup file )))
    Test29 didn't have such an alert, but when installed it couldn't start protection

    UPD: Test30 protection was enabled successfully right after installation
     
    Last edited: Feb 2, 2018
  14. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,504
    Location:
    Italy
    @ to All

You can check if using the OSA internal uninstaller gets the corresponding OSA pop-up:

http://sendvid.com/3vhr01in

You can check if a correct uninstallation also eliminates the driver and your service.
TH.

I cleaned all this and also the software folder for a new installation of the next version.
     
    Last edited by a moderator: Feb 2, 2018
  15. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    896
    Location:
    sweden
    V.30 solved my problems
     
  16. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    Including OS Armor itself :)
    (launching of the setup and also the uninstallation):
    Code:
    Installer of OS Armor:
    Process: [9492]C:\Users\****\AppData\Local\Temp\is-8QOH7.tmp\osarmor_setup_1.4_test30.tmp
    Parent: [5804]C:\Users\****\Downloads\osarmor_setup_1.4_test30.exe
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    
    Uninstallation of OS Armor:
    Process: [11100]C:\Users\***\AppData\Local\Temp\_iu14D2N.tmp
    Parent: [5208]C:\Program Files\NoVirusThanks\OSArmorDevSvc\unins000.exe
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    
As OS Armor is affected, all other installers which are based on NSIS (Nullsoft Scriptable Install System) are affected too.
The installer extracts a process to a temporary folder, and part of the folder name is randomized with each execution of the installer:
    "...\AppData\Local\Temp\is-?????.tmp\[...].tmp"

    Perhaps the developer can add some internal rules to mitigate this.
     
  17. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    676
Do OS Armor's browser exploit rules protect against phony, malicious extensions?
     
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,175
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test31):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test31.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Block processes executed from Shared Folder
    + Improved detection of malformed PowerShell commands
    + Improved detection of suspicious processes
    + Improved detection of suspicious scripts
    + Hint text for red icon (on Configurator) is changed to "Can create many false positives"
    + Block ShellExecute\Start-Process in PowerShell cmdline
    + Fixed false positive on "Block processes located in suspicious folders" related to SUA users
    + Prevent schtasks.exe from creating tasks

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    Question to users that had the issue "Can't enable protection":

    Did you try to install OSA from a SUA account?

    @mood @Sampei Nihira @shmu26

    The FP about "Block processes located in suspicious folders" related to installers\uninstallers is fixed now, thanks for the details.

    @Charyb

    No, OSA doesn't monitor for browser extensions.

    @mood

    About NirSoft, yes you are right.

    We use some internal whitelists and we allow safe programs on Program Files to run other processes.

    You can disable our internal whitelists from Configurator -> Uncheck "Enable internal rules to allow safe behaviors".

However, I would recommend keeping it enabled; it handles rules for Windows Updates, etc.

    Alternatively you may add a custom block rule to block all processes signed by Nir Sofer (bypassing our internal whitelist rules):

    Code:
    [%FILESIGNER%: Nir Sofer]
    
    @bjm_

Now the red icon has a hint like "Can create many false positives", and the hint for the orange icon is "Can create false positives".
     
    Last edited: Feb 2, 2018
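As an added illustration (not code from the thread or from NoVirusThanks), here is a small evaluator for the CustomBlock.db rule lines quoted above by mood and by the developer. It assumes, since the page does not say, that every [%KEY%: value] condition on one line must match (AND), that '*' is a path wildcard, and that matching is case-insensitive; the rule file is constructed from the two lines on the page.

```python
import fnmatch
import re

# Constructed rule file using the two CustomBlock.db lines quoted in the thread.
# Assumptions not stated on the page: all [%KEY%: value] conditions on one line
# must match (AND), '*' is a wildcard in paths, and matching is case-insensitive.
CUSTOM_RULES = r"""
[%PROCESS%: c:\Users\*\Downloads\*.exe] [%FILESIGNER%: Nir Sofer]
[%FILESIGNER%: Nir Sofer]
""".strip().splitlines()

_COND = re.compile(r"\[%(\w+)%:\s*([^\]]*)\]")

def parse_rule(line):
    """Return the (KEY, value) conditions found on one rule line."""
    return [(k.upper(), v.strip()) for k, v in _COND.findall(line)]

def condition_matches(key, pattern, process_path, signer):
    if key == "PROCESS":
        # fnmatchcase with both sides lowered: same result on any host OS
        return fnmatch.fnmatchcase(process_path.lower(), pattern.lower())
    if key == "FILESIGNER":
        return signer.lower() == pattern.lower()
    return False  # unknown keys never match (assumption)

def matching_rules(rules, process_path, signer):
    """Return the rule lines whose every condition matches the event."""
    hits = []
    for line in rules:
        conds = parse_rule(line)
        if conds and all(condition_matches(k, v, process_path, signer)
                         for k, v in conds):
            hits.append(line)
    return hits
```

The second rule fires on any Nir Sofer-signed binary regardless of location, which is why it also catches launches that the internal safe-program whitelist would otherwise let through.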
  19. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,638
I used an Admin account to uninstall build 28 and install build 30. Test build 30 did not install properly. I tried to launch it manually (with admin privileges) but this didn't help, either. Back to build 28, which works here.
    I will give build 31 a try when I'm back home. Maybe I will be able to install it.
     
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,177
    Location:
    .
    many = simple, yet elegant.
    Um, perhaps rule numbers...e.g., M1, M2, .. A1, A2, ..
     
    Last edited: Feb 2, 2018
  21. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    676
    With each new update, how do I know when a new rule has been added? Can it be identified by date added?
     
    Last edited: Feb 2, 2018
  22. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    676
    @novirusthanks

    Windows Defender views the download as a trojan. This is a first.

    When I click on Learn More, after OS Armor was installed, I am blocked by OS Armor and when I search for the rule to uncheck it is difficult to find. The rule list is getting very long in the Advanced tab and needs a better way of organizing. I did forget that you added the option to temporarily disable protection which I should have used.

    Date/Time: 2/2/2018 10:34:03 AM
    Process: [7880]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Parent: [8664]C:\Windows\System32\RuntimeBroker.exe
    Rule: BlockProcessesFromRuntimeBroker
    Rule Name: Block processes executed from RuntimeBroker
    Command Line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "https://go.microsoft.com/fwlink/?linkid=142185&name=<Trojan:Win32/Fuerboos.B!cl>&threatid=<2147723653>"
    Signer: Google Inc
    Parent Signer: Microsoft Windows
     
    Last edited: Feb 2, 2018
  23. Nitty Kutchie

    Nitty Kutchie Registered Member

    Joined:
    Apr 10, 2015
    Posts:
    160

    Here is a new v1.4 (pre-release) (test31):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test31.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Block processes executed from Shared Folder
    + Improved detection of malformed PowerShell commands
    + Improved detection of suspicious processes
    + Improved detection of suspicious scripts
    + Hint text for red icon (on Configurator) is changed to "Can create many false positives"
    + Block ShellExecute\Start-Process in PowerShell cmdline
    + Fixed false positive on "Block processes located in suspicious folders" related to SUA users
    + Prevent schtasks.exe from creating tasks
     
  24. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,638
Same issue with build 31, back to build 28. :(
     
  25. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    FP-Webroot OSA build 31

    Date/Time: 2/2/2018 9:21:08 AM
    Process: [3204]C:\Users\Jim\OneDrive\wsainstall.exe
    Parent: [3764]C:\Windows\explorer.exe
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: "C:\Users\Jim\OneDrive\wsainstall.exe"
    Signer: Webroot Inc.
    Parent Signer:

    Also does OSA protect the UEFI against ransomware?
     
    Last edited: Feb 2, 2018
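Several posts in this thread (mood's installer blocks, Charyb's RuntimeBroker block, jimb949's Webroot block) paste OSArmor block entries in the same "Key: value" layout. As an added example that is not part of the thread, this parser reads such entries and labels the ones that match the randomised setup temp path mood describes, so the known installer case can be separated from blocks that still need a look. The sample log is constructed from entries on the page; blank-line separation of entries and the "[pid]path" form of the Process/Parent fields are assumed from those pasted entries.

```python
import re

# Constructed sample in the block-entry format quoted in the thread (mood's
# installer block and jimb949's Webroot block); entries are blank-line separated.
SAMPLE_LOG = r"""
Process: [9492]C:\Users\****\AppData\Local\Temp\is-8QOH7.tmp\osarmor_setup_1.4_test30.tmp
Parent: [5804]C:\Users\****\Downloads\osarmor_setup_1.4_test30.exe
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders

Date/Time: 2/2/2018 9:21:08 AM
Process: [3204]C:\Users\Jim\OneDrive\wsainstall.exe
Parent: [3764]C:\Windows\explorer.exe
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders
Command Line: "C:\Users\Jim\OneDrive\wsainstall.exe"
Signer: Webroot Inc.
Parent Signer:
"""

_PROC = re.compile(r"^\[(\d+)\](.*)$")
# The randomised setup path mood describes: ...\AppData\Local\Temp\is-?????.tmp\[...].tmp
_SETUP_TMP = re.compile(r"\\AppData\\Local\\Temp\\is-[^\\]+\.tmp\\[^\\]+\.tmp$", re.I)

def parse_events(text):
    """Parse blank-line separated 'Key: value' entries; split [pid]path fields."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            m = _PROC.match(value) if key in ("Process", "Parent") else None
            if m:
                ev[key + " PID"] = int(m.group(1))
                value = m.group(2)
            ev[key] = value
        events.append(ev)
    return events

def triage(event):
    """Label a block: the setup-temp pattern is the installer case discussed in
    the thread; anything else under that rule still needs a human look."""
    if event.get("Rule") != "BlockProcessesOnSuspiciousFolders":
        return "other-rule"
    if _SETUP_TMP.search(event.get("Process", "")):
        return "installer-temp-pattern"
    return "review"
```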