NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,603
    Maybe it's got something to do with new drivers because versions with the "old" drivers could be installed here (Win10, 32bit).
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,303
    Location:
    Italy
    @novirusthanks

    Test 31 works just fine on my W.10 x64.
    Good.
    :thumb:

    In SUA disabling OSA Protection does not require administrative rights:

    [Screenshot attached: Immagine.jpg]

    Can malware "easily" do the same?
    TH.
     
    Last edited: Feb 2, 2018
  3. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,149
    Location:
    Italy
    @Buddel

    That is strange. As other security app you have only EAM, correct?

    Your OS is Windows 10 Pro 32-bit and Secure Boot is disabled?

    Do you have any logs in the Event Viewer?

    Also, how do you install the new build? Can you try this:

    - Uninstall old build and reboot
    - Remove C:\WINDOWS\System32\drivers\OSArmorDevDrv.sys (if present)
    - Remove C:\Program Files\NoVirusThanks\OSArmorDevSvc\
    - Delete registry key HKLM\Software\NoVirusThanks\OSArmorDevSvc\
    - Now try to install build 31

    @jimb949

    Thanks for reporting the FP, it'll be fixed in the next build.

    OSA can prevent the execution of a ransomware by blocking the exploit payloads and suspicious processes.

    It doesn't directly protect the UEFI/BIOS.

    @Charyb

    We'll try to contact MS about the FP with Windows Defender.

    Strange, because our exes are all digitally signed with both SHA1 and SHA256 code signatures.

    I'll fix that RuntimeBroker.exe FP on the next build.

    @Sampei Nihira

    The GUI uses a smart and secure way to communicate with the service so that should be no problem.

    In the next version we can add password protection, so that to disable OSA the user would need to type the correct password.
     
  4. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,104
    Location:
    .
    [Screenshot attached: 2465.png]
    Process: [3844]C:\Windows\explorer.exe
    Parent: [5680]C:\Windows\System32\RuntimeBroker.exe
    Rule: BlockProcessesFromRuntimeBroker
    Rule Name: Block processes executed from RuntimeBroker
    Command Line: "C:\Windows\explorer.exe"
    Signer: Microsoft Windows
    Parent Signer: Microsoft Windows
    Code:
    [%PROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: "C:\Windows\explorer.exe"]
     
    Last edited: Feb 2, 2018
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    I had suspected that the file manager is "somehow whitelisted", but now I know that there is indeed an internal whitelist :)
    Yes, Exclusions.db is the solution if a user wants to block these tools completely (and to prevent other users from launching these tools).
    It would be good to have password protection in addition, so the user can't disable the protection, but it was mentioned some minutes ago that it will be added soon :thumb:
     
  6. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,628
    Location:
    USA
    Request: Protection for Cyberfox. Thank you.
     
  7. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Great! :thumb:
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,979
    You're not alone. I got that too! ;)
     
  9. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,603
    I have just tried all of the above, and always with admin rights (I don't even have a "Standard" account).
    - I uninstalled build 28 and rebooted
    - C:\WINDOWS\System32\drivers\OSArmorDevDrv.sys > not present
    - Remove C:\Program Files\NoVirusThanks\OSArmorDevSvc\ > not present
    - Delete registry key HKLM\Software\NoVirusThanks\OSArmorDevSvc\ > not present
    I installed build 31, same disappointing result. Back to build 28, which still works fine. :(

    ---------------------------------------------------------------------------------------
    Yes, only EAM.

     
    Last edited: Feb 2, 2018
  10. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Smooth sailing with test 31.
    7x64
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,149
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test32):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test32.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Fixed an issue on Windows XP
    + Fixed all reported false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    This new build should fix an issue on 32-bit OSes.

    @Buddel

    Can you try this new build 32?

    It fixes an issue related to 32-bit OSes, and I noticed you use Win 10 32-bit.

    @bjm_ @jimb949 @Charyb

    All FPs should be fixed, thanks for reporting them.

    @bjm_

    I would personally just match the process and the parent process in your exclusion rule:

    Code:
    [%PROCESS%: C:\Windows\explorer.exe] [%PARENTPROCESS%: C:\Windows\System32\RuntimeBroker.exe]
    
    This way the exclusion rule is specific to the rule "Block processes executed from RuntimeBroker".

    Thanks everyone for the feedback.
     
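    The point of the exclusion above is that matching both the process and the parent process keeps the exclusion tied to one specific block, whereas matching the process alone would also silence any other rule that fires on explorer.exe. The following is an added illustration of that difference and is not OSArmor's code: it assumes an exclusion is a conjunction of `[%TOKEN%: value]` clauses compared case-insensitively against the block event (the three token names are the ones visible in this thread; the matching semantics and the second, "other parent" event are constructed for the example).

```python
"""Compare a narrow (process + parent) exclusion with a broad (process-only)
one against OSArmor-style block events.  Added example, not the product's
own matching code; the clause syntax and AND semantics are assumptions."""
import re
from dataclasses import dataclass

# One clause looks like "[%PROCESS%: C:\Windows\explorer.exe]".  Values may be
# quoted (as the command line is in the forum log), so quotes are stripped.
CLAUSE_RE = re.compile(r"\[%(\w+)%:\s*(.*?)\]")


@dataclass(frozen=True)
class BlockEvent:
    """Fields of a block entry as shown in the thread's log excerpt."""
    process: str
    parent: str
    cmdline: str
    rule: str


def parse_exclusion(rule: str) -> dict:
    """Turn '[%A%: x] [%B%: y]' into {'A': 'x', 'B': 'y'}."""
    clauses = {name.upper(): value.strip().strip('"')
               for name, value in CLAUSE_RE.findall(rule)}
    if not clauses:
        raise ValueError("exclusion contains no [%TOKEN%: value] clause")
    return clauses


def _event_field(event: BlockEvent, token: str):
    """Map a clause token to the matching event field (assumed mapping)."""
    return {
        "PROCESS": event.process,
        "PARENTPROCESS": event.parent,
        "PROCESSCMDLINE": event.cmdline.strip('"'),
    }.get(token)


def matches(exclusion: str, event: BlockEvent) -> bool:
    """True when every clause equals its event field (Windows paths are
    case-insensitive, so compare lower-cased).  Unknown tokens never match."""
    for token, wanted in parse_exclusion(exclusion).items():
        actual = _event_field(event, token)
        if actual is None or actual.lower() != wanted.lower():
            return False
    return True


def excluded_rules(exclusion: str, events) -> list:
    """Names of the block rules that the exclusion would silence."""
    return [e.rule for e in events if matches(exclusion, e)]


# Event 1 is the block reported in the thread.  Event 2 is constructed:
# the same binary started by an unrelated (placeholder) parent, which a
# hypothetical rule on that parent would block.
EVENT_FROM_POST = BlockEvent(
    process=r"C:\Windows\explorer.exe",
    parent=r"C:\Windows\System32\RuntimeBroker.exe",
    cmdline=r'"C:\Windows\explorer.exe"',
    rule="BlockProcessesFromRuntimeBroker",
)
EVENT_OTHER_PARENT = BlockEvent(  # constructed sample, not from the thread
    process=r"C:\Windows\explorer.exe",
    parent=r"C:\Users\Example\Downloads\placeholder_installer.exe",
    cmdline=r'"C:\Windows\explorer.exe"',
    rule="HypotheticalRuleOnOtherParent",
)
EVENTS = [EVENT_FROM_POST, EVENT_OTHER_PARENT]

# The exclusion suggested in the post, and the broader process-only one.
NARROW = (r"[%PROCESS%: C:\Windows\explorer.exe] "
          r"[%PARENTPROCESS%: C:\Windows\System32\RuntimeBroker.exe]")
BROAD = r"[%PROCESS%: C:\Windows\explorer.exe]"

if __name__ == "__main__":
    print("narrow silences:", excluded_rules(NARROW, EVENTS))
    print("broad  silences:", excluded_rules(BROAD, EVENTS))
```

    Running it shows the narrow exclusion silencing only `BlockProcessesFromRuntimeBroker`, while the broad one also silences the unrelated rule on the constructed event; that is the reason to include the parent process in the clause.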
  12. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,603
    Same result, it won't install. :( I wonder why I didn't have any problems with builds 1 to 28. Only the most recent builds do not seem to be compatible with my computer.
     
  13. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,603
    A little test:
    Test builds 1 to 29: They can all be installed without any problems.
    Test builds 30, 31, 32: These builds cannot be installed here, so the problem started with the release of test build 30.
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    @novirusthanks
    What about creating a new build but with the old driver?
    If this build now magically works, we know that there seems to be a problem with the new driver (co-signed by Microsoft).
    Edit: Or try to provide an additional installer (one installer with a co-signed driver and the other installer without a co-signed driver [to find out if the driver is the wrongdoer])
    In build 30 and newer builds the driver is co-signed by Microsoft too (32-bit OS).
     
    Last edited: Feb 3, 2018
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,104
    Location:
    .
    Okay...."exclusion rule, specific to the rule"....Thanks
     
  16. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    972
    Location:
    Canada
    Buddel, build 30 was the first build to have both 32- and 64-bit drivers co-signed by Microsoft; it may or may not be the cause of your issue.
     
  17. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,603
    This is also my guess. Problems started with build 30; no problems whatsoever with any previous builds.
     
  18. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    972
    Location:
    Canada
    Running EAM also, will give it a try.
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,458
    Location:
    Hawaii
    Running XP.

    Had the same issue as Buddel with test 30. Returned to test 28. Skipped tests 30 & 31. Installed test 32. Test 32 now running A-OKAY!

    In sum, XP runs test 32 fine after:
    1- Uninstall OSA using OSA's internal uninstaller.
    2- Reboot. (See NOTE)
    3- Install test 32

    NOTE: After step 2 I visually checked OSA's windows folder AND OSA's registry for any untoward leftovers. There were none.
     
  20. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    972
    Location:
    Canada
    No problem installing here. The EAM behaviour blocker box popped up during install and I had to click "Allow", but installation went fine, running OSArmor OK now. The only other security software in real time is MB3. Secure Boot is not supported on my computer, if that matters.
     
    Last edited: Feb 2, 2018
  21. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,603
    I disabled EAM before uninstalling/installing OSA but this didn't help, either. Something must be wrong with builds 30 and newer.
     
  22. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,094
    Location:
    Europe, UE citizen
    Sorry for the question, maybe it's already been said here, but 37 pages are too many to read :thumbd: Can NoVirusThanks OSArmor protect from Spectre exploits using the browser's JavaScript?
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    What I meant is that EXE Radar already protects against exploits out of the box, because if some process is not whitelisted it can't execute, and ERP also blocks vulnerable system processes from loading. But OSArmor is a set-and-forget tool; I'm not sure if I really need it, though.

    No it can't, it's an execution blocker, but it won't block scripts inside the browser.
     
  24. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    184
    Location:
    Wigan
    I use an Intel Pentium 4 3.2GHz dual-core processor on my Windows 7 SP1 64-bit system. When OSArmor is installed and the Microsoft Meltdown mitigations are enabled (Steve Gibson's inspectre.exe facilitates this), the system becomes so slow as to be unusable when I run Google Chrome. If I disable the Microsoft Meltdown mitigation, no such difficulty occurs. OSArmor Test32 was installed.
     
  25. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,094
    Location:
    Europe, UE citizen
    Thank you.
     