NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. guest

    guest Guest

    Correct :)
    But the difference is that:
    ERP: whitelisted processes can still be executed by the browser.
    OS Armor: the browser is prevented from launching all other processes.
    And the good thing is, OS Armor is a set-and-forget tool and there is no complicated configuration needed.
    It is no Anti-Executable, but by installing OS Armor the system can be hardened with ease.

    @novirusthanks
    a) Suggestion: Adding "Passive Logging Mode" to the context menu of the tray icon
    To have access to "Passive Logging Mode" (enable/disable) the Configurator has to be opened every time (this also includes entering the credentials).
    What about adding the option "Passive Logging Mode" to the context menu of the tray icon? Then it would be much easier to switch it on/off.
    b) Issue: The Configurator can be opened several times:
    OSArmor_Configurator_(ProcessHacker).png OSArmor_Configurator.png
    c) cosmetic GUI issue:
    OSArmor_GUI.png OSArmor_GUI_.png OSArmor_GUI__.png
    The frame in "Anti-Exploit" does not have the same height (it is a little bit lower) as in "Main Protections" and "Advanced".
    d) Keys Up/Down are not working correctly
    Navigating with the keyboard within the lists is not working as expected.
    Pressing 1x 'Down' should go one entry down but sometimes it is going 5 entries down or even in the opposite direction :cautious:
    (and PgUp/PgDown has no effect)
    e) Suggestion: Adding a GUI for "Custom Block-Rules" (like for "Manage Exclusions")
    The user has a nice helper for adding Exclusions ("Exclusions Helper"), but can this also be added for adding Blocked Processes (instead of manually editing the file "CustomBlock.db")?
    ("NoVirusThanks OSArmor CustomBlock Helper" :))
    f) Suggestion: All options in "Anti-Exploit" look tidied up, but after switching to "Advanced" it gets a little bit hard to find specific options. Maybe the sequence can be optimized a little bit and separators can be used, etc.
    "Block execution of unsigned processes on ..." is on top and "Block execution of unsigned processes on Downloads folder" is at the bottom, maybe it could also be moved to the top of the list.
    And maybe "Powershell-related"/script-related/UAC-bypass options can be grouped together (to get a better overview)
    g) Regarding "Block execution of .msc scripts (+outside System folder)":
    I would suggest that only one of these options can be selected at once.
    For example, after ticking the option "Block execution of .msc scripts outside System folder", the other option "Block execution of .msc scripts" should be automatically unticked.
    h) Issue: A process has been blocked, the notification disappeared, but after pressing "Alt+Tab" the notification window can still be seen in the list :cautious:
    (the "X" has to be clicked to remove the notification from the list)
     
    Last edited by a moderator: Feb 4, 2018
  2. plat1098

    plat1098 Guest

    @novirusthanks: HitmanPro scanner detected the test30 download as "malware." Seeing as these builds come and go, I simply installed the test32, deleted test30 and kept moving. However, I am curious: of all the 30+ builds, what was it specifically about test30 that would trigger this detection? Here is the notepad log with my user name edited out. The SHA is there. I hope you don't mind these questions out of curiosity. Also, can consideration for the "go to website" on the installation wizard be unchecked by default, until the release build is issued? Unless the majority really wants to go to the website every time a new OSArmor test build is installed.

    hmplog.PNG

    Lovely observation. It would be a nice and professional touch if all frames were of the same dimensions. :)

    Edited contents in spoiler.
     
    Last edited by a moderator: Feb 3, 2018
  3. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    A little nit-picking?
    I would like to have an alarm (light up my house, when a notification pops-up).

    On my system I see no problems. 7-64
     
  4. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,719
    Location:
    USA
    DITTO :)
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Let's not get off topic with silliness. Circuit!!
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andreas

    32 is looking good here

    Pete
     
  7. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    @novirusthanks , can you add PotPlayer?

    Thanks
     
  8. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Does the new version support Secure Boot? Anyone tried it?
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    I am using it with Secure boot, no problems. I could not install the previous versions without disabling secure boot, but that is now history. I am back to secure boot.
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @novirusthanks Andreas, would you say OSArmor covers the vulnerable processes here: https://excubits.com/content/files/blacklist.txt ?
    (https://www.wilderssecurity.com/thr...-tuersteher-light.359127/page-72#post-2736087 )

    I ask, because I have in the past tried to incorporate these into ERP, or AppGuard. But if OSArmor takes cognisance of these, it probably is not worth the effort.

    Edit: Oops, I did mention this before: https://www.wilderssecurity.com/thr...-layer-of-defense.398859/page-24#post-2731515 but I am not sure if you responded ...
     
    Last edited: Feb 4, 2018
  11. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Thanks.
     
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    As far as I can see, Andreas has been systematically adding the vulnerable processes and the exploits.
     
    Last edited: Feb 4, 2018
  13. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    @bellgamin

    Hi.
    Some advice for XP users.
    If you do not set DEP as in the image below:


    1.JPG

    In OSA the DEP will be disabled for us that we use XP.

    You can verify this with Process Explorer ver 16.12.
    Subsequent versions of Process Explorer appear to work with XP but report incorrect values:

    2.JPG
     
  14. guest

    guest Guest

    Some are already implemented (as said above in #937) as an option, but you also have the choice to use CustomBlock.db.
    Put [%PROCESS%]-tags around the commands you want to block, and it might look like this:
    Code:
    c:\Program Files\NoVirusThanks\OSArmorDevSvc\CustomBlock.db
    [%PROCESS%: *\setx.exe]
    [%PROCESS%: *\takeown.exe]
    [%PROCESS%: *\xcacls.exe]
    
    This is a general block, but if a process needs to launch one of these blacklisted processes (to do its legitimate work), it (the process which is launching the blacklisted process) can be excluded in Exclusions.db using [%PROCESS%] and [%PARENTPROCESS%].
    (But of course it is also possible to click on "Add Exclusion" after something has been blocked, and then no manual writing of exclusions is needed.)
    Example:
    Code:
    c:\Program Files\NoVirusThanks\OSArmorDevSvc\Exclusions.db
    [%PROCESS%: C:\Windows\*\takeown.exe] [%PARENTPROCESS%: <a process placed here is allowed to launch takeown.exe>]
    
    In comparison to other security applications which are blocking processes completely, OS Armor is more "flexible".
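    The block/exclusion interplay described in this post, modelled as a small rule evaluator (added example, not OSArmor's own code or parser). It assumes the line format shown above, that `*` is a case-insensitive wildcard over full paths, and that a launch is blocked when the child matches a CustomBlock.db pattern unless an Exclusions.db line matches both the child and its parent; the rule text and the sample launches are constructed for illustration.

```python
import fnmatch
import re

# One [%TAG%: pattern] group as it appears in the thread's rule files.
TAG_RE = re.compile(r"\[%(PROCESS|PARENTPROCESS)%:\s*([^\]]+?)\s*\]")

# Constructed rule files mirroring the post's examples (format is an assumption).
CUSTOM_BLOCK_DB = """
[%PROCESS%: *\\setx.exe]
[%PROCESS%: *\\takeown.exe]
[%PROCESS%: *\\xcacls.exe]
"""

# The parent on this line is a made-up backup tool standing in for the
# "<a process placed here ...>" placeholder in the post.
EXCLUSIONS_DB = """
[%PROCESS%: C:\\Windows\\*\\takeown.exe] [%PARENTPROCESS%: C:\\Program Files\\Backup\\backup.exe]
"""


def parse_rules(text):
    """Turn each non-empty line into {'PROCESS': pattern, 'PARENTPROCESS': pattern or None}."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tags = {tag: pattern for tag, pattern in TAG_RE.findall(line)}
        if "PROCESS" in tags:
            rules.append({"PROCESS": tags["PROCESS"],
                          "PARENTPROCESS": tags.get("PARENTPROCESS")})
    return rules


def _match(pattern, path):
    # Windows paths are case-insensitive; fnmatch's '*' also spans backslashes,
    # so '*\takeown.exe' matches the binary anywhere on disk.
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def decide(block_rules, exclusion_rules, parent, child):
    """Assumed semantics: BLOCK when the child matches a block rule, unless an
    exclusion matches the child and (if given) the parent. Returns (verdict, reason)."""
    blocked_by = [r["PROCESS"] for r in block_rules if _match(r["PROCESS"], child)]
    if not blocked_by:
        return ("ALLOW", None)
    for r in exclusion_rules:
        parent_ok = r["PARENTPROCESS"] is None or _match(r["PARENTPROCESS"], parent)
        if _match(r["PROCESS"], child) and parent_ok:
            return ("ALLOW", "excluded by " + r["PROCESS"])
    return ("BLOCK", blocked_by[0])


if __name__ == "__main__":
    block = parse_rules(CUSTOM_BLOCK_DB)
    excl = parse_rules(EXCLUSIONS_DB)
    # Constructed launches: a shell spawning takeown.exe, the backup tool doing
    # the same, and an unrelated notepad launch.
    launches = [
        (r"C:\Windows\explorer.exe", r"C:\Windows\System32\takeown.exe"),
        (r"C:\Program Files\Backup\backup.exe", r"C:\Windows\System32\takeown.exe"),
        (r"C:\Windows\explorer.exe", r"C:\Windows\notepad.exe"),
    ]
    for parent, child in launches:
        print(parent, "->", child, decide(block, excl, parent, child))
```

Running it shows the three outcomes the post describes: the generic block on `takeown.exe`, the same launch allowed because its parent is excluded, and an unlisted process passing straight through.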
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    And what about adding perl.exe, for the sake of completeness?
     
  16. guest

    guest Guest

    It only served as an example. If the user wants more commands to be blocked, new entries have to be added to CustomBlock.db.
    In the case of perl.exe just adding an entry like this is enough and it is blocked:
    Code:
    [%PROCESS%: *\perl.exe]
    
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Right, understood.
    Really what I wanted to ask is whether you (or others) consider perl.exe to be a process that deserves to be included? It doesn't ship with Windows, but on the other hand, I think it is part of LibreOffice.
     
  18. guest

    guest Guest

    @novirusthanks

    could:
    - torrent clients be added to anti-exploit: Tixati, qBittorrent, µTorrent, etc...
    - SMplayer be added to media players.
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    If I could add to the wish list for media players:
    MPC Black Edition
    Foobar2000
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    ... and MusicBee (unless it's there already, not at that machine right now).
     
  22. guest

    guest Guest

    Ah, ok.
    And there is the problem with blacklisting processes. Some applications might have installed these (blacklisted) processes or are launching them to do legitimate things.
    Adding something to the blacklist is prone to False Positives (in the latter case below:)
    • If the user "knows" that adding specific processes to the blacklist doesn't lead to False Positives (the blacklisted process isn't installed and/or wasn't launched in the last weeks/months [by reviewing logfiles of ERP or Process Logger Service]), then it might be added to the blacklist.
    • If the user isn't sure about it and just adds processes, blockings are highly likely (or not, ...)
      • The user can add an exception if this happens, but then it is already too late (adding an Exception doesn't help for the currently blocked process, but it mitigates future blockings).
      • Or the user can use "Passive Logging Mode" [Processes are not blocked and no harm is done to the system] for some days to find out if blacklisted processes are blocked (if yes, Exclusions can be added).
    Each system is different, some might encounter blockings after adding processes to the blacklist and some not. It depends on the Operating System/Installed applications, etc.
    Only applications with a digital signature are supported :cautious:. Currently Foobar2000 has none (MusicBee [mentioned here: #946] also has none)
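    The log review this post recommends before blacklisting, as an added example (not OSArmor's, ERP's or Process Logger Service's own tooling or log format): candidate CustomBlock.db patterns are checked against a constructed launch log for the last N days, and for every hit a parent-aware Exclusions.db line is proposed so the user can decide before the rule goes live, much like "Passive Logging Mode" would reveal it afterwards. The `timestamp | parent | child` log layout, the paths and the 30-day window are assumptions.

```python
import fnmatch
import re
from datetime import datetime, timedelta

# Same [%PROCESS%: pattern] line format the thread shows for CustomBlock.db.
TAG_RE = re.compile(r"\[%PROCESS%:\s*([^\]]+?)\s*\]")

# Constructed candidate block list (perl.exe as discussed above).
CANDIDATE_BLOCK_DB = """
[%PROCESS%: *\\setx.exe]
[%PROCESS%: *\\takeown.exe]
[%PROCESS%: *\\perl.exe]
"""

# Constructed process-launch log, one launch per line: ISO timestamp | parent | child.
LAUNCH_LOG = """
2018-01-10T09:12:01 | C:\\Program Files\\LibreOffice\\program\\soffice.bin | C:\\Program Files\\LibreOffice\\program\\perl.exe
2018-01-28T18:40:13 | C:\\Windows\\explorer.exe | C:\\Windows\\notepad.exe
2018-02-02T07:05:44 | C:\\Program Files\\Backup\\backup.exe | C:\\Windows\\System32\\takeown.exe
2017-10-01T12:00:00 | C:\\Windows\\System32\\cmd.exe | C:\\Windows\\System32\\setx.exe
"""


def parse_patterns(text):
    """Extract the wildcard patterns from a CustomBlock.db-style text."""
    return [m.group(1) for m in TAG_RE.finditer(text)]


def parse_log(text):
    """Parse the constructed log into (datetime, parent, child) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, child = [field.strip() for field in line.split("|")]
        events.append((datetime.fromisoformat(ts), parent, child))
    return events


def preflight(patterns, events, now, days=30):
    """Dry run: which candidate patterns would have fired in the last `days`,
    and from which parent/child pairs. Older launches are ignored."""
    cutoff = now - timedelta(days=days)
    hits = {}
    for ts, parent, child in events:
        if ts < cutoff:
            continue
        for pat in patterns:
            # Case-insensitive wildcard match over the full path, '*' spans '\'.
            if fnmatch.fnmatchcase(child.lower(), pat.lower()):
                hits.setdefault(pat, []).append((parent, child))
    return hits


def suggest_exclusions(hits):
    """Propose Exclusions.db lines that allow only the observed parent to
    launch the observed child, keeping the block for everything else."""
    lines = set()
    for pairs in hits.values():
        for parent, child in pairs:
            lines.add(f"[%PROCESS%: {child}] [%PARENTPROCESS%: {parent}]")
    return sorted(lines)


if __name__ == "__main__":
    patterns = parse_patterns(CANDIDATE_BLOCK_DB)
    hits = preflight(patterns, parse_log(LAUNCH_LOG), datetime(2018, 2, 4))
    for pat, pairs in hits.items():
        print(f"{pat}: {len(pairs)} recent launch(es) would be blocked")
    print("\n".join(suggest_exclusions(hits)))
```

On the constructed data `setx.exe` produces no hit because its only launch is months old, while `perl.exe` (launched by LibreOffice) and `takeown.exe` (launched by the backup tool) each get a proposed exclusion; the user can then add those, drop the pattern, or confirm the block.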
     
  23. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    This may sound really silly but I have trouble telling whether the little OSA system tray icon is yellow (on) or white (off). After all, the center is always white, so the difference is kind of small.
    Maybe the yellow border could be made stronger or thicker, or maybe the white border could be made more grayish?
     
  24. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,944
    +1
     
  25. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    NVT- I'm sorry for you...
     