NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,312
    Location:
    USA
    test 34 works fine, it only happened for me with 33 plus it didn't uninstall correctly either
     
  2. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,312
    Location:
    USA
    I have never had issues with NVT's programs conflicting with each other, but I am wondering... they do have some overlap, so which one would block first? For example, I have exe's blocked from running via external devices such as USB on both programs :doubt:


    2018-02-08_205635.png
    2018-02-08_205744.png
     
  3. guest

    guest Guest

    NVT ERP should act first, since its driver's Altitude should be higher.
     
  4. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,312
    Location:
    USA
    Thanks guest
     
  5. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,439
    Location:
    USA
    Would running Malwarebytes anti-exploit module with NVT OSA be overkill or a good idea?
     
  6. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    379
    Glad you asked... I'm interested in the answer to this too.
     
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,355
    They are really doing two different things.
    MB anti-exploit is trying to prevent malware from sticking its hand through a hole in the application and gaining unapproved access to the system.
    In this context, OSA is a second line of defense. Even if malware gains access to the system, OSA keeps the lid on the cookie jar screwed on tight, so the malware can't get your goodies.
     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,672
    Location:
    Under a bushel ...
    Thanks @guest and @shmu26 for these insights.
     
  9. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    After uninstall/re-install it's working again. I will try your instructions if it happens again instead!

    What a wonderful tool you guys have created! Best tool since Sandboxie was released!
     
  10. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    145
    Location:
    Wigan
    Use of OSArmor AND MalwareBytes Anti-Exploit (MBAE)
    I am convinced that system lockups occur as the result of conflicts. I would therefore request that OSArmor includes a switch to disable the Anti-Exploit feature completely. If this is not forthcoming, I can cope. The Main Protections are great on their own. MBAE seems to work by protecting applications from the parent process down. Therefore I have disabled all OSArmor Anti-Exploits.
     
  11. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,439
    Location:
    USA
    OK...Thanks shmu26
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,209
    OS Armor doesn't know anything about "DEP Enforcement, Heap Spraying, ROP mitigations, IAF, caller mitigations" or other detection techniques.
    It doesn't protect the running browser process from being modified (in memory) from other applications and it doesn't prevent (malicious) dll's from being injected into the browser process.
    As said above, MBAE and OS Armor are doing different things.

    There would more likely be problems if OS Armor injected a dll into applications, which might conflict with the injected dll of MBAE (MBAE is injecting its dll into protected applications).
    But it isn't doing it.
    OS Armor is monitoring processes, parent processes and command-lines but OS Armor only takes action if the browser wants to actually execute other files.
    As long as the browser isn't executing other files, OS Armor isn't even actively doing something with the browser process.

    Installing HMP.A and MBAE will lead to problems (but OK, the developers of HMP.A have solved the issue and HMP.A is preventing MBAE from injecting its dll, but that's a different story).
    These applications are doing similar things and installing both of them will lead to issues if they are acting on the same process at the same time.
    Adding something like "disable Anti-Exploit feature" might be a good idea.

    Perhaps in addition: "disable options in 'Advanced'" :cautious:
    Why?
    If the user has selected all options in "Advanced" the PC is well protected, but if the user wants to execute unsigned files (or wants to do other things which are prevented by enabled options in "Advanced"), the protection has to be turned off completely or the specific option has to be enabled/disabled every time.
    If options in 'Advanced' can be disabled via the context menu, the user can turn these options off easily (ticked/unticked options in Advanced are retained, but enabled options have no effect after 'turning Advanced off') and the main protections of OS Armor are still active and are protecting the user.
    = Launching unsigned files, PowerShell, installing programs which create tasks, etc.: all of this is now possible, but suspicious behavior is still prevented (Main Protections).
     
  13. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    145
    Location:
    Wigan
    "OSA keeps the lid on the cookie jar screwed on tight, so the malware can't get your goodies."

    Is the reference to the cookie jar a technical observation about data storage by cookie in the browser or a general usage about where goodies are kept? In the second case we in the UK might call it the biscuit tin.

    The OSArmor Anti-Exploits seem to be very different from those in MBAE. I have definitely been experiencing system hangs when OSArmor Anti-Exploits are enabled and they do not occur when OSArmor Anti-Exploits are disabled.
     
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,355
    Right. You would call them biscuits, mate. In my metaphor, the "cookies" or "biscuits" are the vulnerable processes that malware can use to wreak havoc.

    Recently, this type of attack has been described as "living off the land" (a different metaphor) because it relies heavily on use of vulnerable processes that you already have on your system, since they are components of Windows. OSA won't let it do that.
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,355
    I like that idea.
     
  16. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,439
    Location:
    USA
    Thanks for post #1012 mood
     
  17. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,820
    Location:
    Canada
    Hi Novirusthanks,

    Thanks for your reply. Effectively the OSArmor GUI is disabled and OSArmorDevSvc is running. I tried to execute "invoice.pdf.exe" but protection remains disabled.
     
  18. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    What do you think is better protection: OSA, Ransom Off, or Voodooshield?
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,535
    Among those 3 you are comparing Apples to Oranges.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    Yes correct, OSArmor does the thinking for you, will soon give it a try even if it does overlap with ERP on some parts.
     
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,540
    Location:
    Italy
    @novirusthanks

    Hi.
    If I can do it easily, could malware also do it?
    With XP would it be advisable to abilited the rule that prohibits the importation of reg files?


    http://sendvid.com/5q21sspe

    TH.:)
     
    Last edited by a moderator: Feb 10, 2018
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,540
    Location:
    Italy
    Sorry
    to abilited = "to enable"
     
  23. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    666
    Was automatic update going to be added to this version or is it planned for the next version?
     
  24. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,540
    Location:
    Italy
    @novirusthanks

    For now I have enabled the following rule:

    4.JPG 5.JPG



    Do you also recommend enabling the rules below?



    6.JPG 7.JPG

    or other rules?
    TH.
     
  25. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,209
    (Option: "Prevent reg.exe from importing .reg files")
    Double-clicking on a registry file is basically the same as using the command:
    "reg import <registry-file>" (OS Armor reacts if it encounters 'reg import' in the command-line)

    Importing registry files is prevented if the option is enabled, but the command "reg add" can still be used to modify settings in the registry.
    For example the following command will enable Passive Logging Mode:
    Code:
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\NoVirusThanks\OSArmorDev /v PassiveLogging /t REG_DWORD /d 1
    
    But administrator rights are needed to be able to do this.

    In this case some more mitigations against the command reg.exe could help (malware can't use reg add to modify settings, etc.)
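
The gap described in the post above (a rule keyed on 'reg import' does not see 'reg add'), shown as command-line triage in Python. This is an added example, not part of the thread and not OSArmor's own code; the labels and sample command lines are constructed, and only the registry key and value name come from the post.

```python
import re

# Key path and value name come from the post above; the labels and the
# sample command lines are constructed for this illustration.
PROTECTED_KEY = r"hkey_local_machine\software\novirusthanks\osarmordev"
HIVE_ALIASES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user"}

def tokenize(cmdline):
    """Split on whitespace but keep double-quoted arguments together."""
    return [m.group(0).strip('"') for m in re.finditer(r'"[^"]*"|\S+', cmdline)]

def normalize_key(key):
    """Lower-case a key path and expand short hive names (HKLM and HKCU)."""
    hive, sep, rest = key.lower().rstrip("\\").partition("\\")
    return HIVE_ALIASES.get(hive, hive) + sep + rest

def classify(cmdline):
    """Return a hypothetical triage label for one process command line."""
    tokens = tokenize(cmdline)
    if len(tokens) < 2:
        return "ignore"
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    if image not in ("reg", "reg.exe"):
        return "ignore"
    verb = tokens[1].lower()
    if verb == "import":
        return "reg-import"          # the case the OSArmor option reacts to
    if verb in ("add", "delete") and len(tokens) > 2:
        key = normalize_key(tokens[2])
        if key == PROTECTED_KEY or key.startswith(PROTECTED_KEY + "\\"):
            return "policy-tamper"   # e.g. switching PassiveLogging on
        return "reg-write"
    return "other"

SAMPLE_EVENTS = [  # constructed process-creation command lines
    r'reg import C:\Users\test\Downloads\settings.reg',
    r'"C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\NoVirusThanks\OSArmorDev /v PassiveLogging /t REG_DWORD /d 1',
    r'reg add HKEY_LOCAL_MACHINE\SOFTWARE\NoVirusThanks\OSArmorDev /v PassiveLogging /t REG_DWORD /d 1',
    r'reg add HKCU\Software\Example /v Demo /d 1',
    r'reg query HKCU\Software\Example',
    r'notepad.exe C:\notes.txt',
]

def triage(events):
    """Pair every command line with its label, preserving order."""
    return [(classify(e), e) for e in events]

if __name__ == "__main__":
    for label, cmd in triage(SAMPLE_EVENTS):
        print(f"{label:14} {cmd}")
```
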
     