NoVirusThanks OSArmor: An Additional Layer of Defense

test 34 works fine, it only happened for me with 33 plus it didn't uninstall correctly either

 

I have never had issues with NVT's programs conflicting with each other, but I am wondering...they do have some overlap, so which one would block first, for example, I have exe's blocked from running via external devices such as usb on both programs

 

NVT ERP should act first, since its driver's Altitude should be higher.

 

Thanks guest

 

Would running Malwarebytes anti-exploit module with NVT OSA be overkill or a good idea?

 

Glad you asked... Im interested in the answer to this too.

 

They are really doing two different things.
MB anti-exploit is trying to prevent malware from sticking its hand through a hole in the application and gain unapproved access to the system.
In this context, OSA is a second line of defense. Even if malware gains access to the system, OSA keeps the lid on the cookie jar screwed on tight, so the malware can't get your goodies.

 

Thanks @guest and @shmu26 for these insights.

 

After uninstall/re-install it's working again. I will try your instructions if it happens again instead!

What a wonderful tool you guys have created! Best tool since Sandboxie was released!

 

Use of OSArmor AND MalwareBytes Anti-Exploit (MBAE)
I am convinced that system lockups occur as the result of conficts. I would therefore request that OSArmor includes a switch to disable the Anti-Exploit feature completely. If this is not forthcoming, I can cope. The Main Protections are great on their own. MBAE seems to work by protecting applications from the parent process down. Therefore I have disabled all OSArmor Anti-Exploits.

 

OK...Thanks shmu26

 

OS Armor doesn't know anything about "DEP Enforcement, Heap Spraying, ROP mitigations, IAF, caller mitigations" or other detection techniques.
It doesn't protect the running browser process from being modified (in memory) from other applications and it doesn't prevent (malicious) dll's from being injected into the browser process.
As said above, MBAE and OS Armor are doing different things.

There will be more likely problems if OS Armor would inject a dll into applications which might conflict with the injected dll of MBAE (MBAE is injecting its dll into protected applications)
But it isn't doing it.
OS Armor is monitoring processes, parent processes and command-lines but OS Armor only takes action if the browser wants to actually execute other files.
As long as the browser isn't executing other files, OS Armor isn't even actively doing something with the browser process.

Installing of HMP.A and MBAE, this will lead to problems (But ok, the developers of HMP.A has solved the issue and HMP.A is preventing MBAE from injecting its dll - but that's a different story)
These applications are doing similar things and installing both of them will lead to issues if they are acting on the same process at the same time.

Adding something like "disable Anti-Exploit feature" might be a good idea.

Perhaps In addition: "disable options in 'Advanced''
Why?
If the user has selected all options in "Advanced" the PC is well protected but if the user wants to execute unsigned files (or wants to do other things which are prevented by enabled options in "Advanced"), the protection has to be turned off completely or the specific option has to be enabled/disabled every time.
If options in 'Advanced' can be disabled via context-menu, the user can turn these options off easily (ticked/unticked options in Advanced are retained but enabled options has no effect after 'turning Advanced off') and the main protections of OS Armor are still active and are protecting the user.
= Launching of unsigned files, PowerShell, installing programs which are creating tasks, etc. all these is now possible, but suspicious behavior is still prevented (Main Protections)

 

"OSA keeps the lid on the cookie jar screwed on tight, so the malware can't get your goodies."

Is the reference to the cookie jar a technical observation about data storage by cookie in the browser or a general usage about where goodies are kept. In the second case we in the UK might call it the biscuit tin.

The OSArmor Anti-Exploits seem to be very different from those in MBAE. I have definitely been experiencing system hangs when OSArmor Anti-Exploits are enabled and they do not occur when OSArmor Anti-Exploits are disabled.

 

Right. You would call them biscuits, mate. In my metaphor, the "cookies" or "biscuits" are the vulnerable processes that malware can use to wreak havoc.

Recently, this type of attack has been described as "living off the land" (a different metaphor) because it relies heavily on use of vulnerable processes that you already have on your system, since they are components of Windows. OSA won't let it do that.

 

I like that idea.

 

Thanks for post #1012 mood

 

Hi Novirusthanks,

Thanks for your reply. Effectively OSArmour GUI is disabled and OSArmorDevSvc is running. I tried to execute "invoice.pdf.exe but protection remain disabled.

 

What do you think is better protection OSA, Ransom Off, or Voodooshield?

 

Yes correct, OSArmor does the thinking for you, will soon give it a try even if it does overlap with ERP on some parts.

 

@novirusthanks

Hi.
If I can do it easily, could malware also do it?
With XP would it be advisable to abilited the rule that prohibits the importation of reg files?

http://sendvid.com/5q21sspe

TH.

 

Sorry
to abilited = "to enable"

 

Was automatic update going to be added to this version or is it planned for the next version?

 

@novirusthanks

For now I have enabled the following rule:





Do you also recommend enabling the rules below?





or other rules?
TH.

 

(Option: "Prevent reg.exe from importing .reg files")
Doubleclicking on a registry-file is basically the same as using of the command:
"reg import <registry-file>" (OS Armor is reacting if it encounters 'reg import' in the command-line)

Importing of registry files is prevented if the option is enabled but the command "reg add" can still be used to modify settings in the registry.
For example the following command will enable Passive Logging Mode:

Code:

reg add HKEY_LOCAL_MACHINE\SOFTWARE\NoVirusThanks\OSArmorDev /v PassiveLogging /t REG_DWORD /d 1

But administrator rights are needed to be able to do this.

In this case some more mitigations against the command reg.exe could help (malware can't use reg add to modify settings, etc.)