NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Hi mood.:thumb:
    We hope that the developer takes all this into consideration.
    Powershell is not installed on my PC but I would like to know how to mitigate what is written below
    :

    http://woshub.com/how-to-access-and-manage-windows-registry-with-powershell/

    ____________________________________________

    1) Remote Registry Service - Disabled
    2) Enable the rule "Prevent Powershell from using Invoke - Expression via cmdline"

    3) ...................
     
    Last edited: Feb 11, 2018
  2. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
    I am grateful to mood for post #1012. I was encouraged to persevere with OSArmor with its Anti-Exploit capability and am now pleased with it. I am still puzzled that only enabling Anti-Exploit for applications I actually use seems to prevent the system hangs/slowdowns that I experience with Windows 7. Never mind. OSArmor adds considerably to my layers of defence and also allows my peace of mind using Windows XP to be undisturbed.

    My security consist is made up of the following : -
    Agnitum Outpost Firewall Pro 9.3
    Panda Dome 18.04
    MBAE 1.11.1.48
    Comodo Memory Firewall 2.0.4.20 (for a Windows XP system without hardware DEP)
    Key Scrambler 3.11.0.3
    CryptoPrevent 9.0.0.0
    OSArmor 1.4 (Test34)
    All this is garnished with POSReady 2009 security updates on my XP system.

    This little lot seems to work nicely without any tantrums. My online life is peacefully undisturbed.
     
  3. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    @loungehake - Glad you are getting a handle on Anti-exploit - for many of us, it is one of the harder features of an app to grasp. :) I run MBAE and OSA at the same time with no problems on a Win 7 box.

    Wondering though why you run 2 firewalls?
     
  4. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I don't think loungehake is running two firewalls - one of the firewalls is for a Windows XP system that doesn't have hardware DEP.
     
  5. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    Are there any Windows 10 Home Premium 32-bit users here who succeeded in installing one of the latest test builds? Just curious.
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    +2
     
  7. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
    @JoWazzoo
    Re: Comodo Memory Firewall.
    You can be forgiven for being misled by the Memory Firewall product name chosen by Comodo in 2008. I do not know how effective it is but anything that purports to prevent 90%+ of buffer overflow attacks, is unobtrusive and uses very little system resources cannot be sniffed at. Anyone who uses such processors as an AMD Athlon XP 3000+ (Meltdown immune) should use it with Windows XP or Vista.

    Comodo says the following about Comodo Memory Firewall :-

    Comodo Memory Firewall is a buffer overflow detection and prevention tool which provides the ultimate defense against one of the most serious and common attack types on the Internet – the buffer overflow attack.

    Comodo Memory Firewall protects against data theft, computer crashes and system damage by preventing most types of buffer overflow attacks. This type of attack occurs when a malicious program or script deliberately sends more data to its memory buffer than the buffer can handle. It is at this point that a successful attack can create a back door to the system though which a hacker can gain access. The goal of most attacks is to install malware onto the compromised PC whereby the hacker can reformat the hard drive, steal sensitive user information, or even install programs that transform the machine into a Zombie PC.
    The product is aimed for system administrators as well as desktop users to protect their systems and detects suspicious code executions in the stack or the heap portions of the memory.

    Comodo Memory Guardian detects the following types of attack:-
    Detection of Buffer Overflows which occur in the STACK memory;
    Detection of Buffer Overflows which occur in the HEAP memory;
    Detection of ret2libc attacks;
    Detection of corrupted/bad SEH Chains.
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Sampei Nihira

    Yes in that case you should enable that two options too.

    We can add a new block-rule like:

    "Prevent reg.exe from modifying OSArmor settings"

    In the next versions, we may integrate RegGuardSvc technology to do what @mood has explained here:

    https://www.wilderssecurity.com/threads/registry-guard-service.392953/page-4#post-2737541

    Adding a new option "Prevent other programs from changing OSArmor settings".

    So only OSArmor will be able to change its settings.

    But it will work only on Vista+ OS.

    @Buddel

    I should send you a specific OSArmor version via PM later today or tomorrow.

    Since you can always reproduce the issue you reported (30000 timeout), I will make sure OSA can log specific events to a file.

    It will help us understand what is preventing OSArmor from communicating with SCM.

    @Charyb

    Auto-update is scheduled for next versions (not for v1.4).
     
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    @novirusthanks

    Would be great !! :thumb::thumb:

    It is not possible to have everything but this new rule would be much appreciated.
     
  10. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    Yes, it should always be possible for me to reproduce this timeout issue. Looking forward to your PM. Thank you very much for your help, Andreas.:thumb:
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I just got a similar block, on OSA test34:
    Date/Time: 2/12/2018 9:14:56 PM
    Process: [14024]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Parent: [1256]C:\Windows\System32\svchost.exe
    Rule: BlockPowerShellExecution
    Rule Name: Block execution of Windows PowerShell
    Command Line: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"
    Signer:
    Parent Signer: Microsoft Windows Publisher
     
  12. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    815
    Location:
    A Non-Sh*thole State
    Exactly the same things here with Build 34.
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Windows 10 x64? That is what I am running. (Forgot to mention it in my post)
     
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I checked for windows updates, and sure enough, there is a cumulative update available for windows 10. It is being downloaded right now.

    It's pretty clear that this powershell command is run by windows update, it is checking out the local system to see if the update is applicable or not. That's how it seems to me, anyways.
     
  15. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    815
    Location:
    A Non-Sh*thole State
    Me too! Yes, Windows 10 x64 1709
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    If you run the update, you will get another block:
    Date/Time: 2/12/2018 10:09:11 PM
    Process: [10940]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Parent: [1216]C:\Windows\System32\svchost.exe
    Rule: BlockPowerShellExecution
    Rule Name: Block execution of Windows PowerShell
    Command Line: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"
    Signer:
    Parent Signer: Microsoft Windows Publisher
     
  17. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    815
    Location:
    A Non-Sh*thole State
    I don't get that block running with OA enabled or disabled.
     
  18. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Yeah, something is wierd over here, the update keeps failing
     
  19. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
    There is a definite problem when OSArmor is used on a Windows 7 (64bit) system running on a very slow processor such as an AMD Sempron 3000+. This system persists in hanging when OSArmor is installed and running. Uninstall OSArmor and the issue simply goes away. I guess that this is not a practical issue because few will be using a machine as slow as mine (although it's still usable to do my online banking - the system's sole purpose) and even fewer will run OSArmor on one.
     
    Last edited: Feb 13, 2018
  20. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii


    I did as you suggested. I don't understand why it is necessary but I believe Sampei. So there ....shazam!
     
  21. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I reinstalled Appguard, while OSA protection was disabled, and the installation failed. It ended in a BSOD, and the Appguard service was unable to start.
    After uninstalling OSA, Appguard installed normally.
     
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    :thumb:;):)
     
  23. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,103
    Location:
    Lunar module
    On another software, I remember that the installation order can have a value, which is the first, and the second, for example, Kaspersky AV and Agnitum Outpost. After changing the order of installation, both the software works fine.
     
  24. guest

    guest Guest

    After disabling OS Armor and rebooting, the status is not retained and the protection is active after a reboot (it is not disabled anymore).
    This might cause issues when installing software which needs a reboot to be properly installed/configured.
    The solution is to switch "Passive Logging Mode". After switching to this mode and rebooting, it is still in "Passive Logging Mode".

    I think it would be nice if it can be done for "Disabled Mode" too (after disabling the protection and rebooting, the protection it is still disabled)
    Edit: It is coming soon:
     
    Last edited by a moderator: Feb 14, 2018
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    I have a Intel Celeron M380 and there are no problems.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.