NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    @novirusthanks

    The PowerShell command below bypasses the OSArmor self defense (basic):

    stop-service -force "OSArmordevsvc"

    Better to provide.
     
  2. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    Glad but not surprised that OSArmor passed the real world reckless son test. CFW on cruelsister's settings might make for a better combo than the others mentioned?

    Regards Eck :)
     
  3. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    And a person could password protect the security settings of CF so Sonny-Boy couldn't install crap no matter how he tried.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @Azure Phoenix- Good timing on your part to install/configure the program when you did since it's not been out that long.

    It can be a time eating ordeal to fork over the effort to do surgery on a system after it's been stung.

    BTW, as mentioned on password protection, it's a pretty vital mechanism for many and can save the bacon when setting up protection for users who are as you say "reckless" in that manner.
     
  5. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Date/Time: 23/02/2018 09:25:43
    Process: [14852]C:\Windows\SysWOW64\taskkill.exe
    Parent: [4032]C:\Users\x\AppData\Local\Programs\Sync\sync-taskbar.exe
    Rule: BlockTaskkillExecution
    Rule Name: Block execution of taskkill.exe
    Command Line: taskkill.exe /f /im sync-worker.exe
    Signer:
    Parent Signer: Sync.com Inc.
     
    Last edited: Feb 27, 2018
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    Up.....please.;):)
     
  7. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    Since today the protection doesn't start automatically. Protection disabled. A reboot fixes this.
     
  8. guest

    guest Guest

    if you don't set OSA to block powershell. If you do, it won't work (obviously).
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) (test37):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test37.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved detection of suspicious folders
    + Improved detection of suspicious command-lines
    + Improved detection of PowerShell encoded commands
    + Improved OSArmor self defense (basic)
    + Exclude "-a" execution for "Block execution of Shutdown.exe"
    + Improved detection of PsTools from Sysinternals
    + Improved detection of Nirsoft programs
    + Prevent regedit.exe from silently loading .reg scripts
    + Fixed "When uninstalled it disables: Block execution of cmd.exe\powershell.exe"
    + Fixed detection of SoftMaker Office 2012
    + Block execution of tskill.exe
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If anyone is having issues with this new build 37 please post them :)

    @Krusty @plat1098

    Will fix that scrolling-related issue in the next version.

    @hayc59

    I can't reproduce the download issue, tried from 4 VMs (one with XP) and the .exe file can be downloaded correctly.

    @Krusty

    I would ask the PrivaZer developer if he can kill those PIDs programmatically instead of using taskkill.exe.

    @Sampei Nihira

    If that powershell command is executed via command-line, OSA should block it.

    If it is executed within powershell command prompt, OSA doesn't block it.

    We'll add better protection in next version that will block any process termination attempt.

    A possible workaround would be to block powershell.exe completely.

    @rdsu

    FP fixed.

    @Gandalf_The_Grey

    Also @Antarctica has reported that issue (on reboot the protection is disabled).

    I'll try to reproduce your issue, wondering if it may be related somehow to EAM or VS that prevents OSA from doing things, will have to check.
     
  10. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    I don't use VS any longer, but I still use EAM. As far as my 32bit Win10 computer is concerned, OSA works as expected. It may therefore be a VS issue. Just a shot in the dark, so to speak.

    Edit: Just installed test build 37 - no problems here. Thank you.:thumb:
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
  12. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    815
    Location:
    A Non-Sh*thole State
    Build 37 running great on 4 W10 1709 x64 systems here.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @novirusthanks-Thanks- Am still groggy from surgery this week but this should serve to get the ole senses up and running sooner than later.

    A computer mind is a terrible thing to waste or lay dormant-as are good softwares-:thumb:
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    + Block execution of Taskkill.exe

    I noticed this was enabled under Advanced. Should it be? It was the only thing under Advanced that was enabled.

    Thanks.
     
  15. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    After restarting my computer OSArmor service does not start correctly. This has happened twice.
     

    Last edited: Feb 25, 2018
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Krusty

    "Block execution of Taskkill.exe" should be disabled by default, will fix it in the next build.

    @Charyb

    Please send me more details (is there any app crash .dmp file? can you send me the full Event Viewer log?) via email or PM.

    Please include also your OS version and if 32 or 64bit, thank you.
     
  17. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Not using either one at the present time, I would say since the beginning of January.
     
  18. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    I sent you a PM with a link to the Event Viewer log. I hope it is what you are looking for. There is no crash .dmp file.

    Windows 10 Pro x64
    Version 1709
    OS Build 16299.248
     
    Last edited: Feb 25, 2018
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andreas

    Build 37 is running fine here.

    Pete
     
  20. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Hi there

    May I ask what might appear to be a somewhat silly question?

    Is there any benefit and/or point in running OSArmor with EXE Radar Pro? There seems to me to be a relatively large area of overlap yet I have seen that some do. Just wondering what the cognoscenti think about this (apologies if the question has been asked before/covered elsewhere).

    Cheers, Baldrick
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    There absolutely is. ERP is an antiexecutable. OSA is an antiexploit and behavior blocker. They are an awesome combo.
     
  22. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Thank you, Maestro...short, to the point and informative. :thumb:
     
  23. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,717
    Location:
    USA
    ERP is soon to move to v. 4.0. Is the buy in to 3.0 good for 4.0 upgrade? Is the ERP license lifetime?
    TIA
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Looking forward to 4 on this end and combo with the always tops IMO ERP which has been like an ever dependable anti-exe that just doesn't quit doing exactly what it was meant for and very well at it.

    The two together should prove an amazing tandem!
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Suspected False Positive:
    Code:
    Date/Time: 26/02/2018 7:50:01 PM
    Process: [7104]C:\Windows\SysWOW64\mmc.exe
    Parent: [7660]C:\Windows\SysWOW64\eventvwr.exe
    Rule: AntiExploitMicrosoftEventViewer
    Rule Name: (Anti-Exploit) Protect Microsoft Event Viewer
    Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\eventvwr.msc" /v:"C:\ProgramData\Microsoft\Event Viewer\Views\hmpalert.xml"
    Signer:
    Parent Signer:
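
Added example, not part of the thread and not NoVirusThanks code: a small Python parser for the block-entry format posted above by rdsu and Krusty, useful when collecting suspected false positives to report. The sample log is constructed from those two posts; the field names come from the entries themselves, while `parse_entries`, `review_key` and the "(none recorded)" label are assumptions made for this illustration.

```python
import re

# Constructed sample: the two block entries quoted in this thread, joined as one log.
SAMPLE_LOG = r'''Date/Time: 23/02/2018 09:25:43
Process: [14852]C:\Windows\SysWOW64\taskkill.exe
Parent: [4032]C:\Users\x\AppData\Local\Programs\Sync\sync-taskbar.exe
Rule: BlockTaskkillExecution
Rule Name: Block execution of taskkill.exe
Command Line: taskkill.exe /f /im sync-worker.exe
Signer:
Parent Signer: Sync.com Inc.

Date/Time: 26/02/2018 7:50:01 PM
Process: [7104]C:\Windows\SysWOW64\mmc.exe
Parent: [7660]C:\Windows\SysWOW64\eventvwr.exe
Rule: AntiExploitMicrosoftEventViewer
Rule Name: (Anti-Exploit) Protect Microsoft Event Viewer
Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\eventvwr.msc" /v:"C:\ProgramData\Microsoft\Event Viewer\Views\hmpalert.xml"
Signer:
Parent Signer:
'''

FIELD = re.compile(r"^\s*([A-Za-z/ ]+?):[ \t]?(.*)$")  # "Key: value", key ends at first colon
PID_PATH = re.compile(r"^\[(\d+)\](.+)$")               # "[pid]full\path.exe"

def parse_entries(text):
    """Split a log into entries (each starts at 'Date/Time') and return a list of dicts."""
    entries = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # blank separator or unrecognised line
        key, value = m.group(1), m.group(2).strip()
        if key == "Date/Time":
            entries.append({})
        if not entries:
            continue  # field seen before the first Date/Time line
        pp = PID_PATH.match(value) if key in ("Process", "Parent") else None
        if pp:
            entries[-1][key + " PID"] = int(pp.group(1))
            value = pp.group(2)
        entries[-1][key] = value
    return entries

def review_key(entry):
    """Tuple that groups repeats of the same block, ignoring PIDs and timestamps."""
    return (entry["Rule"], entry["Process"].lower(), entry["Parent"].lower(),
            entry["Parent Signer"] or "(none recorded)")
```

Grouping entries by `review_key` shows which rule/process/parent combinations keep recurring, and an empty `Parent Signer` stands out as a case that needs a closer look before it is reported as a false positive.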
     
     