NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Awesome. Will install test build 38 tonight. Thank you!
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That suggests a course of action to me :)
     
  3. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    I simply use OSA's uninstall exe. That's all I need to uninstall it. No need to use an uninstaller if you just want to update. Just my humble opinion.
     
  4. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Does Revo use the built-in uninstaller of OSarmor first?
     
  5. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    815
    Location:
    A Non-Sh*thole State
    Build 38 running great on 4 W10 1709 x64 systems.
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Yes, then Revo searches for left over traces.
     
  7. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Ok. I think that explains it. The current Iobit Uninstaller doesn't seem to use the built-in uninstaller of products.

    And I'm guessing that's why it has issues uninstalling OSarmor.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes. It uses the software's uninstaller first, and then scans for leftovers.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Cerber used netsh to add Win firewall rules to block Windows Defender cloud scanning capability. One way among many to modify Win firewall rules and settings. I will never use the Win firewall since its settings are stored in clear text in the registry.
    https://myonlinesecurity.co.uk/cerber-using-firewall-rules-to-disable-windows-defender/
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    But that means you still let Cerber on to your machine somehow anyway, doesn't it?
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) test39:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test39.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Prevent Base Filtering Engine (BSE) from being disabled via cmdline
    + Improved detection of suspicious command-lines
    + Improved OSArmor self defense (basic)
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @itman

    OSA would have blocked it at beginning with the rules:

    Block execution of .js scripts
    Block any process executed from wscript.exe

    @Sampei Nihira

    1) Iobit Uninstaller FP should be fixed now.

    2) Should be fixed now (/VERYSILENT and /SILENT "without space" fix).

    No, it would only filter for command-lines related to turning off or disabling Windows Firewall.

    Yes, it also covers sc.exe stop MpsSvc, etc
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Andreas, it can be hard to keep up with you. Will install 39 a bit later. Thanks a bunch for an excellent piece of software.
     
  13. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,629
    It always runs the software's own installer first. It uninstalls software which uses Windows Installer, without showing the usual prompt asking if you want to proceed with uninstalling.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Yes, I am aware of that. Much better way is to run netstat via .Net using a C# program:
    https://social.msdn.microsoft.com/F...ion-for-windows-7-machine?forum=csharpgeneral
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    (Dizzy!)

    Rock On Andreas :argh:
     
  16. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    I second this. Just installed test 39 build. Will report back tomorrow if any problems arise. Thank you!
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andreas

    Build 39 installed and running fine.

    Request?? Would it be worth blocking system.management.automation.dll? It's part of the PowerShell mess.

    Pete
     
  18. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    Agree that Beta testing of this is a challenge. :) Especially when also trying ERP and SysHardener.

    TY Andreas
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    These products are amazing already, but I am also wary of testing them all at once on the same machine, until they are more stable (I guess ERP 4 has a way to go).

    I do hope Andreas develops and maintains them separately for those that want that granularity, but I would also kinda like to see some sort of converged product option eventually (with different defaults for the novice / intermediate / expert).

    But either way, Andreas' stuff will increasingly become core to all my systems.
     
  20. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,121
    Location:
    South Texas, USA
    Thanks Andreas! Build 39 running smoothly here.
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Trying an experiment, I installed the latest Avast Free AV on my current setup. After a restart the OSA UI tray icon failed to start. Double clicking on the desktop shortcut started the OSA UI but protection is disabled. Clicking Enable does nothing.

    Probably going back to Windows Defender shortly.

    Edit: Another restart and OSA started without problem so may have been a temporary glitch, although BlackFog Privacy service hasn't started properly with Avast installed yet.
     
    Last edited: Mar 6, 2018
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Planning to join "Prevent Base Filtering Engine (BSE) from being disabled via cmdline" and "Prevent Windows Firewall from being disabled via command-line" in "Prevent important Windows Services from being disabled", and include Windows Defender, Security Essentials, Windows Update, Security Center (suggested by an user via email).

    Will release the new build later or tomorrow.

    A client has just sent me a log file of OSArmor that blocked a recent "MuddyWater" APT threat in a few workstations:

    Code:
    Date/Time: 06/03/2018 11:18:59
    Process: [5104]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Parent: [4132]C:\Windows\System32\wmiprvse.exe
    Rule: BlockPowerShellEncodedCommands
    Rule Name: Block execution of PowerShell encoded commands
    Command Line: powershell.exe  -exec Bypass -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\\ProgramData\\WindowsDefender.ini))))
    Signer:
    Parent Signer:
    
    Here is more information about the recent "MuddyWater" attack:
    https://sec0wn.blogspot.it/2018/03/a-quick-dip-into-muddywaters-recent.html

    @Krusty

    Other users have also reported similar issues ("OSArmor is disabled after a restart") with Avast installed.

    Personally I tested Avast + OSA on a W10 VM and found no issues, but I excluded all OSA .exe files on Avast:
    https://www.youtube.com/watch?v=nQCMcu1_G2s

    //Everyone

    I plan to enable a few options in the Advanced tab by default prior to releasing OSA 1.4:

    Block specific locations

    Block scripts execution

    Other useful block-rules

    Attacks mitigation rules

    These rules should not create FPs and should be fine with beginner users too.

    What do you think guys?
     
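As an added example (not OSArmor's code and not posted by anyone in the thread), here is a small Python rule engine that parses OSArmor-style log entries in the layout shown above and applies command-line checks covering both the PowerShell encoded-command block in this post and the firewall/service-disable command lines discussed earlier (netsh firewall changes, sc.exe stop MpsSvc, the Base Filtering Engine). It goes a little beyond the post by also flagging PowerShell spawned by wmiprvse.exe, which is the parent shown in the log. The log entries are constructed; every rule name except BlockPowerShellEncodedCommands, and the list of protected service names, are assumptions made for this example.

```python
"""Added example: a toy rule engine over constructed OSArmor-style log entries.

Not OSArmor's implementation. Rule names other than
BlockPowerShellEncodedCommands and the PROTECTED_SERVICES set are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Entry:
    process: str      # full path, "[pid]" prefix stripped
    parent: str
    cmdline: str
    signer: str = ""


# Constructed sample log; field layout mirrors the one quoted in the thread.
SAMPLE_LOG = r"""
Date/Time: 06/03/2018 11:18:59
Process: [5104]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: [4132]C:\Windows\System32\wmiprvse.exe
Command Line: powershell.exe  -exec Bypass -c iex([System.Convert]::FromBase64String((get-content C:\ProgramData\example.ini)))
Signer:
Parent Signer:

Date/Time: 06/03/2018 11:20:10
Process: [3000]C:\Windows\System32\netsh.exe
Parent: [2900]C:\Windows\System32\cmd.exe
Command Line: netsh advfirewall set allprofiles state off
Signer: Microsoft Windows
Parent Signer: Microsoft Windows

Date/Time: 06/03/2018 11:21:00
Process: [3100]C:\Windows\System32\sc.exe
Parent: [2900]C:\Windows\System32\cmd.exe
Command Line: sc.exe stop MpsSvc
Signer: Microsoft Windows
Parent Signer: Microsoft Windows

Date/Time: 06/03/2018 11:22:00
Process: [3200]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: [3150]C:\Windows\explorer.exe
Command Line: powershell.exe -File C:\Users\me\backup.ps1
Signer: Microsoft Windows
Parent Signer: Microsoft Windows
"""


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _strip_pid(value: str) -> str:
    return re.sub(r"^\[\d+\]", "", value)


def parse_log(text: str) -> list:
    """Split the log into records (blank line separated) and read Key: Value lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # first colon only; paths keep theirs
            fields[key.strip().lower()] = value.strip()
        entries.append(Entry(
            process=_strip_pid(fields.get("process", "")),
            parent=_strip_pid(fields.get("parent", "")),
            cmdline=fields.get("command line", ""),
            signer=fields.get("signer", ""),
        ))
    return entries


# Assumed service names: Windows Firewall, Base Filtering Engine, Defender,
# Security Essentials, Windows Update, Security Center.
PROTECTED_SERVICES = {"mpssvc", "bfe", "windefend", "msmpsvc", "wuauserv", "wscsvc"}

# -e/-ec/-enc/-EncodedCommand followed by a base64 blob, or inline base64 decoding.
PS_ENCODED = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}|frombase64string", re.I)
PS_BYPASS = re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I)
NETSH_FW_OFF = re.compile(r"advfirewall\s+set\s+\w+\s+state\s+off", re.I)
SERVICE_VERB = re.compile(r"\b(?:stop|delete|config)\s+\"?([\w.-]+)", re.I)


def _service_tamper(e: Entry) -> bool:
    """sc.exe / net.exe stopping, deleting or reconfiguring a protected service."""
    if _basename(e.process) not in ("sc.exe", "net.exe"):
        return False
    m = SERVICE_VERB.search(e.cmdline)
    return bool(m) and m.group(1).lower() in PROTECTED_SERVICES


RULES = [
    ("BlockPowerShellEncodedCommands",
     lambda e: _basename(e.process) == "powershell.exe" and bool(PS_ENCODED.search(e.cmdline))),
    ("BlockExecutionPolicyBypass",
     lambda e: _basename(e.process) == "powershell.exe" and bool(PS_BYPASS.search(e.cmdline))),
    ("FlagWmiSpawnedPowerShell",
     lambda e: _basename(e.process) == "powershell.exe" and _basename(e.parent) == "wmiprvse.exe"),
    ("BlockFirewallDisableViaCmdline",
     lambda e: _basename(e.process) == "netsh.exe" and bool(NETSH_FW_OFF.search(e.cmdline))),
    ("BlockImportantServiceStop", _service_tamper),
]


def evaluate(entry: Entry) -> list:
    """Return the names of all rules that fire for one entry, in RULES order."""
    return [name for name, check in RULES if check(entry)]


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(f"{_basename(entry.process):16} {evaluate(entry) or 'allowed'}")
```

The last record (a plain `-File` invocation from explorer.exe) fires nothing, which is the false-positive check a rule like this needs before it can be enabled by default.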
  23. guest

    guest Guest

    @novirusthanks

    Some apps like Slack or Discord have their executables on user's folder (appdata), this should be handled carefully.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I agree, I use the Napster (Rhapsody) Music service and it installs totally in AppData. I'll test for you.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Krusty

    AVs are getting tricky as they add new features. Back a few versions the installation of OSA broke for me. Turns out I now need to disable EAM and it installs.
     