NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,366
    Location:
    Italy
    Very Gooooood !! :thumb:

    You're an ace !! :D

    [attached screenshot: 10.JPG]
     
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @guest @Peter2150

    This option "Block execution of processes on All Users Folder" blocks processes on:

    C:\Users\All Users\*

    On my system I only have 3 .exe files inside C:\Users\All Users\*:

    [attached screenshot: exes.png]

    Blocking of programs on User's AppData (C:\Users\<CurrentUser>\AppData\) is handled with:

    Block execution of unsigned processes on Local AppData
    Block execution of unsigned processes on Roaming AppData
    Block execution of unsigned processes on Common AppData

    And yes, these 3 options can generate some FPs.

    @Sampei Nihira

    Great :thumb:
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @novirusthanks - Ok, looks good, and a big hearty thanks for diving headlong into all areas of concern with this project.

    One word: Super.
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,366
    Location:
    Italy
    I think it's better to add too:

    [attached screenshot: 11.jpg]

    Andreas, what do you think of adding a rule for CHML?
    The Mark Minasi Tool.
    Works also on W.10:

    [attached screenshot: 12.jpg]

     
    Last edited: Mar 6, 2018
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Andreas, you're da man on this one.
     
  6. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Not sure if it's good for adding or not, but worth adding: block execution of URLs via the command line (it can be blocked by SpyShelter, Bouncer).
    Usually after some installer finishes installing it opens the browser; it can block this stuff:

    C:\some.exe>"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.some.com/"
    C:\some.exe>"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.some.com

    Also check this, maybe good for adding in SysHardener:
    https://hshrzd.wordpress.com/2017/0...ons-handlers-as-a-malware-persistence-method/

    thanks
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I haven't had issues with EAM. But my OSA has been on defaults and set to passive logging, so maybe that's why.
     
  8. guest

    guest Guest

    oh ok, I was mistaken then, I thought All Users was for all users' profile folders (C:\Users\*) :p
     
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,366
    Location:
    Italy
    :thumb::thumb::thumb::thumb:

    [attached screenshots: 12.jpg, 13.jpg, 14.jpg, 15.jpg]
     
    Last edited: Mar 6, 2018
  10. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Running latest beta of OSA along with Windows Defender. Nothing gets by that combination when I throw malware at it in a virtual environment. No issues whatsoever in everyday usage.

    I have enabled every checkbox there is (including everything under advanced options). I have been running like this for over a month without any false positives.

    Good job!
     
  11. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    @shadek --- everything? Wow :eek: No false positives, but any problems?
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Thanks Pete. I've restored an image from before Avast so am back using Windows Defender which seems much more compatible with other programs.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hooray for imaging software.
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) test40:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test40.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Joined "Prevent Base Filtering Engine (BFE) from being disabled via cmdline" and "Prevent Windows Firewall from being disabled via command-line" in "Prevent important Windows Services from being disabled"
    + Added Windows Defender, Security Essentials, Windows Update, Security Center to "Prevent important Windows Services from being disabled"
    + Block cmstp.exe from loading .inf files (AppLocker bypass)
    + Improved detection of PowerShell malformed commands
    + Advanced -> Block execution of processes on Public Folder (C:\Users\Public) -> Enabled by default
    + Advanced -> Block execution of processes on All Users folder -> Enabled by default
    + Advanced -> Block execution of .msc scripts outside System folder -> Enabled by default
    + Advanced -> Block reg.exe from hijacking Registry startup entries -> Enabled by default
    + Advanced -> Prevent attrib.exe from setting +h or +s attributes -> Enabled by default
    + Advanced -> Prevent wevtutil.exe from cleaning Windows Eventlog -> Enabled by default
    + Advanced -> Prevent important Windows Services from being disabled -> Enabled by default
    + Advanced -> Block reg.exe from disabling UAC (User Access Control) -> Enabled by default
    + Improved "Prevent important Windows Services from being disabled"
    + Block execution of regini.exe

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    Let me know if you find any FP with the 8 options enabled by default in Advanced tab.

    @Sampei Nihira

    Will check and discuss about CHML (Mark Minasi Tool).

    @co22

    Many legit programs use Firefox or IE or a web browser to open URLs, so that would generate many FPs.

    To protect those registry entries you can use Registry Guard or Registry Guard Service.

    @guest

    No problem :D

    @shadek

    Great! Thanks for sharing it.
     
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Um, what if I run with Windows Defender Security Center and Windows Update: Services disabled.
    Which Windows Services are deemed "important"?
     
    Last edited: Mar 7, 2018
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @bjm_

    That's not a problem, that option prevents sc.exe, net.exe, wmic.exe, etc. from disabling\stopping important Windows Services via command-line.

    If you have already disabled them, no alert will be triggered by OSArmor.

    Windows Firewall, Windows Defender, Windows Updates, Security Center, Microsoft Security Essentials.

    These important (security-related) Windows Services are commonly hijacked\stopped\disabled by malware via sc.exe, net.exe, etc.

    OSArmor makes sure they can't be hijacked\stopped\disabled via command-line.
     
    Last edited: Mar 6, 2018
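    As an added illustration of the rules described in posts 2, 14 and 16 (this is example code written for this thread, not OSArmor's own implementation): a small process-creation checker that applies the path-based Advanced-tab rules and the "important services" rule to constructed sample events. The folder paths, the service tools it watches and the service names it treats as "important" are assumptions, not values taken from OSArmor.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical rule set modelled on the Advanced-tab options discussed in this thread;
# it is not OSArmor's code. Folder paths and service names below are assumptions.
PUBLIC_DIR = "c:\\users\\public\\"
ALL_USERS_DIR = "c:\\users\\all users\\"
SYSTEM_DIR = "c:\\windows\\system32\\"
# Service names assumed for the "important" services the thread lists:
# Firewall, Defender, Windows Update, Security Center, Security Essentials, BFE.
IMPORTANT_SERVICES = {"mpssvc", "windefend", "wuauserv", "wscsvc", "msmpsvc", "bfe"}
SERVICE_TOOLS = {"sc.exe", "net.exe", "net1.exe", "wmic.exe"}
TAMPER_VERBS = re.compile(r"\b(stop|config|delete|stopservice|changestartmode)\b")


@dataclass
class ProcessEvent:
    image: str    # full path of the image being launched
    cmdline: str  # its command line


def check_event(ev: ProcessEvent) -> Optional[str]:
    """Return the name of the first rule that would block the event, else None."""
    image = ev.image.lower()
    cmd = ev.cmdline.lower()
    exe = image.rsplit("\\", 1)[-1]
    # Path-based rules: anything launched from these folders is blocked outright.
    if image.startswith(PUBLIC_DIR):
        return "Block execution of processes on Public Folder"
    if image.startswith(ALL_USERS_DIR):
        return "Block execution of processes on All Users folder"
    # .msc consoles are loaded by mmc.exe; only those under the System folder pass.
    msc = re.search(r'"?([^"\s]+\.msc)"?', cmd)
    if exe == "mmc.exe" and msc and not msc.group(1).startswith(SYSTEM_DIR):
        return "Block execution of .msc scripts outside System folder"
    # Service tampering: a service tool, a tampering verb and an important service
    # name on the same command line (read-only queries such as "sc query" pass).
    if exe in SERVICE_TOOLS and TAMPER_VERBS.search(cmd):
        tokens = set(re.findall(r"[a-z0-9_]+", cmd))
        if tokens & IMPORTANT_SERVICES:
            return "Prevent important Windows Services from being disabled"
    return None


def evaluate(events):
    """Pair each event with the rule that blocks it; None means allowed."""
    return [(ev.image, check_event(ev)) for ev in events]
```

    Note that, as in post 16, a service that is already disabled produces no event here: the checker only sees command lines that try to change service state.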
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Aha. Okay. Thanks.
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    I know it has been discussed in this lengthy thread before but will OSA have an updater built-in when released?
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Build 40 installed with all settings default. So far no problems.
     
  20. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Same here.
     
  21. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    815
    Location:
    A Non-Sh*thole State
    Ditto on 3 systems. Win10 1709 x64.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hmm, on build 40 I clicked on reset to default and all the advanced settings cleared. Should that have happened?
     
  23. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    I'm a couple betas late....LMAO. Had a side trip with a lunched machine installing something else. That's fixed so now I can play again with all the new stuff from NVT. :rolleyes:
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Totally tightened up on the settings. Have some command line desktop stuff I use, and it threw up alerts. Set the exclusions and then no further bother. Beautifully done.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Installing now to a refreshed 10 system with ERP and various other goodies.
     