NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,084
    Location:
    Italy
    @novirusthanks

    The Net command is not monitored.
    Do you plan to add a rule?
     
    Last edited: Mar 7, 2018
  2. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,113
    Location:
    South Texas, USA
    Installed here with custom settings and no problem.
     
  3. fatex

    fatex Registered Member

    Joined:
    Apr 15, 2008
    Posts:
    5
    Any chance of putting a build # in the About section with the updates? Also, an auto-update feature or something to check for updates would be useful.
     
  4. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    It is working flawlessly - no false positives. I haven't been through a major Windows Update yet though, so we'll see.

    I block cmd.exe, and I use cmd.exe sometimes. Therefore I just have to disable protection temporarily when using cmd.exe. But that's it.
     
    Last edited: Mar 8, 2018
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,588
    Location:
    U.S.A. (South)
    Solid piece of work for a test build beta/pre-release.
     
  6. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,124
    Location:
    Italy
    Planning to add these new rules to completely block other commonly abused system processes:

    + Block execution of sc.exe
    + Block execution of net\net1.exe
    + Block execution of wmic.exe
    + Block execution of netsh.exe
    + Block execution of bitsadmin.exe
    + Block execution of reg.exe

    [attached screenshot: osa1.png]

    @Sampei Nihira

    We don't have specific rules for net.exe yet.

    Do you have any example of rules to add related to net.exe?

    @fatex

    We plan to add a check for updates in the next version (v1.5).
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,084
    Location:
    Italy
    @novirusthanks

    Examples


    net user accountname /delete

    The Net command will also delete the contents of the folders Documents, Images, Downloads, Music, Video, ...

    ___________________________________________


    net user accountname /add
    net localgroup administrators accountname /add

    The Net commands will create an account with administrative rights.

    ___________________________________________

    net user accountname *

    choice of password

    ___________________________________________

    For more info enter the command below:

    net help user

    ___________________________________________

    P.S.

    What happens if an attacker sets the Integrity Level to "Untrusted" for every file in the OSArmorDevSvc folder?
    Usually the exe files stop working.
    With CHML this is easily possible:


    [attached screenshot: CHML.jpg]
     
    Last edited: Mar 8, 2018
  9. Azazal

    Azazal Registered Member

    Joined:
    Oct 26, 2016
    Posts:
    8
    Location:
    Europe
  10. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    I already asked for it two times... :)

    +1
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,373
    Location:
    Under a bushel ...
  12. Azazal

    Azazal Registered Member

    Joined:
    Oct 26, 2016
    Posts:
    8
    Location:
    Europe
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,472
    If you launch cmd.exe the same way every time, all you have to do is make one exception rule when you get the block prompt, and you are good to go. You can launch cmd.exe, but malware can't.
     
  14. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Thanks! Something like this then?

    [%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: "C:\WINDOWS\system32\cmd.exe"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTSIGNER%: Microsoft Windows]

    I reckon malware could not mimic that in any way. The parent process needs to be signed 'Microsoft Windows' and named 'explorer.exe' in order to abuse my exclusion for cmd.exe now?
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,472
    Well it depends on how paranoid you want to be about it. You see, explorer.exe is sometimes attacked by malware, so explorer>cmd is potentially abusable.

    It would be safer, I think, to make an allow rule for an alternative search tool, such as Everything or Ultra Search, or maybe someone else has an even better and more paranoid idea...
     
  16. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    True, but the exclusion doesn't whitelist any command lines. Wouldn't malware typically start cmd.exe with a command line?
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,472
    Good point. I think you are right.
     
  18. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    551
    Location:
    Sonoran Desert
    Build 40 running well with no issues for three days. Default with one additional setting.
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,124
    Location:
    Italy
    @Sampei Nihira

    We'll add the option "Block execution of net\net1.exe"

    The processes net\net1.exe are rarely executed in general, and that rule would block net\net1.exe entirely (easiest choice).

    Sysadmins who need net.exe will have to exclude specific command lines to use net\net1.exe.

    @Azazal

    Will check it later and see if it will be added in this v1.4 or in the next version.

    @shadek

    That exclusion for cmd.exe is correct because you also included the parent process and the command line.

    It would just allow explorer.exe to launch cmd.exe (with no parameters) and is totally safe.

    @Peter2150

    No, it should keep these 8 options (on the Advanced tab) checked after you click the "Reset to Default" button:

     
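
    The block rules proposed in post 6, the net.exe examples in post 8 and the cmd.exe exclusion worked through in posts 14 to 19 all come down to one policy: block a short list of abusable system binaries outright, then let a narrow exclusion (process path, exact command line, parent path, parent signer) reopen one specific launch path. The Python below is an added example written for this page to make that policy concrete; it is not OSArmor's code and says nothing about how OSArmor matches rules internally. It assumes exact, case-insensitive comparison of each field in the exclusion string, treats a field the rule does not name as a wildcard, and runs over constructed process-creation events, not real telemetry. The point it demonstrates is the one shadek raised in post 16: because the command line is part of the match, Explorer starting a bare cmd.exe is excluded, while the same parent starting `cmd.exe /c net user ... /add` is still blocked.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Binaries the thread proposes blocking outright: cmd.exe plus the post-6 list.
BLOCKED_BINARIES = {"cmd.exe", "sc.exe", "net.exe", "net1.exe", "wmic.exe",
                    "netsh.exe", "bitsadmin.exe", "reg.exe"}

# The exclusion string exactly as posted in the thread.
EXCLUSIONS = [
    "[%PROCESS%: C:\\Windows\\System32\\cmd.exe] "
    "[%PROCESSCMDLINE%: \"C:\\WINDOWS\\system32\\cmd.exe\"] "
    "[%PARENTPROCESS%: C:\\Windows\\explorer.exe] "
    "[%PARENTSIGNER%: Microsoft Windows]",
]

@dataclass(frozen=True)
class ProcessEvent:
    process: str        # full path of the new process
    cmdline: str        # command line exactly as the parent supplied it
    parent: str         # full path of the parent process
    parent_signer: str  # Authenticode signer of the parent, "" if unsigned

_FIELD = re.compile(r"\[%(\w+)%:\s*(.*?)\]")
_EVENT_FIELDS = {"PROCESS": "process", "PROCESSCMDLINE": "cmdline",
                 "PARENTPROCESS": "parent", "PARENTSIGNER": "parent_signer"}
_NET_NAMES = {"net", "net.exe", "net1", "net1.exe"}

def parse_exclusion(rule: str) -> dict:
    """Split '[%NAME%: value] [%NAME%: value] ...' into {NAME: value}."""
    return {name.upper(): value for name, value in _FIELD.findall(rule)}

def matches_exclusion(event: ProcessEvent, rule: str) -> bool:
    """Every field the rule names must equal the event's field, case-insensitively
    (Windows paths are). A field the rule omits is a wildcard (model assumption)."""
    return all(getattr(event, _EVENT_FIELDS[name]).casefold() == value.casefold()
               for name, value in parse_exclusion(rule).items() if name in _EVENT_FIELDS)

def decide(event: ProcessEvent, exclusions=EXCLUSIONS) -> str:
    """'allow' (not on the block list), 'excluded' (blocked binary rescued by a
    fully matching exclusion) or 'block'."""
    if PureWindowsPath(event.process).name.casefold() not in BLOCKED_BINARIES:
        return "allow"
    if any(matches_exclusion(event, rule) for rule in exclusions):
        return "excluded"
    return "block"

def classify_net(cmdline: str) -> Optional[str]:
    """Label the net.exe invocations shown in the thread, wherever they sit in the
    command line (e.g. behind 'cmd.exe /c'); None for anything else."""
    t = [tok.strip('"').casefold() for tok in cmdline.split()]
    starts = [i for i, tok in enumerate(t) if PureWindowsPath(tok).name in _NET_NAMES]
    if not starts:
        return None
    t = t[starts[0]:]
    if len(t) >= 3 and t[1] == "user":
        if "/add" in t[3:]:
            return "creates a local account"
        if "/delete" in t[3:]:
            return "deletes a local account"
        if t[-1] == "*":
            return "sets an account password interactively"
    if len(t) >= 5 and t[1] == "localgroup" and t[2] == "administrators" and "/add" in t[4:]:
        return "adds an account to local Administrators"
    return None

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Explorer starting a bare cmd.exe: what the exclusion is meant to allow
    ProcessEvent(r"C:\Windows\System32\cmd.exe", '"C:\\WINDOWS\\system32\\cmd.exe"',
                 r"C:\Windows\explorer.exe", "Microsoft Windows"),
    # same parent, but with a command line: the exclusion no longer matches
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 '"C:\\Windows\\System32\\cmd.exe" /c net user backdoor Passw0rd /add',
                 r"C:\Windows\explorer.exe", "Microsoft Windows"),
    # bare cmd.exe from an Office parent: wrong parent, still blocked
    ProcessEvent(r"C:\Windows\System32\cmd.exe", '"C:\\Windows\\System32\\cmd.exe"',
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "Microsoft Corporation"),
    # the post-8 privilege-escalation command, run through net.exe directly
    ProcessEvent(r"C:\Windows\System32\net.exe", "net localgroup administrators backdoor /add",
                 r"C:\Windows\System32\cmd.exe", "Microsoft Windows"),
    # a binary that is not on the block list
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe",
                 r"C:\Windows\explorer.exe", "Microsoft Windows"),
]

def evaluate(events=SAMPLE_EVENTS):
    """(verdict, net.exe label) for each event."""
    return [(decide(e), classify_net(e.cmdline)) for e in events]

if __name__ == "__main__":
    for e, (verdict, note) in zip(SAMPLE_EVENTS, evaluate()):
        tail = f"  [{note}]" if note else ""
        print(f"{verdict:8} {PureWindowsPath(e.parent).name} -> {e.cmdline}{tail}")
```

    Running it prints one verdict per event: the first cmd.exe launch is excluded, the next three are blocked, notepad.exe is allowed, and the two net.exe command lines get the post-8 labels. The model deliberately has no wildcard matching inside a field; an exclusion that matched only on process path, or that left out %PROCESSCMDLINE%, would reopen cmd.exe for any command line from that parent, which is exactly what the thread's four-field exclusion avoids.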
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,373
    Location:
    Under a bushel ...
    Hmm. Just encountered a problem too installing test40 - installed but was disabled, with no ability to change it.

    Disabled EAM, installed successfully and I was able to set it to Passive Logging mode.
     
    Last edited: Mar 9, 2018
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    With EAM disabled you should be able to do a full install
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andreas

    After discovering the reset had me start over, I set up a really tight configuration and a couple of excludes handled everything; this is one powerful piece of software.
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,084
    Location:
    Italy
    "The time comes when you have to choose between what is easy and what is right."

    (Harry Potter) ;)
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,373
    Location:
    Under a bushel ...
    :thumb: Indeed, I have edited my post.
     
  25. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,797
    After a few days of running the latest build, same problem. Protection is disabled. Any way to fix this? What info do you need from me? I ended up just uninstalling it for now.
     