NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,378
    Location:
    U.S.A. (South)
    Good catch.

    That one is in my own rules from ERP 3 in Vulnerable Process List.

    Nice additions and OSA is running swell on this side too.
     
  2. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    390
    Location:
    united kingdom
    Have you tested this? The very first post of this thread states:

    ...This security application analyzes parent processes and prevents, for example, MS Word from running cmd.exe or powershell.exe, it prevents ransomware from deleting shadow copies of files via vssadmin.exe, it blocks processes with double file extensions...
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,318
    Location:
    .
    good for u.
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,562
    Location:
    Italy
    :thumb::);)
     
  5. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,562
    Location:
    Italy
    The generic vssadmin command is executable:

    [attachment: 13.JPG]

    It is necessary to know if the developer has inserted a (hidden) specific rule.
     
    Last edited: Mar 15, 2018
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,995
    Try to delete shadow copies with vssadmin.exe.
    OS Armor should prevent it ("it prevents ransomware from deleting shadow copies of files via vssadmin.exe")
     
  7. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,562
    Location:
    Italy
    It is not necessary because there is no specific rule (VSSADMIN) in the list of rules.
    The only rule I find monitored is wbadmin.exe
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,378
    Location:
    U.S.A. (South)
    Tested and just Confirmed on this end.

    [attachment: yy.jpg]
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,734
    Location:
    U.S.A.
    The commands used by ransomware to delete shadow volume copies are:

    C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet

    -or-

    C:\Windows\SysWOW64\vssadmin.exe Delete Shadows /All /Quiet
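    The two vssadmin command lines above, plus the parent-process and double-extension behaviours quoted from the first post ("prevents MS Word from running cmd.exe or powershell.exe ... blocks processes with double file extensions"), as a small process-launch rule engine. This is an added illustration, not OSArmor's code: the only rule name taken from the thread is BlockDeletionOfShadowCopies (from the developer's post further down); the other rule names, the parent/child process sets and the sample events are assumptions constructed for the example. Note that it lets "vssadmin list shadows" through, which is the point raised earlier in the thread: a generic vssadmin invocation is not what the rule has to catch, the "Delete Shadows" verb pair is.

```python
"""Toy process-launch policy in the spirit of the OSArmor rules this thread
discusses.  Added example only: it is not OSArmor's code, and every rule name
except BlockDeletionOfShadowCopies (quoted from the developer's post) is a
hypothetical label chosen for this illustration."""
import re
from dataclasses import dataclass
from typing import Optional

# Parent/child pairs that have no business happening on a normal desktop (assumed set).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Final extensions that make "invoice.pdf.exe"-style names suspicious (assumed set).
EXECUTABLE_EXTS = ("exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs")
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{1,4}\.(?:%s)$" % "|".join(EXECUTABLE_EXTS))


@dataclass
class Launch:
    """One process-creation event: who asked, what was started, with what arguments."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Last path component, lower-cased, so System32 and SysWOW64 copies match alike."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower().strip('"')


def tokens(command_line: str) -> list:
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', command_line)]


def evaluate(ev: Launch) -> Optional[str]:
    """Return the name of the first rule that blocks this launch, or None to allow it."""
    parent, child, args = basename(ev.parent_image), basename(ev.image), tokens(ev.command_line)
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        return "BlockOfficeSpawningShell"  # hypothetical name
    # vssadmin itself stays usable ("vssadmin list shadows" is allowed); only the
    # "Delete Shadows" verb pair is blocked, whatever switches (/All /Quiet) follow.
    if child == "vssadmin.exe" and "delete" in args and "shadows" in args:
        return "BlockDeletionOfShadowCopies"
    # wbadmin "delete catalog" is the companion backup-wiping command; assumed here,
    # the thread only says wbadmin.exe is monitored.
    if child == "wbadmin.exe" and "delete" in args and "catalog" in args:
        return "BlockDeletionOfShadowCopies"
    if DOUBLE_EXT_RE.search(child):
        return "BlockDoubleFileExtension"  # hypothetical name
    return None


# Constructed sample events (not real telemetry): one per behaviour, plus two benign ones.
SAMPLE_EVENTS = [
    Launch(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
           r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -enc AAAA"),
    Launch(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Launch(r"C:\Users\bob\AppData\Local\Temp\x.exe", r"C:\Windows\System32\vssadmin.exe",
           r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"),
    Launch(r"C:\Users\bob\AppData\Local\Temp\x.exe", r"C:\Windows\SysWOW64\vssadmin.exe",
           r"C:\Windows\SysWOW64\vssadmin.exe Delete Shadows /All /Quiet"),
    Launch(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
           "vssadmin list shadows"),
    Launch(r"C:\Windows\explorer.exe", r"C:\Users\bob\Downloads\invoice.pdf.exe",
           r'"C:\Users\bob\Downloads\invoice.pdf.exe"'),
]


def audit(events=SAMPLE_EVENTS) -> list:
    """Run every event through the policy; returns (image name, rule or None) pairs."""
    return [(basename(e.image), evaluate(e)) for e in events]


if __name__ == "__main__":
    for name, verdict in audit():
        print(f"{name:18} {'BLOCK ' + verdict if verdict else 'allow'}")
```

    The matching deliberately keys on the basename and on the argument verbs rather than on the full path, which is why both the System32 and SysWOW64 copies listed above land on the same rule; a policy that only matched the System32 path would miss a 32-bit dropper on a 64-bit host.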
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,378
    Location:
    U.S.A. (South)
    :thumb:

    You beat me to posting that, itman. OSA has got the goods and the drop on a ton of sets.
     
  11. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,190
    Location:
    Mass., USA
    If I may ask: What Rule Name (in log file) blocked the vssadmin.exe?
     
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,028
    Location:
    Italy
    Here it is (enabled by default in Main Protections tab):

    [attachment: vssadmin.png]

    Rule: BlockDeletionOfShadowCopies
    Rule Name: Block system processes from deleting shadow copies
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,378
    Location:
    U.S.A. (South)
    Whew. Is there any sets that haven't been covered yet?

    Frankly, like most of you I'm blown away with all the defensive measures implemented in this latest OSA build, and the resource usage is virtually non-existent. It's running in tandem with the last build of ERP 4, another build of which is due anytime, I expect.

    Still trying to dig up any issues that could be considered a bug but nothing yet. Then again there's a long list of settings and testing them one by one is quite a chore.

    Compatibility with other security apps is picture perfect too. No friction detected whatsoever. Amazing.
     
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,562
    Location:
    Italy
    Dism.exe

    https://research.checkpoint.com/beware-bashware-new-method-malware-bypass-security-solutions/

     
    Last edited: Mar 16, 2018
  16. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    603
    Location:
    The Netherlands
    NoVirusThanks OSArmor test42 prevents Outlook 2016 from opening when I have G Data Antivirus installed.
    I don't see anything in the logs but Outlook doesn't start with both enabled.
    Edit: excluded OSArmorDevUI.exe, OSArmorDevSvc.exe and OSArmorDevCfg.exe from being guarded by G Data antivirus and now Outlook opens like before.
    Edit2: Second time it doesn't work anymore :(
     
    Last edited: Mar 16, 2018
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,028
    Location:
    Italy
    @Sampei Nihira

    I'll take a look at that Bashware; probably we can just block bash.exe and other related processes.

    Will also add an option on SysHardener to "Disable Windows Subsystem for Linux".

    @EASTER

    Thanks for the good feedback :thumb::D

    We tried to include all needed rules to add a good additional layer of defense.

    I think we miss a very few rules and then it should be quite complete.

    The next build will improve protection against UAC bypasses (I'll post a video soon).

    @Gandalf_The_Grey

    That looks strange, if nothing is blocked by OSA it should not be the cause.

    I see you already excluded/allowed OSA's processes in G Data AV, that is good.

    Do you have the W10 OS up-to-date? I read on a forum that Outlook 2016 had an issue with a not-up-to-date W10 OS.

    Anyway will take a look at it asap.
     
  18. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    603
    Location:
    The Netherlands
    Windows 10 is up to date version 1709 build 16299.309
    I saw that G Data is the only one flagging build 42 on VirusTotal: ~ Removed VirusTotal Results as per Policy ~
    Did a full scan on my computer and submitted the file osarmor_setup_1.4_test42.exe to G Data as false positive. Have no response back yet...
    Reinstalled OSArmor and this time excluded all 5 exes in C:\Program Files\NoVirusThanks\OSArmorDevSvc from G Data.
    No problems anymore with opening Outlook 2016 :thumb:
     
    Last edited by a moderator: Mar 17, 2018
  19. fatex

    fatex Registered Member

    Joined:
    Apr 15, 2008
    Posts:
    5
    Is there a way to reset the statistics?
     
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,318
    Location:
    .
    Exit GUI
     
  21. fatex

    fatex Registered Member

    Joined:
    Apr 15, 2008
    Posts:
    5
    Thanks!
     
  22. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,101
    Location:
    South Texas, USA
    Everything is working fine so far; the only things I had to disable were the following, because they would not let my VPN connect normally.
     

    Attached Files: [not preserved]

  23. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Just out of curiosity, as I use a VPN myself. Is your VPN-connection using OpenVPN?
     
  24. rollers

    rollers Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    473
    Weird, it seems to have stopped working for me; I have uninstalled, rebooted and installed the latest version. Now I can rename any file and it does not block it, even though the program is active.
    Any other suggestions?
     
  25. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,101
    Location:
    South Texas, USA
    Yes and there is an OpenVPN.exe running also.
     