NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,453
    The issue with protection disabling when switching between user accounts seems to be fixed. So far, so good.
     
  2. rollers

    rollers Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    482
    Try as I may, I could not get it to work again, so have taken the drastic step of format and reinstall. I like the program a lot, but if I can't get it to work it won't be much use to me. Fingers crossed all will be well after reload.
     
  3. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,777
    Location:
    Italy
    @ to All

    Has anyone enabled the rule indicated by the arrow?


    [screenshot: 98.jpg]


    FP?


    https://www.bleepingcomputer.com/news/security/windows-control-panel-links-abused-in-cyber-espionage-campaign/

    https://www.contextis.com/blog/applocker-bypass-via-registry-key-manipulation

    I enabled the rule today.
     
  4. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,588
    Location:
    .
    Yes, all rules checked.
     
  5. rollers

    rollers Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    482
    Ok, I have formatted and reinstalled Windows, updated it and then installed OSArmor on the clean install. It says it is running and working. I have renamed a pdf file to pdf.exe to test it... not a peep, the file opens. I am at a loss, why is this not working? Can anyone help please? Windows 10 64 bit
     
    Last edited: Mar 18, 2018
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,453
    Try like this:
    FILENAME.pdf.exe
    If you rename an exe file like this, it will be blocked.
    If the final ending of the file is .pdf, then it will try to open as a pdf file, which is not malicious. The malicious behavior is a file that looks like a PDF and smells like a PDF, but opens as EXE.
     
  7. rollers

    rollers Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    482
    Yes, that's exactly what I did, not a peep out of OsArmor :(
    It sure has me confused; it used to work fine on older versions. I have just spent a few hours formatting Windows and reinstalling as that solves most problems... not this one, it seems.

    The double extension blocking is definitely not working for me, however I checked the box to prevent files from running in the documents folder, copied a normal executable there, and hey presto that worked. It seems that is working but not double extensions. I am using 1.4 test 42 if anyone is able to replicate?
     
    Last edited: Mar 18, 2018
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,453
    Yeah, if it fails that test, something is wrong.
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,588
    Location:
    .
    Date/Time: 3/18/2018 11:18:35 AM
    Process: [12404]C:\Users\bjms\Downloads\advisorinstaller.pdf.exe
    Parent: [5508]C:\Windows\explorer.exe
    Rule: BlockDoubleExt
    Rule Name: Block processes with known fake extensions (i.e .pdf.exe)
    Command Line: "C:\Users\bjms\Downloads\advisorinstaller.pdf.exe"
    Signer: Belarc, Inc.
    Parent Signer: Microsoft Windows
     
    Last edited: Mar 18, 2018
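For anyone wanting to see what a rule like BlockDoubleExt actually has to decide, here is an added Python example written for this thread. It is not OSArmor's code and the two extension sets in it are assumptions (OSArmor's real list is not published here). It reproduces the behaviour shmu26 describes, where a name ending in .pdf is left alone and one ending in .pdf.exe is flagged, and goes one step beyond the thread by also catching the right-to-left-override trick, which disguises an .exe the same way:

```python
# Added example written for this thread, not OSArmor's own code: the decision a
# "known fake extension" rule such as BlockDoubleExt has to make for a process path.
# The two extension sets below are assumptions; OSArmor's real list is not published here.

# Extensions a user expects to open in a viewer rather than run as a program.
DOC_EXTS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "csv",
    "jpg", "jpeg", "png", "gif", "bmp", "mp3", "mp4", "avi", "zip", "rar",
}
# Extensions Windows hands to a program loader or a script host.
EXEC_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "ps1", "msi", "hta", "cpl",
}
# RIGHT-TO-LEFT OVERRIDE: "invoice\u202efdp.exe" is displayed as "invoiceexe.pdf"
# but is still an .exe to the loader, so it belongs with the same rule.
RLO = "\u202e"


def fake_extension(path: str):
    """Return a reason if `path` looks like a disguised executable, else None.

    Looks at the final path component only, case-insensitively, after dropping
    the trailing dots/spaces that Win32 strips when a file is created.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
    if RLO in name:
        return "right-to-left override (U+202E) in file name"
    parts = name.lower().split(".")
    if len(parts) < 3:          # need <base>.<doc ext>.<exec ext>
        return None
    doc_ext, exec_ext = parts[-2], parts[-1]
    if exec_ext in EXEC_EXTS and doc_ext in DOC_EXTS:
        return f".{doc_ext} followed by executable extension .{exec_ext}"
    return None


if __name__ == "__main__":
    # Names taken from the test results posted in this thread plus a few controls.
    for sample in (
        r"C:\Users\bjms\Downloads\advisorinstaller.pdf.exe",
        r"C:\Users\ME\Desktop\Bildverkleinerer 1-7b.pdf.exe",
        r"C:\Users\me\Documents\report.pdf",       # ends in .pdf: opened by a reader, not executed
        r"C:\Users\me\Downloads\setup.exe",        # plain executable, not this rule's business
        "invoice\u202efdp.exe",                    # shows as "invoiceexe.pdf" in Explorer
    ):
        print(f"{sample!r:60} -> {fake_extension(sample) or 'allowed'}")
```

Note that the check is on the name the loader sees, not on what Explorer displays, which is exactly why a renamed .pdf that still ends in .pdf never reaches it: nothing executes, so there is nothing for a process-execution rule to block.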
  10. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,453
    I also tested it, and it blocks for me, too.

    Date/Time: 3/18/2018 5:04:51 PM
    Process: [3524]C:\Users\Shmu26\Desktop\TogglDesktopInstaller-7.4.122.pdf.exe
    Parent: [7840]C:\Windows\explorer.exe
    Rule: BlockDoubleExt
    Rule Name: Block processes with known fake extensions (i.e .pdf.exe)
    Command Line: "C:\Users\Shmu26\Desktop\TogglDesktopInstaller-7.4.122.pdf.exe"
    Signer: Toggl OÜ
    Parent Signer: Microsoft Windows
     
  11. rollers

    rollers Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    482
    Which version are you using? I am on 42, wondering if I should try an earlier version?
     
  12. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,248
    I also tried it, and it seems to work well with the latest test build 42.

    Date/Time: 18.03.2018 16:21:55
    Process: [944]C:\Users\ME\Desktop\Bildverkleinerer 1-7b.pdf.exe
    Parent: [4648]C:\Windows\explorer.exe
    Rule: BlockDoubleExt
    Rule Name: Block processes with known fake extensions (i.e .pdf.exe)
    Command Line: "C:\Users\ME\Desktop\Bildverkleinerer 1-7b.pdf.exe"
    Signer:
    Parent Signer: Microsoft Windows
     
  13. rollers

    rollers Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    482
    Thanks. I have tried version 39 and then went back to plain old 1.3. Doesn't work on either of them. Seems the program has a hissy fit with something on my computer, not sure what though as it's a fresh install. Uninstalled for now unless the developer can come up with something. Shame as I really like the program and what it should do.
     
  14. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,248
    You should get in touch with Andreas. I also had some issues with OSA, but he managed to find a solution to this problem. I'm sure he will be able to find a solution for you, too.
     
  15. rollers

    rollers Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    482
    Thanks, does he have an email?
     
  16. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,248
    Just send him a personal message via Wilders. He visits this forum almost every day.
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    Here is a new v1.4 (pre-release) test43:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test43.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved detection of system processes
    + Improved detection of suspicious processes
    + Block known UAC-bypass attempts
    + Block new and unknown UAC-bypass attempts (experimental)
    + Block known system processes used for UAC-bypass
    + Block ALL "autoelevate" system processes
    + Merged "Block execution of sdctl.exe\sysprep.exe\etc" with "Block known system processes used for UAC-bypass"
    + Block execution of Logoff.exe
    + Block execution of Vssadmin.exe
    + Block execution of Makecab.exe
    + Block execution of LxRun.exe
    + Block execution of Bash.exe
    + Block execution of Sdbinst.exe
    + Minor fixes and optimizations
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    Since the issue "protection disabled at startup" seems fixed, we may officially release OSA v1.4 with the next build.

    With this build 43 there is a new section dedicated to UAC-bypass mitigations:

    [screenshot: osa43.png]

    "Block known UAC-bypass attempts"

    This option should not generate FPs (even if I added the orange icon).

    It should block known (public) UAC-bypass attempts.

    The other 3 options, may generate FPs:

    "Block new and unknown UAC-bypass attempts (experimental)"

    This experimental option should mitigate new and unknown UAC-bypass attempts that exploit system processes to elevate the malware payload. In my tests it performed well with very low FPs (on the work-PC, with just a few programs installed).

    "Block known system processes used for UAC-bypass"

    This option blocks the execution of known system processes used to bypass UAC, for example slui.exe, sdctl.exe, fodhelper.exe, wusa.exe, mmc.exe, dccw.exe, BitlockerWizardElev.exe, and some more. By preventing their execution we mitigate entirely the UAC bypass attempt, but in exchange we may get a few alerts (FPs) when they are legitimately executed by the OS.

    "Block ALL "autoelevate" system processes"

    This option blocks ALL autoelevate system processes and may be particularly useful for companies or offices to mitigate new and unknown UAC bypass attempts that exploit "autoelevate" system processes (generally used in targeted attacks against companies). This option may generate alerts (FPs) depending on the PC usage, i.e. if the office PC is used to print\edit documents, read emails, open the web browser, open a few programs and such (doing the same routine every day), you may even get no alerts.

    It would be nice if some of you could test these new options (mainly the first two) and share here if you get FPs.

    Please also include the blocked event so I can fix it if needed.

    @rollers

    I received your PM.

    @Sampei Nihira

    With that option (block .cpl applets) you should have no FPs.

    You may get alerts if you run Control Panel applets via the command-line or if rundll32.exe runs them via:

    "rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl"

    https://support.microsoft.com/it-it/help/192806/how-to-run-control-panel-tools-by-typing-a-command

    For the case of rundll32.exe, you can write exclusions or share them so I can see if I can fix them.
     
    Last edited: Mar 18, 2018
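The "autoelevate" property the new options refer to is not a list OSArmor makes up: it is declared by each binary itself, in the application manifest embedded in its RT_MANIFEST resource, as `<autoElevate>true</autoElevate>` next to the `requestedExecutionLevel`. As an added example (written for this thread, not OSArmor's code), the Python below pulls that manifest out of a file's raw bytes and reports both values, so you can enumerate on your own machine what "Block ALL autoelevate system processes" will cover. The manifest bytes in it are constructed for the test, shaped like the ones shipped in autoelevating System32 binaries, not extracted from a real file:

```python
# Added example written for this thread, not OSArmor's code. Whether a Windows
# binary is "autoelevate" is declared in the application manifest embedded in its
# RT_MANIFEST resource; this locates that manifest in the raw file bytes and
# reports the autoElevate flag and the requestedExecutionLevel.
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# The manifest is stored as plain XML inside the PE, so a byte search is enough
# to pull it out without a PE parser (assumption: one manifest per file).
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.S)


def manifest_info(data: bytes):
    """Return (autoelevate, level) from the first embedded manifest in `data`,
    or None if the bytes contain no manifest. `level` is the
    requestedExecutionLevel attribute or None if absent."""
    m = MANIFEST_RE.search(data)
    if m is None:
        return None
    root = ET.fromstring(m.group(0))
    autoelevate, level = False, None
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]      # drop the "{namespace}" prefix
        if tag == "autoElevate":
            autoelevate = (el.text or "").strip().lower() == "true"
        elif tag == "requestedExecutionLevel":
            level = el.get("level")
    return autoelevate, level


def scan_autoelevate(directory: str, pattern: str = "*.exe"):
    """Yield (path, level) for every binary under `directory` whose manifest
    declares autoElevate=true. Unreadable or malformed files are skipped."""
    for p in Path(directory).glob(pattern):
        try:
            info = manifest_info(p.read_bytes())
        except (OSError, ET.ParseError):
            continue
        if info and info[0]:
            yield str(p), info[1]


# Constructed sample: stub PE bytes around a manifest shaped like the ones shipped
# in autoelevating System32 binaries. Not extracted from any real file.
SAMPLE_AUTOELEVATE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    + b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
    + b'<requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>'
    + b'</requestedPrivileges></security></trustInfo>'
    + b'<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">'
    + b'<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">'
    + b'<autoElevate>true</autoElevate></asmv3:windowsSettings></asmv3:application>'
    + b'</assembly>' + b"\x00" * 16
)
# Same manifest with the flag off: asks for admin but must show the UAC prompt.
SAMPLE_ORDINARY = SAMPLE_AUTOELEVATE.replace(b"<autoElevate>true", b"<autoElevate>false")


if __name__ == "__main__":
    print("constructed autoelevate sample:", manifest_info(SAMPLE_AUTOELEVATE))
    print("constructed ordinary sample:   ", manifest_info(SAMPLE_ORDINARY))
    # On a Windows host this lists what the "Block ALL autoelevate" option targets:
    # for path, level in scan_autoelevate(r"C:\Windows\System32"):
    #     print(path, level)
```

Two caveats when reading the output. Windows only honours autoElevate for Microsoft-signed binaries located in secure directories such as System32, so a manifest alone does not let an arbitrary program elevate silently; that is also why the set this option blocks is bounded and can be enumerated. And a binary with `requireAdministrator` but no autoElevate still shows the consent prompt, which is the behaviour the bypasses are built to avoid. Sysinternals `sigcheck -m` dumps the same manifest if you want to cross-check a single file.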
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,153
    Location:
    Among the gum trees
    Test 42

    Win10 x64 1709

    I just booted this machine and even before the desktop loaded properly I got this:
    Code:
    Date/Time: 19/03/2018 12:40:05 PM
    Process: [4044]C:\Windows\System32\attrib.exe
    Parent: [5368]C:\Windows\System32\cmd.exe
    Rule: PreventAttribExeToSetHorSAttributes
    Rule Name: Prevent attrib.exe from setting +h or +s attributes
    Command Line: attrib  +R +H +S +A *.cui
    Signer:
    Parent Signer: 
    It doesn't look to me as though there is much to go on but I thought I should mention it anyway.

    Installing Test 43 now.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,737
    Location:
    U.S.A. (South)
    Some developers are just never satisfied with only the average. :argh:

    I came in here a long time ago to practice and sharpen skills in PC Security.

    Would love to tear this baby apart but it's well too far along to even consider such a thing.

    What a rare and tight piece of excellent work! Hah, and it's still a discovery work in progress.

    On Topic, Test 43 is picture perfect so far but if anything raises a concern.......

    Thank You andreas for the UAC-bypass mitigations entry series. My compliments, I know others share as well.
     
  20. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,777
    Location:
    Italy
    Tried five commands and no false positives.
    As soon as I have a minute of time
    :( I will try the other options. ;):):thumb:

    Two tests.
    No FP:


    [screenshot: 98.jpg]

    Commands executed by Standard Account.
    My compliments Andreas.:D

    P.S. I have verified that you have decided to completely block vssadmin.
     
    Last edited: Mar 19, 2018
  21. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,453
    @novirusthanks is it possible to have an option for blocking
    system.management.automation.dll
    in order to prevent advanced powershell exploits
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    34,744
    ...and it gets stronger with each new build :thumb:
    It wasn't blocked.
    I have also launched other .cpl files (via command-line, via file manager, etc.) or have copied them to different places and launched them but still no peep from OS Armor :cautious:
    But there should be some blockings after enabling the option (block .cpl applets), right? (or are certain .cpl files [powercfg.cpl, appwiz.cpl, etc.] already internally whitelisted?)
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,737
    Location:
    U.S.A. (South)
    Confirmed. I also seem to be able to launch applets AFTER SELECTING without an alert at all.
     
  24. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,777
    Location:
    Italy
    @mood
    @EASTER

    I have now read your tests.
    It is suspicious.
    We are waiting for an explanation from the developer.
    :thumb:
     
  25. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    I'm also not getting any blocks/notifications when invoking .cpl files from the command line, run dialog or even third party applications (e.g. Listary)

    Hi @Krusty,

    I have the same entry on my machine.
    Code:
    Date/Time: 19/03/2018 09:13:47
    Process: [2084]C:\Windows\System32\attrib.exe
    Parent: [8432]C:\Windows\System32\cmd.exe
    Rule: PreventAttribExeToSetHorSAttributes
    Rule Name: Prevent attrib.exe from setting +h or +s attributes
    Command Line: attrib  +R +H +S +A *.cui
    Signer:
    Parent Signer: 
    It appears to be from a batch file invoked by the "Intel HD Graphics Control Panel Service" service (igfxCUIService.exe).

    Here is the corresponding entry in the NVT ERP4 log file showing the batch file being started:
    Code:
    Date/Time    : 2018-03-19 09:13:37.870
    Action       : System file
    Expression   : -
    Category     : -
    PID          : 8432
    Process      : C:\Windows\System32\cmd.exe
    SHA1         : 7C3D7281E1151FE4127923F4B4C3CD36438E1A12
    Signer       :
    Command      : C:\Windows\system32\cmd.exe /c "C:\Windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat"
    Parent       : C:\Windows\system32\igfxCUIService.exe
    Parent SHA1  : 97D0CB627FDC9719C2D66E00CAC88E473C1498C6
    Parent Signer: Intel Corporation - pGFX
     
    Last edited: Mar 19, 2018
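askmark's pairing of the OSArmor event with the ERP record is the right way to triage a block like this, so here it is as an added Python example written for this thread (not OSArmor's or ERP's code). It parses both "Key: value" formats exactly as posted above, joins them on the parent PID with a time window (PIDs are reused, so the PID alone is not a safe join), reconstructs the chain igfxCUIService.exe -> cmd.exe -> attrib.exe, and applies a check equivalent to what the rule keys on, attrib setting +H or +S. The two records are copied from askmark's post; the list of timestamp formats is an assumption covering the locale variants seen in this thread:

```python
# Added example written for this thread, not OSArmor's or ERP's code: parse the
# OSArmor "blocked event" block and the ERP log record posted above, join them on
# the parent PID, and reconstruct the chain that ran attrib.exe. Both records are
# copied from askmark's post; the rule check on the attrib command line is ours.
import ntpath
import re
from datetime import datetime, timedelta

OSA_EVENT = r"""
Date/Time: 19/03/2018 09:13:47
Process: [2084]C:\Windows\System32\attrib.exe
Parent: [8432]C:\Windows\System32\cmd.exe
Rule: PreventAttribExeToSetHorSAttributes
Rule Name: Prevent attrib.exe from setting +h or +s attributes
Command Line: attrib  +R +H +S +A *.cui
Signer:
Parent Signer:
"""

ERP_LOG = r"""
Date/Time    : 2018-03-19 09:13:37.870
Action       : System file
Expression   : -
Category     : -
PID          : 8432
Process      : C:\Windows\System32\cmd.exe
SHA1         : 7C3D7281E1151FE4127923F4B4C3CD36438E1A12
Signer       :
Command      : C:\Windows\system32\cmd.exe /c "C:\Windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat"
Parent       : C:\Windows\system32\igfxCUIService.exe
Parent SHA1  : 97D0CB627FDC9719C2D66E00CAC88E473C1498C6
Parent Signer: Intel Corporation - pGFX
"""

# OSArmor prints the time in the machine's locale; these cover the variants seen
# in this thread (assumption). ERP uses one fixed ISO-style format.
OSA_TIME_FORMATS = ("%d/%m/%Y %I:%M:%S %p", "%d/%m/%Y %H:%M:%S", "%m/%d/%Y %I:%M:%S %p")
ERP_TIME_FORMATS = ("%Y-%m-%d %H:%M:%S.%f",)
PID_PATH = re.compile(r"^\[(\d+)\](.*)$")
# A standalone "+H" or "+S" switch, case-insensitive, as in "attrib  +R +H +S +A *.cui".
ATTRIB_HIDE = re.compile(r"(?<!\S)\+[hs](?!\S)", re.I)


def parse_block(text):
    """'Key: value' lines (both tools use that shape) into a dict, keys stripped."""
    rec = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            rec[key.strip()] = value.strip()
    return rec


def parse_time(value, formats):
    for fmt in formats:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp {value!r}")


def split_pid(field):
    """'[8432]C:\\Windows\\...' -> (8432, 'C:\\Windows\\...')."""
    m = PID_PATH.match(field)
    return (int(m.group(1)), m.group(2)) if m else (None, field)


def attrib_hides(cmdline):
    """True when an attrib command line sets +H or +S, which is what the rule keys on."""
    return ATTRIB_HIDE.search(cmdline) is not None


def build_chain(osa_text, erp_text, window=timedelta(seconds=30)):
    """Join the ERP record to the OSArmor event via the parent PID and return the
    process chain root-first, or None if the record is not that parent. PIDs are
    reused, so the ERP start must also fall shortly before the block event."""
    osa, erp = parse_block(osa_text), parse_block(erp_text)
    parent_pid, _ = split_pid(osa["Parent"])
    _, blocked_path = split_pid(osa["Process"])
    gap = parse_time(osa["Date/Time"], OSA_TIME_FORMATS) - parse_time(erp["Date/Time"], ERP_TIME_FORMATS)
    if int(erp["PID"]) != parent_pid or not (timedelta(0) <= gap <= window):
        return None
    return [
        {"image": erp["Parent"], "signer": erp["Parent Signer"], "cmdline": ""},
        {"image": erp["Process"], "signer": erp["Signer"], "cmdline": erp["Command"]},
        {"image": blocked_path, "signer": osa["Signer"], "cmdline": osa["Command Line"]},
    ]


def chain_summary(chain):
    return " -> ".join(ntpath.basename(step["image"]) for step in chain)


if __name__ == "__main__":
    chain = build_chain(OSA_EVENT, ERP_LOG)
    print(chain_summary(chain))
    print("root signer:", chain[0]["signer"] or "(unsigned)")
    print("attrib sets +H/+S:", attrib_hides(chain[-1]["cmdline"]))
```

The useful output is the root of the chain and its signer: the batch file was started by a service binary signed by Intel, which is what makes this particular hit look like a driver housekeeping job rather than something to worry about, and it gives you the exact parent path to put in an exclusion instead of loosening the attrib rule globally. The same join works for Krusty's event, whose timestamp is in the 12-hour form the format list also accepts.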