NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,140
    Location:
    Among the gum trees
  2. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
  3. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,234
    Only got one alert for the UAC known bypass setting.

    Date/Time: 3/19/2018 6:31:33 PM
    Process: [5148]C:\Windows\System32\rundll32.exe
    Parent: [12836]C:\Windows\System32\dllhost.exe
    Rule: BlockKnownUACBypassAttempts
    Rule Name: Block known UAC-bypass attempts
    Command Line: "C:\Windows\System32\rundll32.exe" devmgr.dll,DeviceProperties_RunDLL /DeviceId "PCI\VEN_10EC&DEV_D723&SUBSYS_8319103C&REV_00\00E04C000000000000"
    Signer:
    Parent Signer: Microsoft Windows
     
  4. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,248
    This is what I got today. Hm...

    Date/Time: 20.03.2018 22:37:54
    Process: [196]C:\Windows\System32\WinSAT.exe
    Parent: [4332]C:\Windows\System32\rundll32.exe
    Rule: BlockKnownSysProcsUsedForUACBypass
    Rule Name: Block known system processes used for UAC-bypass
    Command Line: "C:\WINDOWS\system32\winsat.exe" disk -wsswap
    Signer:
    Parent Signer:

    Date/Time: 20.03.2018 22:39:03
    Process: [4276]C:\Windows\System32\WinSAT.exe
    Parent: [2408]C:\Windows\System32\rundll32.exe
    Rule: BlockKnownSysProcsUsedForUACBypass
    Rule Name: Block known system processes used for UAC-bypass
    Command Line: "C:\WINDOWS\system32\winsat.exe" disk -wsswap
    Signer:
    Parent Signer:
     
  5. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    2,119
    is osa redundant along with erp and vice versa?if yes, which one should be our first choice?
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,453
    Later on, ERP might make OSA redundant, but right now, it makes sense to use both.
    My first choice would be OSA.
     
  7. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    2,119
    how about osa + erp vs "locked down" cfw?it's not an a vs b,i'm just asking for your opinion.
     
    Last edited: Mar 21, 2018
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,453
    Sorry, but I don't know what is locked down comodo firewall. Do you mean proactive mode with alerts suppressed?
     
  9. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    2,119
    you got that right.
     
  10. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,453
    Comodo Firewall is much easier to just install and use.
    ERP has more of a learning curve, and requires more configuring and answering to alerts.
     
  11. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    2,119
    alrite, thank you.
     
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    Here is a new v1.4 (pre-release) test44:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test44.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Fixed blocking of .cpl applets
    + Block execution of wscript\cscript.exe
    + Improved blocking of vbs\js\vbe\etc scripts
    + Block execution of .cpl applets outside System folder
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @Buddel @Azure Phoenix

    Thanks for reporting that FPs about the new UAC-bypass rules.

    Will think on these days about improving them to reduce FPs.

    @askmark @Krusty

    The reported FPs are fixed, thanks for sharing them.

    @Sampei Nihira

    The .cpl applets are now blocked correctly:

    Code:
    Date/Time: 21/03/2018 17:37:12
    Process: [4972]C:\Windows\System32\rundll32.exe
    Parent: [3788]C:\Windows\System32\control.exe
    Rule: BlockCPLApplets
    Rule Name: Block execution of .cpl applets outside System folder
    Command Line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL C:\1w.cpl
    Signer:
    Parent Signer:
    
    Date/Time: 21/03/2018 17:37:43
    Process: [1424]C:\Windows\System32\rundll32.exe
    Parent: [5944]C:\Windows\System32\cmd.exe
    Rule: BlockCPLApplets
    Rule Name: Block execution of .cpl applets outside System folder
    Command Line: rundll32.exe  shell32.dll,Control_RunDLL C:\1w.cpl
    Signer:
    Parent Signer:
    
    No alerts for these two commands:

    rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl
    control.exe appwiz.cpl

    @shmu26

    Not for now, DLL monitoring is not present.
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,453
    Right, but maybe you can write a rule to block any command line containing
    "system.management.automation.dll"
    Just an idea from an amateur, I don't know if this is possible or practical.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I agree. I've got it blocked in Appguard
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,733
    Location:
    U.S.A. (South)
    Good show ole boy.

    Thanks as always. OSA is growing magnificently! by leaps and bounds.
     
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,773
    Location:
    Italy
    96.jpg

    :thumb:
     
  17. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    170
    Location:
    Wigan
    My limited knowledge means I can only be a passive observer in the development of OSArmor although I have enjoyed reading many of the comments in this forum,at least those which I actually understood. However I can say that this software is becoming increasingly well-behaved and it seems that I am now able to run it reliably under Windows 7 as well as Windows XP with which it has been well-behaved since very early beta releases of OSArmor 1.4. I appreciate having the benefit of the expertise of Andreas and colleagues to develop what seems to be a powerful and effective tool in keeping Windows PCs secure and private.

    I will be restricting my use of settings to those which are enabled by default.
     
  18. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    Well - they do different things, though there is a wee bit of overlap. Many of us here run both. ERP needs more attention than OSA.
    Between the two, there is little that gets past em.

    At this point, they are both in Beta and the author - NoVirusThanks is very active here and eagerly accepts suggestions and input.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,733
    Location:
    U.S.A. (South)
    With ERP 4 seemingly backburner or at the very least different priority to OSA, i been using the always superior ERP 3 (i say that coz it's flawless on my 10/8.1 systems), and could not be more satisfied with the combo in tandem. The resource usage is nill consistently, and while what overlap does raise, serves efficiently enough IMO as a secondary prevent feature in the event of whatever.

    Looking forward to the new ETP 4 version but as is can honestly say i'm gonna miss it once ERP 4 fine tunes for prime time. But as in everything, we learn to adapt and favor improved features and new security.
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,140
    Location:
    Among the gum trees
    Great! Thanks. :thumb:
     
  21. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,453
    Okay, now I realize that it is not as simple as I made it sound. In Excubits MemProtect, I made a rule to block any process from loading *System.Management.Automation*.dll

    Later, I saw in the log that a valid process, mscorsvw.exe, was blocked from loading it:

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe > C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7f06bbe7908fb8d914459155ec6219e7\System.Management.Automation.ni.dll
     
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,773
    Location:
    Italy
    Also the commands:

    ipconfig
    netstat

    show output with dangerous information.
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,773
    Location:
    Italy
    Explained in the article below:

    https://www.wilderssecurity.com/threads/ransomware-and-recent-variants.384890/page-17#post-2746440

    why it is better to enable some rules in the "Advanced" section of OSA.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,733
    Location:
    U.S.A. (South)
    :thumb:
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    Here is a new v1.4 (pre-release) test45:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test45.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved Block suspicious command-lines
    + Show process username/domain and integrity level on the log file of blocked processes
    + Improved Block execution of syskey.exe\cipher.exe
    + Improved Block execution of .vbs\.vbe\.js\.jse\etc scripts
    + Improved Block execution of .hta scripts
    + Improved Block suspicious processes
    + Improved rules related to blocking UAC-bypass behaviors
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.