NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,535
    @novirusthanks,

    Can you add an option to auto enable protection after x time?

    Thanks
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,568
    Hi Andreas

    Another key PowerShell risk is system.management.automation.dll. I block c:\*\System.management.automation.dll*; can you add that to OSArmor?

    pete
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,568
    Oh, and build 45 is running smoothly here.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,378
    Location:
    U.S.A. (South)
    New build running as smoothly as if nothing was added at all.

    Thrilling really how this is in development stages.
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,367
    +1
    As Andreas said before, OSA does not presently monitor DLLs, but I still think a rule could be written to block any argument containing "System.management.automation.dll".
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,568
    Exactly. I don't care about monitoring DLLs per se, but I want that one blocked.
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,192
    Location:
    Among the gum trees
    Any news on this?
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,378
    Location:
    U.S.A. (South)
    Are there any plans for the Manage Exclusions menu and the Exclude Processes box? Maybe add a "Read Data from File" option, similar to the new ERP 4 Edit Expressions, instead of having to fill in those fields manually.

    Just seems that might add another touch of convenience.
     
  9. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I rarely post about "suggestions" provided by members at Wilders... but I cannot hold my breath about this one...

    I second this. Would be quite convenient!
     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,028
    Location:
    Italy
    Here is a new v1.4 (pre-release) test46:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test46.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved Block suspicious processes
    + Improved Block suspicious command-lines
    + Improved Block execution of .hta scripts (2)
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @rdsu

    Added to the todo list.

    @Peter2150 @shmu26

    Rule added.

    @Krusty

    Not yet, will check it asap.

    @EASTER

    Added to the todo list.
     
  11. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,072
    Installed the new build - no problems here. Looks good, Andreas. Thank you! :thumb:
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,378
    Location:
    U.S.A. (South)
    Appreciate today's new release!! Thank You Andreas. :)
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,568
    New build is superb. Thanks Andreas
     
  14. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,717
    Location:
    Gaia
    Just installed my first OSA version. :)
    I apologize if these have already been asked...

    Suggestion 1: Make "An additional layer of Defense" (and maybe "NoVirusThanks") text in main window darker, just like on buttons.
    Suggestion 2: Make a button to Enable/Disable protection in main window too (not only through tray icon).
    Suggestion 3: If protection is temporarily disabled, the duration could be also displayed in main window Protection Status.
    Suggestion 4: "Exit GUI" option in tray icon could be renamed to only "Exit".
    Suggestion 5: Add SRWare Iron to browsers list.
    Suggestion 6: Make an option for users to add custom applications for Anti-Exploit protection.
     
    Last edited: Mar 31, 2018
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,568
    Hi Siketa

    Given we are at build 46 some of these are a bit late in the game. Also given the philosophy behind OSArmor, some of them probably are redundant.
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,028
    Location:
    Italy
    @siketa

    Welcome back =)

    6) and 5) are already in the todo list.

    About 4) it says "Exit GUI" because it just closes the GUI; the service is not touched and will still protect the system even if the GUI is not active (the GUI is only shown to display a notification dialog once a process is blocked and to disable/enable protection).

    Will do 1) on next build.

    Will discuss about 2) and 3) soon (saved in the todo list).
     
  17. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,717
    Location:
    Gaia
    Thank you guys for replies. :)
    It's never too late for improvements and some of them could be introduced in the future. ;)
    I made 2) and 3) because I think lots of people work through the GUI only and they rarely go to the tray icon to make changes. Therefore, it would be more convenient for them if the major options are in the GUI.

    Andreas, are we near 1.4 final?
     
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,321
    Location:
    .
    I use tray Icon.
     
  19. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,717
    Location:
    Gaia
    Good for you but I don't.
    No need to turn this into voting. ;)
    It is up to Andreas to accept or reject suggestions.
    IMHO it is good to cover both sorts of users and let them choose to work the way they want.
     
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,321
    Location:
    .
    I use tray Icon.
     
  21. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,190
    Location:
    Mass., USA
    Ditto.
    (I always delete desktop shortcut.)
     
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,321
    Location:
    .
    > test 46 with all Advanced rules checked
    Date/Time: 3/31/2018 5:05:15 PM
    Process: [3420]C:\Windows\System32\mmc.exe
    Parent: [3272]C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe
    Rule: BlockKnownSysProcsUsedForUACBypass
    Rule Name: Block known system processes used for UAC-bypass
    Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\Services.msc"
    Signer:
    Parent Signer: NoVirusThanks Company Srl
    User/Domain: bjms/BJM-PCW10
    Integrity Level: High

    Date/Time: 3/31/2018 5:10:31 PM
    Process: [9940]C:\Windows\System32\Taskmgr.exe
    Parent: [3272]C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe
    Rule: BlockAllAutoElevateSysProcs
    Rule Name: Block ALL "autoelevate" system processes
    Command Line: "C:\WINDOWS\system32\TaskMgr.exe"
    Signer: Microsoft Windows
    Parent Signer: NoVirusThanks Company Srl
    User/Domain: bjms/BJM-PCW10
    Integrity Level: High
    Code:
    [%PARENTSIGNER%: NoVirusThanks Company Srl]
     
    Last edited: Mar 31, 2018
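The two block notifications pasted above share one pattern: a system process (mmc.exe, Taskmgr.exe) blocked by an autoelevate/UAC-bypass rule, with the parent signed by a vendor the user trusts. Before deciding whether to relax a rule or add an exclusion it helps to parse such notifications and see which rules fire and who the parents are. The following is an added example, not OSArmor code: the record layout follows the log in the post above, the two sample records are reproduced from it, and the exclusion string format `[%PARENTSIGNER%: <name>]` is assumed from the line that post shows under "Code:".

```python
"""Parse OSArmor block notifications into records and flag the ones whose
parent process carries a signer you trust.  Added example, not OSArmor
code: record layout taken from the log posted in the thread; the
'[%PARENTSIGNER%: <name>]' exclusion format is assumed from that post."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the two records from the post, same field layout.
SAMPLE_LOG = r"""Date/Time: 3/31/2018 5:05:15 PM
Process: [3420]C:\Windows\System32\mmc.exe
Parent: [3272]C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe
Rule: BlockKnownSysProcsUsedForUACBypass
Rule Name: Block known system processes used for UAC-bypass
Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\Services.msc"
Signer:
Parent Signer: NoVirusThanks Company Srl
User/Domain: bjms/BJM-PCW10
Integrity Level: High

Date/Time: 3/31/2018 5:10:31 PM
Process: [9940]C:\Windows\System32\Taskmgr.exe
Parent: [3272]C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe
Rule: BlockAllAutoElevateSysProcs
Rule Name: Block ALL "autoelevate" system processes
Command Line: "C:\WINDOWS\system32\TaskMgr.exe"
Signer: Microsoft Windows
Parent Signer: NoVirusThanks Company Srl
User/Domain: bjms/BJM-PCW10
Integrity Level: High
"""

_PID_PATH = re.compile(r"^\[(\d+)\](.*)$")  # '[3420]C:\...\mmc.exe'


@dataclass
class BlockEvent:
    timestamp: str
    pid: int
    process: str
    parent_pid: int
    parent: str
    rule: str
    rule_name: str
    command_line: str
    signer: str          # empty string when OSArmor reported no signer
    parent_signer: str
    user: str
    integrity: str


def _split_pid(value):
    m = _PID_PATH.match(value)
    if not m:
        raise ValueError(f"unexpected process field: {value!r}")
    return int(m.group(1)), m.group(2)


def parse_events(text):
    """Records are separated by blank lines and made of 'Key: Value' lines.
    Only the first ':' splits key from value, so the Date/Time field and
    quoted command lines that contain ':' survive intact."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        pid, process = _split_pid(fields["Process"])
        parent_pid, parent = _split_pid(fields["Parent"])
        events.append(BlockEvent(
            timestamp=fields["Date/Time"], pid=pid, process=process,
            parent_pid=parent_pid, parent=parent, rule=fields["Rule"],
            rule_name=fields["Rule Name"], command_line=fields["Command Line"],
            signer=fields.get("Signer", ""),
            parent_signer=fields.get("Parent Signer", ""),
            user=fields["User/Domain"], integrity=fields["Integrity Level"]))
    return events


def count_by_rule(events):
    """Which rules produce the blocks: the first thing to look at when tuning."""
    return dict(Counter(e.rule for e in events))


def blocks_by_trusted_parent(events, trusted_signers):
    """Blocks whose parent is signed by a vendor you trust: candidates for a
    parent-signer exclusion rather than for disabling the whole rule."""
    trusted = {s.casefold() for s in trusted_signers}
    return [e for e in events if e.parent_signer.casefold() in trusted]


def parent_signer_exclusion(event):
    """Exclusion in the assumed '[%PARENTSIGNER%: <name>]' form, or None when
    the parent is unsigned (never build an exclusion from an empty signer)."""
    return f"[%PARENTSIGNER%: {event.parent_signer}]" if event.parent_signer else None


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(count_by_rule(events))
    for e in blocks_by_trusted_parent(events, ["NoVirusThanks Company Srl"]):
        print(e.rule, e.process, "->", parent_signer_exclusion(e))
```

A parent-signer exclusion is broad: it would let any process signed by that vendor launch autoelevating system binaries, not just EXERadar.exe. If the tool allows it, combine the signer with the parent path so the exclusion covers only the launcher you actually use.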
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,562
    Location:
    Italy
    @novirusthanks
    @ To All

    Hi.
    I also included MicrosoftEdgeCP.exe in the WDEG List.

    "Do not Allow Child Processes" - Enabled

    It is also possible to enable the protection above.
    Can this overlap with OSA Exploit Protection for this?

    I think not.
     
    Last edited: Apr 1, 2018
  24. plat1098

    plat1098 Guest

    Test45. Adding the Winstep .exe to Exclusions via the OSArmor block notification did not work; it blocked the update process again, so the above rule was disabled. Seeing as Winstep is regularly updated, is there another way to exclude it? The rule for blocking unsigned processes in the temp folder was not enabled.

    [Attachments: osalogsnip.PNG, winstep error.PNG]
     
    Last edited by a moderator: Apr 1, 2018
  25. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    21,084
    I don't know exactly what OSArmor has added to the exclusions, but I guess it has added the whole command line.
    But parts of the command line might change with each update, especially the numbers (/SPAWNWD= $XXXX and /NOTIFYWD=$XXXX).
    Edit the exclusion and replace the numbers with a "*".
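Two requests in this thread come down to wildcard matching on a command line: the earlier suggestion to block any argument containing System.management.automation.dll (posted for ERP as the path rule c:\*\System.management.automation.dll*), and the advice just above to replace the volatile /SPAWNWD=$... and /NOTIFYWD=$... values in a recorded exclusion with "*". The following is an added example, not OSArmor's matcher: it models both cases with the same case-insensitive wildcard logic and shows why the exact recorded command line stops matching after the next update. The Winstep updater path, the sample command lines, the abbreviated DLL path, the rule names and the exclusions-before-rules evaluation order are all assumptions for the example.

```python
"""Command-line block rules and exclusions as case-insensitive wildcard
patterns.  Added example, not OSArmor's matcher.  Models two cases from the
thread: blocking anything that references System.Management.Automation.dll
(by path, as posted for ERP, and by argument), and a Winstep exclusion whose
/SPAWNWD=$... and /NOTIFYWD=$... values change on every update.  Paths,
command lines, rule names and the evaluation order are constructed."""
import fnmatch
import re


def matches(pattern, text):
    """'*' spans any characters including '\\', '?' matches one character;
    both sides are case-folded so c:\\* also covers C:\\WINDOWS.  Square
    brackets would be read as character classes; these patterns use none."""
    return fnmatch.fnmatchcase(text.casefold(), pattern.casefold())


# Hex-looking values after /SPAWNWD=$ and /NOTIFYWD=$ ('$' is the Delphi hex
# prefix); a space after '=' is tolerated because the post quotes it that way.
_VOLATILE = re.compile(r"(/(?:SPAWNWD|NOTIFYWD)=\s*\$)[0-9A-Fa-f]+", re.IGNORECASE)


def generalize_exclusion(recorded_command_line):
    """Turn the exact command line from a block notification into an exclusion
    that survives the next update by replacing the per-launch values with '*'
    (the fix suggested in the post above)."""
    return _VOLATILE.sub(r"\1*", recorded_command_line)


# (scope, pattern): the path form is the one posted for ERP; the argument form
# is the variant proposed for OSArmor, which does not monitor DLL loads.
BLOCK_RULES = {
    "BlockPSAutomationDllPath": ("path", r"c:\*\System.Management.Automation.dll*"),
    "BlockPSAutomationDllArg": ("cmdline", r"*System.Management.Automation.dll*"),
}


def is_excluded(command_line, exclusions):
    return any(matches(exc, command_line) for exc in exclusions)


def decide(image_path, command_line, exclusions, rules=BLOCK_RULES):
    """Assumed order: exclusions first, then block rules, first match wins.
    Returns ('allow', exclusion), ('block', rule) or ('allow', None)."""
    for exc in exclusions:
        if matches(exc, command_line):
            return ("allow", exc)
    for name, (scope, pattern) in rules.items():
        subject = image_path if scope == "path" else command_line
        if matches(pattern, subject):
            return ("block", name)
    return ("allow", None)


# Constructed samples (hypothetical paths and values).
WINSTEP_EXE = r"C:\Program Files\Winstep\Updater.exe"
WINSTEP_RECORDED = f'"{WINSTEP_EXE}" /SPAWNWD=$3A1C /NOTIFYWD=$5F02'
WINSTEP_NEXT_UPDATE = f'"{WINSTEP_EXE}" /SPAWNWD=$0B77 /NOTIFYWD=$2E19'
PS_DLL = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"
HOST_EXE = r"C:\Users\test\AppData\Local\Temp\host.exe"
HOST_CMD = f'"{HOST_EXE}" -r "{PS_DLL}"'

if __name__ == "__main__":
    print(is_excluded(WINSTEP_NEXT_UPDATE, [WINSTEP_RECORDED]))                       # False
    print(is_excluded(WINSTEP_NEXT_UPDATE, [generalize_exclusion(WINSTEP_RECORDED)]))  # True
    print(decide(PS_DLL, "", []))
    print(decide(HOST_EXE, HOST_CMD, []))
```

Wildcard only the values that actually change; an exclusion such as *Updater.exe* would also cover any other process whose command line merely contains that string. An exclusion keyed on the command line alone can be satisfied by any process that reproduces it, so where the tool allows it, tie the exclusion to the image path and signer as well.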
     