NoVirusThanks OSArmor: An Additional Layer of Defense

I'm not sure if this is going to be of any use, but I use this shortcut to run Edge:

%windir%\explorer.exe shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge

V48 started blocking it from running, and with 49, it runs properly again.

 

Fixed!

 

TH.

 

@novirusthanks

A small bug in the file name. It should be regsvr32.exe

Advanced > Attack Mitigation Rules > Prevent resgvr32.exe from loading DLLs

 

Latest version fixed the Eagleget alerts.

 

Here is a new v1.4 (pre-release) test50:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test50.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed a typo on the Configurator GUI
+ Block loading of .inf files via InstallHinfSection\LaunchINFSection
+ Improved Block suspicious command-lines
+ Improved Block suspicious Svchost.exe process behaviors
+ Improved Block execution of suspicious scripts
+ Improved support for multiple alerts
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive please let me know.

@Lorina

On build 49 (and 50) we improved many rules and fixed many false positives (including the event that blocked that shortcut).

@Azazal

Thanks, fixed now.

@Azure Phoenix

Great!

 

Here is a new v1.4 (pre-release) test51:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test51.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved detection of WannaCry ransomware

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive please let me know.

Just a quick update.

 

Didn't get this morning's early release in yet and already a new one!

Awesome. Thank You Andreas.

 

Another quick update (sorry )

Here is a new v1.4 (pre-release) test52:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test52.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of nslookup.exe
+ Block processes executed from regasm.exe
+ Block netsh.exe "import" and "exec" commands
+ Improved Block suspicious command-lines
+ Improved Block suspicious processes
+ Minor fixes and optimizations

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

We're planning to release v1.4 on 10 April (Tuesday), let me know if you find any FPs.

 

Tuesday is April the 10th

 

Fixed, thanks

 

im starting to like OSArmor, even tho i just started using it. it seems to do well so far. it blocked like 30 process in just one day, they were all positive aswell

 

Keep 'em coming. np.

 

FWIW ~ call Task Manager with ctrl+shift+esc
Date/Time: 4/7/2018 4:42:09 PM
Process: [240]C:\Windows\System32\Taskmgr.exe
Parent: [476]C:\Windows\System32\LaunchTM.exe
Rule: BlockAllAutoElevateSysProcs
Rule Name: Block ALL "autoelevate" system processes
Command Line: "C:\WINDOWS\System32\Taskmgr.exe" /2
Signer: Microsoft Windows
Parent Signer:
User/Domain: bjms/BJM-PCW10
Integrity Level: High
~ test52 all rules checked

 

Yes, keep 'em coming and thanks for your hard work.

 

Coming sooooo fast need an auto-uninstall.
Thanks you sir!

 

Just taking a look at this now. Very nice program. Being able to make custom rules is a nice touch.

How about adding to Anti-Exploit
Chromium - chrome.exe (unless this is already covered under Google Chrome)
and
PotPlayer - PotPlayerMini.exe and PotPlayerMini64.exe

 

@novirusthanks OSA works properly on Win10 Spring Creator Update

 

@novirusthanks

https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html

https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/

Is it possible to insert only one rule to monitor the "fodhelper" command?

 

@bjm_

Thanks for sharing.

@JimboW

Will discuss about them.

@guest

Thanks for letting me know.

@Sampei Nihira

OSA already blocks that behaviors with default rules

 

Thanks.

Great program. Think I’m going to replace Bouncer (though I won’t give up MemProtect for anything) with this for the simple fact that it’s so much quicker to create exclusions with the popups and to toggle protection on and off compared to Bouncers Install mode. Having the ability to make custom rules makes it a winner.


Chromium is unsigned and won’t run because of the “Block execution of unsigned processes on Local AppData” setting. OSArmor didn’t choke once as chrome.exe tried to spawn off all its child processes. Only took two quick exclusion rules to let it run. One quick and simple by using the exclusion popup creating an automatic exclusion [%PROCESS%: C:\Users\JimboW\AppData\Local\Chromium\Application\chrome.exe] [%PROCESSCMDLINE%: "C:\Users\JimboW\AppData\Local\Chromium\Application\chrome.exe" --disable-reading-from-canvas] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTSIGNER%: Microsoft Windows] and one manual exclusion using a wildcard for all the child processes which come with a different string of numbers every time [%PROCESS%: C:\Users\JimboW\AppData\Local\Chromium\Application\chrome.exe] [%PROCESSCMDLINE%: *] [%PARENTPROCESS%: C:\Users\JimboW\AppData\Local\Chromium\Application\chrome.exe] while every other unsigned process is still blocked from execution from the Local AppData folder. Not to mention how light OSArmor is and can’t even tell it’s running. Terrific.

 

Indeed, OSA can do the job of an anti-exe, if the Custom Block-Rules list is properly populated. The user will need to make a few exceptions, but that is not so hard.

Here are some custom block rules that I am using in that respect (besides the many that I took from the excubits blacklist https://excubits.com/content/files/blacklist.txt):

[%PROCESS%: C:\ProgramData\*]
[%PROCESS%: C:\users\*]
[%PROCESS%: *\rundll32.exe]

This necessitates some exclusions, for instance:

[%PROCESS%: C:\ProgramData\*] [%FILESIGNER%: Microsoft Corporation]

[%PROCESS%: C:\Windows\System32\rundll32.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState]

[%PARENTPROCESS%: C:\Windows\System32\svchost.exe] [%PARENTSIGNER%: Microsoft Windows Publisher]
[%PROCESS%: C:\Windows\System32\rundll32.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\rundll32.exe Startupscan.dll,SusRunTask] [%PARENTPROCESS%: C:\Windows\System32\svchost.exe] [%PARENTSIGNER%: Microsoft Windows Publisher]

 

So add from blacklist.txt to CustomBlock.db will be correct?