NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,737
    Location:
    U.S.A. (South)
  2. Lorina

    Lorina Registered Member

    Joined:
    Mar 13, 2018
    Posts:
    13
    Location:
    EU
    I'm not sure if this is going to be of any use, but I use this shortcut to run Edge:

    %windir%\explorer.exe shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge

    V48 started blocking it from running, and with 49, it runs properly again.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,153
    Location:
    Among the gum trees
    Fixed! :thumb:
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,777
    Location:
    Italy
    :thumb:
    TH.:)
     
  5. Azazal

    Azazal Registered Member

    Joined:
    Oct 26, 2016
    Posts:
    8
    Location:
    Europe
    @novirusthanks

    A small bug in the file name. It should be regsvr32.exe

    Advanced > Attack Mitigation Rules > Prevent resgvr32.exe from loading DLLs
     
    Last edited: Apr 6, 2018
  6. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,235
    Latest version fixed the Eagleget alerts.
     
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    Here is a new v1.4 (pre-release) test50:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test50.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Fixed a typo on the Configurator GUI
    + Block loading of .inf files via InstallHinfSection\LaunchINFSection
    + Improved Block suspicious command-lines
    + Improved Block suspicious Svchost.exe process behaviors
    + Improved Block execution of suspicious scripts
    + Improved support for multiple alerts
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive please let me know.

    @Lorina

    On build 49 (and 50) we improved many rules and fixed many false positives (including the event that blocked that shortcut).

    @Azazal

    Thanks, fixed now.

    @Azure Phoenix

    Great!
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    Here is a new v1.4 (pre-release) test51:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test51.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved detection of WannaCry ransomware

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive please let me know.

    Just a quick update.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,737
    Location:
    U.S.A. (South)
    Didn't get this morning's early release in yet and already a new one!

    Awesome. Thank You Andreas. :)
     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    Another quick update (sorry :D)

    Here is a new v1.4 (pre-release) test52:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test52.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Block execution of nslookup.exe
    + Block processes executed from regasm.exe
    + Block netsh.exe "import" and "exec" commands
    + Improved Block suspicious command-lines
    + Improved Block suspicious processes
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    We're planning to release v1.4 on 10 April (Tuesday), let me know if you find any FPs.
     
  11. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    745
    Location:
    Italy
    Tuesday is April the 10th ;)
     
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    Fixed, thanks
     
  13. anonskii

    anonskii Registered Member

    Joined:
    Dec 16, 2016
    Posts:
    18
    Location:
    UK
    im starting to like OSArmor, even tho i just started using it. it seems to do well so far. it blocked like 30 process in just one day, they were all positive aswell
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,737
    Location:
    U.S.A. (South)
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,588
    Location:
    .
    FWIW ~ call Task Manager with ctrl+shift+esc
    Date/Time: 4/7/2018 4:42:09 PM
    Process: [240]C:\Windows\System32\Taskmgr.exe
    Parent: [476]C:\Windows\System32\LaunchTM.exe
    Rule: BlockAllAutoElevateSysProcs
    Rule Name: Block ALL "autoelevate" system processes
    Command Line: "C:\WINDOWS\System32\Taskmgr.exe" /2
    Signer: Microsoft Windows
    Parent Signer:
    User/Domain: bjms/BJM-PCW10
    Integrity Level: High
    ~ test52 all rules checked
     
    Last edited: Apr 10, 2018
  16. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,553
    Location:
    USA
    Yes, keep 'em coming and thanks for your hard work.
     
  17. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    Coming sooooo fast need an auto-uninstall. :)
    Thanks you sir!
     
  18. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    Just taking a look at this now. Very nice program. Being able to make custom rules is a nice touch. :thumb:

    How about adding to Anti-Exploit
    Chromium - chrome.exe (unless this is already covered under Google Chrome)
    and
    PotPlayer - PotPlayerMini.exe and PotPlayerMini64.exe
     
  19. guest

    guest Guest

  20. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,777
    Location:
    Italy
    @novirusthanks

    https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html

    https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/

    Is it possible to insert only one rule to monitor the "fodhelper" command?
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,067
    Location:
    Italy
    @bjm_

    Thanks for sharing.

    @JimboW

    Will discuss about them.

    @guest

    Thanks for letting me know.

    @Sampei Nihira

    OSA already blocks that behaviors with default rules :)
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Andeas

    Finally got to test the new build. Have had some hardware issues. New build is good here.

    Pete
     
  23. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    Thanks.

    Great program. Think I’m going to replace Bouncer (though I won’t give up MemProtect for anything) with this for the simple fact that it’s so much quicker to create exclusions with the popups and to toggle protection on and off compared to Bouncers Install mode. Having the ability to make custom rules makes it a winner.


    Chromium is unsigned and won’t run because of the “Block execution of unsigned processes on Local AppData” setting. OSArmor didn’t choke once as chrome.exe tried to spawn off all its child processes. Only took two quick exclusion rules to let it run. One quick and simple by using the exclusion popup creating an automatic exclusion [%PROCESS%: C:\Users\JimboW\AppData\Local\Chromium\Application\chrome.exe] [%PROCESSCMDLINE%: "C:\Users\JimboW\AppData\Local\Chromium\Application\chrome.exe" --disable-reading-from-canvas] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTSIGNER%: Microsoft Windows] and one manual exclusion using a wildcard for all the child processes which come with a different string of numbers every time [%PROCESS%: C:\Users\JimboW\AppData\Local\Chromium\Application\chrome.exe] [%PROCESSCMDLINE%: *] [%PARENTPROCESS%: C:\Users\JimboW\AppData\Local\Chromium\Application\chrome.exe] while every other unsigned process is still blocked from execution from the Local AppData folder. Not to mention how light OSArmor is and can’t even tell it’s running. Terrific.:thumb:
     
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,453
    Indeed, OSA can do the job of an anti-exe, if the Custom Block-Rules list is properly populated. The user will need to make a few exceptions, but that is not so hard.

    Here are some custom block rules that I am using in that respect (besides the many that I took from the excubits blacklist https://excubits.com/content/files/blacklist.txt):

    [%PROCESS%: C:\ProgramData\*]
    [%PROCESS%: C:\users\*]
    [%PROCESS%: *\rundll32.exe]

    This necessitates some exclusions, for instance:

    [%PROCESS%: C:\ProgramData\*] [%FILESIGNER%: Microsoft Corporation]

    [%PROCESS%: C:\Windows\System32\rundll32.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState]

    [%PARENTPROCESS%: C:\Windows\System32\svchost.exe] [%PARENTSIGNER%: Microsoft Windows Publisher]
    [%PROCESS%: C:\Windows\System32\rundll32.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\rundll32.exe Startupscan.dll,SusRunTask] [%PARENTPROCESS%: C:\Windows\System32\svchost.exe] [%PARENTSIGNER%: Microsoft Windows Publisher]
     
  25. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    620
    Location:
    Lunar module
    So add from blacklist.txt to CustomBlock.db will be correct?
    ScreenShot_52.png
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.