NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,595
    Work what out? It is my understanding that OSA and VS can peacefully coexist.
     
  2. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,843
    Location:
    KEEP USA GREAT
My bad, I thought the reference to VS was VoodooShield LOL
     
  3. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,370
Correct me if I'm wrong, but wouldn't using both VoodooShield and OSArmor be redundant?
     
  4. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
My opinion: VS is too chatty to AI and VT and who knows what others.
    OSArmor is so light and lean, with no chat. :thumb: With AppGuard and EIS most excellent.
     
  5. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,595
    I may be wrong but it is my understanding that Voodooshield and OSArmor complement each other. Hm...
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I just installed OSArmor version 1.2 on Windows 10 x64 Pro version 1709. I will report back if I have any problems, or suggestions.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    It would be nice to have an option to disable OSArmor when installing software.
     
  8. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
Wouldn't right-click exit do the same?
     
  9. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    675
Installed 1.2 and the problem with the GUI not closing at startup is fixed. I didn't have the chance to install 1.1.

    I would like to have the option to return to the default configuration.

    Not a big deal, but it would be nice to have the GUI move to the front when double-clicking the tray icon. It remains behind all other windows.

    Does a notification appear each time there is a block? If so, does it remain until the user closes it? I ask because the GUI and the log file show blocked processes but I have not seen any notifications.

    Epson Printer Driver/Software Update

    Date/Time: 12/19/2017 7:36:00 PM
    Process: [3212]C:\Windows\System32\spool\drivers\x64\3\E_YTSNAE.EXE
    Parent: [1168]C:\Windows\System32\svchost.exe
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: C:\Windows\system32\spool\DRIVERS\x64\3\E_YTSNAE.EXE /EXE:"{25EECB78-DF8A-4EC6-A4FC-1EF8C1A5C0A6}" /F:"Update"
    Signer: SEIKO EPSON CORPORATION
    Parent Signer: Microsoft Windows Publisher

    Date/Time: 12/19/2017 8:18:07 PM
    Process: [8704]C:\Users\chris\AppData\Local\Temp\EPSON\Download Navigator\20171219201607\Firmware\Resouce\FWE555TL\EPFWUPD.exe
    Parent: [1888]C:\Program Files (x86)\EPSON Software\Download Navigator\EPSDNRUD.EXE
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: "C:\Users\chris\AppData\Local\Temp\EPSON\Download Navigator\20171219201607\Firmware\Resouce\FWE555TL\EPFWUPD.exe" /SU:M:"64EB8C40C479" /W /R
    Signer: SEIKO EPSON CORPORATION
    Parent Signer: SEIKO EPSON CORPORATION

    Date/Time: 12/19/2017 8:18:08 PM
    Process: [7696]C:\Users\chris\AppData\Local\Temp\EPSON\Download Navigator\20171219201607\Event Manager\Data\Setup.exe
    Parent: [1888]C:\Program Files (x86)\EPSON Software\Download Navigator\EPSDNRUD.EXE
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: "C:\Users\chris\AppData\Local\Temp\EPSON\Download Navigator\20171219201607\Event Manager\Data\Setup.exe" -NOLA
    Signer: SEIKO EPSON CORPORATION
    Parent Signer: SEIKO EPSON CORPORATION

    Date/Time: 12/19/2017 8:18:09 PM
    Process: [9544]C:\Users\chris\AppData\Local\Temp\EPSON\Download Navigator\20171219201607\EasyPhotoScan\EPS_10010_ALL_web_41\Data\Setup.exe
    Parent: [1888]C:\Program Files (x86)\EPSON Software\Download Navigator\EPSDNRUD.EXE
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: "C:\Users\chris\AppData\Local\Temp\EPSON\Download Navigator\20171219201607\EasyPhotoScan\EPS_10010_ALL_web_41\Data\Setup.exe" /qn
    Signer: SEIKO EPSON CORPORATION
    Parent Signer: SEIKO EPSON CORPORATION

    Date/Time: 12/19/2017 8:36:00 PM
    Process: [5208]C:\Windows\System32\spool\drivers\x64\3\E_YTSNAE.EXE
    Parent: [1168]C:\Windows\System32\svchost.exe
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: C:\Windows\system32\spool\DRIVERS\x64\3\E_YTSNAE.EXE /EXE:"{25EECB78-DF8A-4EC6-A4FC-1EF8C1A5C0A6}" /F:"Update"
    Signer: SEIKO EPSON CORPORATION
    Parent Signer: Microsoft Windows Publisher
     
    Last edited: Dec 19, 2017
  10. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,933
    Definitely need the exclusions. It is blocking certain programs now after reviewing the logs.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    Normally when that language is used it means it will only close the GUI, or tray icon, but the driver continues to run. I guess Andreas will have to answer that question.
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,841
    You can't really compare both applications.
    The protection of OS Armor depends on rules and it is monitoring the behaviour of processes.
    It monitors the system for suspicious processes/processes in suspicious folders and suspicious command-lines.

    If you have an Anti Executable installed, try to execute "unknown" applications and you will get an alert about the execution.
    OS Armor wouldn't give a peep :) Only if one of its rules gets triggered.

If applications like java.exe/mmc.exe/mstsc.exe are about to launch other (legitimate or whitelisted) applications, the Anti Executable wouldn't give a peep.
    OS Armor would block it, if the corresponding options are checked ("Block any process executed from mmc.exe (unchecked by default)", etc.)

    If you want to have full control, use an Anti Executable.
    But OS Armor provides an additional layer of protection. It has no complex configuration ("zero-configuration") and right after installation it is protecting without annoying prompts.
     
  13. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,011
    Location:
    Canada
Thank you mood for this detailed explanation. Appreciated. :)
     
  14. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,595
    @mood Thank you very much for your explanation. So I guess OSA and VS do not make each other redundant. I still consider OSA an additional layer of protection, so I will keep using it alongside VS.
     
  15. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,398
    Location:
    Germany
    Hi @novirusthanks

I have some questions about this program:

    1. Do you need the blocked files?

    2. Any info on the multilanguage version of it?

    3. And when will it install into C Programs with x version number? Can you tell us which version number?

    With best Regards
    Mops21
     
    Last edited: Dec 22, 2017
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,228
    Location:
    Italy
    @novirusthanks

Problem: the "Configurator" does not open.
    The mouse hourglass continues to be displayed.

    Uninstalled with IObit Uninstaller Portable.

    *** Windows XP - No NET Installed - MBAE Premium (ver 24) ***
     
  17. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    This program seems very interesting! :)

    After Windows Startup, this was blocked:
    Code:
    Date/Time: 20/12/2017 16:20:59
    Process: [11984]C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Tray.exe
    Parent: [9844]C:\Windows\explorer.exe
    Rule: BlockDoubleExt
    Rule Name: Block processes with double file extensions (i.e .pdf.exe)
    Command Line: "C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Tray.exe" -NoControlPanel -CheckNumberOfRunningAgents
    Signer: Veeam Software AG
    Parent Signer: Microsoft Windows
     
  18. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I tried one named "keymaker" and "patch" and it wasn't blocked, so maybe you should add those and anything else similar?
     
  19. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    103
    I am testing this out. I don't like it installing in C:\OSArmorDevSvc. Also, this directory is writable by non-administrators. The programs that are not running can be deleted!
     
  20. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,595
    This is the only thing I don't like about OSA, either. Apart from that, OSA is a keeper!:D
     
  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,841
    There is no exclusion feature, but maybe it will be implemented sooner or later :cautious:
    But you can disable the rule so Veeam.EndPoint.Tray.exe is not blocked anymore.
     
  22. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,595
    I'm pretty sure an exclusion feature will soon be implemented. It's still an experimental tool; new, exciting features will soon be added.:)
     
  23. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
When installing Firefox, here is what the log says about it:
    "Date/Time: 20.12.2017. 21:15:40
    Process: [2776]C:\Users\AV-Gurus\AppData\Local\Temp\nsuAF0D.tmp\nsD3A1.tmp
    Parent: [1080]C:\Users\AV-Gurus\AppData\Local\Temp\7zS74C2.tmp\setup.exe
    Rule: BlockUnsignedProcessesAppDataLocal
    Rule Name: Block execution of unsigned processes on Local AppData
    Command Line: "C:\Users\AV-Gurus\AppData\Local\Temp\nsuAF0D.tmp\nsD3A1.tmp" "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe"
    Signer:
    Parent Signer: Mozilla Corporation"


All rules are set to ON.
    Firefox is running fine... looks like it...
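The block records posted in this thread (Charyb's Epson entries, rdsu's Veeam entry, Djigi's Firefox installer entry) all share one field layout, and mood's explanation above is that OSArmor fires on rules rather than on unknown executables. Since the tool has no exclusion feature yet, the practical triage step is to read the log, group the blocks by rule and see which ones hit vendor-signed binaries before deciding whether to disable a rule. The following parser is an added example written for this discussion, not code from OSArmor or NoVirusThanks; the sample log is constructed from the shape of the entries posted above, and the `looks_like_double_extension` heuristic is an assumption about what the BlockDoubleExt rule keys on (OSArmor's real matching is not documented on this page).

```python
import re
from collections import Counter

# Constructed sample: three block entries in the "Key: Value" layout OSArmor writes,
# modelled on the entries quoted in this thread (not a real capture from this machine).
SAMPLE_LOG = r"""Date/Time: 12/19/2017 7:36:00 PM
Process: [3212]C:\Windows\System32\spool\drivers\x64\3\E_YTSNAE.EXE
Parent: [1168]C:\Windows\System32\svchost.exe
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders
Command Line: C:\Windows\system32\spool\DRIVERS\x64\3\E_YTSNAE.EXE /EXE:"{25EECB78-DF8A-4EC6-A4FC-1EF8C1A5C0A6}" /F:"Update"
Signer: SEIKO EPSON CORPORATION
Parent Signer: Microsoft Windows Publisher

Date/Time: 20/12/2017 16:20:59
Process: [11984]C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Tray.exe
Parent: [9844]C:\Windows\explorer.exe
Rule: BlockDoubleExt
Rule Name: Block processes with double file extensions (i.e .pdf.exe)
Command Line: "C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Tray.exe" -NoControlPanel -CheckNumberOfRunningAgents
Signer: Veeam Software AG
Parent Signer: Microsoft Windows

Date/Time: 20.12.2017. 21:15:40
Process: [2776]C:\Users\AV-Gurus\AppData\Local\Temp\nsuAF0D.tmp\nsD3A1.tmp
Parent: [1080]C:\Users\AV-Gurus\AppData\Local\Temp\7zS74C2.tmp\setup.exe
Rule: BlockUnsignedProcessesAppDataLocal
Rule Name: Block execution of unsigned processes on Local AppData
Command Line: "C:\Users\AV-Gurus\AppData\Local\Temp\nsuAF0D.tmp\nsD3A1.tmp" "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe"
Signer:
Parent Signer: Mozilla Corporation
"""

# "Process:" and "Parent:" values look like "[pid]path"
PID_PATH = re.compile(r"^\[(\d+)\](.*)$")

FIELD_MAP = {
    "Date/Time": "time",
    "Process": "process",
    "Parent": "parent",
    "Rule": "rule",
    "Rule Name": "rule_name",
    "Command Line": "command_line",
    "Signer": "signer",
    "Parent Signer": "parent_signer",
}


def _split_pid_path(value):
    """Turn '[3212]C:\\...\\x.exe' into (3212, 'C:\\...\\x.exe'); pid is None if absent."""
    m = PID_PATH.match(value.strip())
    if not m:
        return None, value.strip()
    return int(m.group(1)), m.group(2)


def parse_entries(text):
    """Split the log on blank lines and parse each entry's 'Key: Value' fields.
    Only the first colon separates key from value, so drive letters and GUIDs survive."""
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        entry = {name: "" for name in FIELD_MAP.values()}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if not sep or key.strip() not in FIELD_MAP:
                continue
            entry[FIELD_MAP[key.strip()]] = value.strip()
        entry["process_pid"], entry["process_path"] = _split_pid_path(entry["process"])
        entry["parent_pid"], entry["parent_path"] = _split_pid_path(entry["parent"])
        entries.append(entry)
    return entries


def count_by_rule(entries):
    """How many blocks each rule produced: the rule with the most vendor-signed hits
    is the one worth reviewing (or, as mood suggests, disabling) first."""
    return dict(Counter(e["rule"] for e in entries))


def signed_blocks(entries):
    """Blocked processes that carry a signer. A signature is not proof of benignity,
    but a signed vendor binary blocked by a location or naming rule is the usual
    false-positive pattern seen in this thread (Epson, Veeam)."""
    return [e for e in entries if e["signer"]]


def looks_like_double_extension(path):
    """Assumed approximation of the BlockDoubleExt check: two or more dots in the
    file name, which is why 'Veeam.EndPoint.Tray.exe' trips it like 'invoice.pdf.exe'."""
    name = path.rsplit("\\", 1)[-1]
    return name.count(".") >= 2


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print("blocks per rule:", count_by_rule(parsed))
    for e in signed_blocks(parsed):
        print(f"signed block: {e['rule']} -> {e['process_path']} (signer: {e['signer']})")
    for e in parsed:
        if e["rule"] == "BlockDoubleExt":
            print("double-dot name?", looks_like_double_extension(e["process_path"]))
```

Point the script at a saved copy of OSArmor's log text instead of `SAMPLE_LOG` to get the same per-rule summary for your own machine; the unsigned Temp-folder entry (Firefox's NSIS stub) is the kind of block the rule is designed for, whereas the two signed entries are the ones to weigh against disabling a rule.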
     
  24. plat1098

    plat1098 Guest

    I don't use VoodooShield anymore either, @Buddel. Three tiny working standalones to assist Windows Defender are plenty and as far as annoyance factor--close to zero, footprints (exclusive of sandbox contents) and draw of system resources--minimal. It's like tissue paper on here. I have a little system monitor on desktop, OSArmor is working. No protracted irritations--and this BETA came out just a few days ago. What's enabled by default in the configurator looks good to me--intricate and complicated heavy duty additions are yesterday.
     
  25. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    103
    C:\OSArmorDevSvc inherits its permissions from C:\. I have tried removing Modify and Write permissions from Authenticated users and it still appears to work so this would be better.
     