NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
    @novirusthanks

    I am cautiously optimistic that the problem with OSArmor and Windows 7 has gone away. The advent of KB4100480 might have something to do with it. 64bit Windows 7 in particular has been a bit of a mess since the Meltdown fixes and the issue of KB4100480 is hopefully the end of the problem. I look forward to seeing what comes on 10 April. I am presently using Test 52 of OSArmor on both Windows 7 systems.

    PostScript: I have now been running OSArmor on my Windows 7 systems for more than a day without incident. Previous to installing KB4100480, it took only a very short time for the problem to appear and to lock the systems up. This is good news for me because I can now enjoy the protection of OSArmor on Windows 7 and I can also have the pleasure of informing you that the possibility of an obscure bug in OSArmor seems now to be almost zero.
     
    Last edited: Apr 10, 2018
  2. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    Nothing new to report with test 52. Running great.
     
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    You need to change each rule to the OSA syntax.
    For instance, the first one on the list needs to be like this:
    [%PROCESS%: *\AppData\Local\Temp\*.bat]
    And so forth for all the rest.

    Also, you will get a lot of overlap, unless you check which ones OSA is already blocking. But the truth is, the overlap doesn't really matter. AFAIK, you will get one OSA prompt, even if two rules block it. You will probably see the prompt from your custom rule, rather than the built-in OSA rule.
     
  4. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Is there a lot of overlap between NVT OSArmor and NVT ERP -- or is it worthwhile running both?
     
    Last edited: Apr 10, 2018
  5. guest

    guest Guest

    OSA has some "anti-exploit" protection, ERP doesn't; obviously it has some overlaps, but they don't conflict.

    ERP is more for the geeky guys while OSA is more for the "average" users.

    Personally I like to use both.
     
  6. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,113
    Location:
    Lunar module
    Thanks!
    To novirusthanks
    1/ AutoRuns is not blocked
    ScreenShot_55.png
    2/ In the section Anti-Exploit add the browser 360 Extreme Explorer (360 Chrome Explorer).
    3/ How to protect Portable Browsers?
    4/ Many applications have a white window background, so the message box looks unnatural and sloppy. Change the background of the message box or add a frame.
    ScreenShot_56.png
     
  7. guest

    guest Guest

    AutoRuns is not part of the PsTools and is therefore not blocked.
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Does anyone else notice that OSA causes a delay in system startup, and in launching of apps?
    On my system, OSA does both.
    By contrast, ERP 4 does not impact system startup very much, but definitely slows program launching.
     
  9. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,113
    Location:
    Lunar module
    I thought that all programs by Russinovich are related to PsTools Sysinternals.
    No and no. Win10 x64.
     
  10. guest

    guest Guest

    PsTools Suite: https://docs.microsoft.com/en-us/sysinternals/downloads/pstools
    All filenames of these tools begin with "Ps..."
    PsExec can be used for malicious purposes, and malware is actually using it, so the decision was made to block "PsTools" but not the other regular Sysinternals tools.
     
  11. guest

    guest Guest

    No

    No
     
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) test54:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test54.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved Block suspicious command-lines
    + Improved Block suspicious processes
    + Improved Block suspicious Svchost.exe process behaviors
    + Block execution of unsigned processes on user space
    + Block unsigned processes to run with high or system privileges
    + Block processes executed from netsh.exe
    + Block possible UAC bypass attempts [method 1]
    + Block possible UAC bypass attempts [method 2] (disabled at the moment, need to complete this)
    + Block execution of ftp\tftp\telnet.exe
    + Block suspicious process elevation attempts
    + Block InfDefaultInstall.exe if executed by unknown processes
    + Some rules have been moved to their appropriate section
    + Added text-link to reset statistics on Main GUI
    + Configurator GUI can be maximized and is resizable
    + Added a dark-gray frame on the notification window
    + Removed Block ALL autoelevate system processes
    + Removed Block known system files used for UAC-bypass
    + Show parent process integrity level on log file
    + Show process md5 hash on log file
    + Minor fixes and optimizations
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive or issue please let me know (official release will be postponed by some days).

    Here is a screenshot:

    new-osa-54.png
     
  13. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    "Block unsigned processes to run with high or system privileges" :thumb:

    Enabled.;)

    _________________________________

    "Removed Block known system processes (not files) used for UAC-bypass"

    Too bad.
    I used it only for my XP (MMC).

    P.S.

    MMC is also no longer blocked !! :(

    _________________________________

    Where is the rule for Fodhelper?
    I checked if the current version of Fodhelper always presents the self-elevation instruction:

    Immagine.jpg
    :thumbd:
    I believe a rule is necessary.

     
    Last edited: Apr 10, 2018
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I disabled Excubits FIDES, and now OSA is visibly faster.
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Actually, OSA already protects most of the things on the Excubits blacklist without saying so explicitly. Many of them fall under various general categories, if I understand right, or are called by different names.
     
  16. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    I get this when closing Chrome Portable:

    Date/Time: 4/10/2018 7:38:12 AM
    Process: [324]C:\Windows\SysWOW64\regedit.exe
    Process MD5 Hash: 592628D2A739189F17C0E97901B11FA8
    Parent: [5752]Z:\GoogleChromePortable\GoogleChromePortable.exe
    Rule: PreventRegeditSilentlyLoadingScripts
    Rule Name: Prevent regedit.exe from silently loading .reg scripts
    Command Line: regedit /s "C:\Users\JD\AppData\Local\Temp\GoogleChromePortable\rlz.reg"
    Signer:
    Parent Signer: Rare Ideas, LLC
    User/Domain: JD/admin-PC
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  17. guest

    guest Guest

    I knew...
     
  18. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,113
    Location:
    Lunar module
    1/ Bug detected: configurator does not save the custom window size even in the current work session (between the openings of the configurator window).
    2/ Setting a custom sound, «when notification is displayed», would increase the informativeness, since the current beep is weak and inexpressive.
     
  19. guest

    guest Guest

    @novirusthanks

    probably a new process from the Spring Update

    Date/Time: 4/10/2018 10:44:42 PM
    Process: [7276]C:\Windows\System32\LocationNotificationWindows.exe
    Process MD5 Hash: 0EFEA89BB50F3ACEE491168D851C48F1
    Parent: [1244]C:\Windows\System32\svchost.exe
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: C:\Windows\System32\LocationNotificationWindows.exe
    Signer:
    Parent Signer: Microsoft Windows Publisher
    User/Domain: xxxxxxxx
    Integrity Level: Medium
    Parent Integrity Level: System
     
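An added example, not code from the thread or from NoVirusThanks: a small Python parser for OSArmor log records in the layout quoted in posts 16 and 19, plus an evaluator for custom rules written in the `[%PROCESS%: pattern]` form shown in post 3. Treating the pattern as a case-insensitive glob, and returning only the first matching rule (one prompt even when rules overlap), are assumptions about OSA's behaviour, not documented semantics.

```python
import re
from fnmatch import fnmatchcase
# Two OSArmor log records, trimmed from the ones quoted in the thread (posts 16 and 19).
SAMPLE_LOG = r"""Date/Time: 4/10/2018 7:38:12 AM
Process: [324]C:\Windows\SysWOW64\regedit.exe
Parent: [5752]Z:\GoogleChromePortable\GoogleChromePortable.exe
Rule: PreventRegeditSilentlyLoadingScripts
Signer:
Integrity Level: Medium
Parent Integrity Level: Medium

Date/Time: 4/10/2018 10:44:42 PM
Process: [7276]C:\Windows\System32\LocationNotificationWindows.exe
Parent: [1244]C:\Windows\System32\svchost.exe
Rule: BlockSuspiciousProcesses
Signer:
Integrity Level: Medium
Parent Integrity Level: System
"""

PID_PATH = re.compile(r"^\[(\d+)\](.*)$")   # "[324]C:\...\regedit.exe" -> pid, path
RULE = re.compile(r"^\[%(\w+)%:\s*(.+)\]$")  # "[%PROCESS%: pattern]" -> variable, pattern

def parse_records(text):
    """Split blank-line separated records into dicts; add 'Process Path'/'Parent Path' and PIDs."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")   # split on the first colon only (paths contain ':')
            rec[key.strip()] = value.strip()
        for key in ("Process", "Parent"):
            m = PID_PATH.match(rec.get(key, ""))
            if m:
                rec[key + " PID"], rec[key + " Path"] = int(m.group(1)), m.group(2)
        records.append(rec)
    return records

def rule_matches(rule_text, rec):
    r"""Evaluate a custom rule such as [%PROCESS%: *\Temp\*.bat] against one record (assumed: case-insensitive glob)."""
    m = RULE.match(rule_text.strip())
    if not m or m.group(1).upper() != "PROCESS":   # only %PROCESS% is shown in the thread
        raise ValueError("unsupported rule: " + rule_text)
    return fnmatchcase(rec.get("Process Path", "").lower(), m.group(2).lower())

def first_hit(rec, custom_rules):
    """First custom rule that matches, or None: overlapping rules still yield a single prompt."""
    return next((r for r in custom_rules if rule_matches(r, rec)), None)
```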
  20. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I should probably know this, but what is MMC?
     
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    Microsoft Management Console.
     
  22. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,347
    Location:
    Location Unknown
    Microsoft Management Console

    It lets you use "snap-ins" to run administrative tasks on your PC. Right-click on My Computer and select "manage", or run mmc.exe.
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
  24. guest

    guest Guest

    If MMC.exe is blocked, Event Viewer, like most admin tools, is hence blocked too.
     
  25. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Thanks for reminding me.
     