NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    675
    Event viewer blocked.

    Date/Time: 4/14/2018 11:46:43 AM
    Process: [10024]C:\Windows\System32\mmc.exe
    Process MD5 Hash: 25A01E7B77B696693957812508D7F55D
    Parent: [5320]C:\Windows\explorer.exe
    Rule: BlockMSCScripts
    Rule Name: Block execution of .msc scripts
    Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\eventvwr.msc" /s
    Signer:
    Parent Signer: Microsoft Windows
    User/Domain: -----/DESKTOP-5XXTJTA
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: Medium
     
  2. guest

    guest Guest

    That is normal. You block execution of .msc
     
  3. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    675
    I wasn't aware it was supposed to block legitimate Windows processes.

    Enable internal rules for allowing safe behaviors should take care of this.
     
    Last edited: Apr 14, 2018
  4. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    So, the anti-exploit rule for Chrome doesn't cover Chromium? In MBAE it does.
    What about if the browser is portable? Does the rule cover only C:\Program Files ?
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,995
    Location:
    .
    Any interest in Statistics info maintained thru machine restart?
     
    Last edited: Apr 14, 2018
  6. guest

    guest Guest

    From what I understand, it takes precedence because this is not a default option. If you want to keep using it and allow MS processes, you have to make exclusions.
     
  7. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    860
    Location:
    Lunar module
    Thanks to everyone, I understood a lot, but not all :)
     
  8. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    675
    Ok, thanks. Still learning this program.
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,125
    Location:
    Italy
    Here is a new v1.4 (pre-release) test59:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test59.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Added "Windows Live Mail" on Anti-Exploit tab
    + Added "PotPlayer" on Anti-Exploit tab
    + Added a Help\FAQs file (tray-icon -> Help\FAQs, Main menu -> Help -> Help\FAQs, GUI "?" top-right border icon)
    + Renamed Block system processes from cleaning Windows Eventlog
    + Minor fixes and optimizations

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive or issue please let me know.

    @Charyb

    You should uncheck "Block execution of .msc scripts" and check "Block execution of .msc scripts outside system folder", it will not generate FPs.

    Probably the option "Block execution of .msc scripts" may be removed, leaving only "Block execution of .msc scripts outside system folder".

    @imuade

    Chromium is not supported because it is unsigned, Google Chrome monitors only Chrome by Google.

    Will take a look at Chromium later, but I would prefer to support only digitally-signed apps.

    It also supports portable versions, here is a screenshot with LibreOffice portable (the exploit payload has been blocked):

    test-exp-osarmor.png

    @bjm_

    Stats on the GUI are reset when the GUI app is restarted, you can check the .log file for the history of blocked events.

    Personally I don't need them to be remembered on the GUI.
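
    The difference between the two .msc options discussed above, and the use of the .log file as the history of blocked events, can be checked with a short script. This is an added example, not part of the original post and not NoVirusThanks code: it assumes log entries use the "Key: value" layout shown in the first post and are separated by blank lines, and that "system folder" means System32 or SysWOW64; the second sample entry is constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the first entry reuses fields posted in the thread,
# the second is invented to show a .msc file outside the system folder.
SAMPLE_LOG = r"""
Date/Time: 4/14/2018 11:46:43 AM
Rule: BlockMSCScripts
Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\eventvwr.msc" /s

Date/Time: 4/14/2018 11:50:02 AM
Rule: BlockMSCScripts
Command Line: "C:\WINDOWS\system32\mmc.exe" "C:\Users\example\Downloads\tool.msc"
"""

# Assumption: what counts as the "system folder" is not defined on the page.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def parse_events(text):
    """Split the log on blank lines; each 'Key: value' line becomes a dict item."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(l.strip().split(": ", 1) for l in block.splitlines() if ": " in l)
        if fields:
            events.append(fields)
    return events

def msc_target(command_line):
    """Return the .msc path handed to mmc.exe (quoted or bare), or None."""
    m = re.search(r'"([^"]+\.msc)"|(\S+\.msc)\b', command_line, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None

def in_system_folder(path):
    """Exact, case-insensitive parent match; '..' segments never count as inside."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS

def triage(events):
    """Label every BlockMSCScripts event by where its .msc file lives."""
    results = []
    for ev in events:
        if ev.get("Rule") != "BlockMSCScripts":
            continue
        target = msc_target(ev.get("Command Line", ""))
        verdict = ("review" if target is None else
                   "system-folder" if in_system_folder(target) else "outside-system-folder")
        results.append((ev.get("Date/Time"), target, verdict))
    return results
```

    Entries labelled "system-folder" are the ones the broad rule blocks but the narrower "outside system folder" rule would be expected to allow; "outside-system-folder" entries are the ones worth investigating.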
     
  10. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,577
    I like the new FAQ. Well done, Andreas.:thumb:
     
  11. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    174
    Location:
    Wigan
    The limited response time allowed by the dialog box for excluding blocking of suspicious processes is too short for proper user consideration, especially if you are away from computer at the time.
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,995
    Location:
    .
    2667.png
     
  13. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    It would be great if you could add it, I agree with the idea to support only digitally-signed apps, but Chromium is widely used, so it could be an understandable exception :)
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,702
    Location:
    U.S.A. (South)
    Ok let's discuss if it's ok.

    Highly respect your personal preference on the log display sequence however there are some users of this great program who have also weighed in their support of the (last blocked event) who seem to share the suggestion of having the most recent blocked event show up first, and at the top squarely in front of them first on log open.

    Its (OSA) pop-up alert dialog is first to indicate a blocked event was engaged and logged and it just seemed fluid to also have that same logged event in front of the user when they Open Logs Folder.

    A proposition. Not a request. How about an option? OSA is a program of myriad options already. Does this make sense?

    At any rate keep up the fantastic work and effort. It's easy to see that more and more users are really warming up fast in what OSA offers for solid protection and needless to say it's a very convincing piece of excellent work.
     
  15. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,577
    This is also my preference - last blocked event shown at the bottom of the log file.
     
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,127
    Location:
    Italy
    + Added "PotPlayer" on Anti-Exploit tab

    Good.:thumb:
    I use Potplayer on Windows XP.
     
  17. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Would be nice to see SMPlayer on it also.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,702
    Location:
    U.S.A. (South)
    I respect that, honestly do, but for the life of me can't understand a purpose in doing what Windows for years has always made users do and that is go hunting for something "most recent" that could easily be brought to the front first.
     
  19. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    Agree. Whether here or in other apps, scrolling to the bottom to see what is new is illogical for me. The stuff above is of little interest.

    I like the suggestion of an option to show either way, but at some point Andreas will likely say ENUFF!! :)
     
  20. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    In case you aren't aware, there are shortcuts you can use to get to the bottom of a text file very quickly. You can either press CTRL + END on the keyboard, or right-click on the scroll-bar and select "Bottom" from the menu. Apologies if you knew this already, just trying to be helpful.
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,702
    Location:
    U.S.A. (South)
    Appreciate the workaround for a roundabout search, still another extra step to have to take just to find most recent.

    Not wanting to make too much out of this, it's just simpler and more immediate IMHO for a logged event to show itself up front and center.

    This is a cutting edge creation with outstanding protection and that's really what counts most.
     
  22. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    174
    Location:
    Wigan
    D'oh! I am suitably embarrassed. :oops:
     
  23. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    I think the best idea would be to keep the log files as they are, but also add an "events" tab to the GUI, just like ERP 4 has, that shows all the events as they happen.
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,125
    Location:
    Italy
    @EASTER

    I'll see if we can add an option in Settings tab like this (only one option will be checkable):

    [X] Append events to the log file (as is now, checked by default)
    [ ] Insert events to the log file (this will insert the event, so the last event will be always on first line)

    What do you think?
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,702
    Location:
    U.S.A. (South)
    I think the best idea would be most recent up first since it is an immediate alert. But we all have our own opinions on that.

    As already mentioned this interest is way far from anything that actually matters to the program's core function.

    Merely a proposition that seemed might be useful to share to the developer with some others who agree, that's all.
     